risk management
FFIRS 12/22/2010 14:13:57 Page 1
Corporate Value of Enterprise
Risk Management
FFIRS 12/22/2010 14:13:57 Page 2
FFIRS 12/22/2010 14:13:57 Page 3
Corporate Value of Enterprise Risk Management
The Next Step in Business Management
SIM SEGAL
John Wiley & Sons, Inc.
FFIRS 12/22/2010 14:13:57 Page 4
Copyright # 2011 by Sim Segal. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey.
Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web� at� www.copyright.com.� Requests� to� the� Publisher� for� permission� should� be� addressed� to the Permissions Department, JohnWiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201)� 748-6011,� fax� (201)� 748-6008,� or� online� at� http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer ofWarranty:While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit� our� web� site� at� www.wiley.com.
Library of Congress Cataloging-in-Publication Data: Segal, Sim, 1964—
Corporate value of enterprise risk management : the next step in business management / Sim Segal.
p. cm. Includes index. ISBN 978-0-470-88254-2 (cloth); ISBN 978-1-118-02328-0 (ebk);
ISBN 978-1-118-02329-7 (ebk); ISBN 978-1-118-02330-3 (ebk) 1. Risk management. I. Title. HD61.S364 2011 658.1505—dc22 2010045243
Printed in the United States of America
10 9 8 7 6 5 4 3 2 1
FTOC 12/29/2010 9:39:8 Page 5
Contents
Foreword ix
Preface xi
Acknowledgments xix
PART I: BASIC ERM INFRASTRUCTURE
Chapter 1: Introduction 3
Evolution of ERM 4 Basel Accords 4 September 11th 5 Corporate Accounting Fraud 7 Hurricane Katrina 9 Rating Agency Scrutiny 10 Financial Crisis 11 Rare Events 13 Long-Term Trends 14 Challenges to ERM 15 Summary 16 Notes 16
Chapter 2: Defining ERM 18
Definition of Risk 18 Definition of ERM 24 Summary 58 Notes 59
Chapter 3: ERM Framework 61
Value-Based ERM Framework 63 Challenges of Traditional ERM Frameworks 63
v
FTOC 12/29/2010 9:39:8 Page 6
Value-Based ERM Framework 65 Overcoming the Challenges by Using a Value-Based ERM Framework 83
Summary 109 Notes 110
PART II: ERM PROCESS CYCLE
Chapter 4: Risk Identification 113
Components of Risk Identification 113 Five Keys to Successful Risk Identification 114 Risk Categorization and Definition 114 Qualitative Risk Assessment 129 Emerging Risk Identification 153 Killer Risks 155 Summary 166 Notes 167
Chapter 5: Risk Quantification 168
Practical Modeling 169 Components of Risk Quantification 174 Calculate Baseline Company Value 174 Quantify Individual Risk Exposures 185 Quantify Enterprise Risk Exposure 207 Summary 223 Notes 224
Chapter 6: Risk Decision Making 226
Defining Risk Appetite and Risk Limits 227 Integrating ERM into Decision Making 239 Summary 269 Notes 270
Chapter 7: Risk Messaging 271
Internal Risk Messaging 271 External Risk Messaging 280 Summary 292 Notes 293
vi & Contents
FTOC 12/29/2010 9:39:8 Page 7
PART III: RISK GOVERNANCE AND OTHER TOPICS
Chapter 8: Risk Governance 297
Focusing on Common Themes 298 Components of Risk Governance 298 Roles and Responsibilities 298 Organizational Structure 319 Policies and Procedures 325 Summary 327 Notes 327
Chapter 9: Financial Crisis Case Study 329
Summary of the Financial Crisis 330 Evaluating Bank Risk Management Practices 332 Summary 342 Notes 343
Chapter 10: ERM for Non-Corporate Entities 344
Generalizing the Value-Based ERM Approach 344 Complexities of Objectives-Based ERM 350 Examples of NCEs 351 Summary 369 Conclusion 369 Notes 369
Glossary 371
About the Author 389
Index 391
Contents & vii
FTOC 12/29/2010 9:39:8 Page 8
FBETW 01/05/2011 15:56:19 Page 9
Foreword
IN MY FORMER ROLE leading Standard & Poor’s ERM evaluations,I visited with hundreds of executives from companies all over the worldand in all types of businesses, and discussed their ERM programs. I watched these ERM programs evolve, and witnessed their successes, and sometimes
their colossal failures. Much more often than not, firms struggled both with
having a clear objective for their ERM efforts and with the day-to-day problems
of implementation. This perspective tells me that there is a tremendous need
for clear thinking and clear exposition of the actions needed to practice ERM.
The value-based approach that Segal developed, and introduces for the first
time in this important book, definitely provides that clarity. Many other ERM
books merely outline the problem and leave the readers to figure out how to
implement a solution on their own. Here you will find each and every step of
ERM implementation clearly laid out for the practitioner to follow along. In
addition, Segal’s approach to ERM:
& Is robust, yet highly practical & Is able to quantify strategic and operational risks (this alone makes this
book a worthwhile read) & Takes the mystery out of risk appetite, one of the most elusive ERM topics
(two-thirds of those believing that defining risk appetite is critical to their
ERM programs have not yet done so) & Supports better decision making
This book is also highly accessible to every business leader. Segal’s
writing style is smooth and in plain language. He offers crisp insights that
can benefit everyone interested in ERM, from the ERM-savvy to the ERM
novice.
ix
FBETW 01/05/2011 15:56:19 Page 10
Finally, this book offers a very credible business case for adopting ERM.
I have read nearly every book related to this topic, and I heartily recom-
mend this one. This could well be the only ERM book you will ever need.
—Dave Ingram, CERA
Senior Vice President, Willis Re
Former leader of Standard & Poor’s insurance ERM evaluations
x & Foreword
FPREF 01/05/2011 16:17:53 Page 11
Preface
PURPOSE OF THE BOOK
Adoption of enterprise risk management (ERM) programs is a strong and
growing global trend. However, while ERM programs have a lot of potential,
traditional approaches to ERM often struggle to generate sufficient buy-in
from internal stakeholders, such as business decision-makers. The primary
reason for this is that traditional ERM approaches lack a business case for their
adoption. In response to this difficulty, I developed the value-based ERM
approach, and this book is its first in-depth presentation.
The value-based ERM approach is designed to have a built-in business case
for its adoption. At its core, it is a synthesis of ERM and value-based manage-
ment. This synthesis provides the missing link between risk and return. It is this
connection that transforms ERM into a strategic management approach that
enhances strategic planning and other business decision making. As a result,
the value-based ERM approach is seen by internal stakeholders—business
segment leaders, senior management, and the board—as a way to help them
achieve their goals of profitably growing the business and increasing company
value.
The value-based ERM approach has several other advantages as well.
It works equally well in all industry sectors. I have used this approach to help
implement ERM programs for corporate entities in a wide range of sectors,
such as manufacturing, energy, entertainment, technology, services, tele-
communications, banking, and insurance, as well as for non-corporate
entities, such as professional associations. The value-based ERM approach
also works equally well regardless of geography or accounting system. In
addition, the value-based ERM approach is an advanced yet practical
approach to ERM. I have used this approach exclusively in my work as
an ERM consultant, helping organizations to quickly, fully, and successfully
implement their ERM programs.
xi
FPREF 01/05/2011 16:17:53 Page 12
Finally, the value-based ERM approach also overcomes the three core
challenges that prevent traditional ERM programs from achieving their full
potential:
1. An inability to quantify strategic and operational risks
2. An unclear definition of risk appetite
3. A lack of integration into business decision making
The value-based approach quantifies all types of risk: strategic, operational,
and financial. This is often referred to as the ‘‘holy grail’’ of ERM. I am unaware
of any other ERM approach that can fully quantify strategic and operational
risks. In addition, the value-based ERM approach provides a clear, quantitative
definition of risk appetite that can be used in the risk governance process.
Finally, the value-based ERM approach, due to its linkage between risk and
return as well as its sheer practicality, fully integrates ERM information into
decision making at all levels, from strategic planning to tactical decision
making to transactions.
I often am encouraged when I read introductions to allegedly new ERM
information in articles, books, and seminars that tout an ERM approach that
‘‘adds value’’ to the business, only to end up disappointed when I find the same
old traditional ERM approaches, which have no direct connection to value.
In sharp contrast, this book presents an ERM approach that is centrally focused
on measuring, protecting, and increasing company value.
INTENDED AUDIENCE
The primary audience for this book is corporate stakeholders, including:
& Heads of ERM programs, such as chief risk officers (CROs) and their staff & Heads of internal audit & Heads of compliance & Senior executives, such as CEOs and CFOs & Management, such as business segment leaders & Heads of strategic planning & Heads of human resources & Boards of directors, including chairs of audit committees and chairs of risk
committees & Shareholders
xii & Preface
FPREF 01/05/2011 16:17:53 Page 13
& Rating agencies & Regulators
Other audiences for this book include the following:
& Stakeholders of non-profit organizations, such as charitable organizations
and professional associations & Heads of government bodies & Financial planners and their customers & Professors of MBA/EMBA programs in Finance, and their students
Corporate Audiences
Heads of ERM programs, such as chief risk officers (CROs) and their
staff,will learn an advanced yet practical approach for either implementing an
ERM program for the first time, or for enhancing an existing ERM program.
They will learn an ERM approach that offers several advantages, such as:
& Builds buy-in among the business segments, senior management, and the
board & Satisfies all 10 key ERM criteria (which also serve as benchmarking criteria
for any ERM program) & Avoids the five common mistakes of risk identification & Overcomes the three core challenges of traditional ERM programs by:
& Quantifying strategic and operational risks in a consistent manner with
financial risks & Clearly defining risk appetite in a way that it can be used in the risk
governance process & Integrating ERM into key decision-making processes, including strate-
gic planning, strategic and tactical decisions, and transactions & Satisfies rating agency ERM requirements & Satisfies regulatory risk disclosure requirements
Heads of internal audit and heads of compliance will learn how to
quantify the value that they bring to the company, in terms of its direct
impact on company value. They will also learn their ERM roles and
responsibilities.
Senior executives, such as CEOs and CFOs, will learn an ERM
approach that can offer them the following advantages:
Preface & xiii
FPREF 01/05/2011 16:17:53 Page 14
& Improves the company’s shock resistance, making it more likely to achieve
the strategic plan goals & Potentially leads to a higher stock price, resulting from a more effective set
of tools for communicating with stock analysts & Potentially leads to a better rating by satisfying rating agency ERM
requirements
Management, such as business segment leaders, as well as heads
of strategic planning and heads of human resources, will learn an ERM
approach that can offer them the following advantages:
& Well-defined methodology to manage risk exposures to within risk appe-
tite, and quantitative information that supports decisions on risk mitiga-
tion alternatives & Better prioritization of limited resources, by focusing efforts on the most
important risks and the most impactful component drivers of the key risk
scenarios & Enhanced strategic planning process, with a more sophisticated and
dynamic ability to project results for the baseline scenario as well as
key risk scenarios, including upside and downside ranges of outcomes & Decision-making tool for selecting projects with the best risk–return profile
for all types of routine decisions, including strategic planning, strategic and
tactical decisions, and transactions & Enhanced business performance analysis, with metrics that reflect the
entire contribution to company value during the past period, and that
correct a serious flaw in balanced scorecards & Improved incentive compensation plan, by (a) providing a firm basis for
asserting that it is not a risky compensation plan subject to new SEC
disclosure requirements; and (b) better aligning management and share-
holder interests through correction of two suboptimal aspects of common
compensation schemes
Boards of directors, including chairs of audit committees and
chairs of risk committees, will learn the following:
& What questions they should be asking management about risk manage-
ment practices & How to gain comfort that the key risks of the organization are well
understood and effectively managed
xiv & Preface
FPREF 01/05/2011 16:17:53 Page 15
& What their roles and responsibilities are regarding risk governance & How to satisfy SEC disclosure requirements on risk governance
Shareholders will learn what they should expect from companies in
which they invest, in terms of a robust ERM program to protect and grow
company value. In addition, they will learn how to identify companies with
superior abilities to manage risks, through an enhanced ability to interpret
their risk disclosures.
Rating agencies will learn what they should be including in their ERM
evaluation criteria. In addition, they will learn an ERM approach that offers
them enhanced prospective information about a company, including the
likelihood that the company will properly execute its strategic plan.
Regulators will learn what they should be requiring from companies to
better protect against bankruptcies, as well as shareholder losses generally.
Other Audiences
Stakeholders of non-profit organizations, such as charitable organi-
zations and professional associations, in analogous roles to their corpo-
rate counterparts listed earlier, will learn analogous lessons. Using a
generalized version of the value-based ERM approach, these stakeholders
will learn how to improve the chances of achieving their (usually multiple)
goals.
Heads of government bodies will learn how to apply the value-based
ERM approach to their entities, and how this can better leverage their limited
resources and help them achieve their strategic objectives.
Financial planners and their customers will learn how the value-
based ERM concepts can be applied to help individuals identify their key
risks, robustly define their risk appetite, and better allocate their assets
among a range of financial products (such as investments and insurance),
on an integrated basis, to increase the chances of achieving their personal
goals.
Professors of MBA/EMBA programs in Finance and their students
will learn a full range of ERM concepts and how they are practically applied.
This book is currently serving as the basis for an MBA/EMBA course I am
teaching at Columbia Business School. Any professor wishing to use this book
as a required text for a similar course will be provided with supplementary
teaching materials, including the syllabus, lecture materials, exercises and
solutions, and exams and solutions.
Preface & xv
FPREF 01/05/2011 16:17:53 Page 16
SUMMARY OF THE CONTENTS
The book is divided into three sections:
Part I: Basic ERM Infrastructure (Chapters 1–3)
Part II: ERM Process Cycle (Chapters 4–7)
Part III: Risk Governance and Other Topics (Chapters 8–10)
Part I: Basic ERM Infrastructure (Chapters 1–3)
Chapter 1, Introduction, highlights the major events over the past 10 years
that contributed to the growing popularity of ERM. This provides the context
for a better understanding of traditional ERM approaches and their short-
comings, which are discussed in the following two chapters. The chapter
concludes by discussing two major challenges to the ERM movement.
It is important to clearly define ERM before delving into the heart of our
discussions. ERM is a complex and wide-ranging topic. In addition, there is a lot
of confusion in the market regarding what ERM is, and, as a result, there are
many disparate definitions. Finally, even the concept of risk itself is often
understood in differing ways, because it is so common a term as to be taken for
granted. We therefore devote the entirety of Chapter 2, Defining ERM, to first
defining risk and then defining ERM in four ways: by a basic definition; in terms
of the 10 key ERM criteria; by the four steps in the ERM process cycle; and by its
fundamental benefits. The 10 key ERM criteria introduced in this chapter are a
foundational element for this book, and are revisited frequently throughout.
In addition, the 10 key ERM criteria can be used to benchmark any ERM
program to determine its level of robustness.
Chapter 3, ERM Framework, begins by discussing the failure of traditional
ERM approaches to satisfy the 10 key ERM criteria and the three core
challenges to these programs. The chapter then introduces the value-based
ERM framework and discusses how it satisfies all 10 key ERM criteria, and how
it resolves the three core challenges of traditional ERM programs. The value-
based ERM framework is central to all discussions that follow.
Part II: ERM Process Cycle (Chapters 4–7)
Chapter 4, Risk Identification, discusses the first step in the ERM process cycle.
The three components of risk identification include risk categorization and
definition; qualitative risk assessment; and emerging risk identification. Al-
though risk identification is the first step in the ERM process cycle, traditional
xvi & Preface
FPREF 01/05/2011 16:17:53 Page 17
approaches are still suboptimal. This chapter discusses the five keys to success-
ful risk identification. One of the five keys to success is defining risks by their
source, a crucial building block that most organizations fail to construct
properly, leading to several difficulties with their ERM programs. In addition,
several applications of the risk categorization and definition (RCD) tool are
discussed. This chapter concludes with a discussion of two ‘‘killer risks.’’
Chapter 5, Risk Quantification, discusses the second step in the ERM
process cycle. This chapter begins by stressing the importance of practical
modeling, a critical characteristic of the value-based ERM approach. Next, this
chapter discusses how to calculate the baseline company value—an internal
calculation of company value consistent with the strategic plan. This is a key
element of the value-based approach, which quantifies risks in terms of their
potential impact on baseline company value. The chapter then discusses how
to quantify individual risk exposures, revealing the secrets of how to quantify all
types of risks, including strategic, operational, and financial. This is illustrated
with several case studies. The chapter closes with a discussion on how to
quantify enterprise risk exposure, the aggregate measure of risk exposure at the
enterprise level. This represents the distribution of possible outcomes, capturing
combinations of multiple key risk scenarios occurring simultaneously, includ-
ing their interactivity.
Chapter 6, Risk Decision Making, discusses the third step in the ERM
process cycle. The first decisions involve defining risk appetite (enterprise level
tolerance limits) and risk limits (tolerance limits below enterprise level). The
discussion reveals how to develop a clear, quantitative definition of risk appetite
that can be used in the risk governance process. The chapter then discusses
how to integrate ERM information into decision-making processes. This
includes enhancing the strategic planning process and providing a universal
protocol for all decisionmaking, whether related to risk mitigation or to routine
business, such as strategic planning, strategic and tactical decisions, or
transactions. In the discussions of mitigation decisions, this chapter reveals
how to quantify the value of mitigation in place, which can be used to illustrate
the value of internal audit or the compliance department.
Chapter 7, Risk Messaging, discusses the fourth and final step in the ERM
process cycle. The first part of this chapter addresses internal risk messaging,
which includes integration of ERM into business performance analysis and
incentive compensation. One notable element of the business performance
analysis discussion is how the value-based ERM approach can correct a
fundamental flaw in balanced scorecards. The second part of this chapter
discusses external risk messaging, which is about using ERM information for
Preface & xvii
FPREF 01/05/2011 16:17:53 Page 18
communications with external stakeholders, including shareholders, stock
analysts, rating agencies, and regulators.
Part III: Risk Governance and Other Topics (Chapters 8–10)
Chapter 8, Risk Governance, addresses three aspects of risk governance: roles
and responsibilities; organizational structure; and policies and procedures. The
roles and responsibilities are discussed for internal ERM stakeholders including
corporate ERM; the ERM committee; risk experts; business segments; the board
of directors; and internal audit. In the discussion of the roles and responsibilities
of corporate ERM, an entire section is devoted to listing all the ways in which
the value-based ERM approach helps achieve one of their most challenging
responsibilities: building buy-in for the ERM program.
Chapter 9, Financial Crisis Case Study, answers the question, ‘‘Because
banks massively failed, causing the global financial crisis that began in the
United States in 2007, and they claim to have been using ERM, can ERM be any
good?’’ The chapter begins with a summary of the financial crisis, and then
proceeds to evaluate bank risk management practices against the 10 key ERM
criteria to determine whether banks were actually practicing ERM.
Chapter 10, ERM for Non-Corporate Entities, reveals how to generalize the
value-based ERM approach for application to non-corporate entities, including
non-profit organizations, such as charitable organizations and professional
associations; government bodies; and individuals.
The book concludes with a glossary of ERM terms.
Web Site
The following Web page provides additional resources for this book:
www.simergy.com/ermbookresources.
The following Web site provides additional resources on ERM:
www.simergy.com.
xviii & Preface
FLAST 12/29/2010 11:8:37 Page 19
Acknowledgments
I WOULD FIRST LIKE to thank those who reviewed the draft manuscriptand provided feedback that improved the quality of this book. I wouldespecially like to recognize those whose contributions of time and effort were unusually generous, and to whom I am deeply indebted: Rich Lauria,
Leslie Bauer, Adam Litke, Dale Hall, Michel Rochette, Hugo Rodrigues, and
David Romoff provided numerous corrections and insights that enhanced both
the content and readability of the text.
In addition, I would like to thank Barbara Minto, inventor of the Minto
Pyramid Principle and the author of The Minto Pyramid Principle: Logic in
Writing, Thinking, & Problem Solving. The ease with which this book flows for
the reader is due to the Minto technique, which helps writers clarify their
thinking and express concepts logically and smoothly.
Finally, I would like to thank my publisher, John Wiley & Sons, and the
outstanding editors with whom I have had the pleasure of working: Sheck Cho,
Stacey Rivera, and Chris Gage. I would also like to thank Rachel Rabinowitz for
introducing me to Wiley.
xix
FLAST 12/29/2010 11:8:37 Page 20
FLAST 12/29/2010 11:8:37 Page 21
Corporate Value of Enterprise
Risk Management
FLAST 12/29/2010 11:8:37 Page 22
C01 12/29/2010 9:49:22 Page 1
IPART ONE Basic ERM
Infrastructure
C01 12/29/2010 9:49:22 Page 2
C01 12/29/2010 9:49:22 Page 3
1CHAPTER ONE Introduction
History is the sum total of the things that could have
been avoided.
Konrad Adenauer
ENTERPRISE RISK MANAGEMENT, or ERM, is generally defined asfollows: The process by which companies identify, measure, manage, and disclose all key risks to increase value to stakeholders.
One of the challenges with ERM lies in understanding what this defini-
tion means. There are many interpretations, and some would say misinter-
pretations, of this short definition. In the next chapter, we will fully and
properly define ERM. For now, consider ERM simply as an approach to treat
risk holistically in an organization.
3
C01 12/29/2010 9:49:22 Page 4
EVOLUTION OF ERM
ERMhas been gaining significantmomentum in recent years.Wewill discuss the
following eight most important factors driving this trend, which are as follows:
1. Basel Accords
2. September 11th
3. Corporate accounting fraud
4. Hurricane Katrina
5. Rating agency scrutiny
6. Financial crisis
7. Rare events
8. Long-term trends
The first seven factors involve significant discrete events and are listed
in chronological order, while the remaining factor includes trends that have
developed gradually over time. Some of the discrete events originate from,
or relate primarily to, the financial services sector. However, it is helpful for
those in all sectors to understand these events because they are commonly
known in ERM circles and their impacts on ERM are felt in all industry
sectors. In addition, it is helpful to understand the chronology because the
order of events has played a role in ERM development. The cumulative impact
of events, and the regulatory and corporate responses to them, has led to
the current environment for ERM.
BASEL ACCORDS
Basel II,1 an international guideline for risk management, influenced the
advancement of ERM practices in the financial services sector. The Basel
Accords are guidelines developed by a group of global banking regulators
in an attempt to improve risk management practices. Basel II, the second of
two accords developed by the Basel Committee on Banking Supervision, was
published in 2001.
There are three pillars in Basel II:
& Pillar 1: Minimum capital requirements & Pillar 2: Supervisory review & Pillar 3: Market discipline
4 & Introduction
C01 12/29/2010 9:49:22 Page 5
Pillar 1 specifies methods to calculate capital requirements, offering
standardized options based on industry averages and advanced options for
more sophisticated banks based on their own internal models, customized
to account for the specifics of the company, its businesses, and its risks, and
largely using management’s own estimates for most parameters.
Pillar 2 allows for supervisors to review the bank’s risk management
practices and risk exposures and, if necessary, apply a multiplier to increase the
amount of minimum required capital calculated in Pillar 1.
Pillar 3 addresses appropriate risk disclosures.
The most important advancement since Basel I was the expansion of scope
to include operational risks, moving banks in the direction of a holistic
treatment of risk (although many other risks, including all strategic risks,
are still excluded).
In retrospect, it is easy to criticize and say that the Basel Committee failed in
their goal, as evidenced by the global financial crisis that began in the United
States in 2007. However, these accords were widely adopted and did represent
an improvement from prior practices. Even if the Basel Accords fell short of their
goal to develop a standard benchmark for stellar risk management practices,
they did however result in an enhanced focus on risk in the banking sector and
beyond, as others held up the banking sector as a model for managing risk.
Solvency II, a set of risk management standards for European Union (EU)
insurance companies scheduled to take effect in November 2012, is clearly
influenced by Basel II, and is largely analogous to it.
SEPTEMBER 11TH
The terrorist attacks on the United States on September 11, 2001, advanced our
thinking in the area of ERM by raising awareness of four major aspects of risk:
1. Terrorism risk
2. Concentration risk
3. Risk complexity
4. Need for an integrated approach
Terrorism Risk
Virtually all organizations are more aware of the possibility of a terrorist attack
as a result of September 11th. Many of these organizations, particularly those
September 11th & 5
C01 12/29/2010 9:49:22 Page 6
operating in or near major cities or potential terrorist targets, have also thought
through various terrorism scenarios. They have examined the potential im-
pacts of an attack impacting their physical assets, employees, customers,
stakeholders, suppliers, and/or the economies in which they operate. These
exercises have led to some preventive mitigation (such as decentralizing offices)
as well as enhanced business continuity plans. An additional benefit is the
general raising of awareness of the possibility of the previously unthinkable.
This is helpful, since ERM requires management to keep an open mind to a
more complete range of future scenarios.
Concentration Risk
Even before September 11th, companies were aware of the danger of concen-
trations of risk. For example, companies try to avoid depending too much on a
single large customer or supplier; investing too much of their assets in any one
sector; or having too much knowledge, power, or access concentrated with one
employee. However, September 11th dramatically changed the way compa-
nies, and governments, thought about concentration risk.
The result was a complete rethinking of where and how resources are,
or might become, exposed in a concentrated way to terrorism or other types
of risk. Where are our most critical employees located? Where do we gather
our most critical employees together? Where are the bulk of our invested assets
geographically? Are any of our key customers or suppliers or other credit
counterparties exposed to significant concentration risk? One manifestation of
this was many employers decentralizing their locations out of major landmark
buildings and also out of major cities.
Risk Complexity
September 11th raised awareness of the complexity of risk. A complex set of
interdependencies, which remains beneath the surface until a significant dis-
ruption reveals it, became apparent in the aftermath of the attacks. There were
numerous secondary impacts that were unexpected, or at least had not been
examined until then.
Though it may appear obvious now, few would have predicted how
severely the airline business would be impacted. After all, statistically, even
with a moderate increase in terrorism, flying is still far safer than other modes
of travel. According to a study by Sivak and Flannigan published in the
January–February issue of American Scientist, even if a terrorist event equiv-
alent to September 11th occurred every month, flying would still be safer
6 & Introduction
C01 12/29/2010 9:49:22 Page 7
than driving.2 However, the human factor is a significant component of risk
complexity. It is more difficult to account for fear and other irrational human
tendencies, which often direct actions that are counter to our collective best
interests. A Cornell University study found that an additional 725 people lost
their lives in just the three months following September 11th as a result of a
shift from flying to driving.3
Another type of risk complexity that was highlighted as a result of
September 11th was that while there are mostly downside impacts from a
horrible event, there are often upside impacts as well. For example, anyone in
the security business can tell you how much opportunities increased after
the attacks. In addition, companies providing teleconferencing benefited as
well, as business travel decreased dramatically. While this is not a new
concept, again, the sheer scale of September 11th increased awareness that
in considering a risk scenario, it is important to factor in the potentially
offsetting upside impacts as well.
Need for an Integrated Approach
September 11th highlighted the need for an integrated approach to risk
management. It moved the U.S. government closer to managing risks on a
basis more consistent with ERM principles. The government reorganization
in response to September 11th is analogous to the beginnings of an ERM
program. They established the Department of Homeland Security, later
organized under the ODNI (Office of the Department of National Intelligence),
which centralizes efforts regarding most risks facing the country. One of the
key recognitions was that the government was in possession of intelligence
which should have, or could have, prevented the attacks, but due to a lack of
coordination, sharing, and prioritization of information, a disaster occurred.
It is the same within companies. Many companies possess excellent infor-
mation, but fail to realize their potential—both in terms of averting disasters
as well as capitalizing on opportunities—due to a lack of integration between
separate business segments.
CORPORATE ACCOUNTING FRAUD
In 2001 and 2002, a wave of accounting scandals rocked the business world.
Enron, Tyco, and WorldCom were just three of the most prominent examples.
These firms suffered dramatic financial collapses and had executives convicted
Corporate Accounting Fraud & 7
C01 12/29/2010 9:49:22 Page 8
and sentenced to prison. The names of these executives—Jeff Skilling, Ken Lay,
Andrew Fastow, Dennis Kozlowski, and Bernie Ebbers—still send shudders
down the spines of executives everywhere, nearly a decade later. In addition,
Arthur Andersen, the audit firm for both Enron and WorldCom, went out of
business as a result of the scandals. The fallout from all the accounting scandals
included two significant events that led many companies to improve their risk
management processes.
The first event involved litigation, and increased the accountability of
members of the board of directors and, more important, their personal financial
liability, in the event of undetected corporate accounting fraud. In aWorldCom
lawsuit, a settlement was reported that involved 10 outside directors paying
damages out of their personal assets amounting to approximately 20 percent of
their net worth, and whichwere not allowed to be reimbursed by their directors
and officers (D&O) liability insurance coverage. An Enron lawsuit settlement
involved similar personal payments from directors.
These settlements were significant in that they led to two major trends.
First, serving on a board of directors became less attractive due to the increased
liability. Many companies saw directors retiring from the board, and found
it more difficult to recruit directors. The second, and more important trend
for ERM, is that the remaining directors became more diligent about risk, and
began asking management what was being done to protect the company
against key risks. In many instances where companies have adopted ERM,
it was precipitated by pressure on management from a member of the board
of directors.
The second event involved legislation and enhanced the risk manage-
ment practices of companies and their auditors in relation to ensuring the
accuracy of external financial reports. In 2002, the U.S. Congress passed the
Sarbanes-Oxley Act, also commonly referred to as SOX. Similar legislation
was later adopted elsewhere, including Japan (J-SOX), France, Italy, and some
other countries. This legislation required companies to establish a highly
detailed and expensive process for identifying risks to, and establishing,
documenting, and testing the effectiveness of risk controls for, the financial
reporting process, and to have company executives formally attest to the
accuracy of the financial reports. In an effort to comply with SOX, many
companies adopted a modified version of the COSO Internal Control frame-
work developed in the early 1990s.4
Though SOX has been widely criticized as onerous and ineffective, it did
raise corporate awareness of risk regarding financial reporting accuracy as
well as more generally. Many companies used process maps to help identify
8 & Introduction
C01 12/29/2010 9:49:22 Page 9
vulnerable areas (e.g., regarding the handoffs and access to data) in the
reporting process, and some began to expand the use of process maps to
identify risks and inefficiencies in other company processes as well. SOX also
empowered employees to identify and address some new risks, as well as to
raise, and get funding to resolve, some known issues.
HURRICANE KATRINA
The August 2005 hurricane that devastated the city of New Orleans taught us
many lessons regarding risk management, but two of them in particular have
helped advance ERM practices in a way that is both lasting and significant.
These lessons relate to:
& Worst-case scenarios & Natural disasters
Worst-Case Scenarios
Like September 11th, Hurricane Katrina opened the imagination up to worst-
case scenarios, even though they may be remote in likelihood. According to
the U.S. Army Corps of Engineers, Hurricane Katrina was a 1-in-396-year
event. The lesson here is to put more emphasis on the impact of risk
scenarios, rather than on the likelihood. The likelihood may be very small,
but it is more a matter of not exposing yourself to anything that can wipe
you out completely.
Natural Disasters
Up until relatively modern times, people have been largely exposed to the
elements of nature. For example, before Benjamin Franklin invented the
lightning rod in 1747, every city faced the very real possibility of entire
neighborhoods burning down with each new lightning storm. Each new
technological advance over the years has brought with it more power over
our environment, as well as a growing sense of invulnerability.
Katrina reminded us of our vulnerability to natural disasters and the
fallibility of our best attempts to prevent or mitigate them. This was dramati-
cally underscored in the wake of the powerful hurricane and the ensuing
flooding, which showed the most powerful nation in the world unable to stem
the virtual loss of a major city to nature. After Katrina, many companies began
Hurricane Katrina & 9
C01 12/29/2010 9:49:22 Page 10
to incorporate more natural disaster scenarios in their ERM programs, and that
practice continues today.
RATING AGENCY SCRUTINY
In October 2005, rating agency scrutiny of company ERM programs took a
great leap forward. Standard & Poor’s (S&P) added ERM as an additional dis-
tinct ratings category for their credit ratings of insurance companies, globally.
Though the other major rating agencies did not follow their approach precisely,
they did begin to highlight how they were addressing ERM, in response to
questions raised as a result of S&P’s move. S&P’s ERM review advanced the
global practices of ERM in four ways:
1. Rapid advancement
2. Continual evolution
3. Growth beyond requirements
4. Expansion to all sectors
Rapid Advancement
Insurance companies moved, and moved quickly, to begin implementing an
ERM program or enhance their existing ERM programs. S&P’s move was bold
and brilliant from a marketing perspective. As a separate and distinct com-
ponent of the overall rating, the ERM ‘‘grade’’ a company received would be
publicly available. As a result, companies were highly motivated to get a
good grade. S&P published their ERM ratings criteria in some detail, and
companies used this as a guide for enhancing their ERM programs. Companies
needed to be prepared in time for their next meeting with S&P, and since
implementing ERM has a long lead time, many scrambled to prepare for the
S&P ERM review.
Continual Evolution
Insurance companies began to enhance their ERM programs each year. S&P
made a strategic decision to raise the bar on the level of sophistication that
would be required to maintain the ERM rating, and did so each year since
the introduction of its initial ERM review criteria. Once companies achieved the
ERM rating they desired, they quickly became even more concerned about the
possibility of losing that rating, and what that might signal to bondholders
10 & Introduction
C01 12/29/2010 9:49:22 Page 11
and shareholders alike. As a result, S&P helped encourage a continual evolu-
tion of ERM programs at these companies.
Growth beyond Requirements
Insurance companies began to take ERM programs even further than S&P
requirements. Once companies began to develop robust ERM programs, some
of them began to tout how their ERM programs afforded them a competitive
advantage. Spurred on by a certain level of competition, others began to
investigate how they too could use ERM for competitive purposes.
Expansion to All Sectors
Other sectors became, and continue to become, more aware of the need to
advance their ERM programs. S&P enjoyed much success with their insurance
ERM reviews, not only in terms of their moving the sector forward in ERM
sophistication but also in terms of attention. S&P received a phenomenal level
of press coverage for their innovative approach. This led to S&P announcing in
May 2008 that they would enhance their ERM reviews as part of their credit
ratings of non-financial companies. This is an important and much-needed
development, because most non-financial sectors have been lagging in risk
management practices as compared to the financial services sector. Although the
non-financial sector ERM review is not treated as a distinct ratings category like
that in the insurance sector, even before its formal incorporation into the ratings
process, these companies are becoming more aware of S&P’s ERM criteria, and
are acknowledging the need to improve their risk management practices.
FINANCIAL CRISIS
The global financial crisis that began in the United States in 2007 has shaken
up the status quo in the world of risk management and has opened the door for
all companies to look at how to improve their ERM programs. First, the crisis
has clearly laid false the claim by the banking sector that they had best-in-class
risk management practices. This is important, because others in the financial
services sector had been enamored with the banking approach and were of the
opinion that all they had to do was mimic it. In Chapter 9 we describe what
banks were and were not doing in terms of ERM practices.
In addition to witnessing the fall of the mighty in the banking sector,
companies had their own direct experience in the crisis that, if they survived
Financial Crisis & 11
C01 12/29/2010 9:49:22 Page 12
it (and many did not), served as a wake-up call. During the heart of the
crisis, there was a lull in ERM advancement as individuals and companies
were just scampering to survive. However, after the worst seemed to be over,
companies in all sectors of the economy began to perform assessments of their
ERM programs to determine priorities for enhancements. As before, the
financial services sector is actively engaged. However, the non-financial
services sector is also moving forward, some companies more quickly than
others. In particular, Steve Dreyer, who leads S&P’s global initiative to
incorporate ERM into their credit ratings for non-financial services compa-
nies, indicates that ‘‘coming out of the financial crisis, many companies in
the consumer products sector enhanced their ERM activities, in part due to
their experience with the financial crisis and its impact on their supply chain.
Likewise, energy companies exposed to recession-driven low natural gas
prices have focused more intently than ever on proactively managing
exposure to commodity price movements.’’
Another important consequence of the financial crisis is that it is no longer
as difficult for those involved in the ERM process to get management to consider
worst-case scenarios. Living ‘‘in the tail’’—which refers to experiencing what
was previously considered so unlikely an event that it would graphically reside
in the extreme downside tail-end portion of the distribution curve illustrating
the range of possible events—has opened management’s imagination of what
else can go badly, and how badly it can go.
In addition, it is expected that fallout from the financial crisis in the forms of
legislation, regulation, and litigation could have significant positive impacts on
the advancement of ERM globally. At the time of the writing of this book, it is
too early to determine these impacts. However, there are two consequences
that are worth mentioning that have the potential to accelerate adoption of
ERM programs:
1. SEC disclosure regulation
2. Dodd-Frank legislation
SEC Disclosure Regulation
In February 2010, the SEC passed a regulation requiring the disclosure of risk
governance as well as risky compensation programs. These are both discussed
in Chapter 7. Adopting an ERM program would help companies comply with
this regulation. The regulation may reveal the presence, or lack, of good risk
12 & Introduction
C01 12/29/2010 9:49:22 Page 13
governance at companies. In addition, the regulation requires an ability to
determine whether the incentive compensation program is risky, and this
cannot effectively be done without a proper ERM program in place.
Dodd-Frank Legislation
In July 2010, the Dodd-Frank legislation became effective. Much of the
legislation was written to merely empower regulators to design and implement
new requirements, which will take awhile to emerge. However, there is one
aspect of the bill that has the potential to advance ERM practices. The bill
created a new entity, the Financial Stability Oversight Council, and empowered
it to make recommendations regarding new risk management requirements
for financial institutions.
RARE EVENTS
In 2009, two threats resurfaced related to risk events so rare that they had
not been taken seriously in modern times. Although these threats did not
result in significant impacts, they played a part in helping management
keep an open mind about rare events, which is important in ERM. The two
threats were:
1. H1N1 flu pandemic
2. Pirates
H1N1 Flu Pandemic
For many years, scientists have been saying that it is only a matter of when,
not if, we will experience a pandemic disease of similar virulence as the 1918–
1919 flu pandemic, or the Spanish Flu, when, according to the Center for
Disease Control (CDC), more than 2.5 percent of the global population died.
Though many companies did include such scenarios in their ERM programs,
most approached it with a bit of skepticism. This is no longer the case. As the
2009 flu season approached, there were significant fears that the impending
H1N1 flu pandemic might be as deadly as the 1918 flu. Although it turned out
to only be about as deadly as a typical seasonal flu, this experience changed
attitudes. Before H1N1, the fact that an ‘‘old’’ date (1918) was attached to
the deadly event made it seem more unlikely or unreal to us.
Rare Events & 13
C01 12/29/2010 9:49:22 Page 14
Pirates
Though not a particularly important factor, piracy is worth mentioning
because it is another example of something that previously seemed un-
imaginable in modern times. However, in 2009, pirate attacks off the coast
of Somalia received a lot of media attention and became a concern for the
shipping industry and cruise lines. Before this occurred, if you raised this as a
potential risk, the response would have been, ‘‘Pirates? Are you kidding?’’
Pirates evoke a far distant history of wooden ships and cannon. It had been over
100 years since the last attack on a U.S. ship by pirates. Yet, again, a remote
(and ridiculous-sounding) risk event becoming reality is more fodder for ERM
programs, which include exercises to identify emerging risks—risks currently
not on the radar screen but that might become important in the future.
Events such as this have made us more aware of the gap between our attitude
before a remote event occurs and immediately afterwards, and how quickly our
mind-set, and our reality, can change.
LONG-TERM TRENDS
In addition to the events laid out chronologically earlier in the chapter, there
are two other drivers of ERM adoption worth mentioning that have evolved
over a long period of time. One is technological advancement. ERM requires a
lot of computing power. Until recently, the run time for the required calcula-
tions was prohibitively slow. However, the continued increase in processing
speeds is now making ERM feasible, and companies are beginning to take
advantage of this.
Another driver is increased risk savvy in the business world and even in
the general population. Until fairly recently, consumers of information have
been content to receive ‘‘best-estimate’’ projections, be they earnings fore-
casts or weather forecasts. However, in recent years, consumers have
become more comfortable with the concept of volatility (the best estimate
does not always occur) and also more accustomed to receiving and process-
ing multiple scenarios (ranges of possible results, either above or below
best estimate). As a result, forecasts have taken a more sophisticated turn
and commonly provide a range of possible or likely occurrences. For exam-
ple, television weather forecasts of hurricanes routinely display a range of
possible paths, often with color-coded probability ranges produced by so-
phisticated weather models. Another example is media coverage of elections,
14 & Introduction
C01 12/29/2010 9:49:22 Page 15
where analysts now present consumers with numerous detailed scenarios
that might influence different results.
CHALLENGES TO ERM
As a result of all the factors driving awareness and adoption of ERM programs,
ERM is currently a hot topic, and has been for a few years. Most companies
have begun adopting ERM, are considering adopting ERM, or are curious to
learn more about ERM. Boards of directors are asking about it, and their
management is actively seeking knowledge about it. Even non-profit organi-
zations and government entities have an interest in ERM and how they can
adapt it for their use. At companies implementing ERM, many have a formal
full-time position of chief risk officer (CRO) to lead the development, imple-
mentation, maintenance, and enhancement of the ERM program.
In response to this demand, providers of products and services have been
rapidly investing in growth to serve the growing ERM market. Conferences are
adding ERM as a topic to their agenda or offering entire events dedicated solely
to ERM. Universities are building ERM curricula for executives as well as
students, and are searching for both content and qualified professors. Consult-
ing firms, audit firms, and technology providers are continually seeking to
develop and expand their ERM products and services and are competing to hire
ERM practitioners from the limited pool of qualified people.
With all this momentum, it may seem inevitable that ERM will become
a large and sustaining movement in the corporate world and beyond.
However, there are two major challenges that currently threaten to derail
the ERM movement:
1. Confusion over ERM providers
2. ERM programs falling short of expectations
Confusion over ERM Providers
The first challenge is confusion in the market over just what ERM is and who is
offering valid ERM services. The rapid proliferation of providers of ERM products
and services has resulted in many ERM providers that narrowly define ERM in
a way that plays to their limited set of products and services, which are usually
risk management offerings that pre-date ERM. This confusion over what
constitutes ERM may also lead to the tarnishing and eventual abandonment
of the label ERM, although the valid underlying ERM concepts would live on
Challenges to ERM & 15
C01 12/29/2010 9:49:22 Page 16
under a new name. Chapter 2 addresses this by providing a robust definition of
ERM, which can be used to evaluate whether a company’s risk management
program is, in fact, an ERM program. Another result of this confusion in the
marketplace for ERM products and services is that it may dissuade some
companies from adopting ERM.
ERM Programs Falling Short of Expectations
The second challenge is that the majority of ERM programs are falling short of
expectations. There is no consensus yet on ERM best practices, and there are a
variety of methods being employed. Most ERM frameworks and approaches
currently in use, while producing some valuable benefits, are resulting in
suboptimal ERM programs. Chapter 3 defines the ERM framework for an
advanced yet practical approach that helps companies avoid these issues
and successfully implement a robust ERM program. The majority of the
book describes this framework and approach in more detail.
SUMMARY
Due to a confluence of significant risk-related events, mostly over the past
10 years, as well as longer-term supporting trends, the time for ERM seems to
have arrived. Some disastrous events, both man-made and natural, have raised
management’s awareness of specific sources of risks, the possibility of worst-
case scenarios, and the need for an integrated approach to managing risk.
Some actions, both proactive and reactive, by external stakeholders—rating
agencies and government bodies—have improved risk management practices
and disclosures, as well as raised management’s awareness of the benefits of
an ERM program. While poised to continue to grow as a business approach,
ERM suffers from some confusion in the marketplace and a lack of leading
practices. In the next chapter, we will begin to clear up some of this confusion
by thoroughly and clearly defining ERM. The remainder of this book will
then go on to delineate leading practices for ERM.
NOTES
1. Basel II replaced the original Basel Accord. While there is now a Basel III
emerging, it is not materially different, from the perspective of our discussion.
The primary difference is higher capital requirements.
16 & Introduction
C01 12/29/2010 9:49:22 Page 17
2. ‘‘Definitive Statistics Comparing Driving with Flying,’’ available at www
.fearofflying.com/about/research.shtml#driving. The study indicates that
such an increase in terrorism would make flying about as risky as rural
interstate driving, which is one of the least risky types of driving. Therefore,
overall, driving would still be riskier.
3. ‘‘How We Calculate Risk: Fear of Flying After 9/11 Led to Increase in Auto
Deaths,’’ available at http://thestatsblog.wordpress.com/2008/01/16/fear-
of-flying-after-911-led-to-increase-in-auto-deaths/.
4. The COSO Internal Control framework is intended as a process to help achieve
effectiveness and efficiency of operations, reliability of financial reporting, and
compliance.
Notes & 17
C02 01/07/2011 10:39:7 Page 18
2CHAPTER TWO Defining ERM
Security is mostly a superstition. It does not exist in
nature, nor do the children of men as a whole
experience it. Avoiding danger is no safer in the
long run than outright exposure. Life is either a
daring adventure or nothing.
Helen Keller
B EFORE WE CAN even begin to define ERM, we must define risk.While risk is a very common term, it has several connotations. Weneed a very clear and specific understanding of risk itself, in terms of how we will use it in the context of ERM.
DEFINITION OF RISK
We will discuss the following three fundamental aspects of risk:
1. Risk is uncertainty.
18
C02 01/07/2011 10:39:7 Page 19
2. Risk includes upside volatility.
3. Risk is deviation from expected.
Risk Is Uncertainty
A good way to think about risk is that it is present whenever there is less than
100 percent certainty that an event will occur precisely as expected. If that is
our definition of risk, is there anything that does not involve risk? This may
bring to mind the famous quote about uncertainty by Benjamin Franklin: ‘‘The
only things certain in life are death and taxes.’’
Other than these two eventualities, is there anything else in your life that
does not involve risk? Interestingly, even death and taxes involve uncertainty,
regarding the timing of the former and the exact amount of the latter. So, it may
be that absolutely everything involves uncertainty.
Risk Includes Upside Volatility
When you think of the risks in your life, you probably think of negative events,
such as losing your job or losing your health. On a daily basis, risk may be as
simple as the chance of not getting somewhere on time because of traffic or
weather conditions. However, in an ERM context, we will define risk as any
deviation from expected. Defined this way, risk includes both downside and
upside volatility.1 For example, you certainly would consider the possibility that
your bonus will be lower than expected as being a risk; however, you are
unlikely to think of the possibility of your bonus being higher than expected as
being a risk. But that is exactly what our definition of risk asks you to do—
consider risk as the possibility that results may not be exactly equal to expected,
but rather are either lower or higher than expected. The ‘‘upside volatility’’
refers to the range of possible upside risk events, and the ‘‘downside volatility’’
refers to the range of possible downside risk events.
Including upside volatility in the definition of risk is important in ERM,
because we need to appropriately reflect three characteristics of risk:
1. Offsets from other business segments
2. Offsets from other events
3. Cost of volatility
Offsets from Other Business Segments
A single event that is a downside risk event for one business segment might be
an upside risk event for a second business segment. For example, consider a
Definition of Risk & 19
C02 01/07/2011 10:39:7 Page 20
tour company in the United States that markets national tours as well as tours
to China to U.S. citizens. Assume a risk event occurs where the U.S. dollar
becomes devalued against China’s currency, renminbi (RMB). The tour
company would expect a decrease in business for their tours to China, but
they also might expect an increase in business for their national tours. In such
cases, management must understand the net impact of the single event on the
enterprise as a whole.
A related concept is that what appears to be a downside risk event can
ultimately turn out to be an upside risk event for the entity. One example is a
moderate external attack from a competitor, which strengthens the entity’s
defenses, allowing it to survive what would otherwise have been a fatal attack
later on from a larger competitor. This is analogous to the famous quote by
Friedrich Nietzsche: ‘‘Whatever does not kill us makes us stronger.’’ For a
related anecdote, see ‘‘Blessing in Disguise.’’
Offsets from Other Events
Multiple risk events can occur simultaneously, with some being downside
risk events and others being upside risk events. In these cases, manage-
ment needs to measure the net impact of all risk events combined. For
example, during one period, everything goes precisely as planned, except for
two things:
BLESSING IN DISGUISE
I n October 2007, a swimmer named Michael Phelps was training forthe 2008 Beijng Olympics when he broke his wrist.2 Having won six gold medals at the 2004 Athens Olympics, Phelps had hoped to beat the world record of seven Olympic gold medals set by Mark Spitz in 1972. Despite publicly denying it at the time, in a later interview, Phelps admitted that the moment he realized he broke his wrist, he knew that his dream of winning eight Olympic gold medals was in jeopardy. During rehabilitation therapy for his wrist, Phelps was limited to doing kicking exercises in the water. Once he was fully healed, it became apparent that the injury had been a blessing in disguise. The extensive leg workouts gave him a competi- tive advantage that propelled him to his goal of winning eight Olympic gold medals in Beijing. Stronger legs made him faster, allowing him to push harder off the walls when turning and to kick harder during his swimming strokes.3
20 & Defining ERM
C02 01/07/2011 10:39:8 Page 21
1. A downside risk event occurs, such as a cost savings program not being
executed as expected, resulting in fixed costs being $10million higher than
expected.
2. An upside risk event occurs, such as an unexpected decrease in the cost
of raw materials used in production, resulting in variable costs being
$10 million lower than expected
The net effect of these risk events—one upside and one downside—is
zero. In an ERM context, had we applied an approach that only captured the
downside risk event, we would have ignored the offsetting upside risk event.
Cost of Volatility
An excess of volatility, even where the upside is more impactful than the
downside, can lower value by increasing the cost of capital. In other words, not
all upside volatility is necessarily good news, because it is accompanied
by additional downside volatility as well. Consider a simplified example of
two companies: StableCo and WildCo, both with one million shares outstand-
ing. Both companies are in the same industry sector being valued by the same
equity analyst. The analyst projects the cash flows (in millions) for the coming
10-year period for each company. The cash flows are shown in Table 2.1.
Assume that the equity analyst values each company as the present
value of their 10-year projected cash flows (see ‘‘Present Value’’). If the
discount rate used to value both StableCo and WildCo were the same 6
percent rate, StableCo would be valued at $80.10 per share and WildCo
would be valued at $91.22 per share, or $11.12 per share more than
StableCo. However, it is unlikely that the same discount rate would be
used to value both companies.
WildCo does have more total projected cash flow over the 10-year period.
The upside volatility is expected to generate more additional dollars of cash
flow than are lost by the accompanying additional downside volatility, as
TABLE 2.1 Cash Flow Projection: StableCo and WildCo
Cash Flows
(in millions)
Year
1
Year
2
Year
3
Year
4
Year
5
Year
6
Year
7
Year
8
Year
9
Year
10 Total
StableCo 10 10 10 11 11 11 12 11 12 12 110
WildCo 10 5 25 !2 18 10 28 2 24 6 126
Definition of Risk & 21
C02 01/07/2011 10:39:10 Page 22
compared to StableCo. However, WildCo also has higher overall volatility
than StableCo. This is illustrated in Figure 2.1, which graphs the values from
Table 2.1. Investors require a higher rate of return when there is higher
volatility or uncertainty. Higher risk goes with higher required returns.
Assume that the additional volatility of WildCo translates to the equity
analyst adding 300 basis points to the discount rate. The equity analyst will
now value WildCo using a 9 percent (6 percent þ 3 percent) discount rate,
Ca sh
fl ow
(i n
m ill
io ns
)
30
25
20
15
10
5
0
-5 1 2 3 4 5 6 7 8 9 10
StableCo WildCo
Year
FIGURE 2.1 WildCo Is More Volatile Than StableCo
PRESENT VALUE
Present value is a calculation that reduces a series of future cash flows to asingle equivalent value at the present time, adjusting for the time value of money. For example, assume that, for you, the time value of money is a 6 percent interest rate, in terms of your business dealings with your local bank. In other words, you are indifferent between the bank offering you $106 one year from now or offering you $100 today. Now, assume the bank offers you $100 one year from now and $150 two years from now. What is the present value, i.e., what is the single value today which you would accept in place of these future cash flows? The present value is calculated as:
Present value ¼ $100 ð1:06Þ1
þ $150 ð1:06Þ2
¼ $227:84
The future cash flows are said to be discounted to the present time.
22 & Defining ERM
C02 01/07/2011 10:39:14 Page 23
reflecting the higher level of risk in the stock. This produces a valuation for
WildCo equal to $78.84 per share, which is $1.27 lower than StableCo’s
valuation. In this case, the additional volatility (which reflects all volatility—
upside and downside) of WildCo outweighed the additional cash flows, result-
ing in a lower valuation than the less volatile (and lower total cash flow)
StableCo.
Risk Is Deviation from Expected
Risk is generally thought of as the possibility of a loss. This is the most common
reference used, even by many ERM practitioners. However, loss is an in-
complete concept because, as discussed earlier, it excludes upside volatility,
which is the possibility of an unexpected gain. But loss has an even more
insidious shortcoming. It often inadvertently causes people to overestimate the
severity, or magnitude, of a risk. This is because when considering a negative
(downside) risk event, or scenario, it is natural to visualize, for example, the loss
as the total outflow of cash. Unfortunately, this results in double-counting some
expected losses, which should be excluded.
Consider the following example. A Fortune 500 company is considering
litigation risk. Several risk scenarios are developed, including one worst-case
scenario where the company could have a total of $100 million in after-tax
litigation costs. In this example, the loss from this risk event might be thought to
be $100 million. But that would be incorrect. This large company experiences
litigation costs each year, and a certain amount is normal and expected.
Because our definition of risk is deviation from expected, the risk severity, or
impact, should only include the excess over the amount expected. The annual
expected litigation cost is likely to be included in the company’s strategic plan
baseline financial projection. Assume that it is, and that the annual expected
litigation cost is estimated at $35 million in the baseline projection. The risk
severity of the worst-case litigation risk scenario would then be:
ðLitigation costs in worst-case scenarioÞ ! ðLitigation costs in baseline scenarioÞ ¼ ð$100millionÞ ! ð$35millionÞ ¼ $65million
While this may seem like a straightforward distinction, it is one that is
often overlooked. It is easy to forget to deduct the amount expected. In some
cases, those individuals involved with developing the risk scenario may not
be familiar with the strategic plan baseline financial projection and what
items it incorporates. In other cases, the strategic plan baseline projection
Definition of Risk & 23
C02 01/07/2011 10:39:14 Page 24
should have accounted for an item, but omitted it. In the latter cases, the risk
scenario development exercise offers an opportunity to enhance the baseline
projection.
The strategic plan projection is usually developed with primary focus on
value drivers, and this influences which items are included and their account-
ing. The ERM process, in this case specifically the risk scenario development
process, brings in another perspective—the risk drivers. Bringing both aspects
of business—both risk and return—into the strategic planning process
improves its robustness.
Now that we have clarified the three fundamental aspects of the definition
of risk, we will move on to the definition of ERM itself. However, we will further
expand on the definition of risk in Chapter 4, in the section ‘‘Risk Categorization
and Definition.’’
DEFINITION OF ERM
ERM is a complex process. To help provide a solid understanding of ERM, with
its key nuances, we will spend the remainder of this chapter defining ERM from
the following perspectives:
& Basic definition & Key criteria & The ERM process cycle & Fundamental benefits
Basic Definition
In Chapter 1, we provided a short definition of ERM:
The process by which companies identify, measure, manage, and disclose all key risks to increase value to stakeholders.
In the next section, we describe the key criteria implied by this basic
definition, and that comprise the defining characteristics of an ERM program.
Key Criteria
There are 10 criteria that are the critical defining elements of an ERM program.
These can serve as a useful benchmark against which to evaluate whether a
24 & Defining ERM
C02 01/07/2011 10:39:15 Page 25
company truly has a robust ERM program. Currently, most ERM programs are
relatively immature, as measured against these criteria, and are slowly evolv-
ing toward a robust program. These criteria are:
1. Enterprise-wide scope
2. All risk categories included
3. Key risk focus
4. Integrated across risk types
5. Aggregated metrics
6. Includes decision making
7. Balances risk and return management
8. Appropriate risk disclosures
9. Measures value impacts
10. Primary stakeholder focus
Criterion 1: Enterprise-wide Scope
Enterprise is the first word in ERM. This means that ERM must apply to every
area of the company. One never knows where a significant risk event will
occur. In fact, it often occurs precisely where management is not looking.
Unfortunately, most ERM programs do not have a comprehensive enterprise-
wide scope. In such companies, one or more of the following situations exist:
& A ‘‘golden boy’’ unit & An area deemed insignificant & A limiting approach & Differing cultures & Incomplete implementation
A ‘‘Golden Boy’’ Unit The most noteworthy, and troubling, situation is the presence of a ‘‘golden boy’’ unit. This is a business unit that enjoys special rules
because it has been generating large revenue growth and/or profits. The special
rules usually take the form of exempting the business unit from scrutiny or even
routine oversight processes, such as corporate reporting criteria, risk manage-
ment activities, or internal audits. This can be the result of a misalignment of
incentives (e.g., management is paid for revenue or earnings growth and is not
held accountable for increasing the firm’s risk exposure). Whatever the cause,
the result is either a lack of understanding of the risks involved in the business,
or worse, willful ignorance.
Definition of ERM & 25
C02 01/07/2011 10:39:15 Page 26
One example of this was AIG Financial Products (AIGFP). AIGFP caused
the collapse of AIG during the global financial crisis that began in the United
States in 2007. They exposed AIG to enormous risk exposure in credit default
swaps (CDSs). Before these exposures exploded into drowning losses, AIGFP
was a growing source of large profits for AIG, and this led to their being
exempt from corporate risk management scrutiny.
An Area Deemed Insignificant Another situation is a business unit that is deemed minor enough to omit from the ERM process. This often happens
as a result of rolling out an ERM implementation in stages, where priority
order is based on size of the business segment. In considering whether or
not to extend the ERM program further, management decides to omit a
small business area. This is potentially dangerous. Large losses often arise
from small or obscure parts of the firm believed to have very little risk.
However, risk exposure is not always in proportion to the visible size of the
business; it is therefore critical to consider risks that may arise from any-
where in the company.
Nassim Taleb, author of The Black Swan: The Impact of the Highly Improbable
and other books on large loss events, points out that large losses will eventually
appear in business areas with certain qualities that generate routine, and
relatively minor, income for a long period of time.4 Companies that ignore this
warning, and deem apparently minor areas of their organization too small to
include in their ERM program, may be unknowingly exposed to a ticking time
bomb of risk exposure with a fuse of unknown length.
A Limiting Approach A common reason that many corporations cannot roll out their ERM program to all of their operations is because the approach
they are using only works with their primary business segment. This is
especially true for financial services companies with a holding company
structure containing many different types of businesses. In these cases, the
ERM approach commonly used for the banking or insurance operations is based
on capital requirements and cannot be applied to other businesses that do not
have any capital requirements.5
Differing Cultures In some organizations, two (or more) cultures exist, causing some business processes not to be adopted uniformly. In these cases,
ERM may have been adopted, and even successfully implemented, by one part
of the enterprise while another part, operating under a different culture,
26 & Defining ERM
C02 01/07/2011 10:39:15 Page 27
remains uninterested or unaware of ERM. This is more likely to occur in
companies where business segments are more independent, as opposed to those
with a more authoritative corporate department. Competing cultures can be
caused by a variety of differences that separate them, including, but not limited
to, the following:
& Office location & Time zone & Local culture & Language & Types of business & Origins (e.g., a merger of two companies)
Incomplete Implementation In many situations, it is simply the case that ERM is in an earlier stage of development and has not yet been extended fully
to all business segments. Eventually, the ERM program may become truly
enterprise-wide. Most ERM programs are currently in this situation. Until the
ERM program covers all areas, the company remains vulnerable. An ERM
program that does not fully extend across the entire enterprise is similar to the
watertight bulkheads (walls) that were not extended high enough above the
waterline on the infamous Titanic, resulting in its rapid sinking and massive
loss of lives on April 15, 1912.
Criterion 2: All Risk Categories Included
The word all in the basic ERM definition means that all risk categories must be
included. In Chapter 4, we will improve on the standard industry terminology
for risk categories, but for now, we will use the common industry terms. Risk
categories, for most companies, include financial risk, strategic risk, and
operational risk. The definitions of these risk categories are as follows:
& Financial risk. Unexpected changes in external markets, prices, rates,
and liquidity supply and demand. This includes market risk, credit risk, and
liquidity risk. & Strategic risk. Unexpected changes in key elements of strategy formu-
lation or execution. & Operational risk. Unexpected changes in elements related to operations,
such as human resources, technology, processes, and disasters.
Definition of ERM & 27
C02 01/07/2011 10:39:15 Page 28
There is one additional risk category—insurance risk, which generally
applies only to insurance companies. Insurance risk involves poor performance
of the pricing, underwriting, reserving, or setting of required capital for
insurance products.
Including all risk categories is critical for the validity of an ERM program.
Key risks can reside in any of the risk categories. Ignoring a risk category, or not
having a balanced focus among all risk categories, can expose the company to
excessive risk and result in focusing limited risk mitigation resources on the
wrong priorities.
Surprisingly, the vast majority of ERM programs focus all, or most, of their
attention only on financial risks. The primary evidence of this imbalance is the
lack of a sufficiently robust approach to quantifying strategic and operational
risks. There are three main causes of this neglect:
1. Inability to quantify strategic and operational risks
2. Myth regarding importance of financial risks
3. Financial analyst bias
Inability to Quantify Strategic and Operational Risks One basis for this imbalance is an inability to quantify strategic and operational risks. For
financial risks, there is a large amount of objective market data to use in
developing risk scenarios, which include quantitative impacts on financial
results. However, for strategic and operational risks, which are heavily depen-
dent on the specific makeup of the organization impacted, there is far less data
available. In addition, popular quantification methods do not adequately
support strategic and operational risks. The quantification methods either
do not provide any quantification, or worse, they dramatically understate
the severity of the risk. In Chapter 3, we explore this issue in more detail and
describe an emerging approach that resolves this, and other, issues.
Myth Regarding Importance of Financial Risks A second source of the disproportional focus on financial risks is the belief that financial risks are the
most important risks—that they are themajority of the risks that most threaten
the organization. This is not supported by experience, and in fact, quite the
opposite is true. Research studies consistently show that strategic and opera-
tional risks represent the majority of the key risks for a company and also
comprise the biggest threats.
A research study published in December 2009, which I directed and co-
authored, examined the distribution of risks by risk category.6 The analysis was
28 & Defining ERM
C02 01/07/2011 10:39:15 Page 29
based on the occurrence of negative events, related to public companies,
appearing on the front page of the Wall Street Journal in 2006. Only 1 percent
of such front-page news were financial risks, while approximately two-thirds
(64 percent) were strategic risks and approximately one-third (35 percent)
were operational risks.
Similar results are found in other industry research, confirming that the
source of significant risk events for companies is, in decreasing order: strategic
risk, operational risk, and financial risk. In Figure 2.2, an 18-year study by the
Corporate Executive Board Company shows the root causes for one-year
market capitalization declines of 50 percent or more, involving the top 20
percent of the Fortune 1000. Approximately two-thirds (65 percent) were
strategic, 20 percent were operational (including legal and compliance risks
categorized as operational), and only 15 percent were financial. However, even
the 15 percent may be overstated, because many if not all of the risks
categorized as financial appear to be operational, specifically human re-
sources-related (such as performance risk, which is management or staff
not performing their function as expected).7
Figure 2.3 shows a six-year study by Mercer Management Consulting
examining the triggering events for the 100 largest one-month value declines
among the Fortune 1000 between 1993 and 1998. The vast majority of the
risks were strategic (61 percent), one-third (33 percent) were operational, and
only 6 percent were financial.
16% 15%
13%
7%
4% 4% 2% 2% 2%
5% 4%
3% 1%
4% 3%
6% 4%
3% 2%
Operational Risks
Legal and Compliance
Risks Financial
Risks Strategic
Risks
n = 98
Market Capitalization Decline Drivers Top 20% of Fortune 1000 (1988-2005)
15%7%13%65%
FIGURE 2.2 Risks Causing 50 Percent Decline in Value
Definition of ERM & 29
C02 01/07/2011 10:39:18 Page 30
Another research study shows that the vast majority of members of boards
of directors believe that the biggest threats for their organizations are strategic
risks rather than financial risks. Figure 2.4 shows the results of a 2006 survey
of directors by The Conference Board, which asked directors about the biggest
threats facing their organizations. The research reveals that, across all sectors,
24
12
7 6
4 2
1 1 1
11
7 7 6
3 2
1 0 0
0
5
10
15
20
25
Cost Overrun
Accounting Problems
Poor Manage-
ment Supply Chain Issues
Competitive
Merger Problem
Wrong Products
Pricing Pressure
Customer Losses
Supplier Problems
R&D Delays
Demand Shortfall
Regulation
Strategic 61%
Operational 33%
Financial 6%
Hazard 0%
Foreign Economic
Issues
Interest Rates
High Input
Prices
Law- suits
Natural Disaster
FIGURE 2.3 Largest 100 Declines in Value
0% 20% 40% 60%
All Sectors
Financial Services
16%
26%
41%
52%
53%
48%
Strategic risk Risk of regulatory change Financial risk
FIGURE 2.4 Directors’ Ranking of Biggest Threats
Source: The Conference Board, The Role of U.S. Corporate Boards in Enterprise Risk Management, 2006.
30 & Defining ERM
C02 01/07/2011 10:39:19 Page 31
directors believing that strategic risks are the biggest threats outnumber those
believing the threats to be financial risks bymore than 3 to 1 (53 percent versus
16 percent). Even within the financial services sector, directors voting strategic
risks as most important outnumbered those voting for financial risks by almost
2 to 1 (48 percent versus 26 percent).
Part of the myth that financial risks are the most important is based on an
incorrect approach to risk categorization and definition; in confusing the source
of a risk with its outcome, risks that are either in whole or in part strategic or
operational risks are frequently miscategorized as exclusively financial risks.
One example is the global financial crisis that began in the United States in
2007. There were multiple sources of risk that led to the financial crisis, many
of which were not financial risks. See ‘‘Criterion 2: All Risk Categories
Included’’ in Chapter 9 for the case study analysis.
Financial Analyst Bias A third cause of the lack of appropriate focus on non- financial risks is financial analyst bias. Most of those doing the modeling share a
financial-centric mind-set. Their education is focused on financial risk. Their
training and certification is in financial risk. Their experience is only with
financial risk. Even the name and purview of their department may limit them
to financial risk. In addition, their techniques cannot readily handle strategic
and operational risks; their methods work best when there is a wealth of
objective quantitative data available, which is not the case with strategic and
operational risks.
The lack of sufficient inclusion of non-financial risks may be the result of
one or a combination of the previously mentioned factors. Whatever the
reason, this represents a dangerous flaw in most ERM programs. The impor-
tance of this cannot be overstated. These partially quantitative ERM programs
fail to quantify the vast majority of the key risks in terms of their individual and
collective contribution to the overall volatility of the organization, in terms of
the key metrics.
These partially quantitative ERM programs give the strong impression that
they are not incomplete, causing management to erroneously rely on, and
misinterpret, the information. This false impression is given by the level of
precision implied by the data handed to management by the financial modelers
(also known as financial analysts or simply modelers) of these flawed ERM
programs. The modelers routinely provide outputs from their models showing
the volatility of key metrics, presented in a way that implies a high degree
of accuracy; one example is showing the figure out to a large number of
significant digits.
Definition of ERM & 31
C02 01/07/2011 10:39:19 Page 32
This problem is rampant in the financial services sector, where it is even
more common to find this imbalance in the quantification of key risks. One
example, from the banking sector, is the ‘‘Value-at-Risk’’ (VaR) metric. VaR
is often defined as the maximum amount of capital that can be lost in a single
day, within a given small predefined likelihood. Another example, at insur-
ance companies, is the ‘‘economic capital’’ metric, which is the amount of
capital needed on hand today to limit the probability of ruin, over a given
time horizon, to within a given small predefined likelihood. In both of these
examples, these numbers are commonly provided to management in number
form that includes a large number of significant digits, implying a high level
of accuracy (e.g., a number is shown as $35,455,809, rather than
$35 million). In addition, these numbers are often provided without the
proper disclaimers of incompleteness regarding overall firm volatility. This
offers an incorrect representation to management, despite being quite
unintentional, that this (financial-only) volatility represents the bulk, or
even the totality, of the risk exposures about which management needs to
be concerned.
This is alarming because of the dangerous nature of ignoring the majority
of the key risks in the metrics, and particularly so because this is often
occurring under the guise of an enterprise risk management program . . . yet
the word enterprise seems ignored. However, what is even more shocking is
that what the (usually) math-savvy modelers are doing violates a basic
mathematical concept we all learned in elementary school—the rule of
significant digits. See ‘‘Significant Digits.’’
SIGNIFICANT DIGITS
The rule of significant digits can best be illustrated through a simpleexample. Assume we have two numbers. The first number is 2. What do we know about the level of accuracy of this number? It might be rounded up from 1.50 or it might be rounded down from 2.49. Now, we have a second number, which is 2.04. This number is presented to us out to two decimal places. What do we know? Well, we know it has far more implied accuracy than the first number. However, the second number similarly may be rounded up from 2.0350 or rounded down from 2.0449. The significant digits rule indicates that where two numbers have different levels of significant digits, we must report the sum of those two numbers with
32 & Defining ERM
C02 01/07/2011 10:39:20 Page 33
Modelers in partially quantitative ERM programs are violating the rule of
significant digits. They are omitting the impacts of strategic and operational
risks from the ERM metrics, which purport to be holistic or all-inclusive, and
then presenting these metrics with only the financial sources of risks
included, and out to a high degree of significant digits. From the available
research data, it seems clear that financial risks are certainly not the totality
of the key risk exposure, and they are not even the majority of it. The research
suggests that, on average, financial risks are likely to represent only a small
percentage (at most, 15 percent) of the total volatility of the enterprise and
that the strategic and operational risks account for the majority of the
volatility. Therefore, if modelers are providing ERM metrics to management
representing the total firm risk exposure but the metrics only include
financial risk exposure, it is as if they are presenting the sum of two numbers
to management:
Total enterprise risk exposure ¼ ðRisk exposure from financial risksÞ þ ðRisk exposure from non-financial risksÞ
the same number of significant digits as the less accurate of the two numbers. In this case, we must report the sum of the two numbers out to only zero decimals.
2þ 2:04 ¼ 4
Alternatively, as a business matter, we could merely report each number separately, without summing them, and indicate the differing levels of accuracy of each number, if there is a desire not to lose the additional information that one of the numbers has more significant digits. This would maintain the integrity of the information and not mislead.
The significant digits rule also states that we cannot report the summa- tion of the two numbers as follows:
2þ 2:04 ¼ 4:04
This would be misleading, giving the false impression that we have confidence in the sum of the two numbers out to two decimal places. But this is not true. Claiming that the sum is 4.04 would mask the poor level of confidence in the accuracy of the sum, whose true value, expressed out to two decimals, ranges anywhere from 3.54 to 4.53, as shown:
ðMinimum;MaximumÞ ¼ ð1:50þ 2:04; 2:49þ 2:04Þ ¼ ð3:54; 4:53Þ
Definition of ERM & 33
C02 01/07/2011 10:39:22 Page 34
where:
a) The risk exposure from financial risks is calculated out to a large number of
significant digits, and
b) The risk exposure from non-financial risks is estimated as zero (and worse
yet, not even shown as a zero, but merely omitted from the page)
For example:
Total enterprise risk exposure
¼ ðRisk exposure from financial risksÞ þ ðRisk exposure from non-financial risksÞ ¼ ð$35;455;809Þ þ ð0Þ ¼ $35;455;809
If we assume, perhaps generously, that the financial risks represent a full
15 percent of overall firm risk exposure, then the total enterprise risk exposure,
rather than $35,455,809, is actually closer to the neighborhood of a quarter of
a billion dollars (number of significant digits intentionally minimized). This
gives some perspective on how much of a disservice is done by omitting
quantification of strategic and operational risks.
In some financial services companies, rather than use zero, they estimate
the non-financial risk exposure as an arbitrary percentage (e.g., 15 percent) of
the financial risk exposure. This is almost as bad a practice, and certainly still
violates the significant digits rule, because the large number of significant digits
in the financial risk exposure number is masquerading as a highly accurate
number worthy of our respect and attention. In fact, it is not that useful a
number and should be afforded the level of disrespect that it deserves.
The only defense offered by these modelers as to why they do not attempt to
quantify strategic and operational risks is related to the first reason stated
earlier—an inability to quantify. However, they verbalize their argument a bit
differently, saying that ‘‘you can’t quantify strategic and operational risks with
accuracy.’’ What they mean, of course, is that it is not possible to quantify these
risks with the same level of accuracy as financial risks. And that may be true,
but that doesn’t justify not estimating them at all, considering they represent
the larger component, which, as shown earlier, is an egregious alternative that
violates the business purpose of the ERM metric in question.
Criterion 3: Key Risk Focus
The word key in the basic definition indicates that ERM should only include
the major risks to the company’s value. ERM is not intended to include a
34 & Defining ERM
C02 01/07/2011 10:39:22 Page 35
comprehensive list of potential risks, which could range in the hundreds or
thousands. ERM is strategic in nature and is focused on a relatively small list
of risks that have the largest potential impact to the firm. For a company’s
first time through the ERM process cycle, a reasonable number of key risks
may be in the range of 10 to 30. Approximately 10 risks might be appropriate
for a pilot exercise, if management wants to build buy-in before implemen-
tation. However, 20 to 30 risks are needed to produce a robust set of results to
rely on for decision making. The specific number of key risks that is
appropriate for the enterprise depends on a proper categorization and
definition of risks and also on finding an appropriate cut-off point during
the qualitative risk assessment process.
However, the number of key risks does not depend on the size of the
organization. In other words, just because one company is 10 times the size of
another does not imply that it has 10 times the number of key risks. If the two
companies are otherwise identical, they will have approximately the same
number of key risks (the number of key risks may not be exactly the same,
because, for example, the larger company may have more key risks related to
reputational issues). This is because the number of key risks is merely a
reasonable number of risks on which senior management can focus, at a
given time, in a priority manner. It is based on people and their reasonable
limits of focus. There is only one CEO, one board of directors, and one senior
management team. The magnitude of the impact of the key risks will vary
significantly by company size, but the number of key risks should not vary
that much.
This is in stark contrast to the way many companies try to approach
ERM. Many companies mistakenly believe that ERM is merely an extension of
a Sarbanes-Oxley (SOX) exercise. The Sarbanes-Oxley Act passed in response
to a wave of financial reporting scandals. In trying to comply with SOX, most
companies created lists of every possible risk to financial reporting accuracy.
The list of risks often numbered in the hundreds or even thousands for the
larger companies. Each risk was tracked against information on its mitiga-
tion, including assignment of a risk owner. SOX compliance became a
quarterly routine of verification that the risks were adequately mitigated.
When ERM came along, many companies wrongly assumed it was similar to
SOX, with which they were familiar, with the only difference being that ERM
applied to all risks rather than just inaccurate financial reporting. Com-
pounding this issue, some technology vendors reinforce this false notion by
capitalizing on the software needs of maintaining an exhaustive list of every
potential risk for every company process. Similarly, some audit firms further
Definition of ERM & 35
C02 01/07/2011 10:39:22 Page 36
this misunderstanding by relabeling an expanded version of a SOX exercise
as ERM and claiming that it is part of a governance, risk, and compliance
(GRC) program.
Criterion 4: Integrated across Risk Types
Virtually all companies have been managing risk since their inception in some
fashion. However, companies have traditionally managed each type of risk in
isolation, rather than on an integrated basis: The information technology (IT)
department deals with technology-related risks; the human resources (HR)
department manages people-related risks; the investment department covers
market and credit risk; and so on. Unfortunately, this ‘‘silo’’ approach to risk
management has three disadvantages. Silo risk management is:
1. Incomplete
2. Inefficient
3. Internally inconsistent
Incomplete The most dangerous weakness of silo risk management is that it provides an incomplete representation of the risk profile. Silo risk management
does capture the most basic type of risk event—where one risk scenario occurs
at a time. This provides the most fundamental picture of a given risk and how it
can impact the enterprise. However, it is important to also measure the impact
of multiple risks occurring at the same time. There are three reasons why
limiting risk measurement to silo risk scenarios is incomplete:
1. Ignores real-world complexity. It is unrealistic for only one risk event
to occur at a time. This may be true for worst-case scenarios, where each
one is so unlikely to occur. However, many risks considered in an ERM
program are of moderate likelihood. For only a single moderate risk
scenario to occur at a time is like having everything happen precisely
as you expect for every aspect of your business, except one. For example,
your product strategy, your distribution strategy, your marketing strat-
egy, your human resources plan, and so forth all go perfectly . . . except
your technology update program is a little behind schedule. Reality
involves far more uncertainty than that.
2. Omits the largest threats. Multiple risk events occurring simulta-
neously can result in some of the largest threats to a company’s survival.
After the first event, the enterprise is in a weakened state, increasing the
36 & Defining ERM
C02 01/07/2011 10:39:23 Page 37
likelihood of some secondary events occurring. In addition, risks can
interact to exacerbate each other. A research study performed by Deloitte
Research called ‘‘Disarming the Value Killers: A Risk Management Study’’
revealed that over 80 percent of the 100 largest losses in shareholder
value (over the 10-year study period, 1994–2003) were the result of two
or more risks interacting.
This is also intuitive. Consider competitive boxers in the heavyweight
division. They are often said to be able to ‘‘take a punch,’’ which means a
competitor can land a single solid blow to their chin and yet they can stay
on their feet. But what can result in a knockout? It’s usually a combination
punch. This is a barrage of multiple blows occurring in rapid succession.
Also consider people you may have known or heard about whose lives
suddenly went into a downward spiral. Often it is not just one unlucky
event that caused their downfall, but rather two or more shocks to the
system that sends them reeling. It’s the same for organizations. So, if you
are not capturing multiple simultaneous risk events, then you may be
missing something that could potentially ruin the firm.
3. Does not capture offsetting risks. Multiple risk events can offset each
other. Our definition of risk includes both downside and upside risk events,
so one event can offset the financial impact of another. For example,
consider that one downside risk event lowers sales growth by some
amount, but another upside risk event occurs that increases sales growth
by an equal, and offsetting, amount. This seems fairly straightforward.
What may be surprising is that even two downside risk events can offset
each other, to some degree. For an example, see ‘‘Downside Risk Events
Can Partially Offset Each Other.’’
DOWNSIDE RISK EVENTS CAN PARTIALLY OFFSET EACH OTHER
To illustrate how two downside risk events can partially offset each other,we will use a hypothetical global manufacturing company, called Glob- alCo, as an example. Table 2.2 shows the GlobalCo strategic plan baseline scenario financial projection for the coming year. For illustrative purposes, in this example, we make the following simplifying assumptions:
(continued )
Definition of ERM & 37
C02 01/07/2011 10:39:26 Page 38
(continued )
& GlobalCo is only in business for one year.
& Expenses are 90 percent of revenues.
& Income tax rate is zero.
Consistent with our definition of risk as deviation from what is expected, risk is measured by the shock to, or change in, the strategic plan baseline scenario financial projection. In this example, we will use the net income metric to represent the baseline, and risk will be defined as deviations from net income. Consider two different risk scenarios, each from a different source of risk:
Risk Scenario A: A new regulation is passed increasing GlobalCo’s expense ratio from 90 percent of revenues to 95 percent of revenues.
Risk Scenario B: A new competitor enters GlobalCo’s markets reducing their market share from 5 percent to 4 percent.
First, let’s consider the financial impact of each risk scenario occurring by itself. If Risk Scenario A occurs by itself, the change in net income is a decrease of $50 million (shock scenario net income of $50 million minus baseline scenario net income of $100 million), as shown in Table 2.3.
If Risk Scenario B occurs by itself, the change in net income is a decrease of $20 million (shock scenario net income of $80 million minus baseline scenario net income of $100 million), as shown in Table 2.4.
TABLE 2.3 GlobalCo: Risk Scenario A
Risk Scenario A (in $ millions) Year 1
Revenues 1,000
Expenses 950
Net Income (Revenues less Expenses) 50
Change from Baseline !50
TABLE 2.2 GlobalCo: Baseline Scenario
Baseline Scenario (in $ millions) Year 1
Revenues 1,000
Expenses 900
Net Income (Revenues less Expenses) 100
Change from Baseline N/A
38 & Defining ERM
C02 01/07/2011 10:39:30 Page 39
In Chapter 3, we describe how a robust ERM framework addresses this
issue by capturing multiple risk events and their interaction, including exac-
erbation or offsetting of financial impacts.
Inefficient Silo risk management results in various inefficiencies. The most important of these inefficiencies are:
& Overpaying. The lack of awareness and coordination often present in silo
risk management can result in the separate purchasing of hedges for
Now, let’s consider the financial impact of both risk scenarios occurring simultaneously. If Risk Scenario A and Risk Scenario B both occur together, the change in net income is a decrease of $60 million (shock scenario net income of $40 million minus baseline scenario net income of $100 million), as shown in Table 2.5.
The $60 million decrease in net income from the combination of both risk events is lower than the sumof the two risks occurring separately, which is $70 million ($50 millionþ $20 million). So, in this case, the financial impact of the risks is not additive. The difference, an interactivity benefit of $10 million ($70 million !$60 million), is the amount that the risks offset each other. This is attributable to the additional 5 percent expense ratio (due to Risk Scenario A) that is operating on a revenue base that is $200 million lower (due to Risk Scenario B), which results in the offset of $10 million ($200 million multiplied by 5 percent).
TABLE 2.4 GlobalCo: Risk Scenario B
Risk Scenario B (in $ millions) Year 1
Revenues 800
Expenses 720
Net Income (Revenues less Expenses) 80
Change from Baseline !20
TABLE 2.5 GlobalCo: Risk Scenario A and Risk Scenario B
Risk Scenario A and Risk Scenario B (in $ millions) Year 1
Revenues 800
Expenses 760
Net Income (Revenues less Expenses) 40
Change from Baseline !60
Definition of ERM & 39
C02 01/07/2011 10:39:32 Page 40
related risk exposures in multiple parts of the company. This can increase
the overall cost of mitigation, as opposed to that which could be achieved
by buying in bulk. & Under-communicating. The absence of a centralized approach and
appropriately structured risk governance impedes information sharing.
This inhibits the development of best practices in risk management. In
particular, and most costly, is the inability to effectively share lessons
learned from costly mistakes, potentially dooming other departments to
repeat the same error.
In contrast, a robust ERM program is integrated, removes these in-
efficiencies, and results in appropriate bulk purchasing of hedges and sharing
of information enterprise-wide.
Internally Inconsistent A third disadvantage of silo risk management is that the organization may be making internally inconsistent projections
regarding the market. Different business segments, developing explicit or
implicit risk scenarios independently, may be making different assumptions,
for example, about the direction of the economy or sector growth. As a result,
different areas may unknowingly be making bets that are at cross-purposes.
In contrast, an integrated approach would facilitate a single set of internally
consistent market projections, and reconcile all bets on market direction,
enterprise-wide.
Criterion 5: Aggregated Metrics
Another implication of the word enterprise in ERM is the ability to aggregate
exposure metrics and risk decision making to the enterprise level. There are
two main aggregate pieces of ERM information at the enterprise level. One is a
calculated metric of aggregate risk exposure and the other is a management
decision defining the target level of aggregate risk exposure.
The first is a calculated metric, or set of metrics, that aggregates the risk
exposures to the enterprise level. This is called enterprise risk exposure.
Assume that company value is one of the ERM metrics. This will be defined
later in this chapter (see ‘‘Company Value’’), but for now consider it simply as
an internal valuation, performed by management, to calculate the value of
the company to its primary stakeholder. The enterprise risk exposure may
be expressed, for example, as ‘‘We currently have a 10 percent chance of
losing 15 percent or more of our company value.’’ This is just one example.
40 & Defining ERM
C02 01/07/2011 10:39:34 Page 41
There are usually multiple metrics, each with multiple thresholds, and
corresponding likelihoods. This is a calculated metric, or set of numbers,
at one point in time.
The second aggregate element—the counterpart to enterprise risk expo-
sure—is a quantitative definition, set by management, of the amount of enter-
prise risk exposure that is acceptable. This is called risk appetite. Another term
for this is risk tolerance, which is used by Standard & Poor’s. Risk appetite is the
target level of enterprise risk exposure. Risk appetite is what management wants
enterprise risk exposure to be, at the limit. Continuing our company value metric
example, management may define risk appetite as ‘‘We want no more than a
7 percent chance of losing 15 percent or more of our company value.’’ Again,
this example involves just one data point, whereas, mirroring enterprise risk
exposure, risk appetite is a set of defined targets for a set of metrics.
In this example, management defines risk appetite below the current
enterprise risk exposure level, indicating a desire to reduce the level of risk.
Because likelihood and severity go hand in hand, even our single data point
definition of risk appetite can be expressed in two ways. In our example,
management expressed a desire to reduce the likelihood, from 10 percent to
7 percent, of suffering a loss of 15 percent or more in company value. They
focused on a specific level of severity—a loss of 15 percent or more—and
wanted this to be less likely. This is the most common choice, because
management focus is on the severity of events more than the likelihood.
Management is well aware of the outcomes they would like to avoid. Never-
theless, management can express the desire for a reduction in risk by fixing
the likelihood and targeting a lower corresponding severity. For example,
management can define risk appetite as ‘‘We want a 10 percent chance to
correspond to, at the maximum, losing 12 percent or more of our company
value.’’ This is equally valid.
Most companies still use silo risk management and do not yet have either
of these aggregate elements. However, they are such a fundamental part of
ERM that without these two elements, the ERM program cannot perform its
primary function, which is to manage enterprise risk exposure to within risk
appetite. In our example, management is indicating that they wish to lower
enterprise risk exposure from its current 10 percent likelihood to within a 7
percent likelihood of crossing a threshold of a loss of 15 percent or more of
company value.
The ability to produce aggregate information at the enterprise level—and
particularly enterprise risk exposure and risk appetite—is not critical only
because it supports the primary function of ERM. It is also of vital importance
Definition of ERM & 41
C02 01/07/2011 10:39:34 Page 42
because this should be the first step, chronologically, in the risk decision-
making process. Information on risk exposures and risk appetite should first
be produced at the enterprise level, and then cascaded downward through the
organization, in a type of allocation or budgeting process. For example, risk
appetite is allocated or budgeted downward to determine risk limits. The type
of risk limits set varies by organization, and can include geographic areas,
business segments, and/or individual risks.
When this is implemented in the correct chronological order, it turns the
risk management process upside-down, or more accurately, right-side-up, for
the first time. Traditional risk management assesses risks at the local business
unit or risk level, and decides on mitigation based on local business manage-
ment’s judgment, instinct, or, even worse, arbitrary rules of thumb established
long ago for other purposes. Using a traditional risk management approach can
result in under-mitigating some risks, which can be disastrous if such a risk
event occurs and the company is not adequately protected. However, a more
common and immediate consequence of the traditional risk management
bottom-up approach is the converse—many risks are over-mitigated. This
results in waste, as resources are unwittingly spent on excess mitigation which
management would have vetoed, if the proper information had been available.
In contrast, ERM introduces a logical approach based on the overall
volatility of the enterprise and the desired level of enterprise stability, or shock
resistance, desired by management. This is more sensible, because this is
how the shareholders and other key stakeholders perceive the volatility: in
the way that it expresses itself at the enterprise level. Once the two essential
aggregate counterparts of information—enterprise risk exposure and risk
appetite—are determined, lower-level decisions can be made at the business
segment, business unit, or risk level, depending on the specific risk culture of
the organization, and how they choose to allocate their aggregate enterprise
‘‘risk budget’’ down through the organization.
Criterion 6: Includes Decision Making
The word manage in the ERM basic definition indicates the main purpose of
ERM: responding to the risk, managing it, making decisions. Many risk
management programs identify and quantify the risks, but then merely report
them to management and the Board with little or no action built directly into
the ERM process. For example, many companies conduct qualitative risk
assessments with the primary goal of developing a simple risk status report
to senior management or the board of directors.
42 & Defining ERM
C02 01/07/2011 10:39:35 Page 43
This report usually takes the form of a ‘‘heat map’’—a simple chart listing
key risks and scoring them with stop-light color coding: red (danger), yellow
(warning), and green (okay). Some color codings refer to the overall scoring
of likelihood or severity, while others refer to the level of exposure versus the
risk limit. An example of the latter heat map is shown in Figure 2.5.
This focus on reporting seems to skip the most important step—actually
doing something about the risk exposures. In a vigorous ERM program, the
main purpose is making decisions and addressing the risk exposures, bringing
them within the company’s risk appetite. This primary activity is central to the
ERM process and is repeated in each process cycle (see ‘‘The ERM Process
Cycle’’ later in this chapter).
Criterion 7: Balances Risk and Return Management
Another aspect implied by the word manage in the basic ERM definition is that
ERM is not just about risk mitigation. Prior to the introduction of ERM, risk
management was exclusively about downside risk, employing mitigation to
lower the exposure, and avoiding some risks altogether. The risk management
function often manifested itself in the form of risk managers frequently saying
no to projects, impeding the business segments from taking on more downside
Risk Quantification
Status
Key Risk Prior
Period Current Period
Projected Period
Currency risk E N W Supplier risk W N W Regulatory risk N E N Compliance risk W W W M&A execution risk N W W IT failure W W W
(W) = Within Limits (N) = Near Limits (E) = Exceeding Limits
... ... ... ...
FIGURE 2.5 Sample Heat Map
Definition of ERM & 43
C02 01/07/2011 10:39:36 Page 44
risk exposure. This sometimes frustrated business opportunities and business
decisionmakers, because it was not always clear that the upside potential of the
project was fairly weighed against the downside risk exposure. As a result,
decisionmakers in the business segments often looked to minimize involvement
by the risk management department.
However, ERM represents a quantum leap forward. Both upside and
downside volatility are in scope. This means that the full range of business
is recognized and addressed. Risk exposures from which the company does
not benefit are considered for mitigation—a reduction in exposure. This was
present in traditional risk management. But what is new with ERM is that
risks for which the company is rewarded are considered for exploitation—
an increase in exposure. This expanded approach allows for considering
any business decision holistically: The upside risk-taking opportunity is
considered alongside the downside risk exposures, for a full risk–return
evaluation. Upside volatility is in scope and factored into the enterprise
risk exposure calculations. As a result, ERM can identify where, and how
much, additional risk may be taken, in the context of appropriate risk–return
trade-offs. This involves a key linkage between risk and return, often missing
in traditional risk management programs and even traditional business
management approaches.
The importance of this cannot be overstated for risk management per-
sonnel. Rather than being the bearers of bad news whom business decision-
makers avoid, they are now welcome at the strategy table. They are invited to
decision-making conversations in the business segments and at the corporate
level. The risk professionals nowhave a framework for bringing risk and return
together, and can add value to important decision-making processes, includ-
ing strategic planning.
Criterion 8: Appropriate Risk Disclosures
When first implementing an ERM program, the question often arises as to
whether a new risk will be identified. The general answer is that the company
already knows its key risks, and uncovering a completely new type of risk that
management hadn’t considered is unlikely. However, there is one risk that is
frequently the single most overlooked risk, and that is the risk of improper risk
disclosures.
The word disclose in the basic ERM definition implies offering external
stakeholders real insights into the company’s risks and ERM program. Un-
fortunately, risk disclosures are typically generic—they look very similar from
44 & Defining ERM
C02 01/07/2011 10:39:36 Page 45
company to company—and their risk lists are often exhaustive, appearing to
list every major conceivable risk for their industry sector. Yet, there can be a
vast range of ERM sophistication between companies in a given sector—some
are quite advanced in their ERM process while others have not started theirs
yet. This mismatch between what is disclosed to external stakeholders and
what is the reality of the ERM program inside the company represents a
significant risk.
Imagine a company that suddenly has its stock price fall 50 percent due to
some risk event that did not occur for any of its competitors. Management is
now under scrutiny. Many questions will be asked, some by shareholder
litigation attorneys, including ‘‘What did management know, and when did
they know it, regarding the potential impact of this risk on shareholder value?’’
Imagine further that the litigants are able to say, ‘‘This risk is listed as #35 in
the risk disclosures, yet management should have known that based on the
potential impact to shareholder value it should have been listed in or near the
top five. Why didn’t management list it as such?’’
Now, imagine a second company that has its stock price collapse similarly.
However, when asked similar questions by shareholders, management is able
to respond as follows: ‘‘We cannot know what risk events will actually occur.
However, we recently implemented an ERM program that measured the
potential impact of all key risks on shareholder value, and used this to inform
development of the risk disclosures. This resulted in a significant shift from the
prior year’s risk disclosures. We changed the order of the risks, the length of
text, the tone, and the context of the information. We did our best to help
shareholders understand the risks present, and the shareholders were as well
informed as possible.’’ The second company is in a much better position to
defend the appropriateness of their risk disclosures.8
Virtually all companies are in the situation of the first company—they
do not infuse their risk disclosures with information about the potential
impact of key risks on shareholder value. For each such company, there
are two possible explanations. One is that the company may be unable to do so
because they do not measure the potential impact of risks on shareholder
value. Most companies are in this situation. Another possibility is that the
company may be unwilling to do so, because none of their competitors have
yet disclosed this kind of information. It is just speculation, but we may be
coming soon to a time when neither answer will be acceptable. At some
point, either shareholder litigation may raise the stakes for external risk
disclosures or regulations may require it. Chapter 7 discusses risk disclosures
in more detail.
Definition of ERM & 45
C02 01/07/2011 10:39:37 Page 46
Criterion 9: Measures Value Impacts
The word value in the basic ERM definition indicates the importance of using
holistic metrics in the risk quantification process—metrics that can fully
capture the value of the company to the primary stakeholder. People often
refer to the importance of value-added, yet few actually measure it. Manage-
ment needs measures to inform their decision making. For public companies,
the primary stakeholder is the shareholder. The market’s measure of share-
holder value is market capitalization, which is the stock price multiplied by
the outstanding shares. We will define management’s own measure of
shareholder value as company value. Company value is a key metric that
will be used throughout this book. It is management’s internal valuation of
what the company is worth to its primary stakeholders, which are the
shareholders for public companies or owners for companies that are not
publicly traded. See ‘‘Company Value.’’
COMPANY VALUE
We will define company value as an internal valuation, performed bymanagement, that calculates the value of the company from the perspective of its primary stakeholder. For public companies, company value is the value of the company to shareholders. Unless otherwise specified, in this book, we will generally refer to public companies, although the concepts are analogous for non-publics as well. In addition, we define company value herein in one particular way, but this is often modified by management to conform to internal views on the definition of value.
We will define company value by defining each of the following three terms:
1. Distributable cash flow
2. Company value
3. Baseline company value
Distributable Cash Flow
Distributable cash flow is cash flow available to be distributed to share- holders. Distributable cash flow is generally calculated as:
46 & Defining ERM
C02 01/07/2011 10:39:38 Page 47
Distributable cash f lowNon!f inancial services ¼Net income þDepreciation and amortization ! Increase in working capital !Capital expenditures
For financial services companies, distributable cash flow has an extra component and is calculated as:
Distributable cash f lowFinancial services ¼Net income þDepreciation and amortization ! Increase in working capital !Capital expenditures ! Increase in required capital
Unless otherwise specified, in this book, we will use the formula for non- financial services companies.
Technically, distributable cash flow also includes changes in the level of debt, which includes repayment of principal to bondholders as well as issuance of new debt. To simplify our discussions and illustrations in this book, we will omit this.
Company Value
Company value is an internal valuation by management of the value of the company to shareholders, which is the present value of distributable cash flows:
Company value ¼ X1
n¼1 Distributable cash f lown
ð1þ dÞn
Where:
& n ¼ year of projection & Distributable cash f lown ¼ distributable cash flow, projection year n & d ¼ discount rate, which is management’s estimate of the rate of return
required by the shareholders for their investment; this is an estimate of the cost of equity capital
Technically, company value also includes distributable equity capital at time zero, which is calculated differently for different types of companies. For non-financial services companies, it is adjusted shareholder equity. For financial services companies, it is available capital (adjusted shareholder equity minus required capital). To simplify our discussions and illustrations in this book, we will omit this.
(continued )
Definition of ERM & 47
C02 01/07/2011 10:39:40 Page 48
Surprisingly, very few companies have an internal valuation of the
company for general management purposes, and even fewer use this metric
in their ERM program. Traditionally, risk management programs quantify risk
in terms of short-term period metrics; for example, the impact on today’s
balance sheet or the impact on next quarter’s earnings. This is not adequate for
capturing the full impact of all types of risks and is also inadequate for informing
decision making. ERM must include more holistic metrics.
Criterion 10: Primary Stakeholder Focus
Many traditional risk management programs focus on maintaining their
ratings as their central theme. In addition to a focus on ratings, financial
service companies also focus heavily on maintaining regulatory capital
requirements. This is understandable when you consider that traditional
risk management is rooted in downside risk events and mitigation. However,
ERM is more strategic, involves upside volatility as well as downside volatil-
ity, and begins with a focus on the primary metrics of the firm. So, while
rating agencies and regulators are important, they are secondary to the
primary stakeholder: shareholders. As such, rating agencies and regulators
should not be maximally satisfied, because this often leads to less-than-
maximal shareholder value.9 For example, a financial services company that
holds excessive capital may garner the top rating from rating agencies, but
the fallow capital will lower future growth and returns and thereby lower
company value.
(continued ) There are many alternate ways to calculate company value. One example
is to discount distributed cash flow, in the form of projected shareholder dividends, rather than distributable cash flow, which we will use in this book.
Baseline Company Value
The baseline company value ismanagement’s calculation of company value based on distributable cash flow projections consistent with the strategic plan baseline financial projection. Whereas market capitalization is the market’s estimate of shareholder value, baseline company value is man- agement’s estimate, or ‘‘expectation,’’ of shareholder value. The baseline company value is the value an investor would pay today, if they believed that management will be able to perfectly execute the strategic plan and that everything will go the way the company expects.
48 & Defining ERM
C02 01/07/2011 10:39:40 Page 49
Instead, ERM must focus on increasing value to shareholders. The level of
satisfaction of secondary stakeholders is factored in, but only to the extent that it
impacts shareholder value, or company value, which is management’s estimate
of shareholder value. For example, while searching for the risk-to-value trade-
offs that might maximize company value, rating agency constraints must be
taken into account because a lower rating might negatively impact value. But it
might not. This is witnessed by the fact that most companies have long since
migrated away from AAA ratings, deeming them too expensive and un-
necessary in the quest to maximize company value, and the market has
validated this shift. As another example, if regulators are not sufficiently satisfied,
they may take action that will then result in a lower company value.
The ERM Process Cycle
ERM can also be defined in terms of its process cycle.We first clarify the definition
of process. After that, we identify the components of the ERM process cycle.
Process
ERM is a process. It is not a periodic validation exercise, it cannot be completely
delineated at the outset, and it is not an isolated stand-alone function. Rather,
ERM is a continuous, evolving, and integrated process.
Continuous ERM is not a periodic validation exercise, like an annual car inspection. ERM is more like the continuing activities you do to protect yourself
from risks involving your vehicle, such as routine car maintenance, safe driving
practices, and auto insurance.
Evolving It is not possible to fully determine at the outset precisely what an ERM program will ultimately be for a particular organization. Though it is
possible to lay out a high-level implementation plan, ERM evolves over time. It
usually takes years for an ERM program to fully develop to maturity, and many
things can change in that time. In addition, as the program develops, some
aspects may gain more popularity and be expanded. The pace and scope of ERM
adoption is a function of many variables, many of which are unique to each
organization. The most common examples of these company-specific variables
affecting ERM adoption are the following ‘‘10 Cs’’:
1. Catalyst. What or who initiated the desire to implement ERM?
2. Commitment. Is the Board focused on driving ERM adoption? Is senior
management?
Definition of ERM & 49
C02 01/07/2011 10:39:41 Page 50
3. Champion. Is there a chief risk officer (CRO) to continually advance
efforts?
4. Culture. Are they quick to adopt change?
5. Centralization. Does Corporate dictate requirements or are business
segments independent?
6. Climate. Are there distractions slowing adoption? Conversely, has there
been a recent risk event that has heightened risk awareness?
7. Circumstances. Is there an impending major threat or opportunity
about which the ERM program has the opportunity to help evaluate
decision alternatives?
8. Contagion. Can ERM concepts spread quickly across the enterprise via
communication, training, inter-department interactions, and sharing of
best practices?
9. Cascade. How long will it take for ERM applications, and supporting tools
and techniques, to filter from the strategic level down to tactical and
transactional levels?
10. Confirmation. Have rating agencies approved of the company’s ERM
program? What about regulators and shareholders?
Integrated In many companies, traditional risk management is a function housed in the corporate department, separate from the business segments.
Risk management processes are considered an add-on that can be performed
independently from other company processes. This is usually a sign that the
company has a compliance-centric approach to risk management, concerned
mainly with downside risk mitigation.
This is not the case with ERM, which is a more advanced approach
that involves merging risk management and return management. ERM
processes must be fully integrated with other key company processes,
including:
& Governance & Decision making
& Strategic planning & Strategic and tactical decisions & Transactions (e.g., M&A)
& Business performance analysis & Incentive compensation & Communications with shareholders, rating agencies, and regulators
50 & Defining ERM
C02 01/07/2011 10:39:42 Page 51
The ultimate goal, achieved in a mature ERM program, is to have ERM so
integrated that it becomes part of the culture; ERM just becomes a better way of
doing business.
Four Steps
There are four steps in the continuous ERM process cycle (see Figure 2.6).
While there are other steps involved in establishing an ERM program (ERM
framework discussed in Chapter 3 and risk governance discussed in Chapter 8),
the four steps described here are the major steps that are routinely performed
on a continuous basis, once the ERM program is up and running. The four steps
in the ERM process cycle are:
1. Risk identification. Risk identification is the first step in the ERM
process cycle. It involves determining the key risks, which represent
the biggest potential threats to the enterprise. This entails narrowing
down a very large list of potential risks to a small number of key risks. As
stated earlier in this chapter, this is commonly in the range of 20 to 30
risks. This is primarily done using qualitative risk assessments, based on
internal opinions as to the likelihood and severity of each potential risk.
Risk identification is discussed in detail in Chapter 4.
Risk Identification
Risk Quantification
Risk Decision Making
Risk Messaging
FIGURE 2.6 ERM Process Cycle
Definition of ERM & 51
C02 01/07/2011 10:39:43 Page 52
2. Risk quantification. In the second step in the ERM process cycle, the
key risks are quantified on both an individual and integrated basis. This
involves using an ERM model to quantify the impact of individual risk
scenarios, for each key risk, in terms of their potential impact on key
metrics. Once this is completed, the impact of integrated risk scenarios—
multiple risks occurring simultaneously—is quantified, leading to enter-
prise risk exposure metrics. Risk quantification is discussed in detail in
Chapter 5.
3. Risk decision making. Risk decision making is the third step in the
ERM process cycle. This consists of two categories of decision making. The
first category includes decisions related to managing risk exposures to
within risk appetite. The first step in this category is to define risk appetite.
Once risk appetite is defined, decisions can be made to reduce risk
exposures or to increase risk exposures. The second category includes
embedding ERM into routine decision making, such as strategic planning,
strategic and tactical decisions, and transactions. Risk decision making is
discussed in detail in Chapter 6.
4. Risk messaging. The fourth step in the ERM process cycle is risk
messaging. This consists of two distinct categories of messaging: internal
risk messaging and external risk messaging. Internal risk messaging
involves integrating ERM into business performance analysis and incentive
compensation. This is a strong form of internal messaging; it is a powerful
signal to management that risk and return must be considered together.
Once risk exposures are tracked by the departments, the business segments,
and the individuals generating them, and reflected in incentive compensa-
tion, it becomes clear that if one exposes the firm to more risk, more return
is expected. The second category is external risk messaging, which involves
integrating ERM into communications with shareholders, rating agencies,
and regulators. Risk messaging is discussed in detail in Chapter 7.
Fundamental Benefits
Another useful way to define ERM is by its outcomes. In other words, ‘‘What
are the reasons that a company should implement an ERM program? What do
they get out of it?’’ We examine the benefits of ERM from the perspective of
each major stakeholder:
& Shareholders & Board of directors
52 & Defining ERM
C02 01/07/2011 10:39:43 Page 53
& C-Suite & Management & Rating agencies & Regulators
Shareholders
Shareholders—the primary stakeholders—benefit from ERM in two main
ways:
1. Increased likelihood of achieving returns
2. Enhanced risk disclosures
Increased Likelihood of Achieving Returns With an ERM program, the company has an increased likelihood of achieving returns—of executing its
strategic plan as expected. This is a natural result of a more rigorous approach
to identifying and responding to its most important threats, which are risks that
can negatively impact its performance.
Figure 2.7 provides some unique evidence to support this claim, illustrat-
ing a correlation between ERM and resistance to declines in value. Standard &
Poor’s (S&P) has a separate component of its insurance ratings dedicated to
ERM. S&P analysis reveals that North American insurers with better ERM
scores tended to be more shock resistant through the heart of the global
financial crisis (January 1, 2008–November 14, 2008) than their counterparts
with lower ERM scores. Figure 2.7 also shows that, at the extreme, those with
weak ERM programs suffered more than twice the value loss as those with
excellent ERM programs.
Additional evidence that ERM helps companies deliver better performance
is provided in Figure 2.8, which shows a correlation between ERM and the
ability to stabilize volatility of results. This S&P study shows that better ERM
was positively correlated with lower stock price volatility in 2009. At the
extreme, those with weak ERM programs had more than twice the stock price
volatility as those with excellent ERM programs.
Enhanced Risk Disclosures ERM also provides shareholders, as well as potential investors, with a better sense of the risks and opportunities of owning
the stock. This is due to the enhanced risk disclosures, which list the key risks
prioritized from the perspective of the (current and future) shareholders: the
potential impact to company value.
Definition of ERM & 53
C02 01/07/2011 10:39:43 Page 54
54 & Defining ERM
FIGURE NOT AVAILABLE IN ELECTRONIC VERSION
FIGURE NOT AVAILABLE IN ELECTRONIC VERSION
C02 01/07/2011 10:39:44 Page 55
Board of Directors
The members of the board of directors gain additional comfort that the key
risks of the organization are well understood and effectively managed. This
reassurance primarily comes from three aspects of the ERM program:
1. A disciplined approach to quantify enterprise risk exposure, based on all
key risks
2. A clear definition of the firm’s risk appetite
3. A formal process for managing exposures to within risk appetite, sup-
ported by a risk governance structure
ERM also places the board of directors in a comfortable position regard-
ing the SEC disclosure requirements on the board’s role in risk oversight.10
In addition, ERM provides a solid basis for addressing the SEC disclosure
requirements on risky incentive compensation programs.11 A compensation
program is considered ‘‘risky’’ if it creates risks that are ‘‘reasonably likely
to have a material adverse effect’’ on the company. Each of these disclosure
requirements is discussed further in Chapter 7 (see ‘‘Mandatory Risk
Disclosures’’).
C-Suite
The C-Suite, and mainly the CEO and CFO, gain a more sophisticated
risk management program, which provides better shock resistance. The
company will experience less downside volatility and more strategic plan
integrity—a higher potential to achieve strategic plan goals. Perhaps even
more important for the CEO and CFO, ERM provides them with an advanced
and more accessible set of tools for communicating these competitive
advantages to key stakeholders, which can lead to a higher stock price
and a better rating.
Higher Stock Price For communication with stock analysts, the CEO and CFO are better equipped to respond to, or proactively address, concerns about
their ability to deliver results in the face of an impending risk or a developing
risk event. This is because the ERM model quantifies the financial impact of
key risk scenarios, in terms of the impact on company value (and other key
metrics) and does so in a timely manner. For example, if analysts are
overstating the impact an adverse market development will have on the
company, the CEO and CFO are in a position to rebut this in a credible way
Definition of ERM & 55
C02 01/07/2011 10:39:45 Page 56
because their information is bolstered by robust risk scenarios and an
integrated quantitative ERM model. The CFO could respond:
We have already thought through the eventuality now unfolding in the market. While it doesn’t exactly match, it is fairly close to one of the risk scenarios that we considered for this risk event. You are overestimating the impact on one of our major business segments where we have the following mitigation in place . . . We also have a detailed contingency plan, which will involve the following man- agement actions over the next period . . .
This kind of advanced ability to communicate quickly and in a credible
manner effectively conveys management’s superior abilities in risk manage-
ment. Over time, similar communications can lead to a higher ‘‘management
multiple’’ resulting in a higher stock price. The management multiple refers
here to the factor that analysts take into account when valuing the company
that to a large extent reflects their appraisal of the quality of management; a
higher factor indicates a higher level of trust in management’s ability to
consistently and successfully execute their strategic plan. Essentially, the
analysts are lowering the cost of equity capital for the company. A lower
cost of equity capital, with all other things being equal, increases analysts’
valuations and puts upward pressure on the stock price, to the extent that
analysts influence the general market.
Better Rating For communications with rating agencies, the CEO and CFO are able to satisfy the portion of the ratings review related to ERM. Over
the past several years, rating agencies have increased their level of focus on
ERM. S&P has led the way; as discussed earlier, they have a distinct
component of their ratings dedicated to ERM, in the insurance sector.
While rating agencies have raised the bar on ERM requirements, forcing
companies to advance their programs, their requirements are geared toward
ERM from their limited perspective: protecting the interests of the bond-
holders. A truly robust ERM program has a broader focus—protecting the
shareholder—which by its nature incorporates all secondary stakeholder
interests to the appropriate degree. ERM helps determine the optimal level
of satisfying secondary stakeholders—that which maximizes company value.
Therefore, a complete ERM program will more than satisfy the ERM portion
of rating agency reviews, and can lead to an improvement in, or strengthen-
ing of, the overall rating of the company, which means a lower cost of debt
56 & Defining ERM
C02 01/07/2011 10:39:45 Page 57
capital, which increases company value. Rating agencies tend to see the quality
(or lack thereof) of a company’s ERM program as a leading indicator of
performance and credit-worthiness.
In addition, for financial services companies, the CFO may be able to
persuade some rating agencies to lower their capital requirements for the
company. While this is not the official position of the rating agencies, it may
be possible to influence, at least implicitly, a downward adjustment to the
capital requirements. At one point, S&P indicated that they would consider
this in the insurance sector. Rating agencies have their own opinion of a
sufficient capital level for a company, based largely on their industry
perspective. In contrast, the ERM model estimates the impact of key risks
on the company’s capital position as one of its key metrics. This is a company-
specific capital model, which offers the potential to be a far more accurate
predictor of the company’s true capital needs. The ERM model also reflects
risk interactions, including offsets, resulting in a required capital level that is
often lower than rating agency capital requirements. However, to succeed in
having the rating agency consider the company’s ERM model in setting the
required capital level, the CFO must demonstrate the credibility of the ERM
model calculations. To do this, the CFO must overcome the natural (and
sometimes warranted) skepticism of the rating agency. After all, the ERM
model, along with its data and assumptions, are a product of management
which has a biased vested interest in lowering capital requirements.
Management
Management gains three significant enhancements to their decision-making
abilities. They gain a well-defined methodology to manage risk exposures to
within risk appetite, and quantitative information that supports decisions on
risk mitigation alternatives. In addition, management gets a decision-making
tool for selecting the projects with the best risk–return profile. The decision-
making tool—the ERM model—supports all types of routine decisions, includ-
ing strategic planning, strategic and tactical decisions, and transactions.
Finally, management benefits from better prioritization of its limited resources.
The ERM program allows focus on the most important risks.
Rating Agencies
Rating agencies enhance their ability to assess the credit-worthiness of the
companies for which they provide credit ratings. Through the ERM lens, they
see prospective information on the major threats to the company’s strategic
Definition of ERM & 57
C02 01/07/2011 10:39:45 Page 58
plan financial projections, which includes impacts to liquidity. The ERM
program provides a complete shift in the kind of financial information
typically provided to rating agencies, which is almost entirely retrospective.
With the ERM program, rating agencies receive prospective insights into
which risks are on management’s radar, how the risks would impact the
enterprise, the potential financial impacts, and management’s estimates of
the likelihood of each risk. They also receive data on enterprise risk exposure,
which is essentially prospective information on the company’s shock resist-
ance. In addition, as more companies achieve a mature, robust ERM
program, rating agencies will expand their sense of relative credit-worthiness
between companies.
Regulators
For companies in the financial services sector, regulators are primarily
concerned with preventing insolvencies. In the United States, there are
financial costs to the government and political costs to regulators when
financial services companies fail. When banks fail, the government FDIC
guarantee covers depositors (up to a limit).12 When securities firms suffer
losses due to fraud, the government SIPC guarantee covers investors (up to a
limit).13 When insurance companies fail, although the government does not
provide a guarantee, state regulators are held accountable politically, because
they are responsible for protecting policyholder interests. In unusual times,
like the global financial crisis that began in the United States in 2007, the
government provides special funding to bail out companies deemed critical to
maintaining the economic infrastructure.
Regulators benefit as more companies adopt ERM because it lowers
systemic risk. For our purposes, we define systemic risk here simply as the
risk that failures in one part of the economic system can spread contagiously to
others, resulting in a cascading set of failures threatening to crash the entire
system. ERM makes companies more shock resistant, lowering their risk of
failure andmaking themmore aware of their dependencies on other companies
in the event those other companies fail.
SUMMARY
Even with the most advanced risk practitioners, it is critical to clearly
define both risk and ERM before delving into any discussion on ERM. These
58 & Defining ERM
C02 01/07/2011 10:39:45 Page 59
are concepts that are often defined in quite disparate ways. Risk is any-
thing uncertain whose outcome can result in a deviation from expected
results, up or down. ERM can be defined in four different ways: by its basic
one-sentence definition; by its 10 key criteria; by its four-step process cycle;
and by its fundamental benefits. The 10 key ERM criteria provide the
most robust definition and can serve as a benchmark against which all
ERM programs can be compared. These criteria will be referred to periodically
throughout this book and will serve as a focal point of the next chapter,
as we evaluate an advanced yet practical approach to ERM: the value-
based approach.
NOTES
1. Volatility is being used here in a general sense, as opposed to specific reference
to the metric standard deviation.
2. ‘‘Phelps confirms right wrist is broken,’’ available at www.baltimoresun.com/
services/newspaper/bal-sp.phelps06nov06,0,3620926.story.
3. www.jockbio.com/Bios/Phelps/Phelps_bio.html.
4. The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb,
Random House, April 17, 2007.
5. Capital requirements are requirements by external stakeholders, such as
regulators or rating agencies, to hold a certain amount of capital as a buffer
against existing liabilities.
6. The research study is published in an article titled ‘‘IMPACT Study: focusing on
risks that matter to you . . . and to the media,’’ a Watson Wyatt Horizons
publication.
7. Source: CFO Executive Board; Audit Director Roundtable research.
8. This does not constitute legal advice.
9. Throughout this text, we refer to stock analysts and rating agencies as
stakeholders (the former being primary and the latter being secondary).
Technically, stock analysts and rating agencies are largely acting as agents
of the shareholders and bondholders, respectively, who are the true underlying
stakeholders. For convenience, we use the term stakeholder interchangeably
for the true underlying stakeholders and their agents.
10. Code of Federal Regulations, Title 17 (Commodity and Security Exchanges),
Chapter II (Security and Exchange Commission), Part 229 (Regulation S-K),
Item 407(h), effective February 28, 2010.
11. Code of Federal Regulations, Title 17 (Commodity and Security Exchanges),
Chapter II (Security and Exchange Commission), Part 229 (Regulation S-K),
Item 402(s), effective February 28, 2010.
Notes & 59
C02 01/07/2011 10:39:45 Page 60
12. At the time of the writing of this book, the FDIC guarantee covered up to
$250,000 per individual bank account.
13. At the time of the writing of this book, the SIPC guarantee covered up to
$500,000 per individual investment account and up to $100,000 per indi-
vidual money market account.
60 & Defining ERM
C03 01/12/2011 23:58:21 Page 61
3CHAPTER THREE ERM Framework
What you risk reveals what you value.
Jeanette Winterson, English author and journalist
W HEN THE WORD framework is invoked, I become wary of what Iam about to hear. It is a word that is adored by consultants. It isoften accompanied by a visually appealing and complex chart with lots of boxes and arrows, or sometimes overlapping bubbles, which offers a
feeling of reassurance and comfort when viewed up on an office wall.
Unfortunately, these charts usually do not lead to anything actionable, or
sometimes even discernable. I have seen many such framework charts on ERM.
In sharp contrast, in this chapter, we will define the ERM framework in a
specific, meaningful, and practical way. Our accompanying chart will facilitate
our discussions, and will also be useful for ERM discussions within your
organization, particularly with senior executives and the board.
In Chapter 2, we defined the ERM process cycle as having four steps which
are repeated periodically—risk identification, risk quantification, risk decision
making, and risk messaging. Equally important are two additional elements in
an ERM program: ERM framework and risk governance. Consider each of these
61
C03 01/12/2011 23:58:21 Page 62
as ERM infrastructure or structural overlays within which the ERM process
cycle operates. The ERM framework provides the functional structure and risk
governance provides the hierarchical structure. Think of ERM framework as
the ‘‘what (activities), how (they interact), and why (they are performed),’’ and
risk governance as the ‘‘who (does what), when (they do it), and where
(activities take place).’’
Although ERM framework and risk governance are both elements of ERM
infrastructure, we will discuss ERM framework in this chapter, move on to
discuss the ERM process cycle (Part II, Chapters 4 through 7), and then discuss
risk governance in Chapter 8. There are three reasons for this.
1. Relative importance. Good risk governance is a necessary condition for
a robust ERM program, but it is not a sufficient condition. A company may
have designed and implemented what appears to be a robust risk govern-
ance structure, but that alone cannot reveal much without knowing what
activities are actually taking place. All the risk governance pieces might be
in place around a hollow ERM program, much like an elaborate highway
system with no vehicles traveling on it.
However, the functional structure, or ERM framework, is more
elemental, more closely linked to the quality of an ERM program. As a
consultant, when I have initial discussions with a company about their
ERM program, I often begin by asking about their ERM framework. That
tells me virtually everything I need to know about the level of maturity of
their ERM program. It is the ERM framework that reveals what activities
are actually taking place and how many of the 10 key ERM criteria,
discussed in Chapter 2, are present in their ERM program.
2. Implementation sequence. The order of our discussion more closely
mirrors what companies experience when first implementing an ERM
program. Initially, only the most basic risk governance structure is
warranted before moving through the ERM process cycle at least one
time. The way ERM evolves, is adopted, and becomes integrated into a
company’s key processes differs from company to company. Until it is clear
what the ERM activities will actually look like, the comprehensive risk
governance structure required to support them cannot easily be written.
3. Context for understanding. To understand risk governance it is im-
portant first to understand the ERM process steps. The roles and respon-
sibilities of the different key players in ERM can only be discussed in the
context of the ERM activities. The same is also true for the organizational
structure, as well as policies and procedures, which, along with roles and
62 & ERM Framework
C03 01/12/2011 23:58:21 Page 63
responsibilities, constitute risk governance. They can only be discussed
once the entirety of the ERM process is well defined and understood.
Finally, terms and concepts which will be needed to discuss risk govern-
ance are defined during discussions of the ERM process cycle (Chapters 4
through 7).
VALUE-BASED ERM FRAMEWORK
The ERM framework described in this chapter—the value-based ERM frame-
work—is an advanced yet practical approach to ERM. This ERM framework
represents an emerging approach toward which other frameworks in the
industry may eventually evolve. A small but growing number of consulting
firms and companies are employing this framework. It is the only framework
of which I am aware that satisfies all 10 of the key ERM criteria. Other ERM
frameworks will largely be a subset of the value-based ERM framework,
which can be used to benchmark other ERM frameworks.
CHALLENGES OF TRADITIONAL ERM FRAMEWORKS
We will discuss the challenges of traditional ERM frameworks from two
perspectives:
1. Inability to satisfy the 10 key ERM criteria
2. Three core challenges
Inability to Satisfy the 10 Key ERM Criteria
The 10 key criteria of an ERM program (discussed in Chapter 2) are:
1. Enterprise-wide scope
2. All risk categories included
3. Key risk focus
4. Integrated across risk types
5. Aggregated metrics
6. Includes decision making
7. Balances risk and return management
8. Appropriate risk disclosures
Challenges of Traditional ERM Frameworks & 63
C03 01/12/2011 23:58:21 Page 64
9. Measures value impacts
10. Primary stakeholder focus
These criteria must be in place for a risk management program to be
considered a robust ERM program. Unfortunately, traditional ERM frameworks
do not satisfy many of these 10 key criteria and often fail to achieve most of
them. As a result, companies employing these traditional ERM frameworks
discover that despite putting much good effort into development and imple-
mentation, their ERM program falls short of the bulk of their expectations.
Three Core Challenges
Years of research and client work in this area have revealed three core challenges
to successful ERM implementation, which are like flags, or symptoms, identifying
those companies that are using a suboptimal ERM framework and, as a result, are
struggling to satisfy the 10 key criteria. These three core challenges are:
1. Inability to quantify strategic and operational risks (subset of Criterion 2)
2. Unclear definition of risk appetite (subset of Criterion 5)
3. Lack of integration of ERM into decision making (Criterion 6)
The first core challenge—an inability to quantify strategic and operational
risks—is what I often refer to as the holy grail of ERM. The failure of traditional
ERM approaches to deliver this elusive ability is the root cause of many other
challenges in successfully implementing ERM.
The second core challenge is the most common question I am asked, which
is, ‘‘What is risk appetite? How do you define it? How do you quantify it in a way
that you can use it in risk governance?’’
Finally, the third core challenge is the most prevalent one, and ultimately,
the most important one: an inability to use ERM information for decision
making. If ERM is not providing actionable information, not resulting in
different decisions than would otherwise be made, then it has no purpose.
Although some traditional ERM programs do provide some decision-making
abilities, this is usually pretty limited. For example, most of the decisions
resulting from traditional ERM programs involve financial risk (which, tech-
nically, makes this merely a glorified version of financial risk management
rather than holistic enterprise risk management).
After we describe the value-based ERM approach, we will discuss how this
emerging framework satisfies each of the 10 key criteria, including the three
core challenges.
64 & ERM Framework
C03 01/12/2011 23:58:21 Page 65
VALUE-BASED ERM FRAMEWORK
The value-based ERM framework is illustrated in Figure 3.1.
Figure 3.1 shows the major process flows for three of the four steps in the
ERM process cycle:
1. Risk identification (highlighted in white)
2. Risk quantification (highlighted in grey)
3. Risk decision making (highlighted in black)
4. Risk messaging (discussed in Chapter 7)
Risk Identification
Starting on the extreme left side of Figure 3.1, we begin with all the risks in the
universe, known or unknown, which can potentially impact a company’s
value. These correspond to all categories of risks, which for most companies are
strategic, operational, and financial.1 The flow of action, as indicated by the
arrows, is to the right, as these risks attempt to impact the baseline company
value, represented by the cube (in grey highlight) labeled ‘‘ERM Model.’’ The
ERM model calculates the baseline company value (see ‘‘Company Value’’ in
Chapter 2 for the definition), as well as changes in the baseline company value
resulting from simulating key risk scenarios.
However, not all risks in the universe will impact a particular company’s
value. Many of these potential risks are simply not relevant. The company’s
chosen strategy acts as a natural filter, eliminating risks that are irrelevant. In
other words, the strategy will determine which risks will, and which will not, be
important to the company. The strategy is composed of the company’s choices
that fundamentally define its businesses, including:
& What products or services to sell & Which distribution channels to use & Which customer markets to serve & What value proposition to offer
For example, if the company does not do business in France, then sovereign
risks related to France will likely not impact the company’s value, are therefore
not relevant, and may be screened out of consideration. Or, as another
example, if the company is not manufacturing products using steel as a
raw material, then it probably doesn’t care if the price of steel rises
Value-Based ERM Framework & 65
C 03
01/12/2011 23:58:21
Page 66
FIGURE 3.1 Value-Based ERM Framework
6 6
C03 01/12/2011 23:58:22 Page 67
unexpectedly (all other things being equal). What remains, after considering
the strategy as a filter to a comprehensive list of all potential risks, are just the
relevant risks for the company.
However, the list of relevant risks is still too large of a list, from a practical
standpoint. A qualitative risk assessment process must be conducted to further
narrow down the list of relevant risks to a list of key risks, which are usually in the
neighborhood of 20 to 30 risks. This process commonly consists of internal surveys
askingmanagement tofirst identifyand thenqualitativelyassess thecompany’s key
risks by ranking them in terms of their frequency (how likely they are to occur) and
severity (assuming they occur, how much they would impact financial results).
This is illustrated in Figure 3.1 by a likelihood-severity graph. Various
methods may be used at this point to select a subset of the relevant risks based
on their likelihood-severity ranking. In the graph, risks above and to the right of
the line—those with higher likelihood and/or severity—are selected as this
subset; this is just an example of one of these methods. This process prioritizes
the list of relevant risks down to a smaller number of key risks. This determi-
nation of the key risks ends the risk identification process.
Risk Quantification
The key risks are those risks that will be quantified in the risk quantification
stage of the ERM process.2 In the value-based ERM approach, the quantifica-
tion process begins with developing discrete deterministic risk scenarios for
each key risk.3 For example, a single key risk may have the following multiple
risk scenarios:
& Very pessimistic & Pessimistic & Baseline—no risk event & Optimistic & Very optimistic
Not all risks have upside scenarios (the optimistic and very optimistic scenar-
ios). However, one example of a risk that does have upside scenarios for many
companies is stock market volatility. The market can move in a direction that
increases the company’s value, as well as in a direction that decreases its value.
Risk scenarios primarily consist of a description of the risk event, the
likelihood of its occurrence, and the financial impacts. There are two types
of key risks in terms of the level of difficulty, and therefore the type of approach
used, in developing risk scenarios: ‘‘mostly objective’’ versus ‘‘mostly subjective.’’
Value-Based ERM Framework & 67
C03 01/12/2011 23:58:22 Page 68
Those key risks forwhichdeveloping risk scenarios ismostly objective are those
for which there exists a large set of objective external quantitative experience data.
Most of the key risks in this category are financial risks. As an example, consider
market risks.We have decades of experiencewith daily (and intra-day) data on the
volatility of the major stock markets. As a result, we can construct a detailed,
smooth, continuous distribution of historical risk scenarios for market risk.
For these types of risks, developing risk scenarios is mostly objective. The
historical experience largely informs the understanding of the risk event, its
likelihood, and its financial impacts. Management selects a set of deterministic
risk scenarios from the continuous distribution, which introduces some sub-
jective judgment. A number of risk scenarios—both upside and downside—is
selected to adequately represent the shape of the distribution and capture its
key inflection points. This is depicted by the set of upper graphs in Figure 3.1,
where the continuous distribution is represented by the solid curve and the
deterministic risk scenarios selected are represented by the dots.
In contrast, the key risks for which developing risk scenarios is mostly
subjective are those for which no objective external quantitative experience
data exist, or for which there is a very limited amount of such data readily
available. Most of the key risks in this category are strategic and operational risks.
Take, for example, the strategic risk related to executionof strategy.There certainly
is no industry data available, because this is related to the particulars of the
company’s specific situation—strategy, competitive environment, capabilities of
currentmanagement, and so on. For these types of risks, developing risk scenarios
is mostly subjective. Management develops a set of deterministic risk scenarios
using an adaptation of an approach from the manufacturing sector called Failure
Modes and Effects Analysis (FMEA), which relies largely on input from internal
subject matter experts. The FMEA process will be further discussed later in this
chapter, as well as in Chapter 5. A number of risk scenarios, both upside and
downside, are constructedandare intended to represent the shapeof theunknown
distribution. This is depicted by the set of lower graphs in Figure3.1,where the lack
of a known distribution is represented by the dotted-line curve, and the determi-
nistic risk scenarios developed are again represented by the dots.
Even the ‘‘mostly objective’’ risk scenarios can benefit from the FMEA
technique. Historical data is often insufficient. In addition, subject matter
experts can contribute their knowledge and intuition, which can add signifi-
cant value to the process. For these ‘‘mostly objective’’ risk scenarios, a
combination of the two approaches is often best.
Once the risk scenarios are completed, we have all the risk-related inputs
needed to quantify the individual risk exposures. We are now ready to quantify
the impact on the baseline company value of a simulation involving only one
68 & ERM Framework
C03 01/12/2011 23:58:22 Page 69
event; that is, one risk scenario occurring at a time. This activity is represented
in Figure 3.1 by the lower arrow labeled ‘‘one event per simulation’’ passing
information to the ERM model for quantification.
We also must quantify the enterprise risk exposure. Enterprise risk
exposure is the distribution of all potential impacts on the baseline company
value from simulations involving one or more events; that is, one or more risk
scenarios occurring at a time. This is a more realistic and complete represen-
tation of the firm’s risk exposure, because in business, more than one variable
deviates from the strategic plan during any given period. Enterprise risk
exposure represents the overall aggregate volatility of company value.4 This
activity is represented in Figure 3.1 by the upper arrow labeled ‘‘one or more
events per simulation’’ passing information to the ERM model for quantifica-
tion. To perform this calculation, we need one additional risk-related input: the
impact of risk interactivity, or correlation between risk scenarios. Some risks
are more likely to occur together (positively correlated) than the multiplication
of their probabilities would otherwise indicate, some are less likely to occur
together (negatively correlated), and some are independent of each other
(uncorrelated).
After risk correlation is determined, we are able to quantify the potential
financial impact of individual risk events, as well as that of multiple simulta-
neous risk events, on company value and other key metrics. However, first we
must consider another natural filter which dampens the financial impact of key
risks: risk management tactics. Risk management tactics are implicit or explicit
actions that mitigate the likelihood and/or severity of risk events.
One example of a risk management tactic is the purchasing of insurance.
Consider an example of two companies—Company A and Company B—that
are virtually identical and across the street from each other. Now imagine a
disaster occurs whereby a hurricane totally destroys the headquarters of both
companies, but thankfully results in no injuries or deaths. The gross financial
impact on both companies is identical, amounting to the replacement cost of
their buildings. Assume this is $100 million. Now assume that there is just one
difference between the two companies: Company A had purchased $80 million
of insurance coverage on their building, but Company B had purchased only
$40 million. Although the gross risk exposure (also called inherent risk or
pre-mitigation exposure) is identical for both companies, the net risk exposure
(also called residual risk or post-mitigation exposure) is different:
Net risk exposure ¼ ðGross risk exposureÞ $ ðValue of mitigationÞ Company A :Net risk exposure ¼ ð$100 millionÞ $ ð$80 millionÞ ¼ $20 million Company B :Net risk exposure ¼ ð$100 millionÞ $ ð$40 millionÞ ¼ $60 million
Value-Based ERM Framework & 69
C03 01/12/2011 23:58:22 Page 70
Risk culture is another example of effective risk mitigation that dampens the
financial impact of risk events. Consider another example of two companies—
Company A and Company B—which are again virtually identical. However,
Company A has a risk culture of encouraging the early reporting of bad news,
whereas Company B has a risk culture of ‘‘shooting the messenger’’ when bad
news is delivered. Assume the same type of risk event occurs at both companies.
At CompanyA, the risk event is identified and reported early on in the process. As
a result, serious problems are averted long before the situation has an opportu-
nity to get out of hand. However, the same risk event occurring at Company B
might initially be hidden from management, causing it to grow and fester, until
by the time it is identified it can jeopardize the company’s very survival.
It is important to measure the potential impact of key risks on both a
pre-mitigation (gross exposure) and a post-mitigation (net exposure) basis.
There are two reasons for this:
1. Valuation of mitigation in place
2. Understanding the full potential impact of the risks
Valuation of Mitigation in Place
Measuring the potential impact of key risks on both a pre-mitigation (gross
exposure) and post-mitigation (net exposure) basis offers unique insights into
the value of the existing mitigation in place, which can highlight areas
of under-mitigation or over-mitigation, or confirm appropriate levels of
mitigation. These are significant insights.
As an example, consider the typical dilemma of those working in a risk
mitigation area such as helping the company stay in compliance with laws and
regulations. They often struggle to be fully appreciated within their organiza-
tion. They are usually seen only as an expense, and whenever the company
budget is under pressure, their department is often among the first to be
considered for cost cutting. Even worse, the better they perform their job, the
more unnecessary they can appear to be to upper management. Management
tends not to react to this by saying, ‘‘We have not gotten fined much at all this
year—great job!’’ Rather, more often, management will forget the potential
exposure to fines and secretly think, if not openly verbalize:
Do we really need all those folks in Compliance? We pay almost nothing in fines anyway! Is this risk really that important that we need to mitigate it so heavily with all of this costly overhead?
70 & ERM Framework
C03 01/12/2011 23:58:22 Page 71
However, quantifying risks on a pre-mitigation (gross exposure) as well
as post-mitigation (net exposure) basis offers management a clear ‘‘before
and after’’ picture of the impact on value (baseline company value) and value
volatility (enterprise risk exposure) of the risk mitigation in question. This
provides a rigorous quantitative approach to demonstrating the value added
by the compliance department, or the value of specific risk mitigation. This is
further discussed in Chapter 6, ‘‘Determining the Value of Mitigation in
Place,’’ where a formula for the ‘‘value of mitigation’’ metric is presented.
Understanding the Full Potential Impact of the Risks
A second reason that it is important to quantify risks on both a pre-mitigation
(gross exposure) and post-mitigation (net exposure) basis is that it offers a
deeper view of the full potential magnitude of the risk, because mitigation
does not always work out as expected. For example, consider two risk
events—Risk A and Risk B—each with identical potential financial impacts,
on a post-mitigation basis, equal to $1 million. This is a relatively negligible
impact for the company, which has annual profits of $1 billion. Informed by
only the post-mitigation exposure information, management is likely to be
equally indifferent to both Risk A and Risk B. Neither seems to deserve much
attention. However, when examined on both a pre-mitigation (gross expo-
sure) and post-mitigation (net exposure) basis, management is provided with
the information shown in Table 3.1.
With this additional information, the difference between these risks is
apparent. Management is now more likely to focus additional attention on
Risk A. Risk A will only be the same minimal risk as that of Risk B if the $99
million mitigation in place operates as expected. However, there are situa-
tions in which this does not happen. For example, the $99 million mitigation
may be an insurance contract, and the insurer may be unable or unwilling to
pay the claim.
TABLE 3.1 Quantifying Risks A and B on Both a Pre-Mitigation (Gross Exposure) and Post-Mitigation (Net Exposure) Basis
Pre-Mitigation
(Gross Exposure) Mitigation
Post-Mitigation
(Net Exposure)
Risk A $100 million $99 million $1 million
Risk B $1 million None $1 million
Value-Based ERM Framework & 71
C03 01/12/2011 23:58:23 Page 72
Now we are ready to quantify the risks. Recall that risk is defined as any
deviation from expected, and here expected is defined as the baseline company
value. Baseline company value is the present value of discounted distrib-
utable cash flows consistent with the strategic plan’s financial projection. The
ERM model is constructed to project these distributable cash flows into the
future, consistent with the strategic plan through the plan period (e.g., three
years), out beyond the plan period, and then discount them back to the
present time, with an appropriate discount rate. This is the same kind of
fundamental calculation that an equity analyst would use if he or she had
access to all the inside information that management does. This baseline
company value is the amount investors would pay today if they believed that
the company is going to perfectly execute its strategic plan and that every-
thing will go precisely as management expects. See ‘‘Do Companies Measure
Company Value?’’
DO COMPANIES MEASURE COMPANY VALUE?
Most public companies are in business to make money, and theirshareholders are their primary stakeholder. This means that distrib- utable cash flow is king and that the primary metric should be company value, which is the present value of distributable cash flows. Because you can’t manage what you don’t measure, it is natural to assume that most public companies would measure company value, both for baseline financial projections as well as to test the value of alternate strategies and tactics.
Unfortunately, this natural assumption is incorrect. Relatively few com- panies measure company value and model it dynamically. Instead, most rely on market capitalization, which is a poor proxy. Market capitalization is a static, point-in-time estimate of the company’s value, rather than a dynamic model which can be used to inform decision making. It is the market’s opinion of the company’s worth, rather than an internal management estimate, which would arguably be more accurate, because management has access to all the inside information. After all, why do rogue stock traders want inside information? Because it is valuable. Though nobody knows the future with certainty, local management can make the best guesses as to the expected distributable cash flows from their portion of the business, as well as reasonable ranges of volatility around that estimate. Capturing that information in a consistent manner around the entire enterprise and
72 & ERM Framework
C03 01/12/2011 23:58:24 Page 73
Risks are then quantified by ‘‘shocking’’ the baseline valuation with the
financial impacts of a simulation involving individual risk scenarios as well
as the combined impacts of multiple risk scenarios occurring simultaneously.
The two ‘‘Value Impact’’ charts on the extreme right side of Figure 3.1 depict
the results of both types of quantification.
The lower of the two charts (Individual Risk Exposures) shows the rank-
ing of each individual key risk scenario by the primary metric—the impact
on company value. This puts all types of risk on an apples-to-apples basis of
comparison, in quantitative form, and serves as a prioritization and ranking
of the key risks. For the key risks, this supplants the more rudimentary qualita-
tive ranking relied on in the qualitative risk assessment portion of the risk
identification process step. A modified case study example of the individual risk
exposures chart is enlarged and shown in Figure 3.2.
This individual risk quantification exercise is quite revealing, especially the
first time it is performed, in a way that is very surprising to management. Some
risks that management had assumed to be of low significance turn out to be
ranked highly, even among the top five risks, for example. Conversely, some
risks thought to be high on the list turn out to be far less potentially impactful,
sometimes due to their having already been over-mitigated, and some of these
are occasionally even deleted from the key risk list.
This is a very excitingmoment—one of the definingmoments—in the ERM
process. This is the first time that management sees a truly holistic list of key
risks, from all sources, quantified in terms of their potential impact on company
aggregating it to the enterprise level within a dynamic model produces a powerful tool for managing the firm.
Those companies that do build the capability to measure company value using such a dynamic model have a competitive advantage. They are able to strengthen their strategic planning process, because calculating the baseline company value in this way often identifies any areas of inconsistency in the strategic plan’s financial projection. These companies also gain an enhanced value-based management capability—the ability to understand the drivers of value and manage it upwards. Finally, they develop a more sophisticated communications strategy for external stakeholders—primarily equity analysts. Over time, management is able to consistently demonstrate to analysts an ability to quantify how market events can impact their value. This can eventually lead to a higher ‘‘management multiple’’ for the com- pany’s stock price.
Value-Based ERM Framework & 73
C03 01/12/2011 23:58:24 Page 74
value. This vision immediately shifts management’s attention and focus,
resulting in decision making to mitigate the largest potential threats (examples
of case studies are highlighted in Chapter 5). There are three main reasons why
this information leads to a clear and immediate shift in decision making. First,
company value is a metric everyone in the company can understand. Second, it
is also ametric that everyone knows they have to care about, both in protecting
it and increasing it. Finally, each quantitative result is based on a risk scenario
that is clearly documented and tangible, and as a result, this resonates with
management.
This last point is in sharp contrast to traditional risk quantification
methods, which commonly use convoluted formula-driven parameterized
mathematical distributions combined with stochastic simulations to generate
Individual Risk Exposures Company Value Impact
–25.0%–20.0%–15.0%–10.0%–5.0%0.0%
Consumer Relations Risk
Competitor Risk 1
Union Negotiations
International Risk 2
IT Risk 2
Loss of Key Distributor
Loss of Key Supplier
International Risk 1
Execution Risk
M&A Risk
Loss of Critical EEs
Legislation Risk
IT Risk 1
FIGURE 3.2 Individual Risk Exposures
74 & ERM Framework
C03 01/12/2011 23:58:24 Page 75
individual risk events. The results of such complex and abstract quantification
are not easily traceable to specific risk scenarios that are concrete or, at times,
even realistic. In fact, because the process involves random generation, the
specific risk scenarios produced by these complex traditional approaches
change every time. As a result, management has great difficulty getting
comfortable with the information, and when people are uncomfortable,
they hesitate to act.
Once calculated on the basis of the company value metric, the individual
risk exposure graph is also readily available for any other key metrics (revenue
growth, net income growth, etc., and for financial services companies, capital
ratios). This is easily done, because to calculate company value, every other
possible metric is required, so the value-based ERM model already has all the
elements needed for producing these other key metrics.
In Figure 3.1, the chart just above the individual risk exposures chart
is enterprise risk exposure. This is expressed in two forms. The first form is a
graph of the distribution of impacts on company value from simulations
involving one or more risk scenarios occurring simultaneously, including
both upside and downside events. The enterprise risk exposure graph is
enlarged and shown in Figure 3.3.
This illustrates a representation of the full range of potential outcomes, and
their likelihoods, for all key risk scenario combinations, recognizing the
interactivity of the risks. The horizontal axis is company value and the vertical
Li ke
lih oo
d
Company Value X
FIGURE 3.3 Enterprise Risk Exposure—Graph Form
Value-Based ERM Framework & 75
C03 01/12/2011 23:58:24 Page 76
axis is likelihood. The vertical dotted line in the middle intersects the horizontal
axis at the baseline company value (represented by an X), which is what the
company would be worth if they were to perfectly execute their strategic plan
and everything were to go as they expected. To the extreme right, the value of
the company is much higher, but with a very low likelihood; this is wheremany
upside risk events would have to occur at the same time. Similarly, to the
extreme left, the value of the company is much lower, but also with a very low
likelihood; this is where many downside risk events would have to occur at the
same time.
Unlike the individual risk exposures chart in Figure 3.2, it is difficult to gain
much information from just looking at the enterprise risk exposure graph. The
way this is used is to produce information about the likelihood of the company’s
‘‘pain points,’’ which are risk tolerance thresholds for whichmanagement wants
the likelihood of crossing them to be quite small. Management is always well
aware of what these are—they are the thresholds that, if crossed, would bring
great scrutiny down upon them by the board of directors, shareholders, and
other external stakeholders. Some examples of typical pain points include: a
decrease in company value of 10 percent or more; a ratings downgrade; falling
short of earnings expectations by more than 2 pennies per share; and so on.
Table 3.2 shows an example of the pain point information produced as a
representation of enterprise risk exposure in table form. Each piece of infor-
mation in the table (corresponding to each row) identifies a pain point and
the associated likelihood of its threshold being crossed based on current
exposures. This information is produced directly from the distribution in the
enterprise risk exposure graph (Figure 3.3) as the likelihood corresponding
to the area under the curve to the left of a vertical line intersecting the
horizontal axis at the pain point. This is illustrated in Figure 3.4.
Analogous to the individual risk exposures chart, once enterprise risk
exposure is calculated on the basis of the company value metric, both forms of
enterprise risk exposure—graph and table forms—are also readily available for
any other key metrics (revenue growth, net income growth, etc.).
TABLE 3.2 Enterprise Risk Exposure— Table Form
Pain Point Likelihood
DValue % 10% 15%
DValue % 20% 3%
76 & ERM Framework
C03 01/12/2011 23:58:25 Page 77
This is the end of the risk quantification process. At this point, manage-
ment now has all the current risk exposures—individual risk exposures
and both forms of the enterprise risk exposures. The next step is risk
decision making.
Risk Decision Making
We will discuss three aspects of risk decision making:
1. Defining risk appetite
2. Managing enterprise risk exposure to within risk appetite
3. Strategic planning and other business decision making
Defining Risk Appetite
The first step in risk decision making is for management to define risk appetite,
which is sometimes referred to as risk tolerance. Risk appetite is the level of
enterprise risk exposure with which management is comfortable, at the limit.
Because the current level of enterprise risk exposure may be different from the
desired level at any time, risk appetite represents the target maximum level of
enterprise risk exposure.
Li ke
lih oo
d
Company Value |
–10% Pain Point Likelihood
Value -10% 15%
Value -20% 3%
Li ke
lih oo
d
Company Value |
–20%
FIGURE 3.4 Developing Pain Point Data
Value-Based ERM Framework & 77
C03 01/12/2011 23:58:25 Page 78
The key step in defining risk appetite is the risk appetite consensus meeting.
This is where the ERM committee (which may be called by various names,
including the risk committee) gets together to review the enterprise risk
exposure metrics (see ‘‘Enterprise Risk Exposure’’) and decide on the target
level for enterprise risk exposure. In defining risk appetite, management is
essentially attempting to discern the level of risk in the enterprise that is desired
by the collective shareholders, which are often a highly diverse group with
different perspectives, expectations, and investment needs.
Each person on the ERM committee brings a different perspective to this
exercise. ERM committee members are individuals, and as such, each has a
different emotional, gut-level feel for how much risk he or she feels the
enterprise should be taking. However, intellectually, each person is looking
at a consistent set of metrics, along with the unifying metric of company value,
and this helps drive consensus on the definition of risk appetite.
Managing Enterprise Risk Exposure to within Risk Appetite
Once risk appetite is defined, the next step in risk decisionmaking can take place.
This is the most important exercise in enterprise risk management: moving
enterprise risk exposure to within risk appetite. This is the primary purpose of
ERM—not just to calculate and report risk exposures, but most critically to:
ENTERPRISE RISK EXPOSURE
Earlier, we defined individual risk exposure metrics as separate fromenterprise risk exposure metrics. And indeed, they are two separate types of information, used in different ways. However, technically, the former are included in the latter. Enterprise risk exposure is a distribution that contains the data points where one risk scenario occurs at a time (in addition to the far more robust and voluminous data points of two or more risk scenarios occurring simultaneously). Therefore, references to enterprise risk exposure, particularly in the context of metrics reviewed in the process of defining risk appetite, should be considered to include individual risk exposure information as well. Individual risk exposure information is pre- sented separately because it can be calculated prior to the full enterprise risk exposure calculation (because risk correlations are not required), and it is usually treated as a distinct element.
78 & ERM Framework
C03 01/12/2011 23:58:25 Page 79
A. Measure what the overall volatility of the enterprise is (enterprise risk
exposure)
B. To consciously decide on, and clearly define, what it should be, at the limit
(risk appetite); and
C. To manage A to within B.
Enterprise risk exposure is a calculation, whereas risk appetite is a
decision. This is a salient point, yet one that is missed by those who believe
that both are mere calculations. This results in confusion and leads the ERM
program down a twisted and tangled path, from which it is very difficult to
find the way back.
Now, let’s assume that the ERM Committee conducts the risk appetite
consensus meeting, and decides that the current level of enterprise risk
exposure is too high. In other words, the current level of enterprise risk
exposure exceeds the target level of risk exposure, or risk appetite. In this
case, there are only two things that management can do to decrease the level
of enterprise risk exposure and to manage it to within the risk appetite:
1. Change strategy
2. Change (risk management) tactics
This is illustrated at the top of Figure 3.1. As you can see, changing
strategy or tactics impacts the filters below. This in turn changes the calcula-
tions of enterprise risk exposure, as well as the calculation of the baseline
company value. What this illustrates is that the value-based ERM process
provides management with the ability to evaluate alternate risk decisions—
strategic and tactical—before they are made, by quantifying their impact on
the key metrics—enterprise risk exposure and the baseline company value.
Decision making is fully supported because management is provided with the
impact of each decision alternative on risk (enterprise risk exposure) and return
(baseline company value). This is one of the most effective elements of the
value-based ERM process and is certainly one of its most unique components.
This combination of both risk and return elements is a key ingredient that
supports decision making more generally.
To assist in the risk appetite consensus meeting, management usually
supplements the enterprise risk exposure information provided to the ERM
committee with some examples of how the enterprise risk exposure can be
changed by readily available strategic or tactical maneuvers. Helping the ERM
Value-Based ERM Framework & 79
C03 01/12/2011 23:58:25 Page 80
committee understand what is possible—how much the enterprise risk expo-
sure needle can feasibly be moved—is not only helpful, it is advisable.
Defining risk appetite should only be done after enterprise risk exposure is
calculated and, ideally, after getting some sense of the level to which it can be
feasibly managed. Unfortunately, this advice is not followed by everyone
implementing ERM, and it can lead to some difficulty. To see this, consider
an example of a company doing it the other way around—defining risk appetite
prior to knowing their current enterprise risk exposure. Imagine the following
sequence of events:
1. The ERM committee conducts a risk appetite consensus meeting, without
any quantitative information on enterprise risk exposure, and defines the
firm’s risk appetite.
2. Management reports risk appetite to internal stakeholders, and possibly to
some external stakeholders as well, such as rating agencies.
3. Six months later, management calculates enterprise risk exposure and
realizes that the enterprise risk exposure greatly exceeds their stated risk
appetite; even more problematic, after evaluating some strategic and
tactical changes designed to lower enterprise risk exposure, they realize
that there is no viable way to manage it to within risk appetite.
4. Management restates its risk appetite to allow for a higher level of
enterprise risk exposure.
The result of the unfortunate sequence of events in the example would
likely be, at a minimum, a loss of some confidence in management’s abilities in
enterprise risk management. This can be easily avoided by calculating enter-
prise risk exposure, and quantifying the impacts of potential strategic and
tactical maneuvers to manage it, prior to attempting to define risk appetite.
Nevertheless, it is useful to get an early sense, at a high level, of manage-
ment’s thinking on risk appetite, prior to finalizing the quantification. This is
only used for the ERM modeling team’s internal purposes, in defining metrics
and approximate breakpoints for the enterprise risk exposure pain points.
Strategic Planning and Other Business Decision Making
The value-based ERM framework provides an ability to quantify all key risks in
terms of their impact on company value (and other key metrics) and supports
the primary risk decision making in the ERM process—managing enterprise
risk exposure to within risk appetite. However, it does far more than that. This
80 & ERM Framework
C03 01/12/2011 23:58:25 Page 81
framework supports all management decision making, by informing decisions
with a more robust view on both the risk and return profile of any venture.
To see how, look once again at Figure 3.1. Imagine that you are standing
to the left of the figure, looking to the right. What the value-based ERM
framework appears to be doing is taking traditional ERM (identifying the risks
and developing risk scenarios, on the left side) and marrying it pretty tightly to
the company value metric (the value-based ERM model and value impacts, on
the right side).
Now, imagine that you are standing to the right of the figure, looking to
the left. From this vantage point, what this framework appears to be doing is
taking the traditional practice of value-based management (understanding
the drivers of company value and making the value of the company go up, on
the right side) and marrying it to more rigorous scenarios (risk scenario
development, on the left side). To see this, consider a key element of value-
based management: the strategic planning process. Management devises a
strategic plan, which, if properly executed, will increase the firm’s value. The
strategic plan is usually supported by a strategic plan financial projection.
Unfortunately, the result of most strategic planning processes—the ‘‘Plan’’—
is a binder on a shelf. The Plan is a static, single scenario projection of the
future, presented as if it will happen, just as expected, with 100 percent
certainty. This is a little unfair because the work done to develop the Plan by
the individual business segments often involves some excellent scenario
analyses, including SWOT analyses (strengths, weaknesses, opportunities,
and threats to the Plan) and sensitivity analyses, often with robust quanti-
tative workups. However, these are usually done in very different ways
throughout the company, by many different individuals, so that the scenario
analyses cannot be used on an aggregate basis:
& One person’s perspective of a worst-case scenario may be quite different
from another person’s (similarly, for all other scenarios, such as moder-
ately pessimistic, best-case, etc.). & Business segments, and even different individuals within business seg-
ments, may have different understandings of what is already embedded in
the strategic plan’s baseline scenario, and therefore, may have erroneously
constructed risk scenarios (in terms of how much deviation there is from
baseline in a given scenario). & Business segments may be taking different bets on, or have different
expectations of, the expected future environment (such as the direction
of the economy in the near future).
Value-Based ERM Framework & 81
C03 01/12/2011 23:58:25 Page 82
What the value-based ERM framework does is to align everyone in the
enterprise, in terms of what a best-estimate baseline projection of the future
strategy is, what a worst-case scenario is, what the future expectations of
the environment are, and so on, as well as how to define risk generally. The
importance of this alignment cannot be overstated. Through this alignment, the
value-based ERM approach provides management with a much more robust,
consistent, and dynamic strategic planning process and strategic plan financial
projection. The baseline company value is predicated on a set of business segment
financial projections with a consistent view on what constitutes a best-estimate
baseline scenario and future view of the internal and external environment.
In addition, the scenarios are consistent for all universal assumptions (the
economy, interest rate environment, currency exchange rates, weather, etc.)
and are consistently defined for all risk scenarios (for example, the definition of a
worst-case scenario is well understood, documented, and shared internally).
In addition to providing a dynamic strategic planning tool, the value-based
ERM approach provides a valuable ad-hoc ‘‘what-if ’’ tool, which can answer
such questions as:
& If a moderately pessimistic scenario for economic conditions occurs,
how would it impact revenues in each of our major business segments,
and the enterprise in total, including adjustments for any cross-segment
interactions? & If our worst-case scenario for currency exchange rates is realized, how
would it impact our earnings across the enterprise? & If our moderately optimistic scenario for the competitive environment
occurs, how would it impact our profit margins enterprise-wide?
These additional tools are not ancillary. Rather, they are critical to a
successful ERM program. A successful ERM program must be integrated into
key decision-making processes, such as strategic planning, strategic and
tactical decisions, and transactions.
In Chapter 2, we offered a commonly used short definition of ERM, which
offered a technical description of ERM:
The process by which companies identify, measure, manage, and disclose all key risks to increase value to stakeholders.
However, when ERM is implemented using a value-based approach, a
better definition may be as follows:
82 & ERM Framework
C03 01/12/2011 23:58:25 Page 83
A practical yet advanced approach to integrate both risk and return information into strategic planning and other business deci- sion making.
OVERCOMING THE CHALLENGES BY USING A VALUE-BASED ERM FRAMEWORK
At the beginning of this chapter, we stated that traditional ERM frameworks
often struggle to satisfy the 10 key criteria of an ERM program. We also
highlighted three core challenges, which are subsets of the 10 key criteria,
which are common symptoms of a suboptimal ERM framework. The emerging
value-based ERM framework was designed to effectively address the challenges
of traditional ERM programs, including these three core challenges. Now that
we have described the value-based ERM approach, we will discuss how this
emerging framework satisfies each of the 10 key criteria, and addresses the
three core challenges.
Criterion 1: Enterprise-Wide Scope
One of the main obstacles to achieving a consistent enterprise-wide adoption of
an ERM program is a limiting approach—an approach that simply cannot work
in every part of the organization. This is most common when the ERM program
is first developed with only the company’s primary business segment in mind.
This is especially common in financial services firms that have diverse busi-
nesses, some of which have to hold required capital on their balance sheets, and
some of which do not.
Required capital is an amount of capital that is required to remain on the
balance sheet in support of existing business on the books, and cannot be
employed to support future growth. The amount of required capital is set by
multiple stakeholders, including regulators, rating agencies, and management
itself, where each has its own approach to defining and calculating the required
amount. The company often holds the maximum of these amounts to ensure
satisfying all stakeholders.
Financial services companies where banking or insurance is the primary
business generally use a capital-based ERM framework; that is, they use capital
as their key metric. It is understandable that these types of organizations would
be drawn to a capital-based approach. It is an important metric for them. It is
also a metric that is a product of risk management—the required capital levels
are set based on assessing levels of risk in the firm. Unfortunately, this becomes
Overcoming the Challenges by Using a Value-Based ERM Framework & 83
C03 01/12/2011 23:58:26 Page 84
a nonstarter for those financial services companies that also have non-financial
services operations, in terms of achieving an enterprise-wide ERM program. A
capital-based approach simply can’t work in these non-financial services
operations, because they don’t have capital requirements.
For example, assume a bank holding company has a retail banking
division and a consulting division. They institute a capital-based ERM pro-
gram. Their key metric for quantifying risk exposure is the amount of
additional required capital generated by the risk exposure. The consulting
business clearly generates risk, yet it does not generate required capital,
because this part of the enterprise is not subject to capital requirements.
Capital requirements are not a universal currency that can be used to evaluate
risks across the enterprise, and as a result, the company has an incomplete
ERM program.
However, the value-based ERM program offers a metric that can, and does,
work across both financial services and non-financial services operations.
Company value is a unifying metric. Company value is the present value of
distributable cash flows for both types of operations. Each has a slightly different
definition for distributable cash flows, but once properly defined, they are
fully comparable:
Distributable cash f lowNon$f inancial services ¼Net income þ Depreciation and amortization $ Increase in working capital $ Capital expenditures
and
Distributable cash f lowFinancial services ¼Net income þ Depreciation and amortization $ Increase in working capital $ Capital expenditures $ Increase in required capital
Criterion 2: All Risk Categories Included
One of the most important of the 10 key criteria is the inclusion of all risk
categories in an ERM program. Ignoring a risk category, or not having a
balanced focus among all risk categories, can expose the company to excessive
risk and result in focusing limited risk mitigation resources on the wrong
84 & ERM Framework
C03 01/12/2011 23:58:26 Page 85
priorities. In addition, a lack of sufficient focus on certain risk categories can
result in unpleasant surprises; management doesn’t really care about which
risk source takes them by surprise . . . they just don’t want to be surprised.
Unfortunately, the vast majority of traditional ERM programs focus all, or most,
of their attention on financial risks, either ignoring or giving short shrift to the
strategic and operational risks, which are actually responsible for far more firm
volatility than the financial risks.
One of the main reasons for this imbalanced focus is an inability to quantify
strategic and operational risks. This is the first of the three core challenges to a
successful ERM implementation, which we discussed earlier. Let’s examine this
further.
Traditional Approach
There are three common approaches that traditional ERM frameworks use in
attempting to quantify strategic and operational risks:
1. Qualitative only
2. Industry data
3. Risk capital
Qualitative Only The most common approach used in traditional ERM frameworks is simply to not quantify strategic and operational risks, but instead
to develop qualitative information. This qualitative information takes the
form of key risk indicators (KRIs). For example, a qualitative KRI for the
risk of poor customer service might be the number of complaints per month.
KRIs can be useful. Changes in KRIs can indicate a potential underlying
problem, either existing or emerging, and prompt management to investigate.
However, KRIs are not enough to support ERM decision making; for example,
choosing between two alternate mitigation approaches. Management needs
numbers—quantitative data—to make decisions. Even quantitative data that
require estimates, or even guesses accompanied by confidence ranges, are
better than mere qualitative data.
Industry Data Another approach often used by traditional ERM frameworks is to rely on industry data to quantify strategic and operational risks. For some
risks this may be useful. However, the vast majority of strategic and operational
risks, and certainly the most important risks, cannot be quantified using this
approach. This is because industry data is often either unavailable or in-
appropriate or both.
Overcoming the Challenges by Using a Value-Based ERM Framework & 85
C03 01/12/2011 23:58:26 Page 86
Industry data is often unavailable for these risks. For example, there is no
industry data set that can quantify the potential impact of the company’s
strategic plan being flawed or the potential impact of poor strategy execution.
Each company’s strategy, or its ability to implement the strategy successfully,
is a completely unique risk.
Industry data is often useful as anecdotal supplementary data for risk
quantification. However, it is often inappropriate to rely on industry data as the
primary basis for risk quantification. The net impact of risk on an organization
varies significantly based on the risk mitigation tactics in place. For example, if
one company has more insurance coverage or a superior risk culture than
another apparently identical company, the first company will not suffer the
same consequences from a given risk event as the second company. How a risk
works its way through each organization can be radically different. Using an
industry data set does not take into account the specific nature of the company
and its risk management tactics.
Risk Capital The third approach routinely used to address quantification of strategic and operational risks is the one that may initially seem to be the most
rigorous quantitatively. Ironically, this is also the worst of the three traditional
ERM approaches. This approach is only used by financial services companies
that have capital requirements. This approach was introduced by Basel II, and
involves setting aside capital for operational risk. This effectively means that the
amount of required capital is increased to recognize balance sheet volatility
caused by the operational risks.
The first and most obvious failure is that Basel II ignores strategic risks
altogether. As shown in Chapter 2, strategic risks are more important than
operational risks, and appear to be at least twice as important. However, even
in terms of appropriately quantifying operational risks, there are significant
problems with the risk capital approach. Under Basel II, there are two
alternative methodologies:
Alternative 1: Set aside a percentage of revenues as operational risk capital.
Alternative 2: Use an internal model to calculate operational risk capital.
The vast majority of banks use alternative 1 and set aside approximately
15 percent of revenues as operational risk capital. A majority of insurance
companies have copied this method as well. The 15 percent is not risk-based.
The 15 percent, and therefore the amount of operational risk capital, is an
arbitrary number, totally unconnected to the reality of operational risks in the
86 & ERM Framework
C03 01/12/2011 23:58:26 Page 87
business. This is not a risk-based approach. But that is the least of its problems.
Worse still is the fact that this method produces an estimate of operational risk
whose changes are often even directionally incorrect.
Consider the following example. You are the head of the consumer
lending division of a large bank. The bank institutes an ERM program, and
in an attempt to quantify operational risk, defines operational risk capital as
15 percent of revenues. You are given the additional responsibility for opera-
tional risk management for your division. You excel at your new risk manage-
ment role. Within just the first year, you are a whirlwind of productivity,
and by everyone’s account, you have cut operational risk virtually in half.
You have decentralized key offices, instituted a litany of good operational
risk protocols, purchased more insurance coverage, and developed detailed
business continuity plans. In addition, in your primary role over the past year,
you have grown top-line revenues 25 percent. Congratulations: At year end,
operational risk capital—themeasure of howmuch operational risk there is in
your division—goes . . . up! This is not even directionally correct. The actual
risk was lowered by about 50 percent, yet the metric goes up 25 percent.
Clearly, this makes no sense, yet this is a very common approach employed in
the financial services sector.
Alternative 2 requires the bank to develop its own internal model to
measure operational risk capital requirements. Banks use VaR models and
insurance companies use economic capital models, both of which were
defined in Chapter 2. These models are risk-based in that they are generally
proportional to the risk: more risk means more risk capital, and less risk
means less risk capital. In addition, they can be, and sometimes are, used to
try to quantify strategic risks as well as operational risks. However, they do
not fully capture the financial impacts of strategic and operational risks. The
VaR and economic capital models are usually designed to quantify the impact
of risks on the balance sheet, to show the net impact to capital (assets less
liabilities) and to required capital. These models ignore the impact to future
revenues and expenses, which is often the bulk of the impact of strategic and
operational risks.
Consider the following case study. A large multinational insurance com-
pany is attempting to quantify the impact of a key risk involving a disaster at an
internal conference where top salespeople and managers are among those
killed. The key element to this risk quantitatively is that it significantly lowers
the entire future revenue projection of the strategic plan.
Unfortunately, the insurance company’s economic capital model woefully
understates this risk. Because most economic capital models are capital-centric
Overcoming the Challenges by Using a Value-Based ERM Framework & 87
C03 01/12/2011 23:58:26 Page 88
and therefore focus exclusively on balance sheet capital and required capital,
revenues for all future new business are generally not included, and so are not
available to be ‘‘shocked’’ downward to capture the full financial impact of
the risk. The baseline economic capital model includes a future projection
of revenues and expenses, but only those related to the current insurance
business ‘‘inforce,’’ or on the books. To add insult to injury, not only does the
economic capital model fail to fully quantify the downside impact of this worst-
case scenario, but it actually reports the event as good news, because it
accounts for a reduced allocation of expenses (due to fewer employees).
Value-Based Approach
Now, we will discuss the value-based ERM approach to quantifying strategic
and operational risks. After that, we will discuss how the value-based approach
addresses the shortcomings of the traditional ERM approach to quantifying
strategic and operational risks.
As discussed earlier, the ERM model projects distributable cash flows into
the future, consistent with the strategic plan, and then out beyond the
planning period in some reasonable way. The first metric calculated is the
baseline company value, which discounts the baseline distributable cash flows
to today, using the hurdle rate. The baseline company value is the price that an
investor would pay today, if they believed the company was going to perfectly
execute the strategic plan, and everything was going to go its way. Risk is then
defined as anything that shocks this baseline company value, up or down.
Failure Modes and Effects Analysis (FMEA) Technique The value-based ERM approach uses a technique called Failure Modes and Effects Analysis
(FMEA), adapted from the manufacturing sector, to develop the individual
deterministic risk scenarios for strategic and operational risks. There are four
steps to the FMEA process:
1. Identify interviewees. The first step in the FMEA process is to identify
the most appropriate internal subject matter experts for the risk in
question. For some risks, this might be the most senior person involved
with the risk, such as the executive risk owner, who has overall responsi-
bility for the risk, enterprise-wide. This might be the case for certain
litigation risks or human resources risks. However, the person closest to
the risk is usually the most appropriate choice.
88 & ERM Framework
C03 01/12/2011 23:58:26 Page 89
2. Develop risk scenarios. The second step is to begin the FMEA interview
with the identified interviewees by soliciting from thema set of risk scenarios
for the key risk in question. There are often several risk scenarios for eachkey
risk. For example, a single key risk may have the following risk scenarios: & Credible worst-case & Moderately pessimistic & Mildly pessimistic & Baseline (represents no risk) & Mildly optimistic & Moderately optimistic & Credible best-case
Not every key risk will have upside risk scenarios, but it is important to
consider these.
Each of these scenarios is an individual deterministic risk scenario. In
other words, these are hypothetical specific events. It is critical to develop
specific deterministic scenarios. Imagining a specific event occurring
makes it easier for interviewees to think through the sequential progres-
sion of likely events, as well as the consequences to the company.
It is best practice to begin with a credible worst-case scenario, by
asking the subject matter experts, ‘‘When your head hits the pillow at
night, what do you worry about?’’ This gets at something perhaps remote
in likelihood, but not out of the realm of all possibility, yet something that is
potentially very damaging to the company. Some of the less extreme risk
scenarios are often developed by modifying the credible worst-case sce-
nario (such as reducing its scale).
For each individual risk scenario, the FMEA process guides the experts
into thinking the event through in detail, chronologically. A series of
expert-led questioning extracts the internal subject matter expert’s knowl-
edge as to what eventualities in the external and internal environment
would likely flow from the initial event. What would be the initial damage?
What would be the secondary and tertiary repercussions? How would
management respond, and how quickly could they respond?
3. Assign likelihood. The third step is to assign likelihood to the event.
This is difficult because it is so uncertain. It is also difficult because the
interviewees are often not accustomed to making such estimates, and
usually do not speak the language of probability. They are unlikely to
respond in terms such as, ‘‘There is a 15 percent chance of this risk event
occurring this year.’’ This is another area where skill in conducting the
Overcoming the Challenges by Using a Value-Based ERM Framework & 89
C03 01/12/2011 23:58:26 Page 90
FMEA process is required to bridge the gap between the qualitative
language used by the interviewees and the quantitative language
needed for the ERM model.
4. Estimate quantitative impacts. The final step in the FMEA interview
is to develop estimates of the quantitative impacts of each deterministic
risk scenario on the baseline company value. This is done step by step,
using a series of questions: How would this impact revenues this year?
Future years? What are the impacts on fixed expenses? Variable expenses?
and so on. As with assigning likelihood, estimating quantitative impacts
can be difficult from the standpoint of getting interviewees comfortable
with making estimates. This is another reason why it is important to have
someone with experience conducting the FMEA interviews. See ‘‘But
Aren’t These Just Guesses?’’
An illustrative example is shown in Figure 3.5, which outlines the flow
of the four-step FMEA exercise, as well as an abridged summary of the kind
of information produced. Both the likelihood and the quantitative impacts
become inputs into the ERM model for shocking the baseline company
value, first to quantify individual risk exposures, and later to quantify
enterprise risk exposure.
Risk: Legislation Risk
Attendees: xxx, xxx, xxx
Scenario 1: Legislation passes reducing business opportunity in certain markets
Likelihood: 5%
Financial impact: • Revenue impact
ο 50% loss of planned revenues in market A • 1 st year: –$2.5M • 2 nd year: –$2.6M • etc.
ο 100% loss of planned revenues in market B • 1 st year: –$1.0M • 2 nd year: –$1.1M • etc.
• Expense impact ο Reduction in workforce
• –10% of salary and related benefits • +$100K severance costs
1) Identify interviewees - Those closest to the risk - Usually 1 or 2 subject matter experts
2) Develop risk scenarios - Begin with credible worst-case scenario - Select specific scenario and think it through
3) Assign likelihood
4) Estimate quantitative impacts - Determine distributable cash flow impacts
FIGURE 3.5 The FMEA Process and Sample Summary Output
90 & ERM Framework
C03 01/12/2011 23:58:26 Page 91
BUT AREN’T THESE JUST GUESSES?
A common initial concern raised in early discussions of the FMEA tech-nique is the claim that this information can’t possibly be useful because it is all based on mere guesses. Although the latter is largely true—the process does involve guesses—the former statement is incorrect: This information does add quite a lot of value to the ERMprocess. There are several factors that more than compensate for the uncertain nature of the information:
& Decisions happen anyway. As discussed in Chapter 2, the reality is that strategic and operational risks must be quantified in some way. They are far more impactful to firm volatility than financial risks, and management must make decisions involving these risks each and every day, with or without the benefit of quantitative data. Management is far better off with estimates, even highly subjective estimates, than with no quantita- tive information at all.
& Expert guesses. Although these are guesses, they are expert guesses, made by those closest to the risks and often those with decades of personal experience and even more anecdotal knowledge of risk events in the industry. There are many brilliant people in the firm, and there is much valuable knowledge trapped inside their heads. The FMEA pro- cess extracts this useful information out of the heads of the subject matter experts and puts it on the page in a consistent quantitative form, for all key risks, all across the company. Inmany cases, the FMEA process is the first time the subject matter experts have being asked to think through the risk scenarios and potential mitigation, and this thought- provoking process produces better guesses than previously existed anywhere, even inside the experts’ heads.
& Ranges. Ranges around the guess are used as a type of sensitivity analysis, which provides a level of comfort by showing how wrong the estimate could be. A case study illustrates this point. An ERM team presented a business opportunity, predicated on FMEA information, to a business unit, who initially objected based on the approximate nature of a single critical assumption. However, the business unit accepted the proposal once it was clear that, based on examining the ranges, the assumption would have to be off by a factor of 10 to negate the validity of the opportunity.5
In addition, the ranges themselves reveal useful information. The point estimates for two different risks might be identical at $10 million. However, the range for the first risk might be $8 million to $12 million, whereas the range for the second risk might be $5 million to $50 million.
(continued )
Overcoming the Challenges by Using a Value-Based ERM Framework & 91
C03 01/12/2011 23:58:26 Page 92
Advantages of Value-Based Approach
Now that we have described the value-based approach to quantifying strategic
and operational risks, we will compare the effectiveness of this approach with
the traditional ERM approaches. As discussed earlier, the three traditional ERM
methods used in attempting to quantify strategic and operational risks have
several disadvantages:
& Metrics don’t support decision making. & Data are unavailable or inappropriate. & Approach is not risk-based. & Inability to fully quantify risk impacts.
& Reduced bias. Another factor that makes this information better than pure guesses is the fact that the results of the FMEA interviews are documented. This reduces bias. When people know that their name is formally attached to something, they tend to be evenmore careful about its quality. This occurred during the initial implementations of SOX. At the end of the first major effort to gather and assess a large amount of data, senior executives had to sign their first attestation regarding the accuracy of the risk assessments, control assessments, and the financial reports. It was at this stage that the quality of the information increased somewhat, as the executives began scrutinizing the information more closely to increase their level of comfort before affixing their signatures.
& A crowd of experts. When the FMEA information is initially gathered, it is the product of just one or two experts. However, the FMEA informa- tion is published and shared with others in the company. This results in corrections and enhancements to the data, as others contribute their insights. This is much like the effect of Wikipedia, which benefits from shared knowledge leading to a collective consensus.6
& Relative comparisons. The FMEA process provides the ability tomake relative comparisons between risks. The FMEA exercise is performed in a consistent manner around the enterprise, for all risks, and expresses their potential impact quantitatively. Even though each individual risk scenario is quantified using subjective estimates, collectively this information becomes more powerful, because the relativities between risks are more reliable than any one estimate. The comparative analysis often leads to priorities shifting to those risks that are relatively more impactful.
(continued )
92 & ERM Framework
C03 01/12/2011 23:58:36 Page 93
The value-based approach addresses each of these issues.
Ability of Metrics to Support Decision Making The first traditional ERM method involves using only qualitative information, which leads to the inability
to make decisions based on the information. In stark contrast, the value-based
approach quantifies all key risks. In addition, the value-based approach
quantifies them in terms of the impact on company value, which robustly
supports decision making.
Availability and Appropriateness of Data The second traditional ERM method is to use industry data, which leads to the problem of unavailability and
inappropriateness. The value-based approach resolves these issues as well. The
data is available because the company is developing its own data primarily
using internal personnel. This information is abundant, because management
always knows who the one or two people are that are closest to a given risk, and
certainly has access to them. In addition, the data developed is company- and
culture-specific, because it is based on the specific situation within the firm.
Risk-Based Approach The third traditional ERM method involves using risk capital as the key metric. There are two alternative approaches: The first
uses an approach that is not risk-based and, worse, is sometimes directionally
incorrect in its measurement of changes in exposure. Clearly, the value-based
ERM approach is risk-based, because it begins with the company-specific
risk scenarios, and the ERM metrics properly rise and fall with the level
of exposures.
Ability to Fully Quantify Risk Impacts In addition, the value-based ap- proach allows for full quantification of the risks because the baseline company
value captures the full projection of future revenues, expenses, and other
components of distributable cash flow, and risk is measured as shocks to the
baseline. In our example discussed earlier, a disaster at an internal conference
results in the death of top salespeople and managers. The value-based ERM
approach has in its baseline company value the future revenues that these
salespeople were to generate. As a result, the quantification of the risk, which is
the shock to the baseline, would fully reflect all of the lost revenues.
Figure 3.6 summarizes the comparison between traditional ERM and value-
based ERM in terms of quantifying strategic and operational risks.
Overcoming the Challenges by Using a Value-Based ERM Framework & 93
C03 01/12/2011 23:58:36 Page 94
In the section titled ‘‘Case Studies’’ in Chapter 5, several case studies will
be discussed that more fully illustrate the value-based ERM methodology for
quantifying strategic and operational risks, as well as demonstrate its
effectiveness.
Criterion 3: Key Risk Focus
Many traditional ERM programs treat ERM as an expanded SOX exercise.
This is partly a result of the familiarity of the risk folks in the firm with SOX. It is
even more a result of the fact that the traditional ERM framework does not lend
itself to much beyond risk mitigation. As a result, without anywhere else to go,
management develops as comprehensive a laundry list of risks and risk controls
as it reasonably can.
Because the value-based ERM approach uses company value as the key
risk metric, it immediately focuses management on an appropriately limited
number of key risks. The key risks stand out quite distinctly in terms of their
potential impact—the amount of company value that they might destroy. This
naturally avoids an unnecessarily long list of risks, most of which would have
negligible impact on company value.
Criterion 4: Integrated across Risk Types
Risk management programs (precursors to ERM programs) almost always
involve ‘‘silo’’ approaches to risk, meaning each type of risk is handled
separately within the company. This leads to difficulties in three areas, as
discussed in Chapter 2:
Traditional Approach Value-Based Approach Method 1: Qualitative
Cannot support decision making
Quantifies impact to value/ supports decision making
Company/situation-specific
• Risk-based
• Fully quantifies risk impacts
Method 2: Industry data
Often unavailable or inappropriate
Method 3: Risk capital
• Not risk-based/often directionally incorrect
• Understates risk
FIGURE 3.6 Quantifying Strategic and Operational Risks
94 & ERM Framework
C03 01/12/2011 23:58:36 Page 95
1. Completeness
2. Efficiency
3. Internal consistency
Unfortunately, although all traditional ERM programs tout an integrated
approach as a key criterion, most of them still suffer from the same silo
mentality as their risk management predecessors. However, the value-based
ERM approach makes it easy to integrate an ERM program across risk types.
Let’s examine each of the three areas of potential difficulty regarding
integration, and compare the traditional ERM approach to the value-based
ERM approach.
Completeness
Traditional ERM programs using silo approaches are incomplete, because they
ignore multiple risks occurring simultaneously and fail to capture their inter-
activity—both offsets and exacerbations. In contrast, the value-based ERM
approach fully reflects this by directly measuring multiple risks and their
interactivity in the ERM model, producing the entire distribution of real-world
outcomes in the enterprise risk exposure graph (see Figure 3.1).
Efficiency
The inefficiencies in many traditional ERM programs caused by the lack of
centralized coordination and cross-departmental communication are resolved
in the value-based ERM approach. The structure provided by the value-based
ERM approach, as well as the unifying nature of the company value metric,
ensure a high level of ERM coordination and cross-pollination. The risk
scenarios are developed in a way that identifies and includes inputs from
any relevant area of the firm. In addition, the value-based approach uses a
central ERM model that can be used by business units anywhere in the firm to
measure the marginal impact of any risk decision. Finally, the top-down
approach to defining risk appetite, cascading down to risk limits, leads to
coordinated approaches by type of risk, enterprise-wide.
Internal Consistency
The internal inconsistencies of traditional ERM programs employing a silo
approach can manifest as conflicting projections of the internal and external
Overcoming the Challenges by Using a Value-Based ERM Framework & 95
C03 01/12/2011 23:58:36 Page 96
environment (for example, the performance of equity markets). However, the
value-based ERM approach clarifies where these exist and provides a single
consistent view for the company. The construction of the ERM model and the
calculation of the baseline company value correct these issues, as well as
strengthen the strategic planning process. In addition, risk scenarios are
developed in a way that includes all relevant viewpoints from anywhere in
the firm, partly during the FMEA process itself, and partly by the documen-
tation and internal sharing of the resulting risk scenarios.
Criterion 5: Aggregated Metrics
We will discuss two aspects of aggregated metrics:
1. Enterprise risk exposure and risk appetite
2. Top-down allocation of risk appetite to risk limits
Enterprise Risk Exposure and Risk Appetite
There are two key aggregate metrics required for ERM. The first one is
enterprise risk exposure and the second one is risk appetite. The former is a
calculated item, but the latter is a management-defined item. Enterprise risk
exposure represents the current level of overall enterprise volatility. Risk
appetite is the maximum limit of enterprise risk exposure to which manage-
ment would like the company to be exposed.
The two aggregate metrics should be mirrors of each other, because the
metric(s) used to define risk appetite should follow the metric(s) chosen for
enterprise risk exposure. This is because risk appetite is simply management’s
defined limit for the maximum acceptable level of enterprise risk exposure.
Recall that each of these aggregate metrics is actually an entire distribution
of outcomes (see Figure 3.1), which may be represented by multiple metrics,
each with multiple thresholds, and a corresponding likelihood for each
threshold. For enterprise risk exposure, one expression of these threshold-
likelihood pairs may be called a pain point. For example, one pain point
expression of enterprise risk exposure, and its risk appetite counterpart, might
be as follows:
Enterprise risk exposure pain point expression: 1 percent chance of losing
(amount X) of (metric Y)
Corresponding risk appetite expression: 5 percent chance of losing
(amount X) of (metric Y)
96 & ERM Framework
C03 01/12/2011 23:58:36 Page 97
So, because one (risk appetite) follows the other (enterprise risk exposure),
a key to producing these two aggregate metrics is that the enterprise risk
exposure metric(s) must be expressed, and calculated, at an enterprise level.
Without an aggregate level enterprise risk exposure, there is no aggregate level
risk appetite.
Unfortunately, most traditional ERM programs do not have this. Instead,
they commonly produce a large volume of key risk indicators (KRIs) to track
the exposure for their key risks. Disparate KRIs metrics are used for different key
risks. As a result, there is no single metric available to aggregate the exposures
to the enterprise level, which, in turn, means that there is also no aggregate
metric for risk appetite.
Without a quantitative definition of risk appetite, these companies com-
plicate matters in their attempt to produce some type of risk appetite statement.
What results is often a vague and confusing document. This is the second of the
three core challenges to a successful ERM implementation, which we discussed
earlier: An unclear definition of risk appetite. This leads to the inability to perform
the primary function of ERM—managing enterprise risk exposure to within risk
appetite. In addition, it also prevents the proper order of risk limit setting, which
should be top-down. Lacking a cascading top-down approach to setting risk
limits can sometimes lead to under-mitigation, which is potentially dangerous;
however, an even more common result is wasteful over-mitigation. This was
discussed in Chapter 2.
Unlike the traditional ERM programs, the value-based approach provides
both of the key aggregate metrics. All key risks can be quantified in terms of
their potential impact on company value. The company value metric works
consistently, regardless of geography or accounting system, because it is based
on distributable cash flow, which is a universal currency. It also works for all
types of risks, because it is the only metric that can fully quantify all risks,
particularly strategic and operational risks, which often impact future revenues
and expenses. This allows the calculation of enterprise risk exposure in terms of
company value as well, and as a result, risk appetite is easily expressed at the
aggregate level, on the same basis.
This facilitates the main goal of ERM: managing enterprise risk exposure to
within risk appetite. Both metrics are expressed consistently, so it is clear how
to do this because they can be compared directly. For example, modifying our
example discussed earlier, we might have the following:
Enterprise risk exposure: 1 percent chance of losing 30 percent or more in
company value
Overcoming the Challenges by Using a Value-Based ERM Framework & 97
C03 01/12/2011 23:58:37 Page 98
Risk appetite: 5 percent chance of losing 30 percent or more in company
value
Top-Down Allocation of Risk Appetite to Risk Limits
The value-based ERM approach also facilitates the appropriate top-down
allocation of risk appetite to risk limits. This is due to the same attribute
that allows the upward aggregation of individual risk exposures to enterprise
risk exposure: The company value metric is a consistent metric appropriate for
all key risks.
One way to visualize this is as a four-step process:
1. Upward aggregation of individual risk exposures to enterprise risk expo-
sure (graph form)
2. Developing pain point data (representation of enterprise risk exposure in
table form)
3. Defining risk appetite as a mirror of enterprise risk exposure (table form)
4. Downward cascading allocation of risk appetite to individual risk limits
This is illustrated in Figure 3.7. In Step A, the ERM model aggregates
the individual risk exposures, using the risk scenario information developed
in the FMEA process as well as the risk correlation data7 by running
simulations involving combinations of one risk event per simulation, two
risk events per simulation, and so on, producing the graph form of enterprise
risk exposure. In Step B, pain points are selected to produce the table form of
enterprise risk exposure. Step C involves two parts. The first part involves
mirroring the pain points from enterprise risk exposure, thus populating the
left-hand column of the risk appetite table. In the second part of Step C,
management defines the acceptable likelihood for each pain point during the
risk appetite consensus meeting, thus populating the right-hand column of
the risk appetite table.
Step D involves using the ERM model to reverse-engineer any desired
risk limits, below enterprise level, which will aggregate to risk appetite at
the enterprise level. Regardless of the type of allocation, or budgeting, of
risk appetite—whether the limits are by source of risk, by business unit, by
geography, and so on—the reverse-engineering aggregation is feasible,
because all exposures are measured with the consistent metric of company
value.
98 & ERM Framework
C03 01/12/2011 23:58:37 Page 99
Some illustrative examples of these types of risk limits may include:
& By source. No more than a 2 percent loss of company value from a risk
event caused by technology failure & By business unit. No more than a 5 percent loss of company value from
risk events arising from our retail business unit & By geography. No more than a 10 percent loss of company value from
risk events arising from our international operations
An example is provided in Chapter 6, ‘‘How to Define Risk Limits.’’
Criterion 6: Includes Decision Making
The third step in the ERM process cycle is risk decision making, which is most
central to the purpose of ERM—actually doing something about the risks,
acting on the information gathered up to this point in the process. Sadly, the
most common problem plaguing traditional ERM programs is the inability to
integrate ERM into decision making. This is the third, and final, of the core
challenges to a successful ERM implementation, which we discussed earlier.
Enterprise Risk Exposure Table Form
Enterprise Risk Exposure Graph Form
Pain Point Likelihood
∆Value ≤ –10% 15%
∆Value ≤ –20% 3%
∆Value ≤ –30% 1%
Individual Risk Exposures
… …
Li ke
lih oo
d
Company Value
Risk Appetite
Pain Point Likelihood
∆Value ≤ –10% 20%
∆Value ≤ –20% 5%
∆Value ≤ –30% 2%… …
ERM Model
ERM Model
Risk Limits
By Source
By Business Unit
By Geography …
A
B C
D
FIGURE 3.7 Aggregate Risk Metrics
Overcoming the Challenges by Using a Value-Based ERM Framework & 99
C03 01/12/2011 23:58:37 Page 100
There are three critical elements that must be in place for effectively
integrating ERM into decision making:
1. ERM metrics that support decision making
2. Practical ERM models
3. Consensus buy-in from business segments
Let’s evaluate both the traditional ERM approach and the value-based ERM
approach in terms of whether, and to what extent, they satisfy these three
critical elements.
Do the ERM Metrics Support Decision Making?
There are two aspects to having ERM metrics that support decision making:
1. Robust metrics for all types of risks
2. Metrics with both risk and return information
Traditional ERM programs do not have either of these in place, and
therefore do not have ERM metrics that support decision making. However,
the value-based ERM approach has both of these aspects and fully supports
decision making.
RobustMetrics for All Types of Risks Traditional ERM programs generally do not have robust metrics for all risks. Themetrics for strategic and operational
risks are either nonexistent or are simply not robust enough—not nearly as
robust as the metrics for financial risks. This was discussed earlier in this
chapter. As a result, the ERM metrics of traditional ERM programs cannot
support any decision in the company that involves strategy or operations,
which is the vast majority of important decisions. Essentially, traditional ERM
programs are more like financial risk management programs than holistic ERM
programs, and as such, their metrics are largely relegated to supporting
decisions solely involving financial risks.
Unlike traditional ERM programs, the value-based ERM approach quanti-
fies all types of risk, and does so in an equally robust way. All risks are quantified
on a consistent basis in terms of their potential impact on company value (and
other key metrics). As a result, all types of decisions can be informed by the
value-based ERM metrics, including strategic decisions, tactical decisions, and
transactions.
100 & ERM Framework
C03 01/12/2011 23:58:37 Page 101
Metrics with Both Risk and Return Information Traditional ERM metrics generally provide only half the picture needed for a business decision. Tradi-
tional ERMmetrics are only geared for capturing the downside. For example, in
financial services firms, they use capital loss or the increase in required capital
to measure the impact of a risk. But a business person needs to balance risk and
return to make risk–reward trade-off decisions. A decision cannot be made
without an ability to compare, within the givenmetric(s), the downside and the
upside of a decision.
Unlike traditional ERM programs, the central metric of the value-based
ERM approach—change in company value—is suitable for combining the risk
as well as the return side of the business decision-making equation. Not only
that, this provides the single most rigorous business case one can ever make for
a decision: the expected change in the company’s value, and the level of
certainty around achieving that change.
Are the ERM Models Practical?
Most traditional ERM models are overly complex. ERM models are designed,
built, modified, expanded, and maintained by modelers. And modelers, by their
nature, are like thoroughbreds—they love to run. It’s as if they have all this
pent-up capability and they are itching to unleash it. Modelers are tempted to
go down a rabbit hole of ever-increasing expansion of the model’s level of detail,
in a misguided belief that they are perfecting the model. However, this is
counterproductive to the whole point of the exercise, which is to support
decision making.
In contrast, value-based ERM models are not overly complex; rather, they
have an appropriate balance between robustness and practicality. The value-
based approach is designed specifically for connecting risk management to
business decision making. As a result, every aspect of the approach is tailored
and trimmed to keep it sleek and practical with this singular focus in mind, and
the model itself is no exception.
We will discuss four aspects of ERM model practicality:
1. Reliability. Traditional ERM models tend to be unreliable in terms of
their quality. Traditional ERM models require a large volume of inputs,
which makes them cumbersome to update every period. By the time the
model is refreshed, it is time to update the inputs again. As a result, the
model grows burdensome and the quality of updates deteriorates. In
addition, the voluminous and tangled programming code makes the
model prone to errors.
Overcoming the Challenges by Using a Value-Based ERM Framework & 101
C03 01/12/2011 23:58:37 Page 102
However, value-based ERMmodels are highly reliable in terms of their
quality. These models use a reasonable number of inputs, which makes
them easier to maintain, keeping the quality of the updates high. In
addition, the simplicity of the programming code makes the model less
prone to errors.
2. Speed. The response time for traditional ERM models is too slow to keep
up with the pace of business. In the financial services sector, these models
can literally take weeks to complete a single run. There are not many
decisions in the organization that can wait that long for an answer. In
addition, modifications to the model often require a lengthy time period
and a significant allocation of resources.
However, the response time for value-based ERMmodels is fast enough
to support business decision making even at the highest levels, where a
faster pace is required. Run time is usually kept to within a handful of
hours. With such a quick turnaround time, virtually all decisions can be
feasibly supported. In addition, modifications to the model can be made
rapidly, because the programming code is relatively straightforward.
3. Transparency. With a traditional ERM approach, the quantification
methodology is so murky that it tends to make management skittish at
the prospect of relying on it for use in decision making. For example, risk
scenarios might be based on a convoluted set of formulae, which are used in
conjunction with a stochastic process that generates new and abstract risk
scenarios every time. The lackof tangible risk scenarios canbedisconcerting.
However, with a value-based ERM approach, the methodology is
highly transparent to management, which gives them more comfort in
relying on it for decision-making purposes. For example, the underlying
individual risk scenarios that give rise to the entire set of exposure metrics
are tangible, specific, deterministic scenarios. Management can review
them directly, and even challenge the choice of assumptions, which gives
the approach a very concrete feel. This accelerates management’s adoption
of ERM into decision making.
4. Balance of significant digits. Traditional ERM models have an im-
balance of significant digits in their calculation and presentation of
results (this was discussed in Chapter 2). Traditional ERM models
purport to provide enterprise risk exposure calculated to a high level
of accuracy. However, these models cling to a hyper-accurate measure-
ment of financial risk while giving short shrift to the (more important)
strategic and operational risks, either ignoring them or estimating them
crudely. Yet, studies (discussed in Chapter 2) show that strategic and
102 & ERM Framework
C03 01/12/2011 23:58:37 Page 103
operational risk exposures generally represent the bulk of a firm’s
aggregate enterprise risk exposure. Therefore, claiming such a high
level of accuracy when reporting enterprise risk exposure is a violation
of the significant digits rule.
In contrast, the value-based ERM approach uses an appropriate balance
of accuracy in the calculation and reporting of its results. It uses a consistent
level of accuracy for both the financial risks and the strategic and opera-
tional risks. The value-based ERM approach develops aggregate information
that is correctly presented as approximate, by its nature, and is also
balanced, and thereby respectful of the significant digits rule.
Is There Consensus Buy-In from Business Segments?
In most traditional ERM programs, there is a lack of buy-in by the business
segments that ERM is something that is good for the business. This is all
too often the bane of the ERM program leader, who is faced with the task
of ‘‘selling’’ ERM to the business segments, whose receptivity remains cool.
Sometimes this is due to an ERM program that is, or is perceived to be, per-
petrated on the business segments by the corporate department. Perhaps
there was not enough input by the business segments in the risk identification
or risk quantification stages of the ERM process. Alternatively, the program
may be, or may be perceived to be, too compliance oriented.
This is another area in which the value-based ERM approach excels. There
are two features of the value-based ERM approach that result in rapidly
building consensus buy-in from the business segments:
1. Appropriate level of input by business segments
2. Support of business segment goals and initiatives
Appropriate Level of Input by Business Segments Most traditional ERM programs involve too much development exclusively within the bounds of the
corporate ERM team, particularly risk scenario development. Their thinking is
that if they first build a robust model fully populated with data and assump-
tions, and then unveil it, when people see what it can do, they will buy in to the
process. Unfortunately, this doesn’t work. Those closest to the risks—which are
largely those in the business segments—must be heavily involved, particularly
with risk scenario development.
The value-based ERM approach has an appropriate balance between
business segment and corporate input. The value-based approach uses the
Overcoming the Challenges by Using a Value-Based ERM Framework & 103
C03 01/12/2011 23:58:37 Page 104
FMEA process (described earlier in this chapter). The majority of the inputs
required for the FMEA process involve strategic and operational risks.
Those closest to these risks are mostly associates in the business segments,
who provide the bulk of the input. However, the corporate ERM team has
a right and responsibility to push back on some assumptions, to ensure a
consistent and credible process. For example, corporate ERM may know that
one of the FMEA interviewees is a particularly risk-averse individual, and
may tend to exaggerate the risks; alternatively, they may know that another
FMEA interviewee is a risk taker, and usually downplays the importance
of potential negative events. Or, someone else may be the champion for a
mitigation project under consideration, and that may color his or her
perspective. Knowing the people involved, and also seeing the FMEA exercise
across the enterprise, puts Corporate in a position to provide valuable input.
Support of Business Segment Goals and Initiatives Although most traditional ERM programs speak a lot about linkage to decision making, the
reality is that they are mired in mitigation. Knowing this, the business
segments are leery at the notion of inviting the risk folks into their business
discussions, lest they get in the way by throwing up risk roadblocks to progress.
The value-based approach is the diametric opposite to this. Its focus on decision
making permeates every step in the ERM process. One of the best examples of
this is during the FMEA risk scenario development exercises.
The FMEA interview is usually attended by business segment subject
matter experts who are closest to the risk, the interviewer (an ERM specialist
with experience in FMEA interviews), and representation from the corporate
ERM team. The subject matter experts will often exhibit unreceptive body
language at the outset of the meeting, leaning back in their chairs with arms
folded, looking at their watches, thinking (if not verbalizing):
This is just another corporate effort. You’re going to collect informa- tion and then try to use it to handcuff me in some way, imposing limits or controls on what you call ‘‘risk taking’’ but what I call doing business. So, let me get back to my work of running the business, because I’m generating the earnings that are paying all of your corporate salaries anyway.
This begins to change as the meeting unfolds. From the very beginning of
the FMEA process, the subject matter experts are being asked for all the inputs:
What could go wrong? What do you worry about? How bad might it be? How
104 & ERM Framework
C03 01/12/2011 23:58:37 Page 105
fast would we recover? And so on. The subject matter experts are appropriately
respected for the knowledge they have. Feeling this, they loosen up a little bit.
Arms become uncrossed.
Next, the ERMmodel, which quantifies the risks based on the risk scenario
inputs, is another potential barrier to business unit buy-in. Models are usually a
‘‘black box,’’ or nontransparent to those not in control of it. However, the
value-based approach uses a simpler, more accessible model that can be easily
explained. In addition, subject matter experts gain additional comfort when
they are told that they will have a chance to review the outputs and revisit their
inputs if results appear odd. They determine the inputs. They understand the
internal mechanics. They get to review the outputs. Suddenly, this begins to
feel like they own the model, and essentially they do. The buy-in builds further.
They are now sitting up straight.
Finally, at the end of the meeting, the subject matter experts from the
business segment are asked, ‘‘Is there any mitigation that you feel is needed,
or is there any project you had planned related to this risk scenario?’’ About a
third of them will pound their fist on the table, and exclaim, ‘‘Yeah, we know
we need such-and-such, but we just couldn’t make the business case and
Corporate did not approve it.’’ The corporate ERM folks are in a position to
respond, ‘‘Well, maybe we can help you. The ERM model is written in the
language of changes in company value, which is the strongest business case
possible. We can help you model the proposed decision, including its upside
and downside exposures, based on the marginal impact to the firm (including
any offsets elsewhere in the firm) and show you where the ‘edges’ are—what
revenues or cost savings are needed to make this viable.’’ Now the buy-in
goes into full gear. Now the subject matter experts lean all the way forward in
their chairs. Now they love you, because you are helping them get their
project accomplished. You are helping them achieve their goals, keep their
jobs, and get their bonuses. It is at this point that rather than pushing ERM
into the business segments, there actually begins to be a pull from them, once
they see how it can serve their needs.
The shift in consensus buy-in can be rapid and dramatic. As an example, a
financial firm was piloting the value-based approach in business segment A
before rolling it out to business segments B and C. After witnessing the rapid
shift in consensus buy-in resulting from this process, the CFO told me, ‘‘This is
fun. I thought I would have to push ERM into business segments B and C. But
once they heard what business segment A was getting, they were banging on
my door to get it, too.’’ As a result, the company moved quickly to implement
the value-based ERM approach enterprise-wide.
Overcoming the Challenges by Using a Value-Based ERM Framework & 105
C03 01/12/2011 23:58:37 Page 106
Table 3.3 summarizes the comparison between traditional ERM and value-
based ERM in terms of supporting decision making.
Criterion 7: Balances Risk and Return Management
Traditional risk management was exclusively about downside risk protection.
Though ERM is supposed to equally treat downside and upside volatility, most
traditional ERM programs lack the ability to deal with upside volatility. The
value-based ERM approach easily handles both, through its unifying metric—
changes in company value. Using the same language (value) for both risks
and opportunities clears the path for complete integration of both sides of
risk–return management.
Not only does the value-based ERM approach resolve this historical
problem with traditional risk management and even traditional ERM pro-
grams, but it also solves a problem more generally for business management.
One of the oldest and most used business phrases is ‘‘risk–reward’’ or ‘‘risk–
return’’ management. Incredibly, this is rarely done, at least not in a robust
way. Most companies have their reward or return management (e.g., strategic
planning) completely segregated from their risk management (e.g., internal
audit, corporate risk unit, etc.). Value-based ERM finally fulfills the promise of
TABLE 3.3 Supporting Decision Making: Traditional ERM versus Value-Based ERM
Traditional Approach Value-Based Approach
Do metrics support decision making?
NO & Not for operational or strategic risks
& Only risk, not return
YES & Metrics for all risks & DValue ¼ rigorous
business case
Do ERMmodels work?
NO & Unreliable quality & Slow response time & Lack of
transparency & Violates significant
digits rule
YES & Reliable quality & Fast response time & Transparency & Balance of significant
digits
Is there buy-in from business units?
NO & Corporate-driven & Compliance-
oriented
YES & Business unit-driven/ Corporate for consistency
& Supports business unit goals/initiatives
106 & ERM Framework
C03 01/12/2011 23:58:37 Page 107
balancing risk and return and integrating both into considerations of business
decisions, starting with strategic planning and cascading down through the
organization.
Criterion 8: Appropriate Risk Disclosures
The purpose of financial reporting is to inform investors about the potential
risks and opportunities of the company. As alluded to in Chapter 2, the most
defensible approach is to inform the development of risk disclosures with a
quantification of the potential impact of key risks on company value. After all,
the primary stakeholder is the shareholder, and company value is their
primary metric.
Unfortunately, companies using a traditional ERMapproach are unable to do
this, because they do not measure exposures in terms of the potential impact on
company value. However, companies using a value-based approach are easily
able to inform the risk disclosures with this type of information. The potential
impact on company value is a central output of the value-based approach.
Criterion 9: Measures Value Impacts
The ability to find the actions that truly add value depends fundamentally on the
activity of measuring value. Surprisingly, as discussed earlier in this chapter, few
companies measure company value. So, to fulfill the portion of the ERM
definition that describes its purpose as ‘‘to increase value,’’ an ERM program
would have to bring with it a measurement of value. Unfortunately, traditional
ERM programs do not do this. For example, at financial services companies, most
traditional ERM programs are capital-centric—they use the change in balance
sheet capital or the increase in required capital as the primary metric.
In comparison, the value-based ERM approach is all about value. Company
value is the central metric. The value-based ERM approach fully supports both
measuring the upside of value volatility (reward) as well as the downside of
value volatility (risk). This puts management in the best position possible to
manage value. Because value is fully measured, it can be fully managed.
Criterion 10: Primary Stakeholder Focus
Most traditional ERM programs focus on downside protection, and in that
tradition, they tend to focusmore on satisfying rating agencies than on satisfying
any other stakeholder. This is especially true for financial services companies,
which are, at times, overly focused on capital requirements. Maintaining an
Overcoming the Challenges by Using a Value-Based ERM Framework & 107
C03 01/12/2011 23:58:37 Page 108
appropriate level of capital is critical. However, focusing too heavily on capital
needs does not always lead to decisions that increase company value.
A better approach is to focus on the primary stakeholder, who, for most
public companies, is the shareholder, and treat all other stakeholders as
secondary. Secondary stakeholders should only be satisfied to the extent that
it optimally increases company value. The value-based approach provides the
framework to do just that. Every decision is viewed in terms of how it impacts
company value. See ‘‘Managing Secondary Constraints for Maximal Value.’’
In Chapter 10, we generalize the definition of the value-based ERM
approach to show how it can be adapted for entities that do not have public
shareholders and are not focused on company value or distributable cash flows.
MANAGING SECONDARY CONSTRAINTS FORMAXIMAL VALUE
The value-based ERM approach takes secondary stakeholders into ac-count as constraints to be managed in the process of increasing com- pany value. All types of decisions as to the optimal level of resources to expend in satisfying secondary stakeholders can be evaluated by the impact on company value. There is a ‘‘sweet spot’’ the company must find for the amount of resources to use in satisfying each such secondary stakeholder. The following two examples will illustrate this point:
Rating Agencies
& If the company does too little, in the extreme, then the likelihood of a ratings downgrade increases. A ratings downgrade risk scenario would include an increase in the cost of debt capital (i.e., interest expense), decreasing distributable cash flows, and lowering company value. This risk scenario may rise in the key risk ranking, which would increase the enterprise risk exposure. If the enterprise risk exposure is increased enough, this would imply a higher cost of equity capital, further lowering company value.
& If the company does too much, in the extreme, it may take the form of expensive risk mitigation efforts related to some issue about which the rating agency has expressed concerns, or abandoning plans for aggressive new ventures about which the rating agency had nega- tive, perhaps overly conservative, views. This would directly result in higher-than-expected expenses or lower-than-expected revenues,
108 & ERM Framework
C03 01/12/2011 23:58:38 Page 109
SUMMARY
Traditional ERM frameworks do not satisfy many of the 10 key ERM criteria,
and often fail to achieve most of them. In addition, traditional ERM programs
have three core challenges to successful ERM implementation, which are like
flags, or symptoms, identifying those companies that are using a suboptimal
ERM framework, and as a result, are struggling to satisfy the 10 key criteria.
These three core challenges are:
1. Inability to quantify strategic and operational risks
2. Unclear definition of risk appetite
3. Lack of integration of ERM into decision making
respectively, decreasing distributable cash flows and directly lowering company value.
& There is an optimal balance of efforts that maintains the desired rating at an appropriate cost, which results in the best risk–return trade-off, maximizing company value.
Charities
& If the company does too little, in the extreme, it increases the risk of negative media coverage resulting in reputational damage. This risk scenario may include a decrease in revenues due to loss of cus- tomers, an increase in expenses to fund an expensive public relations advertising campaign to mitigate the damage, or both, decreasing distributable cash flows and lowering company value. This risk sce- nario may rise in the key risk ranking, which would increase the enterprise risk exposure. If the enterprise risk exposure is increased enough, this would imply a higher cost of equity capital, further lowering company value.
& If the company does too much, in the extreme, it will overspend on charitable donations. This would directly result in higher-than-expected expenses, decreasing distributable cash flows and directly lowering company value.
& There is an optimal balance of efforts that satisfies the company’s image as a decent corporate citizen at a reasonable level of donations, which results in the best risk–return trade-off, maximizing company value.
Summary & 109
C03 01/12/2011 23:58:39 Page 110
The value-based approach was designed to address these shortcomings.
Through a synthesis of ERM and value-based management, the value-based
approach offers an advanced yet practical ERM approach that fully satisfies all
10 key ERM criteria, including the three core challenges.
Now that we have provided the recent historical context for ERM (Chapter
1), properly defined both risk and ERM (Chapter 2), and presented the value-
based ERM framework (this chapter), we conclude Part I, ‘‘Basic ERM Infra-
structure.’’ We are now ready to explore Part II, ‘‘ERM Process Cycle,’’ where
we will discuss the four steps in the ERM process cycle: risk identification
(Chapter 4), risk quantification (Chapter 5), risk decision making (Chapter 6),
and risk messaging (Chapter 7).
NOTES
1. Insurance risks are another category, primarily for insurance companies, but
also for other companies offering certain types of guarantees.
2. Some non-key risks also receive quantitative treatment, but not in the same
robust manner as described in the remainder of this section. Identifying
‘‘emerging risks’’—those risks that may become key risks in the future—is
a process that includes some quantitative analysis of risk scenarios for certain
non-key risks.
3. This is very different from traditional ERMmethods, which attempt to generate
risk scenarios from continuous distributions, most of which must be artificially
developed specifically to enable this approach.
4. This only represents the portion of the volatility arising from the key risks,
because these are the only ones quantified.
5. See Chapter 6, ‘‘Integrating ERM into Business Decision Making,’’ ‘‘Dealing
with Soft Assumptions’’ for more detail on this case study.
6. See also The Wisdom of Crowds, a book by James Surowiecki, which discusses
how collective information can improve even the estimates of the smartest
individual expert.
7. Correlation data adjusts for the fact that some risks are more likely to occur
together (positively correlated) than the multiplication of their probabilities
would otherwise indicate, whereas other risks are less likely to occur together
(negatively correlated). Risk correlations are discussed in more detail in
Chapter 5.
110 & ERM Framework
C04 01/12/2011 10:42:5 Page 111
IIPART TWO ERM Process Cycle
C04 01/12/2011 10:42:5 Page 112
C04 01/12/2011 10:42:5 Page 113
4CHAPTER FOUR Risk Identification
The dangers of life are infinite, and among them
is safety.
Goethe
ONCE AN ERM framework is chosen, and after at least some basicrisk governance is established, the four-step ERM process canbegin. Risk identification is the first step in this process, which, as discussed in Chapter 2, is a continuous, evolving, and integrated process.
COMPONENTS OF RISK IDENTIFICATION
There are three components to the risk identification ERM process step, as
performed using the value-based ERM approach:
1. Risk categorization and definition
2. Qualitative risk assessment
3. Emerging risk identification
113
C04 01/12/2011 10:42:5 Page 114
The first time these three components are conducted, they must be
performed in the order shown, because the outcome of each preceding
component is used as input into the following one.
Before we discuss these three components, we will discuss the five keys
to successful risk identification.
FIVE KEYS TO SUCCESSFUL RISK IDENTIFICATION
Many companies have at least begun the ERM process and have at least
completed the first step in the ERM process cycle—risk identification. Therefore,
many believe that common practices in risk identification are, by now, best
practices, and that this step is fairly straightforward. Unfortunately, quite the
contrary is true. There are several aspects of risk identification that are still
routinely performed in a suboptimal way. Not only does this hamper the risk
identification process step, but it also significantly impacts the quality of the
entire ERM program, because every other step in the ERM process is down-
stream from the risk identification step, relying on information from it.
To avoid these problems, ERM programs must employ the following five
keys to a successful risk identification process step:
Key #1: Define risks by source
Key #2: Categorize risks evenly
Key #3: Define metrics clearly
Key #4: Gather data appropriately
Key #5: Identify risks prospectively
The first two keys to success are primarily related to the risk categorization
and definition component of risk identification. The last three keys to success
are primarily related to the qualitative risk assessment component of risk
identification. These keys to success will be discussed later, within the context
of their corresponding component.
We will now discuss the three components of the risk identification ERM
process step, starting with risk categorization and definition.
RISK CATEGORIZATION AND DEFINITION
The risk categorization and definition component of the risk identification
process step consists of constructing a comprehensive list of known potential
114 & Risk Identification
C04 01/12/2011 10:42:5 Page 115
risks. The result is the risk categorization and definition (RCD) tool. The RCD
tool includes a risk categorization hierarchy including risk categories, risk
subcategories, risk divisions, the risks themselves, and a definition clarifying the
scope of the risk. Table 4.1 shows a partial sample of an RDC tool.
TABLE 4.1 Partial Sample of Risk Categorization and Definition (RCD) Tool
Risk
Category
Risk
Subcategory Risk Division Risk Definition
Operational Human resources
Talent management
Ability to recruit or retain
Ability to recruit or retain staff not matching expectations
Operational Human resources
Talent management
Succession planning
Ability to develop new leadership not matching expectations
Operational Human resources
Talent management
Critical employee(s)
Unexpected loss of employee(s) with critical and rare knowledge or skills
Operational Human resources
Talent management
Labor or producer relations
Employees or producers take unexpected action against the company (e.g., union strike)
..
. .. . ..
. .. . ..
.
Operational Technology Data security and privacy
External attack
External attack (e.g., phishing) steals company or customer data, including privacy data, and/or destroys programs or data
Operational Technology Data security and privacy
Internal attack Internal attack steals company or customer data, including privacy data, and/or destroys programs or data
Operational Technology Data security and privacy
Accidental breach
Employee accidentally exposes company or customer data, including privacy data, and/or destroys programs or data
Risk Categorization and Definition & 115
C04 01/12/2011 10:42:6 Page 116
The risk categorization in the RCD tool should be reasonably comprehensive
in terms of categories and subcategories, but certainly not in terms of individual
risks. A full list of categories and subcategories is needed to serve as a prompt
to participants in the qualitative risk assessment interviews, to trigger them to
consider myriad potential key risks that may lie within each category or sub-
category. However, it is not advisable to attempt to construct a comprehensive
list of all potential risks. Even if such a task were possible, the list of risks would be
too long. In addition, any list that purports to be comprehensive in terms of risks
tends to lower the level of imagination used by participants in the qualitative risk
assessment. Rather than meditate for a while on the business and its risks, they
simply look down the list and check off the ones that look relevant.
The main risk categories, and their definitions, are as follows:
Financial risk. Unexpected changes in external markets, prices, rates,
and liquidity supply and demand. This includes market risk, credit risk, and
liquidity risk
Strategic risk. Unexpected changes in key elements of strategy formula-
tion or execution
Operational risk. Unexpected changes in elements related to operations,
such as human resources, technology, processes, and disasters
There is one additional risk category—insurance risk, which generally
applies only to insurance companies. Insurance risk involves poor performance
of the pricing, underwriting, reserving, or setting of required capital for
insurance products.
An example of some common risk categories and subcategories, and their
definitions, is shown in Table 4.2.
TABLE 4.2 Common Risk Categories and Subcategories
Risk
Category
Risk
Subcategory Definition
Financial A category of risks related to unexpected changes
in external markets, prices, rates, and liquidity
supply and demand. See also market risk, credit
risk, and liquidity risk.
Financial Market Unexpected changes in external markets (such as stock markets), prices (such as commodity prices), or rates (such as interest rates), related to (a) general market movements (although the source for this is often economic risk) or (b) a specific asset on the company’s balance sheet. Some examples include equity market risk, interest rate risk, and currency risk.
116 & Risk Identification
C04 01/12/2011 10:42:7 Page 117
Financial Credit Unexpected changes in credit markets (availability), prices (credit spreads), or credit-worthiness of issuers, related to (a) general credit market movements (although the source for this is often economic risk) or (b) a specific issuer of a fixed-income security on the company’s balance sheet or (c) a counterparty to whom the company has extended credit.
Financial Liquidity Unexpected changes in liquidity supply or demand, related to three different levels of impact on the company: (a) untimely asset sales; (b) inability to meet contractual demands; or (c) default. A change in liquidity supply involves an unexpected change in the ability to sell assets as expected in the market, in terms of price, volume, or timeliness. A change in liquidity demand involves an unexpected change in demand for liquidity by option holders, such as bondholders exercising early put options or ‘‘run-on- the-bank’’ situations for financial services companies, where account holders suddenly request the withdrawal of funds from their accounts, en masse.
Strategic A category of risks related to unexpected changes in
key elements of strategy formulation or execution.
This is highly variable by company and must be
customized.
Strategic Strategy Viability of strategy—such as choice of products, distribution channels, markets, or value proposition— does not match expectations. This is highly variable by company and must be customized.
Strategic Execution Strategy is not implemented as expected. This is highly variable by company and must be customized.
Strategic Governance Governance is not functioning as expected.
Strategic Strategic relationships
Unexpected change in strategic relationships, such as a parent company or joint venture partner.
Strategic Competitor Unexpected change in competitive landscape, such as new entrants, aggressive competitor actions against the company, price wars, and so forth.
Strategic Supplier Unexpected changes in supplier environment, such as supplier capacity, supplier failure, or change in the cost of goods or services. This also includes unexpected changes in rating agency ratings or regulatory licenses.
Strategic Economic Unexpected changes in the economy. This is often the source of risk that triggers multiple simultaneous unexpected changes in other items, such as consumer
(continued )
Risk Categorization and Definition & 117
C04 01/12/2011 10:42:8 Page 118
TABLE 4.2 (continued )
Risk
Category
Risk
Subcategory Definition
disposable income (impacting demand for the company’s products or services), employment markets (impacting the company’s fixed expenses), inflation/ deflation (impacting the company’s variable costs), items related to market risk, and items related to credit risk.
Strategic External relations
Unexpected changes in the company’s relationship with external stakeholders with public voices, such as the media, consumer advocates, equity analysts, rating agencies, regulators, and politicians.
Strategic Legislative/ regulatory
Unexpected changes in laws or regulations.
Strategic International Unexpected changes in the business environment of foreign countries in which the company operates, such as unexpected changes in the government’s stability, attitude toward foreign companies, and tariffs.
Operational A category of risks related to unexpected changes in
elements related to operations, such as human
resources, technology, processes, and disasters.
Operational Human resources
Human resources (i.e., people) are not performing as expected, such as unexpected changes in talent management, performance, productivity, and conduct.
Operational Technology Technology not performing as expected. Some examples include data security, data privacy, data integrity, capacity, and reliability.
Operational Litigation Unexpected civil suits or judgments against the company.
Operational Compliance Level of compliance not matching expectations, such as financial reports are not as accurate as expected.
Operational External fraud Unexpected change in the amount of fraud by external parties.
Operational Disasters Unexpected natural or man-made disasters, such as weather-related (such as hurricane, flood, tornado, earthquake, and drought), health-related (such as pandemic), accidental (such as fire), general acts of destruction (such as war, terrorism, and rioting), and specific acts of destruction against the company (such as product tampering, attack on employees, and sabotage). This also includes unexpected man-made disasters caused by company employees or agents, such as environment damage.
Operational Processes Company processes not functioning as expected.
118 & Risk Identification
C04 01/12/2011 10:42:9 Page 119
Nomenclature
Although it is important for the RCD tool to include a comprehensive list of risk
categories and subcategories, it is not particularly important that its nomen-
clature conform to any external standard. What is important regarding RCD
nomenclature is that it be clearly defined and consistently used throughout the
organization. In fact, internally, it is often best not to use an externally defined
standard for RCD nomenclature. External standards are often poorly con-
structed; for example, they are not consistently defined by source. In addition, it
is preferable to customize the nomenclature with terminology already in use by
the businesses, which can help to pave a smoother path toward adoption and
integration of the RCD tool, specifically, as well as ERM generally.
RCD Tool Applications
The RCD tool provides a uniform lexicon for risks throughout the enterprise.
This assists the development of risk culture, which is the integration of ERM
into key company processes. Having a consistent language for risk is critical to
a uniform adoption and integration of ERM into the organization over time. The
importance of having a common language for risk cannot be overstated, and
will be further explored later, during discussion of the first two keys to
successful risk identification. Suffice to say that there are many ways that
the categorization and definition of risks can go awry, and the RCD tool helps
keep this on a consistent track.
As a result of this unifying quality, the RCD tool becomes a natural focal
point for many aspects of the ERM program, and is commonly used in several
ways. The main applications for the RCD tool include the following:
& Catalyst & Collection and coordination & Monitoring & Reporting & Comparative analysis & Recording
Catalyst
Often, the very first use of the RCD tool is as a catalyst in the qualitative risk
assessment phase of the risk identification process step. The RCD tool is part of
the advance communication provided to the qualitative risk assessment survey
Risk Categorization and Definition & 119
C04 01/12/2011 10:42:9 Page 120
participants. This helps trigger survey participants’ imagination of potential
key risks to consider. At a minimum, it confronts survey participants with the
specific risks listed in the RCD tool, and calls on them to consider whether these
are potential key risks for their business or for the enterprise as a whole. In
addition, the reasonably comprehensive nature of the RCD tool reminds survey
participants of risks that they may well know, but that may have otherwise
slipped their mind during the qualitative risk assessment exercise. Finally, for
qualitative risk assessments subsequent to the initial one, the RCD tool shared
with survey participants is often populated to show which risks were identified
as potential key risks in the prior qualitative risk assessment, as well as their
consensus ranking and likelihood-severity scores. This helps survey partici-
pants consider whether, and to what extent, the importance of these previously
identified risks has changed.
This also gets qualitative survey participants to think in terms of risk
defined and categorized in a consistent manner. The RCD tool illustrates the
proper way to define risks by source and to categorize risks evenly.
Collection and Coordination
The RCD tool is useful for the collection of data and coordination of activities
during the qualitative risk assessment. The RCD tool is easy to use as a
template to populate risks as they are identified by survey participants during
the qualitative risk assessment. In addition, it helps interviewers as they
interpret and document the risks provided by survey participants. Often, the
risks, as stated by survey participants, are either not worded clearly or are
not properly defined as a source of risk (see later ‘‘Key #1: Define Risks by
Source’’). By mapping the inputs provided into the RCD tool, interviewers
can quickly identify any problems. When the qualitative risk assessment is
performed via live interviews, the RCD tool helps interviewers identify any
issues in real time, which affords them the immediate opportunity to ask
clarifying questions of survey participants, and to make any necessary
corrections.
In addition, when interviews are used for the qualitative risk assessment,
the RCD tool facilitates coordination among multiple interviewers. In addition to
their uniform interview script, all interviewers have the same RCD tool, which
serves as a central touchstone keeping all interviewers aligned. Also, as new po-
tential risks are identified by survey participants in early interviews, interviewers
canquickly andeasily coordinatewitheachother to include the additional risks in
the RCD template, making them more complete for the remaining interviews.
120 & Risk Identification
C04 01/12/2011 10:42:10 Page 121
Finally, the RCD tool is used to coordinate the qualitative risk assessment
consensus meeting. This is where the individual results of the qualitative risk
assessment are aggregated and shared with all survey participants, and a
meeting is held to clarify any results with significant dispersion and enhance
the level of consensus before finalizing results.
Monitoring
After the qualitative risk assessment, the RCD tool is used to store all the
results—key risks as well as those risks confirmed as risks in the consensus
meeting, but which did not rise to the level of key risks on the basis of their
likelihood-severity scores. In between periodic reperformance of the qualitative
risk assessment, the fully populated RCD tool is used to monitor any potential
changes in the importance of any of the risks listed therein. This is part of
emerging risk identification.
Reporting
The RCD tool can also be used as part of the internal reporting of key risks to
management and to the board of directors. Seeing the key risks listed within the
RCD tool provides a context within which to better understand the key risks.
This highlights those risks selected as key risks, and contrasts them against
those risks not selected as key risks. This provides more information and elicits
the kind of engaged dialogue that builds risk awareness and risk culture at
senior levels. In addition, using the RCD tool for internal reporting provides a
standard report format that can be sustained over time.
Comparative Analysis
Another useful application of the RCD tool is to provide a basis for conducting a
comparative analysis between the company’s own risk disclosures and that of
its key competitors. When available, competitors’ risk disclosures are examined
and the risks are mapped into the RCD tool. This puts the disparate formats and
terminology on a consistent basis, which allows direct comparison. This
analysis often reveals interesting information, such as the following:
& Risks disclosed by the company and by competitors & Risks disclosed by the company but not disclosed by competitors & Risks disclosed by competitors but not disclosed by the company & Relative emphasis placed on certain risks by competitors and how that
differs from the company’s relative emphasis
Risk Categorization and Definition & 121
C04 01/12/2011 10:42:10 Page 122
Recording
TheRCD tool is also useful as a platform for the risk event database,which records
actual occurrences of risk events impacting the organization. The risk event
database captures various information about the events, including, for example,
originating source of the risk, how the event emerged and unfolded, manage-
ment’s actions, and the ultimate financial impacts. This is used for two purposes.
The first is to capture information that can beused to enhance the development of
risk scenarios. Capturing historical experience related to a specific risk can inform
the estimates of future likelihood as well as future severity of impact. A second
purpose is to enhance the entire ERMprogram throughwhat is often referred toas
‘‘risk learnings.’’1 Risk learnings are the lessons learned from the risk event,
including, for example, answers to the following questions:
& Was the originating source for the risk event on our radar? If not, can we
improve our risk identification process? & How did the risk emerge? Should we have caught it earlier on? & How did the risk event unfold, and what financial impacts occurred? Can
we use this information to enhance our risk scenario development process? & Was there any existing pre-event mitigation in place (i.e., fraud detection
systems) to make the event less likely or less impactful, and was it effective? & Was there a management reaction plan in place (e.g., business continuity
plan), did management follow it, and was it effective? & Was there post-event mitigation (e.g., insurance coverage) and did it
perform as expected?
For the RCD tool to be effective, its constructionmust reflect the two related
keys to successful risk identification, listed earlier:
Key #1: Define risks by source
Key #2: Categorize risks evenly
Key #1: Define Risks by Source
Most ERM programs fail to properly define all risks by their source. Typically,
they define some risks by their source, but they define others by their outcome.
For example, here is a sample list of seven risks:
1. Competitor risk
2. Supplier risk
122 & Risk Identification
C04 01/12/2011 10:42:10 Page 123
3. Technology risk
4. Regulatory risk
5. Terrorism risk
6. Reputational risk
7. Ratings downgrade
Unfortunately, these risks are inconsistently defined. The first five risks
are defined by their source, but the last two risks are defined by their
outcome.
Let’s look first at reputational risk. Clearly, protecting their reputation is a
major concern for most companies, and this is a risk that is very commonly
included in company’s key risk lists. However, reputation risk is not a risk.
That is, it is not stated in the form of a source of risk. Rather, reputational
damage is a result, an outcome, which can occur as a direct result of several
distinct sources of risk. Product quality may not be living up to expectations
or to company advertising campaigns. Customer service may have deteriorated
past a tipping point. A significant case of internal fraud may be discovered, or
an internal scandal may become public. Company management of external
relations may have gone awry. There are various risk events that are the
originating sources, or root causes, that lead first to negative media coverage,
and then, possibly, to reputational damage.
In fact, not only is reputational damage not a true source of risk, it is also
not even the true outcome, at least not the outcome that matters most.
Reputational damage is only relevant to the point that it actually causes
financial consequences, which are the ultimate outcome in terms of impor-
tance. To matter, reputational damage must manifest in some financial way,
either in lowering future revenues, increasing future expenses, and/or
increasing the cost of capital. At least one of these must occur for company
value to be reduced. So, reputational ‘‘risk’’ is only a stopover—an interme-
diate outcome—along the way. Figure 4.1 illustrates these relationships in
terms of their flow from multiple true sources of risk to negative media
coverage and then reputational damage, and, finally, to the true outcome of
financial impacts. See ‘‘LifeLock.’’
A similar observation is presented for the second of the two risks from our
earlier example, which was the risk of a ratings downgrade. Companies with
public debt are concerned with their debt ratings assigned by rating agencies.
And it is quite common to find ‘‘ratings downgrade’’ on a company’s key risk
list. Yet, as in the situation for reputational risk, ratings downgrade is not a
source of risk. Rather, a ratings downgrade is an intermediate outcome that
Risk Categorization and Definition & 123
C04 01/12/2011 10:42:10 Page 124
OUTCOME Lower
Revenues
Higher Expenses
INTERMEDIATE
Negative Media Coverage
SOURCE Poor Product
Quality
Poor Customer Service
Internal Fraud or Scandal
Poor External Relations
Reputation Damage
Lower Company Value
Higher Cost of Equity Capital
FIGURE 4.1 Reputational Risk Can Result from Several Different Risk Sources
LIFELOCK
Risk events involving reputational damage do not always result in largefinancial impacts. This is often the case for companies with lesser- known brands, which tend not to generate a sustained level of media interest after a story initially breaks. This is also often the case for risk events for which people tend not to hold the company accountable. However, a risk to avoid would be one that betrays the core branding of the company. For example, if a home security alarm company suffers a break-in at its headquarters, it can be very bad for business. A company called LifeLock got itself into such a situation.
Founded in 2005, LifeLock became one of the leading names in identity theft protection in the United States, using a marketing campaign with CEO Todd Davis’ social security number painted on the side of a truck. In May 2007, the Phoenix New Times, a free weekly newspaper in Phoenix, ran an article indicating that Robert J. Maynard, Jr., a cofounder of LifeLock, may have stolen his own father’s identity to get an American Express card, and used it to make $150,000 in fraudulent charges. Maynard resigned within days. In May 2010, the same newspaper ran another article revealing that Todd Davis had himself been a victim of identity theft at least 13 times since 2007. LifeLock’s earnings are not public, but this could not have been good for business.
124 & Risk Identification
C04 01/12/2011 10:42:20 Page 125
can be triggered by many different sources of risk. The strategy itself may be
flawed. Management may be struggling to effectively implement the strategy.
Management may have a deteriorating relationship with one or more of the
rating agencies.2 These are examples of true sources of risk that can give rise
to a ratings downgrade. The ratings downgrade is a direct result of one or
more of these sources of risk. Once it occurs, the ratings downgrade is merely
an intermediate outcome; it can then lead to financial impacts, including
lower revenues, higher expenses, and/or a higher cost of capital. Figure 4.2
illustrates these relationships in terms of their flow from multiple true sources
of risk, to the intermediate outcome of a ratings downgrade, and on to
financial impacts.
Another example is equity market risk. This is a common risk found on key
risk lists for companies that have equities among their invested assets,
particularly financial services companies. Yet, most of the time, this is not
the source of risk, but rather merely one expression—an intermediate out-
come—of the true source of risk, which is volatility in the economy. Identifying
the true source for market risk has additional implications beyond the earlier
examples of reputational risk and ratings downgrade. In this example, eco-
nomic volatility is not the only possible source driving equity market volatility,
but it is perhaps the primary one. The more important distinction here, though,
OUTCOMEINTERMEDIATE
Ratings Downgrade
SOURCE
Poor Strategy
Poor Execution
Poor Rating Agency
Relations
Lower Revenues
Higher Expenses
Lower Company Value
Higher Cost of Equity Capital
FIGURE 4.2 A Ratings Downgrade Can Be Triggered by Several Different Risk Sources
Risk Categorization and Definition & 125
C04 01/12/2011 10:42:24 Page 126
is that the single source of risk—economic volatility—drives multiple interme-
diate outcomes, many of which impact each other, in complex ways, and all of
which ultimately can impact the financial components of company value. The
intermediate outcomes of economic volatility include, for example:
& Equity market risk (unexpected changes in equity markets) & Credit risk (unexpected changes in credit markets) & Unexpected inflation or deflation & Unexpected changes in employment levels & Unexpected changes in consumer spendable income
Figure 4.3 illustrates the basic order of these relationships in terms of their
flow from the single true source of risk highlighted here, to the multiple
intermediate outcomes, and on to financial impacts.
Failing to define all risks consistently by source lowers the quality of three of the
ERM process steps:
& Risk identification & Risk quantification & Risk decision making
OUTCOMEINTERMEDIATESOURCE
Unexpected Economic Volatility
Equity Market Risk Lower
Revenues
Higher Expenses
Lower Company Value
Higher Cost of Equity Capital
Credit Risk
Unemployment
Consumer Spendable Income
Inflation/Deflation
FIGURE 4.3 Economic Volatility Is Often the Source of Equity Market and Other Risks
126 & Risk Identification
C04 01/12/2011 10:42:27 Page 127
Impact on Risk Identification
Failing to define all risks consistently by their source lowers the quality of the
qualitative risk assessment component of the risk identification process step.
The qualitative risk assessment involves asking survey participants to assess
potential key risks by providing a qualitative ranking (e.g., high, medium, or
low) for both likelihood and severity. To have meaningful survey results, survey
participants in the qualitative risk assessment must have a clear definition and
consistent understanding of the risks they are assessing. Unfortunately, when
risks are defined by their outcome, this often causes confusion. In considering a
given risk defined by its outcome, different survey participants may be imagin-
ing a different corresponding source of risk, and as a result, the likelihood and
severity scores will be provided on an inconsistent basis. This inconsistency is
even more insidious to the ERM process, because it usually goes undetected.
Impact on Risk Quantification
Failing to define all risks consistently by their source also impedes the risk
scenario development portion of the risk quantification ERM process step. It
does so in three ways:
1. Inability to identify subject matter experts. When risks are im-
properly defined by outcome, it is even difficult to identify the appropriate
subject matter experts to begin with, because this depends on the source of
risk. Risk scenarios for reputational damage caused by poor product quality
should involve subject matter experts from the quality or production areas.
However, risk scenarios for reputational damage caused by poor customer
service should involve those from the customer service center.
2. Difficulty imagining risk scenarios. The ambiguity of a risk that is
improperly defined by outcome makes it difficult to imagine individual
deterministic risk scenarios. Something amorphous such as reputation
risk does not immediately bring to mind a specific risk scenario. In fact,
this just leads those responsible for developing the risk scenarios—subject
matter experts—into an attempt to identify a source of reputational risk
on an impromptu basis. Trying to trace this back to a source of risk does
not belong in the risk scenario development exercise. In this forum, the
subject matter experts are likely to omit one or more potential sources
of risk.
3. Incomplete risk scenarios. Defining risks by their outcome can lead to
incomplete risk scenarios. When the true source of risk is not identified, it
Risk Categorization and Definition & 127
C04 01/12/2011 10:42:27 Page 128
is easy to omit other intermediate outcomes that would naturally ac-
company the outcome identified in a given scenario. Consider our earlier
example of equity market risk. As Figure 4.3 shows, if equity market risk
was the only item identified, the risk scenario would include only the
financial impacts from equity volatility. However, in most cases, eco-
nomic risk (unexpected economic volatility) is the true source of risk.
Realistic economic scenarios include impacts on multiple intermediate
outcomes (credit risk, inflation/deflation, etc.), all of which have varying,
and interacting, financial impacts, each of which must be included.
Impact on Risk Decision Making
Failing to define all risks consistently by their source also inhibits the risk
mitigation portion of the risk decision-making process step. Although some
risk mitigation relates to the outcome (for example, insurance coverage),
most mitigation is performed at the source of risk. As a result, it is difficult to
evaluate mitigation options for risks when you don’t know the source. For
example, if management became concerned about a ratings downgrade, their
actions to mitigate this risk would depend on what is driving this concern. Is
it a poor strategy? If so, what aspect(s) of strategy must be corrected? Is it poor
execution of strategy? If so, what aspect(s) of execution must be better
managed? If the source is not identified, then management is hard-pressed to
come up with a vision of the mitigation options to consider.
Consistently defining risks by their source resolves all of these issues. It allows
for consistent scoring provided by survey participants in the qualitative risk
assessment, because they all have a common understanding of the specific
source for each risk. It makes it easy to identify the appropriate subject matter
experts responsible for developing risk scenarios for each individual risk source.
It provides a smooth path for imagining the specific risk scenarios, which can
flow logically from their originating source. It provides the ability to construct
complete risk scenarios. And, finally, it enables consideration of all mitigation
options, which occur mostly at the source.
Now, let’s look at the second key to success, which must be reflected in the
construction of the RCD tool.
Key #2: Categorize Risks Evenly
Many RCD lists do not categorize risks at an even level of abstraction. Some
portions of the RCD tool are often categorized at too high a level, and others are
128 & Risk Identification
C04 01/12/2011 10:42:27 Page 129
often categorized at too low a level. Either one of these problems lowers the
quality of the risk identification process step. Those categorized at too high a
level can lead to failure to consider subcategories (or divisions or individual
risks) within the category (or subcategory or division) identified. As an example
consider the risk division ‘‘Talent management’’ shown in Table 4.1. If the RCD
tool had only identified this division and not identified any of the risks below it,
it is possible that some of the risks under this division may have been missed,
such as ‘‘Critical employee(s).’’
Similarly, some portions of the RCD tool are categorized at too low a level,
which can lead to failure to consider the divisions above the identified risks, as
well as some of the individual risks to which they correspond. As an example,
again consider the risk division ‘‘Talent management’’ shown in Table 4.1. If
the RCD tool had only identified some of the individual risks, such as ‘‘Ability to
recruit or retain’’ and ‘‘Succession planning,’’ it is possible that the overarching
division, ‘‘Talent management,’’ may have been missed. This might result in
omitting other risks within the division such as ‘‘Critical employee(s)’’ or
‘‘Labor or producer relations.’’
QUALITATIVE RISK ASSESSMENT
Once the RCD tool is properly constructed, the main activity in the risk
identification process step can take place: the qualitative risk assessment.
The qualitative risk assessment is the second component in the risk identifica-
tion ERM process step. We will describe the qualitative risk assessment by its
purpose, its process, and its product.
Purpose
The primary purpose of the qualitative risk assessment is to prioritize the list of
potential risks and narrow them down to the list of key risks. The key risk list is
a list of approximately 20 to 30 of the most important risks, which will be
advanced to the next step in the ERM process cycle: risk quantification. A
secondary purpose of the qualitative risk assessment is to support the emerging
risk identification process.
Process
The process of the qualitative risk assessment involves soliciting input from
internal personnel regarding the organization’s key risks, and a high-level
Qualitative Risk Assessment & 129
C04 01/12/2011 10:42:27 Page 130
qualitative scoringofeachpotential keyrisk’s likelihoodofoccurrenceandseverity
of impact. The qualitative risk assessment is conducted in a four-step process:
Step 1: Participant identification
Step 2: Advance communication
Step 3: Qualitative risk assessment surveys
Step 4: Consensus meeting
Step 1: Participant Identification
The first decision in the participant identification step is the number of survey
participants to include. This does vary somewhat by size and complexity of the
organization. However, it is best to keep the number to a manageable size,
keeping in mind that this exercise must be repeated periodically, and possibly
annually, depending on the dynamic nature of the internal and external
environments. For most companies, an appropriate number of survey partic-
ipants may be between 25 and 35. This number may naturally flow from the
second decision, which is selection of the survey participants themselves, but it
is helpful to begin with at least a target number in mind, to prevent the list from
growing so large that the process becomes unworkable.
The second decision is selection of the most appropriate survey parti-
cipants. This is unique to each company. However, a partial list of suggested
individuals to include, as well as the perspectives they offer, is shown in
Table 4.3.
Political concerns are, as always, a consideration. If there is a segment of
the organization, or individual, with whom there is a need or desire to
accelerate the pace of buy-in for the ERM program, it may be wise to include
a key representative from that segment, or the specific individual, as a survey
participant.
Step 2: Advance Communication
After the qualitative risk assessment survey participants have been identified,
the next step in the qualitative risk assessment is to send them an advance
communication. The advance communication should be designed to achieve
the following objectives:
& Request participation & Prepare participants & Schedule time
130 & Risk Identification
C04 01/12/2011 10:42:27 Page 131
Request Participation Although requesting the participation of the invitee may be the most obvious goal of the advance communication, the approach is
not necessarily straightforward. It must be done skillfully. If not crafted
properly, it could have the opposite of its intended effect: it might produce
resistance. However, if constructed carefully, it can garner participation and
begin to build the buy-in process for the ERM program. To do this, the advance
communication must effectively convey the following:
& High-level support for the ERM program & Importance of the qualitative risk assessment & Critical need for their input
TABLE 4.3 Suggested Participants for Qualitative Risk Assessment Survey (Partial List)
Suggested Survey Participant Perspective Offered
Independent director (1 or 2) Objective
Chief executive officer (CEO) Enterprise-wide
Chair of audit committee and head of internal audit
Knowledge gained through audit activities
General counsel Litigation risk
Chief risk office (CRO) or equivalent
Enterprise-wide
Heads of major business segments and one of their lieutenants
Risks in the business segments; lieutenants are often closer to the risks and offer more insights
Head of human resources Human resources risk
Chief technology officer (CTO) Technology risk
Head of marketing Brand risks
Head of investor relations Investor relations risk
Head of compliance Compliance risks
Chief financial officer (CFO) Financial reporting risk
Head of strategic planning Enterprise-wide
Chief investment officer (CIO) Financial risk
Personnel with long experience in the industry (1 or 2)
Industry-related risks
Personnel with longevity in the organization (1 or 2)
Organizational risks
Qualitative Risk Assessment & 131
C04 01/12/2011 10:42:28 Page 132
& Finite time commitment & Level of confidentiality
Communicating the level of endorsement for the ERM program signals to
invitees that this should be given some priority, and to make time in their
schedule. This can include support from the board of directors, the CEO, other
senior executives, as well as any leader(s) of the survey participant’s particular
business segment. Explaining the importance of the qualitative risk assessment
to the overall ERM program provides the context for the exercise and the
linkage of survey participant efforts to the overall ERM program. Stressing the
need for their valuable input—based on their industry knowledge, their
experience, and their expertise—expresses respect for survey participants,
and sets a tone that is conducive to building consensus buy-in. Describing
the specifics of the required activities—before (preparation), during (survey),
and after (follow-up and consensus meeting)—including the logistics and time
commitment, gives invitees a level of comfort that the exercise will not suffer
from ‘‘scope creep,’’ where the time and effort far exceed initial expectations.
Finally, stating the level of confidentiality up front helps establish trust.
Prepare Participants The advance communication should include four types of information to properly prepare the survey participant for the qualita-
tive risk assessment survey:
1. Inputs needed from survey participants. The advance communica-
tion should include a clear description of what survey participants will be
expected to provide during the survey; for example: & The type of key risks they should identify & The number of key risks they should provide (e.g., three to five) & The credible worst-case scenario for each key risk (this will be discussed
later; see ‘‘Key #3: Define Metrics Clearly’’) & The likelihood score for each key risk they identify & The severity score for each key risk they identify & Likelihood and severity scores for the risks identified by other survey
participants
2. ERM background. The qualitative risk assessment survey participants
have varying levels of knowledge of the ERM approach and ERM termi-
nology. To maintain a consistent level of quality in the survey, it is
necessary to provide some background information on ERM, or at least
the portion of ERM relevant to this exercise. A very brief primer on ERM
can be provided. This can be provided in various forms, such as a
132 & Risk Identification
C04 01/12/2011 10:42:28 Page 133
document, a brief video, or a brief webinar. Whatever the form, it is useful
to include the following items: & Basic outline of the ERM framework and process cycle & How the qualitative risk assessment fits into the ERM program & How information from the qualitative risk assessment will be used & ERM approach to defining risk, in general (e.g., by source) & ERM approach to defining key risks (e.g., top 20 to 30 threats) & Explanation of the company value metric & ERM terminology
3. Risks to consider. To get survey participants thinking about the poten-
tial key risks to the enterprise, it is helpful to provide them with the RCD
tool, and this should be done as part of the advance communication. This
serves two purposes: As a prompt to help participants consider key risks,
and to illustrate the ERM approach to defining risk.
As discussed earlier, the RCD tool is a catalyst to help trigger the
participant’s imagination of potential key risks to consider, as well as, at a
minimum, get them thinking about the specific risks listed in the RCD tool.
In addition to providing a reasonably comprehensive list of risk categories,
risk subcategories, risk divisions, and a good number of individual risks as
well, the RCD tool may be used to provide additional fodder. The RCD tool
may indicate the list of risks, including key risks, identified in the prior
qualitative risk assessment (if available). Finally, the RCD may also be
populated with the company’s disclosed risks, and, if available from a
comparative analysis, the disclosed risks of key competitors.
In addition, the RCD tool offers participants a clear illustration of the
proper way to think about risks. Risks are defined by source. Also, risks are
categorized at a consistent level of abstraction. Finally, risks are prospective
future events (discussed later; see ‘‘Key #5: Identify Risks Prospectively’’).
4. Definition of metrics. For the advance communication to be effective, it
must define the likelihood and severity metrics clearly. This was the third of
the five keys to successful risk identification listed earlier: Key #3: Define
metrics clearly.
Key #3: Define Metrics Clearly Survey participants are asked to consider the likelihood and severity of the potential risks, and provide these scores in the
qualitative risk assessment survey. Guidance for these qualitative metrics is
traditionally provided to participants in the form of the likelihood and severity
scoring criteria to ensure a consistent form of input from participants. A typical
example of likelihood and severity scoring criteria are shown in Table 4.4.3
Qualitative Risk Assessment & 133
C04 01/12/2011 10:42:28 Page 134
For the qualitative risk assessment results to be meaningful there must be
consistency in how it is conducted. Participants must have a consistent
understanding of the qualitative metrics and how to assign the qualitative
scores to the risks, for both likelihood and severity. Unfortunately, when
traditional criteria such as those in Table 4.4 are provided without further
clarification, participants do not have a consistent interpretation of either the
likelihood or the severity metrics. To correct this, both the likelihood and
severity metrics must be clearly defined.
Let’s begin with the qualitative likelihood metric. Participants are not
given clear guidance on how to consistently assign the qualitative likelihood
score. Participants are asked to qualitatively score the likelihood of the potential
key risk . . . but there is usually no guidance on the type of risk scenario. Each
risk can occur under a number of wide-ranging scenarios. Is it an Armageddon
scenario? Is it a ‘‘most likely’’ downside scenario? Something else? Each
participant, in considering the same risk, may be imagining, and providing
a qualitative likelihood score for, a different scenario. As a result, the qualitative
scoring of likelihood is inconsistent across participants, significantly lowering
the quality of the survey.
For example, imagine that you are a participant in the qualitative risk
assessment survey, and you have just been asked to provide a qualitative score
for the likelihood of a data breach risk event occurring. The first thing youmust
do is imagine the data breach scenario. But you are given no guidance on this.
You might imagine a disaster scenario, where an unencrypted file containing
the privacy data for all the company’s customers is stolen with intent to use it.
You might estimate that such a rare event has only a 1-in-1,000 chance of
occurring this year. Alternatively, you might imagine a moderately pessimistic
scenario, where an encrypted file containing privacy data for 1 percent of the
company’s customers is merely lost. You might estimate that this event has a
1-in-10 chance of occurring this year. Or, you might imagine any number of
TABLE 4.4 Example of Traditional Likelihood and Severity Scoring Criteria
Likelihood Severity
5 Very high 1-in-5 or greater chance of occurring 5 Very high > $200 million
4 High 1-in-10 chance of occurring 4 High $50 million–$200 million
3 Medium 1-in-20 chance of occurring 3 Medium $20 million–$50 million
2 Low 1-in-50 chance of occurring 2 Low $10 million–$20 million
1 Very low 1-in-100 or less chance of occurring 1 Very low < $10 million
134 & Risk Identification
C04 01/12/2011 10:42:29 Page 135
other risk scenarios across the spectrum of possibilities. The qualitative score
you assign to likelihood will depend entirely on your chosen risk scenario.
Similarly, other participants’ qualitative likelihood scores will depend on their
chosen risk scenarios. Without any guidance, the risk scenarios imagined tend
to vary significantly from participant to participant, rendering the survey
results practically meaningless.
A best-practice solution does exist which can correct the problems inher-
ent in a lack of guidance on what type of risk scenario to envision for the
qualitative scoring of likelihood. Instructing participants to imagine, and then
provide scores for, a credible worst-case scenario tends to ensure a reasonable
level of consistency in scoring, yet is not overly prescriptive to the point of
impinging upon survey participants’ freedom to provide their own input. A
credible worst-case scenario is not the most unlikely of events, but neither is it a
common event. It is somewhat in between, but still represents a fairly
pessimistic scenario with a severe impact. A depiction of the credible worst-
case scenario is shown in Figure 4.4.
One advantage of using a credible worst-case scenario is that it is not a
worst-case scenario that may be so unlikely as to engender a lack of confidence
in the exercise, yet it is a robust enough risk scenario to capture the full impact
Se ve
rit y
| Credible Worst-Case Likelihood
FIGURE 4.4 Credible Worst-Case Scenario
Qualitative Risk Assessment & 135
C04 01/12/2011 10:42:32 Page 136
of this type of risk. Another advantage is that this bit of guidance is flexible
enough to accommodate varying types of risks. A worst-case scenario for one
type of risk, such as technology risk, may be far more likely than a worst-case
scenario for litigation risk, yet they are both within the guidance and both may
be defined as a credible worst-case scenario, even though their consensus
qualitative likelihood scores may differ significantly.
Now, let’s address the lack of consistency involving the qualitative
severity metric and caused by traditional criteria, such as those in Table 4.4.
Typically, participants are not given a clear definition of the qualitative
severity metric. The severity criteria do provide a specific range of dollar
impacts, but they often do not clarify what is impacted. A $10 million impact
on . . . what metric? Is it the balance sheet? Is it earnings? If so, is it just this
year’s earnings or the cumulative impact over multiple years? Is it company
value? Is it revenues? Participants will have varying interpretations of this,
and as a result, the quality of the survey declines precipitously.
A best-practice solution is to clearly define the severity metric, and to
define it using a single, unifying metric, which can fully and appropriately
capture all financial impacts, including those to the income statement,
balance sheet, and cost of capital. The solution is to define the qualitative
severity metric as the financial impact on company value.4 This results in a
subtle but critical change to the severity scoring criteria shown earlier in
Table 4.4. Tables 4.5 and 4.6 illustrate two examples of value-based severity
scoring criteria.
Because most survey participants will not have a firm understanding of
the company value calculation, the ERM primer provided in the advance
communication should include a brief description. However, the company
value metric is surely intuitive—the value of the firm is something that
TABLE 4.5 Value-Based Severity Scoring Criteria: Dollar Form
Severity
5 Very high > $200 million loss in company value
4 High $50 million–$200 million loss in company value
3 Medium $20 million–$50 million loss in company value
2 Low $10 million–$20 million loss in company value
1 Very low < $10 million loss in company value
136 & Risk Identification
C04 01/12/2011 10:42:33 Page 137
everyone understands. To make the company value metric even more tangible,
it may be analogized to market capitalization, which is similar in magnitude.
This may serve the purpose, because the qualitative risk assessment survey is a
broad tool with the sole intent of approximating the relative importance of
potential key risks. Additionally, a couple of examples may be provided to
illustrate how different types of risks can impact company value.
There is another dimension to consider scoring when conducting the
qualitative risk assessment. See ‘‘Time Horizon.’’
TABLE 4.6 Value-Based Severity Scoring Criteria: Percentage Form
Severity
5 Very high > 10% loss in company value
4 High 2.5%–10% loss in company value
3 Medium 1.0%–2.5% loss in company value
2 Low 0.5%–1.0% loss in company value
1 Very low < 0.5% loss in company value
TIME HORIZON
In addition to likelihood and severity, some qualitative risk assessments usean approach where a third dimension is added to the scoring criteria: the time horizon. Qualitative risk assessment survey participants are asked to indicate whether the speed of onset corresponding to the risk is fast or slow, or whether the risk is a near-term risk event (such as in the next three years) or a long-term risk event (such as beyond three years). Although this makes the time-to-onset more explicit, this potentially complicates the interpretation of the likelihood scores. Likelihood of occurrence must correspond to a time horizon. By allowing survey participants to provide a time horizon score, survey participants may also be providing likelihoods corresponding to a variety of time horizons, some near-term and some long-term. For example, risk A may have a 10 percent chance of occurring next year, but risk B may have a 10 percent chance of occurring in 10 years. These likelihoods cannot be compared directly. The survey participant, if asked, may have estimated
(continued )
Qualitative Risk Assessment & 137
C04 01/12/2011 10:42:34 Page 138
Schedule Time There are a few factors to consider when scheduling time with survey participants. Their calendars are usually booked several weeks in
advance; these are busy people. As a result, advance planning is necessary to
avoid having a gap in the ERM implementation time line. Also, if possible, it is
more efficient to schedule all interviews sequentially, rather than having some
simultaneously, because risks identified in earlier interviews may be incorpo-
rated into subsequent interviews. Further, interviews should not be scheduled
back-to-back. An interval of time should be allotted between interviews to
clarify and document meeting notes, and to make any required changes to the
RCD tool prior to the next meeting. Finally, the period over which all the
interviews are conducted—from the first interview to the last one—should be
as short as possible, to reflect a consistent snapshot in time; as time goes by, the
environment may change, which can skew the results between those inter-
viewed prior to the change, versus those interviewed afterward. This is true
even for small changes in the environment that merely change the mood of
personnel; it is best to capture all participants’ impressions when they are in a
relatively similar point in time and frame of mind.
(continued ) the likelihood of risk B occurring in the next year to be less than 10 percent. It is not an apples-to-apples basis of comparison. Allowing a separate time horizon score can still work, but it requires combining two pieces of data, both time horizon and likelihood, to properly interpret.
An alternate approach is to capture the time horizon, but not to use it as an explicit additional dimension in the scoring criteria. In this approach, the time horizon is defined as near-term only (such as the next three years), and whenever possible, just the coming year. For the vast majority of the risks, survey participants provide the likelihood corresponding to the risk occur- ring in the coming year. For those risks not expected to occur until later years, the time to onset is captured in the credible worst-case scenario, and the likelihood corresponds to the earliest possible time of onset, but still limited to the near-term time horizon. For example, the risk of a union strikemight be considered as occurring at the next contract negotiations, scheduled two years from now. For some high-severity risks which develop slowly, over several years, the likelihood of occurrence within the near-term may be zero. These will receive the lowest likelihood score, which is fine, because they will still be accounted for through their high severity score. If the risk does not rank highly enough on a combined likelihood-severity basis to become a key risk, it will remain on the non-key risk list, and will be monitored over time as part of the emerging risk identification process.
138 & Risk Identification
C04 01/12/2011 10:42:35 Page 139
Step 3: Qualitative Risk Assessment Surveys
The third step in the qualitative risk assessment is conducting the surveys. The
last two of the five keys to successful risk identification, discussed earlier, relate
to the qualitative risk assessment surveys:
Key #4: Gather data appropriately
Key #5: Identify risks prospectively
Key #4: Gather Data Appropriately Gathering data appropriately means collecting the right data, at the right time, in the right way. Unfortunately,
most qualitative risk assessment surveys do not satisfy these criteria.
For a survey to be most effective, it must focus its requests exclusively
on the data truly needed. Survey designers are often tempted to include
some of the ‘‘nice to have’’ data, but must be ever-vigilant in identifying and
eliminating extraneous portions of the data request. Survey participants
have limited time and limited patience for unnecessary efforts. Unfortunately,
most qualitative risk assessment surveys have data requests that are far
more extensive than they need to be. These data requests include not only
some ‘‘nice to have’’ data, but also some ‘‘no need to have’’ data. An example
of such a larger-than-necessary data request commonly used in qualitative
risk assessment surveys includes the list of items shown in Table 4.7
requested for each identified risk.
TABLE 4.7 Example of Larger-Than-Necessary Data Request
Item # Data Request Item
1 Likelihood score
2 Severity score
3 Historical experience data
4 Mitigation in place
5 Mitigation planned
6 Person(s) responsible for mitigation
7 Effectiveness of mitigation
8 Name of risk owner
9 Risk and mitigation documentation
10 Other data
Qualitative Risk Assessment & 139
C04 01/12/2011 10:42:36 Page 140
Some of this data is not needed during the qualitative risk assessment,
and most of this data is actually not even needed at all in the ERM process.
The sole purpose of the qualitative risk assessment is to prioritize and rank the
potential key risks. To accomplish this, the only data needed from Table 4.7
are Items 1 and 2—the likelihood and severity scores. One additional item
not appearing in Table 4.7 is needed when employing the best-practice
approach for consistent likelihood scoring: a brief description of the credible
worst-case scenario.
Some of the remaining items in Table 4.7 are needed, but only later, during
the risk scenario development portion of the risk quantification ERMprocess step.
At this later stage, themitigation in place should be captured, which is Item#4 in
Table 4.7. The historical data experience, which is Item #3, is needed as well,
although rather than document this, it is merely drawn upon by the subject
matter expert in estimating the potential financial impacts as part of the Failure
Modes and Effects Analysis (FMEA) exercise.
There are three disadvantages of gathering this data in the qualitative risk
assessment exercise. First, as discussed earlier, making the survey longer than
necessary annoys survey participants, and inevitably lowers the quality of the
survey. In addition, gathering this information earlier than it is needed often
results in portions of it being out of date by the time it is needed; this necessitates
a repeat data request to refresh the information, which, aside from further
aggravating survey participants is also inefficient. Finally, gathering this data
too early—in the qualitative risk assessment survey rather than during the FMEA
risk scenario development interviews—results in more inefficiency, collecting far
more data than is needed. This is because it causes these data items to be collected
for all identified risks, which may be upwards of 80 to 100 risks. However, this
data is only needed for those risks that will advance to the risk quantification
process step—the key risks—which may be between 20 and 30 in number.
A more appropriate data request that is more efficient and effective
includes only the data needed at the time of the qualitative risk assessment
survey. An example of an effective data request is shown in Table 4.8, which
is requested for each identified risk.
TABLE 4.8 Appropriate Data Request
Item # Data Request Item
1 Likelihood score
2 Severity score
3 Credible worst-case scenario
140 & Risk Identification
C04 01/12/2011 10:42:37 Page 141
This data request is all that is needed to prioritize and rank the risks
identified in the qualitative risk assessment survey. Once the key risks are
identified and promoted to the risk quantification ERM process step, additional
data will be needed, but only for the key risks, which are fewer in number. At
that point, during the FMEA risk scenario development interviews, additional
data will be collected.
Now that we have discussed gathering the right data at the right time, we
will address gathering data in the right way. Although there are many
variations employed in conducting surveys, there are two basic methods
that are commonly used. One is templates and the other is interviews.
A template approach to conducting the qualitative risk assessment survey
is the more commonly used of the two survey methods. This involves sending
templates or questionnaires to survey participants and requesting that they
complete and return them. There are some advantages to a template survey:
1. 100 percent consistent communication to participants. Using a
template survey ensures 100 percent consistency in terms of what is
communicated to the survey participants. Unlike interviews, where mul-
tiple interviewers may deviate from a script, or have varying levels of skills,
a template is a controlled and uniform communication.
2. Easily scalable. Templates are easily scalable from the point of view of the
ERM team. Once the template is designed, it is nearly as easy to send it to
60 individuals as it is to send it to 30. Templates also make the collection
and compilation of data easier, from the perspective of the ERM team,
because survey participants must use a standard format within which to
populate the data requested.
Unfortunately, the template survey method has several disadvantages,
which far outweigh the advantages:
1. Not well received. Templates are not well received by survey partic-
ipants. Rather than building buy-in for the ERM program and advancing
the risk culture, they produce resistance and resentment among survey
participants. Consider their perspective. One day, they open an e-mail from
the ERM team and it is a request for data, along with a template and
instructions on how to complete it. Someone, whom they may not know,
just gave them one more task to complete. This is not a good first
impression. The instructions are lengthy, and participants feel like they
are on their own to figure it out and do all the work. This comes across as
impersonal and inconsiderate. Data requests using templates tend to be
Qualitative Risk Assessment & 141
C04 01/12/2011 10:42:37 Page 142
more extensive, because adding items to the request is easy for the ERM
team, and survey participants wonder if all this is really necessary. This
casts a shadow on the credibility of the entire ERM effort.
2. Inconsistent time and effort. There is an inconsistent level of time and
effort given to completing the templates. Some survey participants dili-
gently focus on the exercise, carefully reading the instructions, thought-
fully pondering the business and its potential key risks, and gathering all
the ancillary data requested. Other survey participants just complete it
quickly to get it done and out the door. This results in an inconsistent level
of quality in survey results. Although it is apparent when reviewing the
populated templates that the quality varies, at this point, after the fact,
there is little or no recourse for the ERM team.
3. Difficult to fix errors. Many survey participants, despite the advance
communication provided to them, are not ERM-savvy. Some participants
will identify risks that are not properly defined by source. Some will identify
risks that are clearly not key risks. Others will identify risks that are too
detailed or not detailed enough. Some will identify risks that are retrospec-
tively focused (discussed later; see ‘‘Key #5: Identify Risks Prospectively’’).
Many will misinterpret the definition of ERM metrics and improperly score
the qualitative likelihood and severity metrics. Correcting these errors may
not be feasible for the ERM team, or, at a minimum, will require much
iterative effort.
4. Less confidential. Templates are usually conducted on a nonconfiden-
tial basis. Confidentiality can be achieved with templates, but the nature
of completing documents with names attached and sending them to
another department makes anonymity more difficult to ensure, and offers
survey participants less comfort. As a result, the free flow of information
suffers, and some of the most important risks may remain hidden or
underemphasized.
Rather than use templates, the best-practice method for conducting the
qualitative risk assessment survey is through interviews. First, let’s address the
shortcomings of this method:
1. Less than 100 percent consistent communication to participants.
Unlike the template approach, when using interviews, it is more difficult to
maintain 100 percent consistency in terms of what is communicated to the
survey participants. However, this can be mitigated in one of two ways.
One way is to use a small number of interviewers with similar levels of ERM
142 & Risk Identification
C04 01/12/2011 10:42:37 Page 143
training, experience, and expertise, and having them stay in close com-
munication. Another way is to use just one interviewer, which is feasible
given the reasonable number of interviewees. Though this lengthens the
time required to complete the qualitative risk assessment, the trade-off may
be worthwhile, assuming time constraints allow this.
2. Not as easily scalable. Interview surveys are not easily scalable. To
survey more participants requires more time or more qualified inter-
viewers, and adding more interviewers lowers the consistency of messag-
ing, as discussed earlier. However, this is a minor issue. The scalability of
templates is only gained at the expense of quality. In addition, for most
organizations, 25 to 35 survey participants are usually enough to produce
robust survey results.
Now, let’s discuss the advantages of using interviews as opposed to
templates:
1. Well received. Unlike the template approach, the interviews are well
received by survey participants. Conducting interviews tends to build
buy-in for the ERM program and advance the risk culture. It builds good
will with survey participants. Unlike templates, which feel like an
impersonal request to do work on behalf of the ERM team, the interview
is personal—a face-to-face, one-on-one interaction.5 This gives a good
first impression. Rather than leaving survey participants stuck to figure
out the instructions on their own and do all the work, the interviewer is
present, spending his or her time as well; this is a highly personal
approach. The interviewer reiterates highlights from the advance com-
munication, answers any questions, and dynamically guides the survey
participant through the interview. In addition, rather than requiring the
survey participant to populate a template themselves, the interviewer
takes notes, documents the interview in a set of minutes, and sends them
to the interviewee to confirm accuracy. This creates an atmosphere of
collaboration, and is respectful of the survey participant’s time. Finally,
data requests using interviews tend to be more focused, because adding
items to the request would make more work for the ERM team as well,
and survey participants appreciate the minimalist attitude. This enhan-
ces the credibility of the ERM effort.
2. Consistent time and effort. Using interviews compels a more consistent
level of time and effort by each survey participant. Unlike templates, where
the ERM team is not present to verify the level of care used to complete the
Qualitative Risk Assessment & 143
C04 01/12/2011 10:42:37 Page 144
survey, the ERM teammember is present during the interview, and ensures
that a consistent level of effort is put forth for each survey. This consistency
enhances the quality of the survey results.
3. Easy to fix errors. Interviews provide an opportunity to compensate for
the lack of ERM-savvy among many survey participants. Interviewers can
dynamically correct any errors immediately, during the interview.
Whether someone fails to identify a risk by its source, identifies risks
that are too detailed or not detailed enough, identifies risks that are
retrospectively focused, or misinterprets the definition of ERM metrics,
the interviewer is present to correct it on the spot. This significantly
enhances the quality of the exercise, and is also highly efficient, eliminating
the need for iterative corrections.
4. More confidential. It is easier for interviews to be conducted on a
confidential basis, meaning that survey results are not attached to partici-
pant names, but merely reported anonymously. Compared to templates, a
personal, one-on-one, closed-door interview, where only one set of notes
exists, is easier to conduct on a confidential basis. More importantly, survey
participants feel more confident in the anonymous nature, become more
relaxed, and, as a result, tend to share more information. In particular,
they are most likely to identify risks which are not usually discussed
openly, and these kinds of risks can be of the most value in this exercise.
Ideally, the interviewer is not an employee but rather a consultant, which
offers an even higher level of anonymity.
Key #5: Identify Risks Prospectively The last of the five keys to successful risk identification is to identify risks on a prospective basis during the
qualitative risk assessment. This may seem obvious. Certainly, risks are not
in the past, but in the future. Risk is the uncertainty of achieving our future
goals. However, there are usually some risks that appear which are actually
retrospectively identified, in that they are rooted in the past. This problem is
commonly diagnosed as ‘‘fighting the last battle’’ syndrome. Continuing the
medical analogy, the underlying cause of this disease is an overemphasis,
during the qualitative risk assessment, of recent past risk occurrences. This is
often present when a recent past event caused significant trauma to the
organization, hemorrhaging in the financial results, and psychological scar-
ring tomanagement. Themain symptom is the appearance of identified risks in
the qualitative risk assessment that seem overly specific in nature, that
precisely match the source of risk that caused a recent negative event still
etched in management’s collective consciousness, and that are often already
144 & Risk Identification
C04 01/12/2011 10:42:37 Page 145
well mitigated, possibly even over-mitigated. Despite this being a past event,
management is simply not comfortable unless such risks appear on the risk list.
The prognosis of this disease, if left untreated, is that the qualitative risk
assessment scoring will be skewed, overemphasizing risks with recent occur-
rences. In addition, the inclusion of these risks, many of which should be
excluded, can crowd out some other risks that should be on the radar.
When a risk is suspected of being identified on a retrospective basis, some
simple questioning can be helpful. Ask about the past events that may have
caused this risk to be overweighted in the mind of the survey participant.
What was the event? What were the financial impacts? What did manage-
ment do in response? What mitigation is in place to lower the likelihood or
mitigate the severity of this risk? If the inquiries confirm suspicions that this
risk may not belong on the risk list, presenting the case for its removal to the
participant who raised it may resolve the issue. If not, there are two other
opportunities to resolve this issue: the other participants may not score it
highly, or this may be resolved by raising and addressing the issue at the
consensus meeting.
In addition to the two keys to successful risk identification related to the
qualitative risk assessment survey—Key #4: Gather data appropriately and
Key #5: Identify risks prospectively—there are additional techniques that are
helpful. See ‘‘Additional Techniques’’ for two examples.
ADDITIONAL TECHNIQUES
There are two additional techniques that are helpful when conducting thequalitative risk assessment surveys: 1. Collect two perspectives. The first technique is simply to ask survey
participants to identify potential key risks from two perspectives: the overall enterprise perspective and the perspective pertaining just to their area of responsibility or expertise. Getting survey participants to look from both of these vantage points adds value to the survey. Participants with areas of responsibility or expertise that are not enterprise-wide can identify potential key risks related to their areas of specialty, and they can also bring a fresh perspective that may highlight new potential key risks for the overall enterprise. Consider an example where the survey partici- pant is the head of a business segment. Although most risks that are significant to a single business segment may not rank highly from the
(continued )
Qualitative Risk Assessment & 145
C04 01/12/2011 10:42:38 Page 146
(continued ) enterprise perspective, some do rank highly. For example, a risk origi- nating within a single business segment can impact other business segments or the enterprise as a whole. In addition, a participant usually focused on a single business segment may bring a bit of an ‘‘outsider’’ perspective when viewing the overall enterprise, and may identify an important potential key risk that, once identified, receives a high consen- sus ranking in the qualitative risk assessment.
2. Use a retrospective-outcome provocation. Earlier, we discussed the importance of employing five keys to success when conducting the qualitative risk assessment. We will now briefly discuss a technique that temporarily seems to violate two of these: Key #1: Define risks by source, and Key #5: Identify risks prospectively. It is important to follow these keys for best results, but it is also helpful to step outside of these rules, for a brief moment, to allow for a provocation from a different perspec- tive that may help identify risks as yet uncovered. Although it is always important to categorize and define risks prospectively and by source, and initially ask survey participants to think of risks prospectively and by source, sometimes this may not capture all the known risks, because this is not the usual way in which people think. Toward the end of the survey, once you have captured all the risks
that you can with this ‘‘prospective-source’’ approach, it is helpful to switch, temporarily, to a ‘‘retrospective-outcome’’ approach, using the following provocation: Ask the participant questions such as, ‘‘In the past, what events resulted in a large decrease in revenues? In earn- ings? In company value?’’ These types of questions are more tangible and will lead to very specific discussions. For each such discussion, you must trace the story provided by the survey participant back to the event’s originating source of risk. This reverses the outcome-driven aspect of the provocation, and we arrive, once again, at the source of the risk. Once this is done, you can compare the risks identified by the provocation to the initial list of risks provided by the participant and by others to determine if this technique results in any newly identified risks. For any such newly identified risk, the next step is then to examine whether it is a viable prospective risk, which reverses the retrospective-driven aspect of the provocation. Those risks that ad- vance past both of these reversal stages are then added to the potential key risk list and will be included in the remaining individual surveys, as well as the consensus meeting. One cautionary note for the retrospective-outcome provocation:
Use it judiciously. It should only be used with survey participants who are ERM-savvy and have more immunity to the ‘‘fighting the last battle’’ syndrome.
146 & Risk Identification
C04 01/12/2011 10:42:38 Page 147
Step 4: Consensus Meeting
The fourth and final step in the qualitative risk assessment is the consensus
meeting. The qualitative risk assessment survey produces a list of risks that
typically number in the range of 80 to 100, each of which is scored by both
likelihood and severity. The next step is the consensus meeting, which includes
all survey participants and relevant members of the ERM team. The consensus
meeting has two purposes:
1. Enhance consensus
2. Select key risks
Enhance Consensus The first goal of the consensus meeting is to enhance the level of consensus for qualitative scores, either for likelihood or severity,
which meet both of the following conditions:
& Scoring data has a high level of dispersion & Scoring data corresponds to a risk with a high ranking
The reason for selecting scores with a high level of dispersion is that those
are the scores for which there is not a strong level of initial consensus. The
reason for limiting the focus to those with high rank is to be respectful of survey
participants’ time. The main purpose of the risk identification exercise is to
identify the key risks. The key risks will be those 20–30 or so risks that have the
highest rank. Enhancing consensus on all risks is nice to have, but this is only
necessary for scores corresponding to risks ranked highly enough that they
might become key risks.
To determine which scores meet both of these criteria, the ERM team must
perform the following three tasks:
1. Define the risk-ranking criteria. The ERM team must define the risk-
ranking criteria. The risk-ranking criteria are either rules or guidelines
for combining the qualitative likelihood and severity scores into a single
number which is used to rank all the risks identified in the qualitative risk
assessment. The first step is often to convert the qualitative scores into
numeric scores. An example of a nonproportional conversion is shown
in Table 4.9.
Another approach is to use a conversion scale proportional to the
actual relative values from the midpoint of the ranges in the scoring
Qualitative Risk Assessment & 147
C04 01/12/2011 10:42:38 Page 148
criteria, an example of which was shown in Table 4.4. The conversion
for the highest score must be made somewhat arbitrarily, because it has
no upper bound. An example of a proportional conversion is shown in
Table 4.10.
There are numerous methods for defining the risk-ranking criteria.
One set of methods involves weighting each nonproportional numerical
score separately and then adding them together. Usually, the weights are
either equal—producing a straight summation of the two numerical
scores—or a higher weight is assigned to the severity scores. Another
method involves multiplying the proportional numerical scores together.
This is equivalent to calculating a probabilistic expectation. Another
TABLE 4.9 Example of Nonproportional Conversion of Qualitative to Numeric Scoring
Qualitative Score Numerical Score
Very High 5
High 4
Moderate 3
Low 2
Very Low 1
TABLE 4.10 Example of Proportional Conversion of Qualitative to Numeric Scoring
Qualitative
Likelihood
Score
Numerical
Likelihood
Score
Qualitative
Severity
Score
Numerical
Severity
Score
1-in-5 or greater chance of occurring
25% > $200 million loss in company value
$250 million
1-in-10 chance of occurring
10% $50 million–$200 million loss in company value
$125 million
1-in-20 chance of occurring
5% $20 million–$50 million loss in company value
$35 million
1-in-50 chance of occurring
2% $10 million–$20 million loss in company value
$15 million
1-in-100 or less chance of occurring
0.5% < $10 million loss in company value
$5 million
148 & Risk Identification
C04 01/12/2011 10:42:40 Page 149
method first excludes all risks not meeting a minimum numerical score
for likelihood or severity; the likelihood minimum may be different from
the severity minimum. Yet another method is to plot the average
likelihood and severity scores on a graph and draw a line or a curve
separating out the 20 to 30 risks with the higher scores; an example of
this will be shown later.
2. Rank the risks. The ranking criteria are applied to the risks identified in
the qualitative risk assessment to produce a tentative ranking. The ranking
is reviewed for reasonability by the ERM team, and any odd results are
noted and discussed at the consensus meeting. One example of an odd
result would be a risk that received a low ranking whereas the ERM team,
based on their extensive experience, would have expected it to receive a
high ranking.
3. Conduct a dispersion analysis. A dispersion analysis is performed on
both the likelihood and severity scores to identify any scores for which
there is not a clear initial consensus. These scores are identified by a high
level of dispersion, and generally appear in one of two forms—bimodal or
highly disparate. A bimodal result indicates two distinct opinions within
the group of participants. For example, consider a risk for which survey
participants scored the severity as shown in Figure 4.5. There is clearly not
a single consensus among participants, but rather two distinct clusters of
votes; one group of participants thinks the severity is low but another
group believes the severity is high.
0
2
4
6
8
10
12
14
Very Low Low Moderate High Very High
Pa rti
ci pa
nt s
Severity Scores
FIGURE 4.5 Bimodal Results
Qualitative Risk Assessment & 149
C04 01/12/2011 10:42:46 Page 150
A highly disparate result indicates that there is no consensus at all.
For example, consider a risk for which participants scored the severity as
shown in Figure 4.6. There is no consensus at all among the participants.
Now, the ERM team is in a position to determine which scores meet both of the
criteria specified earlier: scores with a high level of dispersion and that
correspond to a risk with high ranking. The first goal of the consensus meeting
is to examine these results, discuss them, and conduct a second round of
scoring. The discussion is voluntary when the qualitative risk assessment has
been performed with a cloak of anonymity. However, the anonymity is mainly
about who identified which risks, rather than the scoring. It is helpful to solicit
at least one or two opinions from each camp for the bimodal results. More
opinions may need to be brought out for the highly disparate results. A brief
discussion usually resolves some differences in the group, and the second round
of scoring usually produces a tighter consensus.
Select Key Risks Once the level of consensus has been enhanced to the extent possible, the qualitative scores and the resultant rankings are finalized.
The main event can now take place: identifying the key risks. Attendees of the
consensus meeting review the rankings, discuss the highly ranked risks, and
decide on where to delineate between key and non-key risks. The cutoff point
should be in the neighborhood of the 20 to 30 most highly ranked risks. One
0
1
2
3
4
5
6
7
Very Low Low Moderate High Very High
Pa rt
ic ip
an ts
Severity Scores
FIGURE 4.6 Highly Disparate Results
150 & Risk Identification
C04 01/12/2011 10:42:50 Page 151
example of how this is conducted is illustrated in Figure 4.7. Those risks to the
upper right of the line are the key risks. Attendees of the consensus meeting
must decide where, literally, to draw the line: how far to the upper right versus
lower left to draw it, and also at what angle to draw it.
Product
There are three main results, or products, of the qualitative risk assessment.
The first and most important is the key risk list. The second is the tool to
monitor any potential changes in the importance of any of the risks. Both
of these products follow the format of the RCD tool. The third result is an
advancement of the organization’s risk culture. The qualitative risk assess-
ment has involved key personnel from all corners of the enterprise, and
enhanced their knowledge of, and experience with, enterprise risk manage-
ment. This is one of the first steps in developing consensus buy-in for the
ERM program.
An example of a key risk list is shown in Table 4.11. There are three
important characteristics of the key risk list. First, it is a short list—the
example shown has just 20 key risks. Second, it follows the consistent
hierarchical format and nomenclature of the RCD tool. Third, and surprising
to some, it does not include the likelihood-severity scores. It has shed them.
The reason for this is that the likelihood-severity scores are only useful in
helping to identify the key risks. That was their sole purpose, and that has
now been achieved. Going forward, the ranking of the key risks will no longer
1
2
3
4
5
1 2 3 4 5 Likelihood
Se ve
rit y
FIGURE 4.7 Example of Selecting Key Risks
Qualitative Risk Assessment & 151
C04 01/12/2011 10:42:51 Page 152
TABLE 4.11 Example of Key Risk List
Rank
Risk
Category
Risk
Subcategory
Risk
Division Risk
1 Strategic Legislative/ regulatory
Product/services- related
Product Y impacted by new regulation
2 Strategic Economic Economic risk U.S. economic downturn
3 Strategic Supplier Supplier failure Supplier partial failure
4 Operational Human resources
Talent management
Loss of critical employees
5 Strategic Strategic relationships
Joint ventures and alliances risk
Joint venture risk
6 Strategic Execution M&A risk International M&A risk
7 Strategic Execution Product execution risk
Product quality risk
8 Strategic Competitor Struggling competitor(s)
Price war
9 Strategic Supplier Supplier relationships
Cost of goods/services increases
10 Strategic Strategy Channel strategy risk
Change in performance of intermediaries
11 Strategic Competitor Innovation Competitor introduces new features
12 Operational Human resources
Performance Research & development (R&D) risk
13 Operational Human resources
Talent management
Labor relations risk
14 Operational Disasters Environmental damage
Environmental damage at Site X
15 Operational Litigation Litigation risk Class action lawsuit
16 Strategic Supplier Supplier relationships
Change in status of regulatory licenses
17 Strategic Strategy Channel strategy risk
Distribution channel risk
18 Operational Technology Data security and privacy
External attack
19 Operational Human resources
Talent management
Inability to recruit enough to support growth plans
20 Financial Credit Counterparty risk Change in creditworthiness of counterparties
152 & Risk Identification
C04 01/12/2011 10:42:51 Page 153
be based on the qualitative scores. The key risks are now advanced to the risk
quantification ERM process step, which provides quantitative metrics—a far
superior tool for prioritization and ranking.
The second product—the tool to monitor any potential changes in the
importance of any of the risks—is simply the entire list of risks from the
qualitative risk assessment. This list retains the likelihood-severity scores. This
is used in the ongoing emerging risk identification work, discussed next.
EMERGING RISK IDENTIFICATION
Emerging risk identification consists of two components:
1. Monitoring known risks
2. Environmental scanning for unknown risks
Monitoring Known Risks
The first component of emerging risk identification is to monitor known non-
key risks for any changes which might increase their ranking enough to
become key risks. There are two aspects to this. One aspect is monitoring any
changes in the internal and external environment that would make the risk
event more likely to occur. Another aspect is monitoring changes that would
increase the severity of the risk event. Monitoring for severity changes is
sometimes supported by conducting limited quantification exercises for these
risks. These exercises must be kept to a limited effort, because there are a large
number of identified non-key risks, often in the range of 50 to 80. One way to do
this is to simply take the credible worst-case scenario obtained in the qualitative
risk assessment and quantify that one scenario for each non-key risk, or, more
feasibly, for selected non-key risks.
Monitoring known risks is a reasonably straightforward and doable
exercise. It consists of targeted monitoring of a limited and defined set of
risks—those identified in the qualitative risk assessment. As mentioned earlier,
the RCD tool, which houses these risks, is used for this purpose.
Environmental Scanning for Unknown Risks
The second component of emerging risk identification is environmental scan-
ning for unknown risks. Unlike monitoring known risks, this task is not at
Emerging Risk Identification & 153
C04 01/12/2011 10:42:51 Page 154
all straightforward and can never be completed. There is no definitive science
for identifying unknown risks. In addition, the sources of potential risks that
someday might become key risks are virtually limitless.
Unfortunately, a common and dangerous misconception of ERM is that it
can indeed effectively perform environmental scanning for unknown risks,
and afford a good level of protection against such surprises. This false belief is
partly fostered by the fact that these types of risks are the most feared. The
sudden emergence of a risk event that takes us by surprise is a primal fear.
The fact that many people hold the false belief that ERM can protect them
from unknown risks is evidenced by the fact that chief risk officers are often
fired after a major risk event occurs. This would be warranted in cases where
the ERM program was poorly designed or implemented and where the risk
event that materialized was one that should have been known, more highly
prioritized, or more effectively mitigated. Although some firings have taken
place under these circumstances, this has not always been the case. In these
other cases, either senior management falsely believed that ERM can protect
the firm from unknown risks, or they believed that shareholders hold such
a fantasy.6
It is an inescapable truism of our existence that we will always be
exposed to the element of surprise. ERM is not designed to prevent unknown
events from emerging that can damage or even destroy the organization, nor
could it, or any other system, be so designed. It is critical for the CRO and the
ERM team to set proper expectations right from the start of ERM adoption and
implementation. ERM cannot predict the future. It cannot know the un-
known. All it promises is to make better sense out of how we make risk–
reward decisions, and to organize and leverage information about the risks
we do know about.
Unfortunately, because we, as humans, have such a high utility for
avoiding negative surprises, we are tempted to believe those who present a
system that can make us safe. Naturally, there are those that prey on these
temptations, claiming that they have a system capable of identifying un-
known risks. They often present elaborate and esoteric methods and claim
that advanced mathematics can capture hidden information, leading to
better identification of unknown risks. The seduction of such promises
must be strongly resisted. Any system that involves the randomness of
human behavior, such as your business does, can never be reduced to an
automatic mathematical system that can determine unknown risks. Upon
close examination, the faScade of these approaches always falls away to reveal a delicate array of assumptions that must be constructed by the subject
154 & Risk Identification
C04 01/12/2011 10:42:52 Page 155
matter experts to begin with. This leads right back to your people and their
best guesses regarding unknown risks.
Knowing all this, we must resign ourselves to the fact that all we can do
is institute a simple approach in attempt to discover unknown risks as early
as possible. Therefore, this component—environmental scanning for un-
known risks—is a more mundane but realistic approach: conducting vigilant
advance scouting for risks that are not currently on the risk list but that
might suddenly become key risks. This consists of one or more of the
following activities to gather information and intelligence from multiple
sources:
& Attend industry conferences & Research industry journals & Serve on industry committees & Conduct comparative analysis of competitors’ disclosed risks & Read ERM surveys & Make other investments in information and intelligence gathering
KILLER RISKS
There are two particular types of risks that warrant highlighting separately
because of their special nature. These risks share three qualities. They are:
& Politically difficult to introduce & Easily identifiable & A leading indicator of high-severity risk events
Two such risks which we will discuss are arrogance and concentration
risk.
Arrogance
Let’s discuss each of the qualities listed earlier, and then briefly examine
possible risk mitigation.
Politically Difficult to Introduce
Arrogance, whether present in one particular business segment or a char-
acteristic shared enterprise-wide, is certainly a difficult risk to mention to
Killer Risks & 155
C04 01/12/2011 10:42:52 Page 156
management. Who likes to hear that they are arrogant? Even more rele-
vant, who likes to be the one to have to tell someone else that he or she
is arrogant? To suggest such a risk internally is tantamount to challenging
the culture within the organization: not a happy prospect for a corporate
employee.
Easily Identifiable
Another seemingly difficult aspect of this risk is recognizing it in the first
place. What company has the collective clarity and objectivity to recognize
that they are arrogant, as well as the level of maturity to admit it? Fortunately,
arrogance is easily identifiable. The companies or areas that exude arrogance
are usually those that have some basis for it, such as having achieved external
recognition of their superiority. They may have dominant market share,
awards for quality or innovation, or something similar. Internal talking points
are often laced with evidence that there is a belief in their own superiority.
There may be an undue amount of fanfare and celebration of achievements,
which is noticeable by its excess. Thismay also take the form of self-satisfaction
or a lack of self-criticism. This is combined with a dismissive attitude toward
competitive analysis, fueled by the belief that all eyes are on them and that
nothing can be learned from the competition. This can be easily observed as
a lack of participation on industry committees or shrinkage in the budget for
competitive analysis. In addition, there is a marked tendency to overestimate
their strengths and underestimate weaknesses. This can be seen by exami-
nation of the strengths, weaknesses, opportunities, and threats (SWOT)
analysis performed as part of the strategic planning process. Finally, it is often
apparent to those outside the organization or business area that there is
an attitude of arrogance present, and a simple inquiry with external parties
can quickly identify the presence of this risk.
Conversely, it is often easy to spot the companies that do not succumb to
arrogance. They may be leaders in their field but they are never satisfied.
They are always examining what they can do better. They still fear the
competition. They are never complacent. A good illustration is from the
sports world. The team that is excellent but not arrogant has a relentless
focus on areas to improve. Even after a victory by a wide margin, the coach of
such a team will remain focused on what they can do better next time.
Rather than strut or crow about a victory, the team is humble and vigilant,
which is, in part, what keeps them on top.
156 & Risk Identification
C04 01/12/2011 10:42:52 Page 157
A Leading Indicator of High-Severity Risk Events
Arrogance is a leading indicator of one or more high severity risk events. This is
a risk that can do much damage, and often does. This is a natural recurring
cycle that is visible in organizations, in people, and even in countries that
achieve some level of success. The organization begins by struggling to survive.
After a while, it becomes competitive and eventually starts to excel. Eventually,
it gets to the top and begins to really dominate its field. This is where arrogance
can take hold. When it does, it is a leading indicator of failure. This cycle is
exhibited in Figure 4.8.
When arrogance takes root, it can sprout many different types of risk
events. Arrogance is like dropping one’s guard. Once you unknowingly drop
your guard, attacks can come in any form. One example is that it might lead to
a lack of innovation in developing products and services. Another example is
that it might lead to a feeling of entitlement which encourages bad behavior or
abuses by management.
Possible Risk Mitigation
The cycle illustrated in Figure 4.8 is not inevitable. Even for those organizations
or areas already suffering from arrogance, if this is identified in time and
properly treated, it can be corrected. Sometimes, this is only possible after an
embarrassing and public incident that hints at the fact that the organization or
area may be slipping off its perch, and gets people murmuring.
One example of this is the United States, which, after victory in World
War II, had arguably entered into a phase of arrogance, leading to
Time
Su cc
es s
Struggle
Excel
Dominate Arrogance
Failure
Compete
FIGURE 4.8 Arrogance Is a Leading Indicator of Failure
Killer Risks & 157
C04 01/12/2011 10:42:53 Page 158
complacency. In 1957, Russia, the main adversary of the United States at
that time, was first into space with a satellite called Sputnik. This was a wake-
up call for the United States. Through appropriate recognition of the problem,
an ability to admit it publicly, and strong leadership by President Kennedy,
the United States enhanced its math and science curriculums and reinvigo-
rated its space program. As a result, the United States was able to regain a
competitive position in space exploration and related technologies.
Addressing this risk directly is unlikely to succeed. One way to approach
it is to focus attention on the weaknesses resulting from the behavior without
having to mention the behavior itself. An example is to challenge whether
the organization is performing enough competitive analysis. This can be ad-
dressed either directly through the business segments, or indirectly through
the ERM team, via the emerging risk identification exercise. Another example
is to challenge the amount of benchmarking being performed where results
are measured against key competitors. This can help get the culture back a
quantum of realism, and get away from an insular attitude.
Concentration Risk
Concentration risk is another risk that warrants special attention. First, we
must define it. One popular definition of concentration risk is a lack of
diversification in the investment portfolio, resulting in too much risk exposure
in one area. A common example is a high percentage of assets invested in one
particular asset class, such as real estate in one location. Another example is a
concentration of a bank’s loans in one industry sector.
Technically, this definition does not conform to the approach discussed
earlier in this chapter for properly defining and categorizing risks by source.
The level of concentration is no more than an expression of the level of
exposure of a given source of risk. For example, concentration risk related to
equities is properly defined and categorized as equity market risk, where the
concentration aspect of this risk merely points up a concern for the level of
equity market risk exposure.
Nevertheless, we will temporarily depart from our convention of catego-
rizing and defining risks by source, but only for the purposes of discussing a set
of risks that meet our definition of killer risks. However, we will not define
concentration risk in terms of poor diversification of investments. Rather, we
will define concentration risk here as an unhealthy level of internal or external
concentration of power. Power can take many forms, including authority,
information, access to markets, and so on.
158 & Risk Identification
C04 01/12/2011 10:42:53 Page 159
There are two types of power concentration risks: internal and external.
There are numerous examples. We will first discuss two internal examples
followed by three external examples.
1. Rainmaker. A rainmaker is an individual or group that achieves out-
standing results; for example, growing revenues or profits. One example of
a rainmaker power concentration risk is a ‘‘golden boy’’ unit, described in
Chapter 2, which generates such a high level of revenues or profits that its
authority appears to be above the rules.
2. Mastermind. Amastermind is someone who stands out in terms of his or
her intellectual abilities. There are two main types of mastermind power
concentration risks. One is an executive with an entire fiefdom, and the
other is a sole individual, perhaps in middle management.
3. Critical Supplier. A critical supplier is a provider of a necessary set of
goods or services operating in a supplier market without a sufficient level of
competition. An extreme example is a sole-source supplier, which means
there is currently only one active supplier with which the organization
currently has, or is able to have, a business relationship.
4. Large Customer. A large customer is one that represents a significant
portion of the business. One example is a large customer of the organiza-
tion’s core business. However, another example is a minor business
segment’s customer that is so large that its loss could significantly damage
the business and possibly destroy it.
5. Large Distributor. A large distributor is one that controls a significant
portion of the customer’s access to its markets. As with the large customer
situation, this can either relate to a significant portion of a core business,
or a large enough portion of a non-core business such that its loss could
be catastrophic for that business.
Let’s again discuss each of the qualities listed earlier for killer risks, and
then briefly examine possible risk mitigation.
Politically Difficult to Introduce
Clearly, the internal power concentration risks are also politically challenging to
bring up. By definition, you are threatening a very powerful entity. Their
demonstrated abilities in amassing power prove them to be formidable players.
Though external power concentration risks are usually politically easier to
discuss, these can sometimes be treacherous as well; these external entities may
have internal allies with a vested interest in maintaining the status quo.
Killer Risks & 159
C04 01/12/2011 10:42:53 Page 160
Easily Identifiable
There is one easily recognizable characteristic that virtually always accom-
panies any concentration of power, including our five examples: arrogance.
The lack of competition leads to an arrogant attitude, which was discussed
earlier as its own killer risk.
Rainmaker Everyone is aware of the rainmakers in the organization, the special treatment they receive, and the financial rewards lavished on them.
They often have a peacock-like attitude, which makes them nearly impossible
to ignore.
Mastermind Masterminds are highly respected and widely known internally, and often externally, for their knowledge and skill in a specific area of expertise.
Ironically, this risk is often evident by its highly prized nature. It is often touted as
an advantage. Management often feels proud of their mastermind. They feel
comfortable knowing they have this reliable and valuable resource. Yet, having
so much to lose, all in the person of one individual, is itself a risk.
Critical Supplier Management is well aware of their critical suppliers, particularly the sole-source suppliers. Supply chain management is part and
parcel of routine management activities.
Large Customer Large customers are not hard to identify. Management is aware of the large customers of its core businesses, and will often visit with
them to maintain the relationship. Customers large enough to be significant
to individual business segments are top-of-mind to local management, and a
list of them can easily be obtained.
Large Distributor Similar to large customers, large distributors are well known internally, either at the executive or local management level.
A Leading Indicator of High-Severity Risk Events
All power concentration risks are leading indicators of potential high-severity
risk events. The higher the concentration of power, the more severe the
ultimate risk event can be.
Rainmaker There are countless stories of rainmakers, either individuals or groups, that emerge, become highly successful for a time, and then crash and
160 & Risk Identification
C04 01/12/2011 10:42:53 Page 161
burn, sometimes taking the organization with them. The Financial Products
division of AIG is only one recent example. Generating huge growth for AIG
through its sales of credit default swaps (CDSs), the Financial Products division
used this power to ignore internal phone calls from corporate personnel
responsible for oversight . . . until the division bankrupted AIG through mas-
sive losses, contributing to the global financial crisis that began in the United
States in 2007. The natural progression of these types of stories often seems to
be in three steps:
1. Recognition of talent
2. Massive, rapid growth
3. Implosion
Initially, the rainmaker talent is identified by its early success. It is the next
step that fuels the high-severity nature of this power concentration risk.
Growth is difficult to achieve. It is management’s excitement at the prospect
of dramatic growth that leads them to quickly scale up a business producing
dramatic results. Blinded by the potential rewards, they often either ignore the
risks, or, more commonly, they do not thoroughly examine the risks. This urge
to grow quickly is what transforms a simple risk into a killer risk. Often, the
more inordinately large the returns, the more everyone wants to believe that
this is a good business to expand, and yet, the more likely it is that the risks are
also inordinately large.
Just as with arrogance, when a concentration of power exists, it can
result in manifold types of risk events. The risks involved with rainmaker
individuals or groups are mainly a lack of scrutiny, transparency, and
accountability, which encourages bad behaviors or abuses by management.
The normal checks-and-balances of power, such as internal audit or an
ERM program, are not permitted to properly monitor the goings-on within
the unit. Sometimes the high-severity risk event takes the form of internal
fraud or theft. In the aftermath of an investigation uncovering such events,
and the ensuing criminal prosecution, it is common for the perpetrators of
the crime to convey feelings of entitlement that led them to believe the
normal rules did not apply to them. In many cases, this is such a compelling
factor leading to the crime, that even after a criminal conviction, the
wrongdoers rationalize that their contribution to the company entitled
them to what they usurped.
Other times, this takes the form of excesses in terms of perquisites.
Management is often overly trusting of rainmakers, giving them anything
Killer Risks & 161
C04 01/12/2011 10:42:53 Page 162
and everything they desire. Once exposed, these excesses can lead to negative
media coverage, potential reputational damage, and the resultant negative
financial impacts.
In addition, the sheer nature of the pressure to continue to perform at a
consistently miraculous level can lead to excessive risk taking or even outright
fraud. It is human nature to want to avoid falling off from a peak performance
period, which means losing the high level of recognition and financial rewards.
Sometimes, this leads to desperation and an at-all-costs mentality to maintain
personal status.
Mastermind Masterminds are also common; most companies have at least one. The existence of a midlevel manager mastermind is not as risky as an
executive mastermind with a fiefdom. A larger level of responsibility leads to a
higher level of risk severity. The high level of dependency the organization
has on this individual can lead to an imbalance in leverage, resulting in
similar risks as with the rainmaker: a lack of scrutiny, transparency, and
accountability, which can lead to bad behavior or abuses by the mastermind
or his or her staff. Another example of risk exposure is a sudden and hard-to-
fill vacuum in this area of expertise should the mastermind fall ill, pass away,
or retire. Worse still, this can also lead to competitive risk if the mastermind
is lured away by a competitor. An example will help illustrate the level of
potential damage.
A Fortune 500 company was very proud of their chief financial officer
(CFO). He was well known in the industry. He was highly respected
internally. He was a high performer. The company considered him a
competitive advantage, and thought they were getting quite a lot for their
money. They were aware, however, that his interpersonal skills chased away
many others with whom he worked. He was very arrogant and often verbally
abusive of others. Nevertheless, the company figured he was well worth the
trade-off.
One day, the CFO left the company. He retired. In addition to the large
hole he left in the CFO position, the company learned, over time, that
there were many other holes. The CFO didn’t like to be challenged, and
filled all his supporting positions with weak players. When the CFO retired,
the entire department virtually collapsed. Several of the individuals simply
could not perform their jobs without the prior CFO around. Many projects
languished for months or years. It took the company several years to fully
recognize what had happened and to effectively repair and rebuild the
department.
162 & Risk Identification
C04 01/12/2011 10:42:53 Page 163
Critical Supplier A power concentration in a single critical supplier exposes the organization to high-severity risk events. Three examples are
discussed here. The first example is a temporary loss of the critical supplier’s
capacity, for example, due to a fire. This can result in a temporary inability to
sell goods and services and/or a temporary failure to adequately serve the
existing customer base or even honor contractual commitments. This can
result in decreased revenues due to a lack of sales for a period of time, and
increased expenses due to attempts to work around the situation or due to
litigation. An even more damaging possibility is a permanent loss of mar-
ket share due to reputational impacts: The market may interpret the event
not as a one-time incident, but as an instability in the organization or its
management.
The second example is a permanent loss of a sole-source supplier. Where
other suppliers are available, it may take a while to establish a business
relationship. This down time can result in the same financial impacts described
earlier for the temporary loss example. In addition, expense margins will
increase further due to the lack of negotiating leverage with the new supplier.
However, in some cases, a backup supplier simply may not exist. This may
require a major change to the goods or services sold by the company, which
can dramatically exacerbate the severity of the event.
The third example involves a supplier to whom the company has
extended a large amount of credit, or who holds a large amount of company
assets. One recent example of such a situation has the distinction of also
satisfying our definition of both a rainmaker and a mastermind, except that it
was not an internal entity. For decades, Bernie Madoff supplied asset
management services to companies as well as individuals. For many inves-
tors, Madoff was a critical supplier with whom they had an extremely high
concentration risk. Some individuals even invested all of their assets with
Madoff. The high level of returns Madoff appeared to generate qualified his
business as a rainmaker. In addition, the ability to generate these returns
routinely, with little or no volatility, despite turbulent market conditions,
made him seem like a legitimate mastermind. According to Business Insider7,
HSBC had approximately one billion dollars invested with Madoff. This is
significant exposure, even for a bank the size of HSBC; it represented
approximately 15 percent of HSBC’s post-tax profits for 2008. According
to Bloomberg, Ascot Partners LLC, a money management firm, had invested
nearly all of its $1.8 billion in assets with Madoff.8 There is a long list of other
companies and individuals that had large concentration risk exposure to
Madoff’s firm. Bernie Madoff was arrested in December 2008 for what is now
Killer Risks & 163
C04 01/12/2011 10:42:53 Page 164
known as the largest Ponzi scheme in history. The consequences for the
companies and individuals whom Madoff served as a critical supplier were
high-severity events, and often catastrophic; some companies, including
Ascot, went bankrupt, and some individuals committed suicide.
Large Customer Having a large customer brings with it great risk. The loss of a large customer immediately leads to a loss in company value equal to the
corresponding loss of future profits. In addition, if the customer is lost to a
competitor, this may be taken by the market as a signal that something is
amiss, leading to a lack of confidence in management, a further loss of market
share, and possibly an exodus of key employees. This can lead to a downward
spiral, magnifying the loss further.
Large Distributor A large distributor is an example of a concentration of power in the form of access to markets. The loss of a distributor can instantly
destroy a large amount of value. First, there is the loss of value corresponding
to the proportion of expected future sales through that distributor. In
addition, depending on the nature of the goods or services the company
provides, the distributor may be able to immediately move the entire existing
book of business to a competitor. For example, an association promoting a
service to its membership base might encourage members to immediately
switch over to its new provider. In addition, just as with the loss of a large
customer, the loss of a large distributor may be taken as a negative signal by
the market and/or by key employees, leading to a downward spiral that
magnifies the loss.
Possible Risk Mitigation
Let’s briefly explore risk mitigation possibilities for each of our five examples of
power concentration risks.
Rainmaker As with arrogance, addressing the rainmaker power concentra- tion risk directly is tantamount to corporate suicide. Even addressing it
indirectly is still a rough road. There are only two indirect mitigation
approaches discussed here that may be of some, although still limited, use.
The first mitigation approach is intended to combat the lack of scrutiny,
transparency, and accountability that often protects rainmakers. An indirect
form of mitigation is to embed, in the audit plan or ERM program, an explicit
recognition that rapid growth, in and of itself, generates risk, and therefore
164 & Risk Identification
C04 01/12/2011 10:42:53 Page 165
must be subject to additional examination. It is a fundamental precept in
finance that risk and return go hand in hand. You cannot have higher returns
without higher risk (except for arbitrage opportunities, which evaporate
quickly in a reasonably efficient market). Capturing the rainmakers, including
any golden boy units, under the umbrella exercise of examining all high-
growth areas, may make it slightly easier to penetrate the cloak of secrecy that
usually envelops rainmakers.
The second mitigation approach is intended to negate arguments such
as, ‘‘Don’t worry about the risks here, we are generating far more value than
other departments.’’ An indirect form of mitigation is for the ERM team to
offer to measure the value as well as the risks. This is possible when the ERM
program employs a value-based ERM approach, which is described in Chapter
3. The value-based ERM approach measures risk and return on an integrated
basis, because risk is defined as volatility—both upside and downside—in
company value. This approach can provide the proper analysis as to whether
the extra returns generated are indeed worth the additional risk exposures.
Mastermind For the mastermind power concentration risk, one way to approach it is to highlight this type of problem generally as a talent manage-
ment issue, and define an approach to identify and remediate such situations.
Getting broad buy-in for the approach can then lead to a committee or team to
implement it. The implementation might scan the enterprise to identify all
such areas of ‘‘rare talent concentration risk,’’ emphasizing the invaluable
nature of the individuals identified. Committee suggestions for mitigation
might include ensuring the development of a strong cast of supporting players
for succession planning.
Critical Supplier For the critical supplier power concentration risk, there is likely to be a fatalistic attitude in the company. Management is well aware of
the situation, and the feeling may generally be that not much can be done
about the situation. This is another area where a value-based ERM approach
can enhance mitigation efforts. Once this risk is quantified, in terms of the
devastating impact it can have on the value of the firm, it tends to ratchet up
the level of attention and spurs more urgent and aggressive actions. An
example of this is given in a case study discussed in the section titled ‘‘Case
Studies’’ in Chapter 5. Mitigation efforts certainly include the obvious: attempt-
ing to get one or more additional suppliers, or at least to line up a backup
supplier. When this is not possible, and where the likelihood and severity of
losing the supplier is dire enough, it may be worthwhile to at least explore the
Killer Risks & 165
C04 01/12/2011 10:42:53 Page 166
possibility of deliberately diversifying the strategy—new goods and services,
other markets, different distribution channels, and so forth—to dampen the
risk. Alternatively, the company could explore the possibility of increasing its
scale, through a merger or acquisition, to decrease the severity of this risk to a
more acceptable level.
Large Customer For the large customer power concentration risk, man- agement is usually focused on preserving the customer relationship. Business
segment management is aware of their largest customers, and their incentives
are highly aligned to keeping this business. However, upper management may
not always appreciate business segment management concerns about these
large customers, and may not always approve unusual measures proposed to
keep these customers happy. What can help, similar to the critical supplier
risk, is to quantify the impact of this risk on company value. Putting the risk
in terms of the potential value lost allows a proper assessment of which miti-
gation actions are worthwhile.
Large Distributor The mitigation suggested here for large distributor power concentration risk is similar to a combination of that proposed for
the prior two examples of power concentration risk. There may be a perva-
sive feeling that not much can be done about this risk. However, once this
risk is quantified, in terms of its potential disastrous impact on company
value, it tends to precipitate action. Efforts to gain additional distributors are
undoubtedly constantly underway, because this increases revenues and is
fully aligned with incentives. Barring that, mitigation to consider may
include diversifying the strategy or increasing scale through merger or
acquisition. Either of these can decrease the severity of this risk exposure
to a more acceptable level. In addition, the quantification of this risk high-
lights another mitigation opportunity. Framing the risk in terms of the
potential impact on value allows for a more informed decision by manage-
ment as to which mitigation actions, intended to maintain a beneficial
relationship with the distributor, are advisable.
SUMMARY
Risk identification, the first step in the ERM process cycle, consists of three
components: risk categorization and definition; qualitative risk assessment;
and emerging risk identification. Despite being the most commonly
166 & Risk Identification
C04 01/12/2011 10:42:53 Page 167
performed ERM process step, there remain several aspects of risk identifica-
tion that are routinely performed in a suboptimal way. This significantly
impacts the quality of the entire ERM program, because every other step in
the ERM process is downstream from the risk identification step. To avoid
these problems, ERM programs must employ the five keys to a successful risk
identification process step: define risks by source; categorize risks evenly;
define metrics clearly; gather data appropriately; and identify risks prospec-
tively. The first two keys to success relate to the risk categorization and
definition (RCD) tool, which has several applications in an ERM program. The
remaining three keys to success relate to the qualitative risk assessment. In
addition to taking care to employ the five keys to successful risk identification,
there are two killer risks that companies must be vigilant against: arrogance
and concentration of power.
With the conclusion of risk identification, the ERM program arrives at a
major milestone: identification of the key risks. The key risks are those that
will advance to the next step in the ERM process cycle, which is the topic of
our next chapter: risk quantification.
NOTES
1. Standard & Poor’s uses this term in their ratings guidance.
2. This refers to deterioration in the relationship itself, due to personal friction, as
opposed to, for example, impatience with management’s ability to address
issues raised by the rating agency. This indicates a failure of external relations.
3. The absolute amounts in the severity column will vary by size of the
organization.
4. In the qualitative risk assessment, both severity and likelihood are typically
scored on a net risk exposure basis.
5. Some interviews may need to be conducted by videoconference or phone, due
to the remote location of some survey participants.
6. Of course, other possibilities include the political expedience of offering a
scapegoat to deflect criticism, as well as the psychological benefits of taking
some action that gives the appearance of restoring safety and preventing a
recurrence.
7. Businessinsider.com, Henry Blodget, December 23, 2008.
8. Bloomberg.com, Joshua Fineman, December 19, 2008.
Notes & 167
C05 01/12/2011 11:1:3 Page 168
5CHAPTER FIVE Risk Quantification
Any intelligent fool can invent further complica-
tions, but it takes a genius to retain, or recapture,
simplicity.
E.F. Schumacher
T HE RISK QUANTIFICATION ERM process step is the lynchpin of theERM process cycle. It enhances the key risk ranking and prioritizationperformed in the prior ERM process step—risk identification—and it also provides the information necessary to perform the next ERM process
step—risk decision making. The key linkage performed in this step is the
connection of risk and value by quantifying risk in terms of its value impact.
This is the bridge between risk and return.
In this chapter, we will address risk quantification as performed using
the value-based ERM approach. Risk quantification is performed with the
value-based ERM model. By model, we mean a financial model in the form of a
spreadsheet-based tool. The model receives input of data and assumptions,
performs calculations, and produces output of results.
Before we discuss the risk quantification activities, we will emphasize the
most critical overriding characteristic of the value-based ERMmodel: practicality.
168
C05 01/12/2011 11:1:3 Page 169
PRACTICAL MODELING
The single most important characteristic of the value-based ERM model is that
it is practical. All aspects of the model—inputs, calculations, and outputs—are
kept simple, with the sole purpose, constantly in mind, of supporting decision
making. As was discussed in some detail in Chapter 3, there are four aspects
to this practicality:
1. Reliability. The inputs are few in number and so are more easily main-
tained at a high level of quality. In addition, simplicity in the calculations
reduces the number of errors.
2. Speed. Simplicity in the calculations also translates to fast run times. The
model provides answers in hours rather than the typical days or weeks
for traditional ERM models.
3. Transparency. Simplicity in methodology means easier scrutiny by
management. For example, tangible individual deterministic risk sce-
narios can be reviewed directly, unlike formula-generated, difficult-to-
understand, and ever-changing stochastic risk scenarios. Deterministic
and stochastic scenarios are discussed later in this chapter (see ‘‘The
Power of Deterministic Risk Scenarios’’).
4. Balance of significant digits. The level of rigor is balanced with the
inherent lack of precision in the assumptions. The value-based approach
recognizes that a high level of complexity is simply not warranted, in light
of the significant digits rule.
It is paramount to keep these four aspects of practicality constantly in mind
when building the model. A perpetual vigilance is required against adding
complexity. There is a natural tendency to build out additional complexity,
often merely because the person trained in modeling is able to do it, enjoys
doing it, and, it is actually much easier than keeping it simple. It is good to keep
the following quotes in mind:
Perfection is achieved, not when there is nothing more to add, but when there is nothing left to take away.
Antoine de Saint-Exup!ery
Simplicity is the ultimate sophistication.
Leonardo da Vinci
Practical Modeling & 169
C05 01/12/2011 11:1:4 Page 170
There is also another force that continually pushes people toward
over-modeling. Those performing the modeling find it difficult to believe
that something simpler can be better. See ‘‘Can Simpler Actually Be Better?’’
CAN SIMPLER ACTUALLY BE BETTER?
Technical professionals, including modelers, tend to want to add com-plexity. It’s encouraged by their training. It’s aligned with their skills. It’s in their DNA. Additional technological sophistication is useful, but only if it increases utility (it is used more) and enhances performance (results im- prove). However, technological complexity is often in direct opposition to those two criteria. One such example, highlighted in an article by The New Yorker,1 is presented here, and comes to us from the field of obstetrics.
In the United States, in the 1950s, the field of obstetrics was in poor shape. One out of every thirty babies was stillborn (3.3 percent). Despite the availability of an abundance of individual detailed metrics on the health of the baby, there was poor care of newborns deemed ‘‘too sick to live.’’ This included babies that were thought to be too small or had poor coloring or were not breathing well at the time. These babies were simply listed as stillborn, placed out of sight, and allowed to die.
In 1953, Dr. Virginia Apgar introduced a new metric to gauge the viability of newborns in an attempt to improve newborn care and, as a result, the mortality rate. The Apgar score was a zero-to-10 point scale: two points for pink all over, two for crying, two for good breathing, two for limb movement, and two for a heart rate over one hundred beats per minute.
Imagine the reaction of the technical professional in obstetrics at the time: ‘‘This metric is ridiculously simplistic and cannot possibly capture a baby’s viability. It oversimplifies the complexities of each individual metric already available to us, and equates them all to each other in importance. Is breathing really only as important as crying? How could the Apgar score be of any value?’’
In fact, the Apgar score is widely credited with revolutionizing the field of obstetrics. It was adopted globally, and succeeded in its goals to improve newborn care and themortality rate. How can this be? How could simpler have been better? Simplicity translated into practicality, and practicality drove results. The Apgar score was easy to measure without sophisticated tools or know-how. It could be calculated by anyone that could count to 10. It was easy to compare results, from one baby to the next, from one doctor to the next, and from one hospital to the next. Availability and comparability drove competition to improve scores. This led to experimentation and eventually to
170 & Risk Quantification
C05 01/12/2011 11:1:5 Page 171
There are a few guidelines to help achieve and maintain a practical level of
ERM modeling. If these guiding principles can become a mantra to those
performing the model building, then the ERMmodel can become, and continue
to be, a valuable element supporting decision making:
& Start fresh & Expand judiciously & Consider practicality
Start Fresh
When building the value-based ERM model for the organization for the first
time, the model must be built anew, using basic principles as opposed to using a
generic model. Generic models are, by their nature, overly complex. A generic
model is designed to handle all the different types of businesses that it may
standardized improvements. The Apgar score led to hundreds of improve- ments in newborn care now known as the ‘‘obstetrics package.’’ One example was the shift away from general anesthesia to epidural anesthesia during childbirth once this was shown to improve Apgar scores. To date, in the United States alone, the Apgar score has saved literally millions of lives; for full-term babies, the stillborn rate is now just 1 in 500 (0.2 percent).
What is the lesson here? It’s partly about seeing the bigger picture, staying focused on how technical information will work in practice, and, when necessary, letting go of unnecessary detail and complexity. Rather than getting caught up in the detailed individual pieces of data, and the new and more advanced equipment available to some hospitals and usable by some doctors, Apgar realized that a less accurate but more accessible metric could drive improvements and save lives. Whereas technical professionals often indulge personal desires to employ their most complex techniques, the businesspeople they serve more often just need practical metrics that are easy to calculate, easy to understand, and easy to use in practice. The lesson for those building ERM models: Trying to perfect the model by increasing its complexity may in fact kill it. If they choose to downshift their intellectual capabilities a bit, they may actually gain more traction. Or, using a different analogy, when ERM model builders are invited to the business table, they need to bring more than their stochastic forks and knives. They need to develop practical, market- able solutions that will catch on.
Practical Modeling & 171
C05 01/12/2011 11:1:6 Page 172
encounter. As a result, generic models contain a lot of excess coding and
functionality that is not needed for the specific entity that uses it.
Expand Judiciously
When building the value-based ERM model for the first time, or expanding the
model over time, the model must be expanded judiciously. Model capabilities
should only be developed to the extent needed to match their intended usage.
Consider what decisions the model must support, and how quickly the results
must be provided.
Although it is important to be vigilant against unnecessary model expan-
sions, there are three main types of expansions that are both valid and natural
to the development of the value-based ERM model:
1. Business segments
2. Value drivers
3. Outputs
Business Segments
The value-based ERM model must be expanded to include detail at the level of
business segments or sub-segments appropriate to the risk quantification
exercise. At one level, it is important to include the same breakdown as
that used in other key business processes, such as strategic planning or internal
reporting. This makes it easier to integrate ERM into key company processes. At
another level, a more detailed breakdown may be required depending on key
risk scenarios. For example, if a risk scenario impacts a major product line
within a business segment, it may be necessary to break the business segment
projection into two parts—one for the major product line and one for the
remainder of the business segment.
Value Drivers
The model must also be expanded to include a level of detail sufficient to
support the dynamic nature of the business by including value drivers. For
example, if the company has salespeople, rather than model revenues as a
single line item, revenues should be broken up into its detailed value driver
components, such as:
& Number of new salespeople hired & Retention rate of salespeople
172 & Risk Quantification
C05 01/12/2011 11:1:6 Page 173
& Average number of items sold per salesperson & Average price of items sold per salesperson
In addition, more detail may be required if some of these components are
not homogeneous enough; for example, retention and productivity may vary
significantly by salesperson experience level.
Outputs
The company value metric is the dominant metric, and the primary set of
outputs is expressed in these terms. However, management usually requests
that outputs be expressed in terms of at least three or four additional key
metrics. The model must be expanded to accommodate these. Examples of
additional key metrics include revenue growth rate, net income growth
rate, earnings per share growth rate, and, for financial services companies,
capital ratio.
Consider Practicality
When faced with each new request or decision point related to potentially
increasing the level of model complexity designed to ‘‘increase accuracy,’’
consider its appropriateness. Stop, take a breath, and carefully think it
through. Ask yourself, ‘‘Is it worth it?’’ Balance the desire for robustness
against the need for practicality. Is the enhancement truly needed? What
is gained and what is lost? Consider that every time the model is made
more complex to better address one specific additional item, it puts the
overarching goal of practicality slightly more at risk. Does the change
make the model less reliable? Does it slow down the response time? Does
the methodology on which calculations are based become less transparent?
Is the added complexity mathematically appropriate in light of the significant
digits rule?
This last question in particular—regarding significant digits—should
always be top-of-mind. Consider the weakest link in the calculation chain,
the lowest common denominator of inaccuracy, if you will. Is the en-
hancement merely an illusion of more accuracy, because the approxi-
mate nature of one of the assumptions overwhelms the equation anyway?
Would it be insincere, and potentially misleading, to embed model calcula-
tions implying a higher level of accuracy than can possibly be achieved in
the result?
Practical Modeling & 173
C05 01/12/2011 11:1:6 Page 174
COMPONENTS OF RISK QUANTIFICATION
There are three distinct components in the risk quantification ERM process step:
1. Calculate baseline company value
2. Quantify individual risk exposures
3. Quantify enterprise risk exposure
The value-based ERM model evolves with each of these sequential
activities.
CALCULATE BASELINE COMPANY VALUE
The first activity in the risk quantification ERM process step is to calculate the
baseline company value. In the value-based ERM approach, risk is defined and
quantified in terms of a deviation from expectations. A company’s expectations
are represented by its strategic plan. The baseline company value is an internal
valuation based on achieving the strategic plan.
We will discuss three aspects of calculating the baseline company value:
1. Input of data and assumptions
2. Model calculations
3. Output of results
Input of Data and Assumptions
The data and assumptions needed to calculate the enterprise baseline value
include the following three items:
1. Strategic plan financial projection. The first item needed as input for
the calculation of the baseline company value is the strategic plan financial
projection. This is a financial projection that extends out to the end of the
formal planning period; for example, a three-year period. This should
include the latest version of the official strategic plan projection as well as
any detailed supporting documents. This should also include any informa-
tion available internally regarding projections or expectations beyond the
formal planning period; this is often limited to additional revenue growth,
expense reduction, and known or scheduled changes in investments.
174 & Risk Quantification
C05 01/12/2011 11:1:6 Page 175
2. Recent financials. The second item needed as input for the calculation of
the baseline company value is recent financial results that are normalized
for any one-time or anomalous items. This includes the income statement,
balance sheet, cash flow statement, and, for financial services companies,
required capital calculations. In addition, this includes the detailed data
supporting the construction of the financials; for example, rates of returns
on invested assets, tax rates, and so forth.
3. Discount rate. The third item needed as input for the calculation of the
baseline company value is the discount rate, or cost of equity capital. This
is the rate that will be used to discount all future distributable cash flows
back to the present time in the calculation of company value. This is the
return on investment assumed to be demanded by the collective share-
holders. This is based on the long-term average required return. For a
discussion on determining an appropriate discount rate, see ‘‘Setting the
Discount Rate.’’
SETTING THE DISCOUNT RATE
There are numerous methods of determining an appropriate discountrate. One popular method is to use the capital asset pricing model (CAPM).2 The various methods will not be explored here for three reasons. One reason is that this is basic corporate finance, and is not unique to enterprise risk management. A second reason is that the discount rate is readily available, because it is already used in routine corporate budgeting decisions as a hurdle rate.
A third reason that it is not worth spending much time on this is, again, the significant digits rule. Much time and effort can be spent tinkering with different methodologies for estimating the cost of equity capital, yet its true value cannot really ever be known with much accuracy. The cost of equity capital is the weighted average of the return required from every single shareholder, ranging from day traders to institutional long-term holders, and everyone in between. Even if you were able to individually ask each of these investors, ‘‘What is the return you require from your investment in our stock?’’ the following would be true:
& The answers would vary from investor to investor.
& The answers would probably change from day to day.
& Many investors would not be able to give you a definitive answer. (continued )
Calculate Baseline Company Value & 175
C05 01/12/2011 11:1:7 Page 176
Model Calculations
The baseline company value calculation involves a common valuation ap-
proach and can be considered in three parts:
1. Build a dynamic reproduction of the strategic plan financial projection to
project financials to the end of the formal planning period (e.g., three
years), and modify it to create a distributable cash flow projection.
2. Project the distributable cash flows beyond the formal planning period
(e.g., up to model year 20) and add a terminal value.
3. Discount the distributable cash flow projection back to time zero using the
discount rate.
Before we present an illustrative example, we will discuss three aspects of
this calculation:
1. Company value formula. We will discuss four aspects of this formula:
1. General formula. The general formula for the calculation of company
value was presented in Chapter 2 (see ‘‘Company Value’’), and is
repeated here:
Company value ¼ X1
n¼1 DistCFn ð1þ dÞn
Where:
& n¼ year of projection & DistCFn¼ distributable cash flow for projection year n & d¼ discount rate, which is management’s estimate of the rate of
return required by the shareholders for their investment, i.e., the
cost of equity capital
There are many variations of this formula. Different companies
define value differently. It is up to management to determine what
is appropriate, based on the unique characteristics of the organization.
(continued ) Given the elusive nature of the discount rate, and in consideration of the
high level of uncertainty in so many of the inputs into the value-based ERM model, it is a much better use of time to simply estimate the discount rate using some reasonable approach or use the readily available hurdle rate, and move on.
176 & Risk Quantification
C05 01/12/2011 11:1:9 Page 177
2. Distributable cash flow. Distributable cash flow is king. To investors,
it is distributable cash flow that matters, as opposed to representations
made by any particular accounting system. Cash flow is the universal
equation for value. If I ask you to invest in my business, you will only
take into account the following factors in valuing the opportunity3: & How much cash you must give me & When you must give cash to me & How much cash I plan to give to you in the future & When I plan to give cash to you & How likely you think I am to achieve my plans to give cash to you (in
terms of amount and timing)
Whatever accounting basis is used for the strategic plan financial
projection, the distributable cash flow formula essentially removes the
accounting and reduces everything to cash flows.
Distributable cash flow (DistCF) is calculated as:
Net incomeþ Depreciation and amortization% Increase in working captial % Capital expenditures
3. Truncated formula. As a practical matter, to limit the projection to N
years, a terminal value is used to truncate the calculation:
Company value ¼ DistCF1 ð1þ dÞ1
þ DistCF2 ð1þ dÞ2
þ & & & DistCFN ð1þ dÞN
þ TVN ð1þ dÞN
Where:
& DistCFn ¼ distributable cash flow for period n & TVN ¼ terminal value at end of period N & d ¼ discount rate & N ¼ final year of projection
4. Terminal value formula. The terminal value represents the value
remaining at the end of the projection period. This is used as a trunca-
tion, to limit the number of years projected in the model. There are
various methods of calculating the terminal value. One common ap-
proach is to assume that the distributable cash flow from the final year of
the projection, year N, continues to grow annually, in perpetuity, at a
constant growth rate. This results in the following shorthand formula:
TVN ¼ DistCFN ' ð1þ gÞ
ðd % gÞ
Calculate Baseline Company Value & 177
C05 01/12/2011 11:1:9 Page 178
Where:
& TVN ¼ terminal value at end of period N & DistCFN ¼ distributable cash flow for period n & g ¼ growth rate & d ¼ discount rate & N ¼ final year of projection
As with calculations of the discount rate, we will not further explore
the alternate methods for calculating the terminal value. Terminal
value is a standard component of valuation techniques and is not
unique to enterprise risk management.
2. Projection. The distributable cash flow projection derived from the
strategic plan financial projection only extends to the end of the formal
planning period. The model calculations must project beyond that for
several more years. For example, if the formal planning period is three
years, and there is a desire to project distributable cash flows for 20 years,
the projection must be extended an additional 17 years.
To do this, we must build two features into the model calculations:
1. Dynamic relationships. Developing a dynamic relationship involves
identifying the financial line items in the distributable cash flow
projection, or the value driver components, that drive other financial
line items, and finding a way to dynamically estimate their relationship.
One simplified example is identifying revenues as a driver of variable
expenses, and representing future variable expenses in the projection as
a percentage of revenues. Another example is identifying that one
year’s fixed expenses are a driver for the following year’s fixed expenses,
along with inflation, and representing future fixed expenses in the
projection as the prior year’s fixed expenses increased for inflation.
2. Reasonable trend lines. The distributable cash flow projection must
have reasonable trend lines for key financial line items such as revenues
and expenses. There are two projection periods involved—the strategic
plan projection period and the period beyond that. Strategic plan
projections have a tendency to include revenue growth that exceeds
that achieved in recent years. In addition, strategic plan projections
have a tendency to be overly optimistic in the ability to achieve sudden
expense reductions that have not been possible previously. Examining
the trend lines in the recent financial data and comparing them to those
of the projection during the strategic planning period can serve as a
reasonability check.
178 & Risk Quantification
C05 01/12/2011 11:1:9 Page 179
For the period beyond the financial plan projection period, the trend
lines must be created. This is done using a combination of the recent
financial data, the strategic plan projection, and information about
expectations for the industry sector, such as growth prospects. A con-
servative set of steady trend lines are then developed for projecting
beyond the strategic plan period.
3. Reasonability check. A reasonability check can be performed on the
baseline company value calculation by comparing it with market capitali-
zation. Market capitalization is the market’s estimate of the company
value, and is calculated as follows:
Market capitalization ¼ Outstanding shares' Stock price per share
The relationship between the baseline company value and market
capitalization varies by situation. However, in many cases, the baseline
company value is 5 to 15 percent higher than the market capitalization.
Whatever the percentage, the relationship should make sense in light of
the company’s circumstances and market conditions.
Illustrative Example: Pear Inc.
Pear Inc. is a hypothetical competitor to Apple in the handheld electronic
device market. Pear manufactures smartphones and sells them through
retail outlets in the United States. Its major competitive advantage is a
more sophisticated network called InfinityG.
Input of Data and Assumptions Last year, Pear had 5,000 salespeople, each selling an average of 750 units annually, based on a $250 purchase
price per unit. The purchase price is expected to remain constant in the
future. Pear tends to lose 15 percent of its salespeople each year. Last year,
Pear hired 1,000 new salespeople. Starting this year, Pear plans to grow
more aggressively. Each year going forward, Pear plans to hire 100 more new
salespeople than the year before. Pear earns net investment income at an
earned rate of 4.5 percent on invested assets of $150 million.
Pear’s variable costs—its costs of goods sold (COGS)—are equal to
67 percent of sales. Last year, research and development costs (R&D)
were $50 million, and this is expected to remain constant in the future.
Last year, Pear’s fixed expenses—its selling, general, and administrative
(SG&A) expenses—were $35 million, and are expected to increase with
an annual inflation rate of 3.5 percent. Pear pays interest expense of
Calculate Baseline Company Value & 179
C05 01/12/2011 11:1:9 Page 180
6 percent on long-term debt of $150 million. Pear’s effective tax rate is
35 percent.
Pear uses a discount rate of 13 percent for internal valuations, believing
that this fairly represents the long-term average required return of the collec-
tive shareholders.
Pear has 200 million shares outstanding. The current stock price is $8.75
per share, resulting in a market capitalization of $1.75 billion.
Calculation of Baseline Company Value For our illustrative example, we will make the following simplifying assumptions:
& There are no items of depreciation, amortization, change in working
capital, or capital expenditures; this equates net income with distributable
cash flow. & All net income is paid out in shareholder dividends. & The extension of the strategic plan projection beyond the formal planning
period uses the same trend lines as the strategic plan projection itself. & The projection period is twenty years. & The growth rate for distributable cash flows beyond the projection period
(used for calculating terminal value) is 0 percent.
The first three years of Pear’s distributable cash flow projection is shown in
Table 5.1.
Pear’s baseline company value calculation is as follows:
Company valueBaseline
¼ DistCF1 ð1þ dÞ1
þ DistCF2 ð1þ dÞ2
þ & & & DistCFN ð1þ dÞN
þ TVN ð1þ dÞN
¼ DistCF1 ð1þ dÞ1
þ DistCF2 ð1þ dÞ2
þ & & & DistCFN ð1þ dÞN
þ DistCFN ' ð1þ gÞ=ðd % gÞ ð1þ dÞN
¼ $147M ð1:13Þ1
þ $155M ð1:13Þ2
þ $165M ð1:13Þ3
þ & & & $468M ð1:13Þ20
þ $468M=0:13 ð1:13Þ20
¼ $1:91B
Performing a reasonability check by comparing baseline company value
to market capitalization reveals that the former is higher than the latter by
9.0 percent:
1:91B
1:75B % 1 ¼ 9:0%
180 & Risk Quantification
C05 01/12/2011 11:1:10 Page 181
Although we are not given enough information in this illustrative example
to determine if this is within reasonable bounds, it is within the common range
provided earlier of 5 to 15 percent.
Output of Results
The main output is the baseline company value itself. This is the price that
investors would pay today if they believed that the organization was going to
perfectly execute its strategic plan and that everything was going to go its way.
The first time this is calculated is an exciting moment. For most companies, the
most important metric is company value. Up until this point in time, manage-
ment has relied on equity analyst valuations or market capitalization as a proxy
for company value. Now, management has their own valuation, which has
three main advantages over external estimates of company value. It is:
1. More accurate
2. More detailed
3. More dynamic
TABLE 5.1 Pear’s Distributable Cash Flow Projection
(in $ millions)
Projection
Year 1
Projection
Year 2
Projection
Year 3 . . .
Projection
Year 20
Sales 955 995 1,045 2,552
Net Investment Income 7 7 7 7
Total Revenues 962 1,002 1,052 2,559
Cost of Goods Sold (COGS) 640 667 700 1,710
Research & Development (R&D)
50 50 50 50
Selling, General & Administrative Expenses (SG&A)
36 37 39 70
Interest Expense 9 9 9 9
Total Expenses 735 763 798 1,839
Income Taxes 79 84 89 252
Net Income 147 155 165 468
Distributable cash flow 147 155 165 468
Calculate Baseline Company Value & 181
C05 01/12/2011 11:1:11 Page 182
More Accurate
The baseline enterprise valuation has the potential to be a more accurate
estimate of company value than market capitalization or analyst valuations.
As discussed in Chapter 3, the internal baseline enterprise valuation leverages
inside information—the information so valuable that rogue stock traders want
to get their hands on it. Nobody can know with certainty what the future
financial results will be. However, each local manager is in the best position to
make an informed estimate as to what their part of the business is likely to
generate, as well as ranges around that estimate. Collecting these estimates and
ranges from local managers all around the company, in a consistent manner
and in as unbiased a way as possible, and aggregating them into a single
valuation model, results in a powerful tool and a more accurate estimate of
company value.
The baseline company value calculation is also less volatile than external
valuations such as market capitalization. This is a direct consequence of its
being more accurate. The market tends to initially overreact to new infor-
mation in both directions, causing additional volatility. Sometimes the
market initially reacts broadly, for example, regarding bad news in an
industry sector, and only some time later differentiates the reaction between
individual stocks. The baseline company value calculation doesn’t share this
extra volatility. Management is more knowledgeable about the impact of new
information on the company, and therefore doesn’t overreact.
Virtually every time I have seen this done, the initial internal calcula-
tion of the baseline company value exceeds the market capitalization. This
makes sense. It is the job of management to grow the value of the firm.
Management sets the strategy and supporting objectives that, if and when
achieved, will increase company value. However, an excessively optimistic
strategic plan projection produces a baseline company value that is less,
not more, accurate than external valuations. Later activities in the risk
quantification ERM process step, such as the calculation of enterprise risk
exposure, serve to strengthen the strategic planning process. These activi-
ties can help identify an achievable strategic plan, as well as a separate
strategic plan that is most likely and which facilitates a baseline company
value calculation that delivers on the promise of a more accurate measure
of company value.
There are numerous applications of a more accurate calculation of
company value. Two are discussed here. One application is to support better
decision making. For example, having a more accurate estimate of company
182 & Risk Quantification
C05 01/12/2011 11:1:11 Page 183
value than the general market supports more advantageous decisions
regarding stock issuance or buy-back. A more advanced version of this basic
company value model, in the form of the fully evolved value-based ERM
model, and its ability to support decision making, is discussed in Chapter 6.
Another application is to support better communications with external
stakeholders. For example, having an internal stock valuation that is
more accurate than the one used by equity analysts supports more effective
communications with them. This will be further discussed in the section titled
‘‘Communications with Stock Analysts’’ in Chapter 7.
More Detailed
Unlike an external valuation of the company, which offers one number
representing firm value, the value-based ERM model provides more detail.
The value-based ERM model provides an ability to estimate the portion of
company value attributable to parts of the company below enterprise level.
Each business segment or sub-segment for which the value-based ERM model
has detail has its own valuation. In addition, if desired, a valuation can be
produced for any portion of business, or even individual projects, for which the
corresponding financial information can be isolated and incorporated into
the value-based ERM model.
This information offers a new way to look at the business that can result in
a shift in management focus and attention. Consider the following hypothetical
example. A technology company, SFX Computers, manufactures computers
and accessories and has five business segments:
1. Laptop
2. Notebook
3. Workstation
4. Server
5. Accessory
Historically, SFX has given priority, of attention and budget, to each
business segment roughly in proportion to recent earnings. This relative
emphasis is shown in Figure 5.1, which highlights business segment earnings
for the prior year. SFX management had been giving about half of its time
and attention to the Laptop business segment, which represented half of
its earnings, with the remainder evenly split between its other business
segments.
Calculate Baseline Company Value & 183
C05 01/12/2011 11:1:11 Page 184
However, recently SFX performed a baseline company value calculation,
with details supporting valuations for its five business segments. The results of
the calculation are shown in Figure 5.2.
The attribution of SFX’s company value into its five business segments
reveals the true relative value of the segments. The Laptop and Workstation
Laptop 50.0%
Notebook 12.5%
Workstation 12.5%
Server 12.5%
Accessory 12.5%
FIGURE 5.1 SFX Prior Year Earnings by Business Segment
Laptop 35.0%
Notebook 30.0%
Workstation 5.0%
Server 20.0%
Accessory 10.0%
FIGURE 5.2 SFX Company Value by Business Segment
184 & Risk Quantification
C05 01/12/2011 11:1:16 Page 185
segments are less important than their prior year earnings would indicate,
reflecting SFX’s expectation, contained in the strategic plan projection, that
demand for laptops and workstations will decline over the next several years.
Similarly, the Notebook segment is more than twice as important as prior year
earnings might suggest, reflecting SFX’s expectations that demand for note-
books will increase significantly in the coming years. Changes in the relative
importance of the Server and Accessory segments reflect SFX expectations
related to shifting trends in revenue growth and profit margins.
With a clear picture of the relative contributions to company value
made by each business segment, SFX management has since shifted its focus.
This shift is reflected in the amount of attention and budget now afforded
to each segment.
More Dynamic
External estimates of company value are not as dynamic as internal calcula-
tions of company value. External valuations only reflect information that is
publicly available, whereas internal valuations reflect any inside information
available to management. Having an internal valuation model allows man-
agement to revise the baseline company value calculation for new develop-
ments or decisions that change future expectations. New developments in
the external or internal environments may either be unknown to the public
or the public may not yet realize, or appreciate, the significance of the infor-
mation vis-"a-vis a specific company’s future prospects. However, manage- ment may have this information, is in a better position to interpret its impact
on the company’s future distributable cash flows, and can revise its internal
calculation of the baseline company value as necessary.
This dynamic internal valuation model can be used for decision making.
For any decision, management can determine its marginal impact on the
distributable cash flow projection, or the discount rate, and then recalculate
the baseline company value. Having a valuation of the enterprise on a pre-
and post-decision basis provides a dynamic basis for decision making.
QUANTIFY INDIVIDUAL RISK EXPOSURES
The second step in the risk quantification ERM process step is to quantify the
individual risk exposures. This involves the quantification of multiple determi-
nistic risk scenarios for each key risk, in terms of its potential impact on the
Quantify Individual Risk Exposures & 185
C05 01/12/2011 11:1:16 Page 186
baseline company value. The baseline company value represents the expec-
tations embedded in the strategic plan. Risk, in the value-based ERM approach,
is defined in terms of deviation from expected. We will first discuss three aspects
of quantifying individual risk exposures:
1. Input of data and assumptions
2. Model calculations
3. Output of results
Following this discussion, we will present several case studies.
Input of Data and Assumptions
We will discuss the following aspects of developing inputs for the individual
risk quantification exercise:
& The power of deterministic risk scenarios & Range of individual risk scenarios & Labeling of individual risk scenarios & Approaches to developing individual risk scenarios
The Power of Deterministic Risk Scenarios
There are two basic approaches used to generate risk scenarios: stochastic and
deterministic. The stochastic approach involves some type of automation. It
is designed to generate a large number of random scenarios without human
involvement beyond setting up the process. Setup involves developing a
formula, which attempts to capture the shape of the risk distribution, and a
random number generator. The deterministic approach involves human
judgment to select and define each individual risk scenario.
Deterministic scenarios offer four advantages over stochastic scenarios.
Deterministic scenarios produce more robust scenarios, produce more accurate
scenarios, enhance risk culture, and support decision making.
1. Produce more robust scenarios. The stochastic approach automates
scenario generation, which means that it doesn’t require additional
thinking. Unfortunately, additional thinking is precisely what is needed
to develop robust risk scenarios. There are numerous variables that require
consideration, and these can only be brought to light by having subject
matter experts think through each risk scenario individually. This is what
186 & Risk Quantification
C05 01/12/2011 11:1:16 Page 187
the deterministic approach does best. Subject matter experts are asked to
think through, step by step, the downstream consequences flowing from
an originating risk source. Having a specific, deterministic scenario to work
with is a powerful catalyst in sparking dialogue with the subject matter
experts and in extracting their good knowledge of how the specific
situation would likely play out. Imagining a specific event actually
occurring makes it easier for them to think through the sequential
progression of likely events and the consequences to the organization.
One type of variable to consider is that each risk scenario may trigger
different types or levels of mitigation. For example, different levels and/or
causes of damage to company property may activate different levels of
insurance coverage. Another example is that each scenario, for a given
risk, may involve a different level of management response; higher levels of
management may be involved at higher levels of severity, bringing more
corporate resources to bear in mitigating the impacts of the risk event.
Another type of variable to consider is that certain scenarios, particu-
larly those of extreme severity, may trigger secondary events that are
usually associated with separate risk sources. This allows for the incorpo-
ration and reflection of correlations between risks, within the risk scenario
itself. For example, a worst-case pandemic scenario may trigger an
economic downturn.
2. Produce more accurate scenarios. A deterministic approach results in
more accurate risk scenarios by reducing errors and bias, avoiding
unrealistic scenarios, and producing better ‘‘tail’’ scenarios.
1. Reducing errors and bias. With a stochastic approach, risk sce-
narios cannot be easily documented and shared with others. The risk
scenarios can change with every run of the model; documentation
would involve providing formulae rather than specific scenarios.
However, with a deterministic approach, risk scenarios can be easily
documented and widely shared, because they are specific and well
defined. This reduces errors and bias in deterministic scenarios.
Dissemination of deterministic risk scenarios leverages the knowledge
of the wider group, providing opportunities to identify and correct
errors. For example, a risk scenario may include an assumption about
mitigation in the form of an insurance contract, and the risk manager
in charge of these contracts can review the documentation and
provide any needed corrections (e.g., the insurance coverage may
have recently been modified). In addition, the enhanced transparency
reduces bias. The subject matter experts developing the risk scenarios
Quantify Individual Risk Exposures & 187
C05 01/12/2011 11:1:16 Page 188
are aware that their assumptions will be reviewed by others, which
provides an extra incentive to be as accurate as possible.
2. Avoiding unrealistic scenarios. The stochastic approach often uses
interpolation, particularly for strategic and operational risks, for which
there is less data. The stochastic formula automatically generates future
risk scenarios by relying on interpolation to construct risk scenarios in
between available data points. Unfortunately, this can produce unrealis-
tic scenarios. Some risks, or aspects of risks, can only occur in two dis-
crete states. For example, a scandalous internal event either becomes
public knowledge or it does not. The severity of the former can be much
higher than the latter, with media coverage causing reputational dam-
age. Interpolating between these two, in terms of impact severity, is not
realistic. In contrast, the deterministic approach avoids producing such
unrealistic scenarios. It does not rely on unthinking interpolation based
on historical data points. Each risk scenario is consciously, thoughtfully,
and prospectively developed by subject matter experts.
3. Producing better ‘‘tail’’ scenarios. Stochastic approaches have be-
come less popular since the global financial crisis that began in the United
States in 2007. A major reason is that they failed to produce good ‘‘tail’’
scenarios—extremely pessimistic scenarios that are in the tail portion of
the distribution. Stochastic methods rely on formulae to represent the
shape of the risk distribution. The inherent inaccuracy of formula-fitting
to historical data is exacerbated when this is blindly followed into areas
with very few data points, of which the tail portion of the distribution is an
example. Leading up to the financial crisis, scenarios that were described
by stochastic methods as extremely rare were actually occurring fairly
routinely, exposing a glaring weakness of this approach. Rather than
follow a mathematical method into statistical silliness, the deterministic
approach relies on subject matter experts to individually think through
each tail scenario, and to assign a reasonable likelihood. Although
the experts do review the limited historical data points, the tail scenarios
relymore on their judgment, which results inmore sensible tail scenarios.
3. Enhance risk culture. The stochastic approach, by its design, engages
fewer people from the business segments. It relies more on a few financial
personnel, leveraging historical data and mathematical formulae to
produce a scenario-generating machine. In contrast, the deterministic
approach engages more people. This is a good thing. This enhances the
risk scenarios by leveraging the knowledge of the subject matter experts,
those closest to the risks. However, this also enhances the organization’s
188 & Risk Quantification
C05 01/12/2011 11:1:16 Page 189
risk culture. The deterministic approach to risk scenario development
involves a broad range of people throughout the organization, exposing
them to ERM and getting them thinking more about risk in general. This
is particularly true for strategic and operational risks, which require
subject matter experts beyond the finance departments into human
resources, strategic planning, legal, information technology, external
relations, and other areas. In addition to educating personnel about
ERM concepts, the interactive dialogue generated in the risk scenario
development exercises helps build buy-in for the ERM program.
4. Support decision making. There are two critical characteristics that
scenarios need to effectively support decision making:
1. Transparency. Stochastic scenarios are not easily accessible to man-
agement. They involve formulae andmathematics that are not intuitive
to non-financial personnel. The mysterious nature of a risk scenario
generator, humming away in a ‘‘black box,’’ generates more than
scenarios . . . it generates suspicion. Management cannot ‘‘touch and
feel’’ the risk scenarios and see how they are developed. Without the
ability to scrutinize, management hesitates to use the information for
decision making.
However, scenarios produced with a deterministic approach are fully
transparent. Each specific individual risk scenario, along with all of its
assumptions, is clearly laid out in easy-to-read, concise documentation.
The scenarios are tangible, and resonate with management. The
scenarios can easily be reviewed, and management can challenge
and sensitivity-test any assumption. This engenders trust. As a result,
management becomes comfortable relying on the information and
using it for decision-making purposes.
2. Stability. Risk scenarios generated by a stochastic approach tend to
change every time the ERM model is run. That is the nature of the
randomizing function. This produces ‘‘noise’’ in the ERM model results.
This causes some discomfort with management. Eyebrows are raised
when they see changes to results when no explicit changes have been
made to the model. The ever-shifting nature of the stochastic risk
scenarios causes an uneasy sense of instability and a decreased desire to
use the information in decision making. In contrast, deterministic
scenarios have stability. They tend to remain unchanged, unless a
change to the business occurs, necessitating valid updates. This con-
sistency gives management the comfort they need to incorporate the
information into decision making.
Quantify Individual Risk Exposures & 189
C05 01/12/2011 11:1:16 Page 190
Range of Individual Risk Scenarios
There are often several risk scenarios for each key risk. Some key risks will have
both upside and downside scenarios, some will not have any upside scenarios,
and all will have a baseline scenario.
Upside and Downside Scenarios Some key risks will have both upside and downside scenarios. One example is competitor risk. New competitors may
enter the field, whichmay be a downside risk scenario, or a competitor may fail,
which may be an upside risk scenario. Several risk scenarios might be
developed for this risk, such as:
& Extremely pessimistic & Moderately pessimistic & Baseline (represents no risk occurring) & Moderately optimistic & Extremely optimistic
No Upside Scenarios Some risks will not have any upside scenarios. These are risks for which there is no expectation (in the strategic plan) for the event to
occur. One example may be a terrorist attack. There is usually no expectation
that a terrorist attack will occur that will directly impact the company. The risk
scenarios might include the following:
& Extremely pessimistic & Moderately pessimistic & Mildly pessimistic & Baseline (represents no risk occurring)
Although most companies will not have any upside risk scenarios for
terrorist attacks impacting the company, this would not be true for all
companies. A company that operates in a conflict region may well have a
baseline expectation built into their strategic plan, and resulting distributable
cash flow projections, that a certain number of terrorist attacks will occur. In
such a case, downside risk scenarios are those where the experience is worse
than expected—higher than expected frequency and/or larger than expected
impact. The upside risk scenarios here would be those where the experience is
better than expected—lower than expected frequency and/or smaller than
expected impact.
190 & Risk Quantification
C05 01/12/2011 11:1:16 Page 191
Another example of a company that might have upside risk scenarios for
terrorism risk is an insurance company that provides coverage for this risk. The
insurance company will have expectations, reflected in its pricing and
embedded in its strategic plan and resultant distributable cash flow projections,
regarding the likelihood and severity of terrorist attacks. Downside risk
scenarios are those where the experience during the period is worse than
expected, resulting in higher-than-expected claims payments. Upside risk
scenarios are those where the experience during the period is better than
expected, resulting in lower-than-expected claims payments.
Baseline Scenario All key risks have a baseline scenario. This is the scenario when no risk event occurs, but instead, the expectations of the strategic plan,
and resultant distributable cash flow projection, aremet. Technically, this is not
a risk event at all. However, it is important to keep this as a placeholder. This
will be useful in the next, and final, activity in the risk quantification ERM
process step: quantifying enterprise risk exposure. At that point, we will address
simulations where multiple risk scenarios can occur simultaneously. One of the
inputs needed for this is the likelihood of each individual risk scenario, and
the baseline scenario has its own likelihood to take into account. In addition,
the mechanics of the calculation are easier to visualize and perform if the
baseline scenario is treated as just another individual risk scenario.
Labeling of Individual Risk Scenarios
The ranking of an individual risk scenario implied by its label, such as ‘‘worst-
case,’’ may not always be borne out by the risk quantification. When initially
crafting the individual risk scenarios, the labels attributed to each risk scenario
are based on an early impression of the severity of impact. However, this does
not necessarily match the actual calculated financial impact. The risk quanti-
fication is a complex calculation. It involves projecting financial impacts into
future years, interactivity between dynamic financial line items, and the effect
of discounting for the time value of money over multiple years. In addition,
different mitigation arrangements come into play. Finally, risks impact different
business segments differently; for example, some regulations may negatively
impact one business segment, while simultaneously positively impacting
another business segment. How all these complexities play out is not always
apparent at the outset.
The good news is that the labeling of individual risk scenarios doesn’t
matter. All that is needed here is to produce an array of individual risk scenarios
Quantify Individual Risk Exposures & 191
C05 01/12/2011 11:1:16 Page 192
that adequately represent a robust range of possible events for each key risk.
The results of the individual risk quantification—quantifying each risk scenario
in terms of its potential impact on the baseline company value—will determine
its ultimate rank position.
Approaches to Developing Individual Risk Scenarios
There are two different approaches to developing individual risk scenarios:
1. Approach for risks with mostly objective inputs. The risks with risk
scenario inputs that are mostly objective are those for which a large
amount of objective external quantitative experience data is readily
available. These are typically financial risks. One example is equity
market risk, which is a financial risk for which there exists decades of
experience with daily (and intraday) data on its volatility (i.e., the
volatility of the major stock markets).
Developing discrete risk scenarios for these risks is relatively
straightforward. A richly detailed distribution of historical risk scenarios
is available from which to choose discrete risk scenarios. This distribution
provides fodder for both the individual risk scenarios themselves as well
as their likelihood. Several discrete risk scenarios are selected to repre-
sent the shape of the distribution, including its inflection points. The
likelihood of each discrete scenario is obtained by mapping it to a portion
of the nearly continuous historical distribution and summing the corre-
sponding likelihood.4
2. Approach for risks withmostly subjective inputs. The risks with risk
scenario inputs that are mostly subjective are those for which a large
amount of objective external quantitative experience data is not readily
available. These are typically strategic and operational risks. One example
is execution risk, which is a strategic risk, and for which there is no
external objective data available. The ability to execute the strategic plan
as expected is a completely unique risk to each company.
Developing discrete risk scenarios for these risks is relatively more
involved, in that it requires expertise in a specific technique. The tech-
nique used to do this is an adaptation of a technique from the manu-
facturing sector called Failure Modes and Effects Analysis (FMEA), which
was described in Chapter 3. The technique involves identifying the
appropriate internal subject matter experts and interviewing them to
define the risk scenario event, assign likelihood, and estimate the
192 & Risk Quantification
C05 01/12/2011 11:1:16 Page 193
quantitative impacts. An example showing a summary of the results of a
FMEA interview is shown in Figure 3.5 in Chapter 3. The results of the
FMEA interviews include all the inputs needed for quantifying individual
risk scenarios, including changes, or shocks, to the items impacting the
distributable cash flow projection. For most key risks, this typically
includes the following: & Changes to revenues, for one or more years & Changes to variable expenses, for one or more years & Changes to fixed expenses, for one or more years
For risks that materially change the company’s risk profile, a change in
the discount rate is also included.
The subject matter experts will often provide these inputs in terms of
ranges. For example, they may estimate that revenues next year would be
decreased by ‘‘approximately 10 to 20 percent.’’ The midpoint of the range
is typically used as the main input for the quantification and the endpoints
of the ranges are used for sensitivity analysis.
To enhance the development of risk scenarios, the ERM team supple-
ments the subject matter experts’ knowledge, where appropriate, with the
information collected in the risk event database. This information will
include, for the risk in question, the historical occurrences of the risk event
at the company (which helps form the likelihood assumption), how the
event unfolded as well as management’s actions (which helps form the risk
scenario event itself), and the ultimate financial impacts (which helps form
the impact assumptions).
Model Calculations
The value-based ERMmodel evolves along the waywith each of the activities in
the risk quantification ERM process step. In this activity—quantifying individ-
ual risk exposures—the model from the prior activity—calculating baseline
company value—is expanded to include two new capabilities: (1) shocks to
baseline and (2) stakeholder actions.
Shocks to Baseline
We have now finally arrived at the most fundamental element in the value-
based ERM approach: quantifying individual risks. Individual risks are quanti-
fied by their potential impact, or shock, to the baseline company value (and
other key metrics, also derived from the distributable cash flow projection). Our
definition of risk is any deviation from expectations. Expectations are defined as
Quantify Individual Risk Exposures & 193
C05 01/12/2011 11:1:16 Page 194
the baseline company value (or, equivalently, its baseline projected distrib-
utable cash flows).
The value-based ERM model is expanded to reflect shocks to the baseline
company value. This involves shocks to any element in the value-based ERM
model that impacts the baseline company value, which includes the distribut-
able cash flow projection and the discount rate. This affords a before-and-after
look at the baseline company value (and supporting key metrics).
Although this can be done manually by editing the baseline company
value model, that would be a crude, tedious, and error-prone approach. In
addition, it would not support the evolution of the model needed for the
next risk quantification activity—quantifying enterprise risk exposure—
where an efficient mechanism is needed to run numerous simulations
that include multiple simultaneous shocks. Therefore, it is necessary to
modify the value-based ERM model to efficiently accommodate shocks in
an elegant manner.
A key aspect of having an efficient ability to shock the baseline is to isolate
and highlight any elements that may change. By necessity, this evolves as the
work progresses to develop risk scenarios for the key risks. As new risk
scenarios are developed, new elements will be identified that will require
‘‘shocking’’ in the model. One example of this is where a risk scenario only
impacts a sub-segment of one of the business segments, in a situation where
the model had, up to this point, only included detail broken out at the business
segment level. In some cases, it may be advisable to modify the model to
include the additional detail, breaking out that one business segment into two
components, to isolate the business impacted by the risk scenario. Another
example is where a risk scenario impacts the different strata of salespeople in
different ways. Imagine that the strata differentiation is related to experience
level. It may be necessary to expand the model to separately track and project
recruitment, retention, and production levels for each stratum separately, to
efficiently handle the related risk scenarios.
Stakeholder Actions
In quantifying individual risk exposures, we are shocking the baseline
company value for those elements identified in the risk scenario develop-
ment exercise. This is no longer a static projection like the baseline valua-
tion model used to calculate the baseline company value. We are shocking
the system, moving from a baseline scenario to a new, post-risk event
scenario, or shock scenario. However, there is more to producing a shock
194 & Risk Quantification
C05 01/12/2011 11:1:16 Page 195
scenario than merely adjusting for the elements identified in the risk scenario
development exercise. We must also adjust for the dynamic reality of stake-
holder actions.
Stakeholder actions are reasonably predictable actions expected to be
taken by internal stakeholders, such as management, and external stake-
holders, such as rating agencies, in response to triggers created in shock
scenarios. An example of internal stakeholder actions is where, as a result of
the risk scenario, the amount of available capital falls to a level that
precipitates management actions to raise capital. The value-based ERM
model must take into account this reality, and modify the calculations to
dynamically reflect this. An example of external stakeholder actions is where
revenue declines to a level that precipitates a ratings downgrade by rating
agencies. Again, the value-based ERM model must reflect such dynamic
actions, triggered not from the individual risk scenario itself, but from the
fallout of its impact on other key financial line items, such as capital, revenue,
expenses, and such.
Output of Results
There are three main types of outputs we will discuss for the individual risk
quantification activity:
1. Shock of key metrics
2. Attribution of shocks
3. Comparative ranking of shocks
Shock of Key Metrics
The output of results from quantifying one individual risk scenario typically
includes the values for the key metrics, on both a baseline and a shock scenario
basis. To illustrate some common outputs, we continue our earlier example of
Pear, Inc., and consider the following individual risk scenario:
Risk: Execution of product strategy
Risk scenario: InfinityG, Pear’s sophisticated network, is found to have
technological problems
Partial summary of impacts from FMEA risk scenario development
exercise:
& Pear is forced to permanently lower its average price per unit from $250 to
$225.
Quantify Individual Risk Exposures & 195
C05 01/12/2011 11:1:16 Page 196
& Annual sales per salesperson permanently decrease from 750 to 725. & Pear is forced to permanently increase SG&A expenditures 10 percent, to
fund additional marketing.
Some common individual risk scenario quantification outputs are shown
in Table 5.2 for this risk scenario.
At this point, all we have done is individually quantify the risk scenarios.
We have not yet calculated any interactivity between risk scenarios, which is
part of the next risk quantification activity—calculating enterprise risk expo-
sure. Yet, this is still quite valuable information, and it immediately spurs
management action. Once management sees the potential impact to company
value, they take actions. These actions are further informed by the attribution
information discussed next. In addition, several case studies illustrating this
point are presented later.
Attribution of Shocks
By itself, calculating the shock impact of individual risk scenarios on
company value is powerful information. It shows management the con-
nection of risk to value, focusing priorities and clarifying a business case
for decision making involving mitigation. However, specific mitigation
actions are further informed by calculating an attribution of the individual
risk scenario shocks to company value. This reveals how much each com-
ponent risk driver contributes to the overall shock to company value. For
example, assume a risk scenario includes two component drivers—one being
a reduction in revenues and another being an increase in variable expenses.
The attribution would show how much of the total value shock was
separately caused by each component driver: the value shock from the
TABLE 5.2 Individual Risk Scenario Quantification Outputs: Pear’s Product Strategy Execution Risk Scenario
(in $ millions)5 Enterprise
Value
Five-Year Revenue
CAGR6 Five-Year eps7
CAGR
Baseline Scenario 1,907 7.98% 10.86%
Shock Scenario 1,571 5.03% 6.39%
Absolute Change %336 %295 bps8 %447 bps
Percentage Change
%17.6% %37.0% %41.2%
196 & Risk Quantification
C05 01/12/2011 11:1:18 Page 197
revenue decrease and, separately, the value shock from the variable
expense increase.
There are several ways to calculate attribution for each component driver.
Two examples of methodologies are as follows:
Method #1. Each component driver can be introduced, by itself, into
the baseline model, and the value shocks recorded separately; if the
component value shocks do not add up to the total value shock (due to
interactivity) then the remainder is allocated to the drivers, in pro-
portion to the magnitude of each component driver. Some component
drivers may be judiciously excluded when it is clear that allocation to
those drivers is not warranted.
Method #2. Each component driver can be cumulatively introduced into
the model, one at a time, in some chosen order, with each marginal
value shock attributed to the newly introduced driver.
As an illustration, we will perform an attribution calculation using our
earlier example of Pear’s product strategy execution risk scenario. The attribu-
tion is detailed in Table 5.3. We use attribution method #1. The initial attri-
bution’s results, prior to allocation of any interactivity, are shown in Column 1.
The sum of the individual component driver shocks to company value add up
to a reduction of $344 million, which does not equal the total company value
shock from our earlier example, which is a reduction of $336 million. This is due
to the interactivity of the component drivers. In this case, the combined impact is
less than the sum of the parts. We allocate the interactivity only to the first two
component drivers: reduction in average price per unit and reduction in annual
sales per salesperson. These two are the cause of the interactivity: The first one
lowers the average revenue on sales, but the second one reduces the amount
of sales, which offsets the impact somewhat. Column 2 in Table 5.3 shows an
allocation by magnitude between the first two component drivers. Column 3
verifies that the final attribution does indeed sum to the total company value
shock of $336 million. Column 4 shows the relative percentage contribution,
in percentage form, of each component driver to the company value shock. This
attribution helps management focus as they consider mitigation opportunities.
The case studies presented later will expand on this point.
Comparative Ranking of Shocks
Once the calculations are completed for all the individual key risk scenarios,
comparative outputs can be produced. The most important of these is a
Quantify Individual Risk Exposures & 197
C05 01/12/2011 11:1:18 Page 198
TABLE 5.3 Attribution of Company Value Impact: Pear’s Product Strategy Execution Risk Scenario
Column:
(in $ millions)
(1)
Initial
Attribution
(2)
Allocation of
Interactivity
(3)
Final
Attribution
(4)
Percentage
Reduction in average price per unit
%240 þ6 %234 70%
Reduction in annual sales per salesperson
%80 þ2 %78 23%
Increase in SG&A due to marketing costs
%24 — %24 7%
Sum of component drivers
%344 þ8 %336 100%
–25.0%–20.0%–15.0%–10.0%–5.0%0.0%
Modified Case Study
Individual Risk Quantification Company Value Impact
Consumer Relations Risk
Competitor Risk 1
Union Negotiations
International Risk 2
IT Risk 2
Loss of Key Distributor
Loss of Key Supplier
International Risk 1
Execution Risk
M&A Risk
Loss of Critical EEs
Legislation Risk
IT Risk 1
FIGURE 5.3 Ranking of Individual Risk Scenario Exposures
198 & Risk Quantification
C05 01/12/2011 11:1:22 Page 199
ranking of all individual risk scenario exposures in terms of their potential
impact on the baseline company value. This was illustrated in Figure 3.2 in
Chapter 3, and is repeated here as Figure 5.3. Once this is available for the
company value metric, it is also immediately available on the basis of the
other key metrics.
This is a very important output, as was discussed in Chapter 3. This is the
first time management sees a holistic view of all key risks—from all sources
including strategic, operational, and financial—quantified in terms of their
impact on a single consistent metric. This immediately shifts management
attention to the most highly ranked risks. In addition, this replaces the
rudimentary ranking produced by the qualitative risk assessment exercise
performed in the risk identification ERM process step. The first time this is
done, there are typically some surprises: Some risks thought to be large
turn out to be quite small or negligible, and other risks thought to be minor
end up ranked highly, sometimes even in the top five.
Case Studies
Five case studies are presented here to illustrate the quantification of
individual risk scenarios using the value-based ERM approach. These case
studies will illustrate the approach as well as the impact of the information:
the power of quantification, particularly in terms of the potential impact on
the baseline company value, to support management decision making. The
case studies presented focus on strategic and operational risks rather than on
financial risks, because approaches to quantifying the latter are fairly
straightforward, whereas a practical approach to quantifying the former
has been, up to this point, elusive for most ERM practitioners.
Case Study #1: Technology Data Security and Privacy
This case study involves an operational risk related to technology data
security and privacy. A midsize financial services company was surprised
to see that a risk scenario involving an external attack on their technology
ranked #3 in terms of its potential impact on company value. The risk
scenario envisioned a computer worm entering an unprotected device such
as a handheld device. The company had a policy in place to protect all such
devices but was aware that the policy was not widely enforced, leaving them
Quantify Individual Risk Exposures & 199
C05 01/12/2011 11:1:22 Page 200
vulnerable. The risk scenario illustrated here is an extremely pessimistic one,
which involved almost every bad event imaginable:
& Entire e-mail system disabled & All programs and files, and their backups, deleted & Customer lists stolen and sold to competitors for poaching & Customer credit card data stolen and fraudulent purchases made & Customer privacy data stolen
However, upon examining the attribution, it was immediately apparent
that the vast majority of the impact on company value was due to the last
item—customer privacy data stolen—and took the form of notification and
monitoring9 costs. The reasoning, as thought through during the FMEA risk
scenario development exercise, was as follows: Customer privacy data for
millions of people resides on several dozen computers, though the company
was unsure which computers they were. Because all programs and files would
be deleted, it would be impossible to determine whether all or only a portion of
the privacy data was actually stolen. As a result, the company would have to
pay for notification and monitoring costs for all those whose privacy data was
on their computers.
As a result of this individual risk quantification information, management
immediately made two decisions, both related to mitigation. They launched an
initiative to identify and secure the several dozen computers on which resided
the customer privacy data. This lowered the likelihood of the risk scenario. In
addition, realizing that they had unnecessarily maintained privacy data for ex-
customers, they decided to purge this data from their computers. This imme-
diately reduced the severity of the risk scenario by nearly half.
There are three main lessons illustrated by this case study. The first
lesson is that quantifying risk scenarios in terms of their potential impact on
value supports decision making. This risk exposure existed at the company
for some time, but management did not take action until they were shown
the magnitude of the risk expressed in terms of the potential impact on value.
The second lesson is that calculating the attribution by component driver
focuses management on mitigation opportunities. The attribution clearly
highlighted the privacy data on the computers as the largest driver of the
magnitude of this risk. As a result, management was able to immediately
focus mitigation efforts on this area, leading to two initiatives to mitigate the
risk. The third lesson is that the FMEA risk scenario development process
develops robust scenarios. This risk scenario reveals the kind of thoughtful
200 & Risk Quantification
C05 01/12/2011 11:1:22 Page 201
detail that can only be gotten by getting the internal subject matter experts to
think through specific risk scenarios, as well as the valuable nature of such
an exercise.
Case Study #2: Loss of Critical Employees
This case study involves an operational, human resources risk related to losing
critical employees. A large insurance company was quantifying risk scenarios
of situations where valuable employees are gathered together, leading to a high
concentration of exposure. In particular, they began to focus on the risk
scenario involving a plane crash on the way to a conference for sales leaders.
The company had a policy limiting the number of key employees on any one
flight but was aware that the policy was not always enforced, particularly for
these conferences. The sales leaders’ conferences were attended by high-
powered individuals who often wanted to fly on the same aircraft together.
In addition, these conferences were usually held at exotic locations for which
fewer flights were available. The risk scenario included the loss of the following
types of individuals:
& Top salespeople & Sales managers & A few senior executives
Upon review of the attribution, it became clear that, although the loss of
the top salespeople was significant, the larger portion of the value impact came
from losing their sales managers. The reasoning, as thought through during
the FMEA risk scenario development exercise, and as quantified by the value-
based ERM model, was as follows: Sales managers are the most difficult to
replace. They are extremely rare individuals. The salespeople are very loyal to
their sales managers, andmay have even come to the company in the first place
by following the sales managers. As a result, the retention of salespeople would
suffer in those offices where a sales manager is lost. The productivity of the
remaining salespeople in that office would also deteriorate.
As a result of this individual risk quantification information, management
immediately made a decision related to mitigation. They decided to strengthen
the enforcement of the travel limitations policy for concentration of key
employees on flights, particularly in relation to sales managers. In addition,
they reviewed other travel policies to uncover any additional mitigation
opportunities related to other modes of transportation.
Quantify Individual Risk Exposures & 201
C05 01/12/2011 11:1:22 Page 202
There are three lessons illustrated by this case study. The first is that
calculating attribution by component driver focuses management on mitiga-
tion opportunities. It was not at all clear, until this exercise, that the sales
managers represented the largest part of this risk exposure.
The second lesson is that value-based quantification is superior to the
traditional capital-based quantification common at insurance companies. Had
the insurance company used a traditional approach to quantifying risk, using
an economic capital model, it likely would have significantly underestimated
the impact of this risk scenario, causing it to remain unmitigated. This is
because most economic capital models ignore future revenues and expenses
related to new business in their baseline projection; instead they simply project
revenues and expense for the ‘‘inforce,’’ which is the business currently on the
books. Unfortunately, for this risk scenario and for the majority of strategic and
operational risk scenarios, the impacts are largely on future revenues and
expenses, as opposed to capital.
The third lesson is that despite the fact that the arithmetic is simple a value-
based ERM model is needed to project out the risk scenario impacts on value,
discount them to the current time, and produce a final calculation, including
attributions. An intuitive estimate cannot suffice. It is impossible to correctly
rank the risks, identify the largest component driver, and take appropriate
mitigation actions without crunching the numbers.
Case Study #3: Money Laundering
This case study involves an operational, human resources risk related to a
potential money-laundering incident. A leading U.S. nonpublic insurance
company was spending a significant amount of money on mitigation known
as anti–money laundering (AML). The spending got to the point where a senior
executive halted all further mitigation activities pending an analysis. He
thought that the mitigation might be excessive, particularly in light of the
risk in question. He asked, ‘‘How bad could this risk even be?’’ As a result, the
company requested a quantification of this risk. The risk scenario illustrated
here is a very pessimistic one:
& A severe money-laundering violation occurs & Fines are levied on the company & Criminal prosecutions follow & Media coverage is triggered
202 & Risk Quantification
C05 01/12/2011 11:1:22 Page 203
& Customer retention decreases significantly, more than what would be
expected at other companies, because the violation shatters the company’s
brand positioning as one of high integrity
The quantification revealed that the event would destroy nearly half
(45 percent) of the company’s value. When management learned of the
magnitude, their response was decisive: they immediately resumed their
spending on anti-money laundering efforts. They instantly became comfortable
with this decision. They didn’t ask about the level of precision in the calcula-
tion. They also did not even ask, nor care, about the estimated likelihood of the
risk scenario. It didn’t matter. Until this risk quantification exercise, they had
no idea that the potential impact on value was even on this order of magnitude,
which was a level for which they had the proverbial ‘‘zero tolerance.’’10
There are two lessons highlighted by this case study. The first lesson is that
the value metric leads to decision making. The shock to company value is one
that hits home. Value is the language of business decision-makers, and when
you speak their language, they understand: There is a significant threat to
something they have to care about. The second lesson is that the risk
quantification exercise adds value, despite its lack of precision. In this case,
the approximate nature of the calculation did not inhibit the usefulness of the
information to senior management. They became comfortable with their
decision and acted swiftly.
Case Study #4: Supplier Disruption
This case study involves a strategic risk related to a potential supplier failure. A
leading U.S. cleaning products manufacturer was quantifying their key risks.
One of the risks included losing a sole-source supplier to a fire. Some time
earlier, management had made a strategic decision to eliminate a backup
supplier for one of their minor product lines. This resulted in a sole-source
supplier situation, but this did not engender much concern, and was allowed to
continue unchecked for a long time. Just prior to the risk quantification
exercise, management was querying the sole-source supplier about their
mitigation procedures against fire damage. Their response was, ‘‘Hey, we’re
great at it. In fact, we’re so good at it that we cannot even share the details with
you, because it is highly confidential. We consider it a competitive advantage.’’
In reaction to this, management decided that, as part of their fiduciary duties,
perhaps they should quantify this risk.
Quantify Individual Risk Exposures & 203
C05 01/12/2011 11:1:22 Page 204
The quantification of a risk scenario in which a fire totally destroys the
supplier’s facilities revealed that this was, by far, the number one risk of
the company, in terms of its potential impact on company value. The impact
was approximately 12 percent of company value, whereas the next most
impactful risk had a potential impact of only about 9 percent. The reasoning,
as thought through during the FMEA risk scenario development exercise,
and as quantified by the value-based ERM model, was as follows: The loss of
the sole-source supplier would completely wipe out one of their minor
product lines. However, in addition, this would result in a loss of market
share in one of their major product lines. This major product line was in a
market with a very tough competitor who would swoop in and take away a
significant portion of their market share, which they would never fully
recover. The leveraging impact of the loss of market share on a permanent
basis, for all future projection years, is quite large, even after discounting to
the present time.
Management was surprised by this information, but also pleased. This was
good news. They immediately made a mitigation decision to begin the process
to qualify a backup supplier. This would take about one year and only about
two million dollars, which for them was very minor. This meant that they
would be able to report the #1 key risk, along with the others, to the board of
directors, and then within a relatively short time frame they would be able to
virtually eliminate the #1 key risk. With a backup supplier in place, the
likelihood of this risk scenario becomes so remote that this would be removed
from the key risk list.
There are two lessons demonstrated by this case study. The FMEA process
is an invaluable way to translate and share the knowledge of the subject matter
experts, those closest to the risks. In addition, the value metric is needed to fully
quantify risks. In this case, the full projection of lost revenues is required to
appropriately quantify this risk scenario.
Case Study #5: Poor Strategic Planning
I am often asked the question, ‘‘Aren’t there some risks that just cannot be
quantified?’’ The traditional notion that some risks simply cannot be quantified
seems to permeate much of the ERM literature and is pervasive among
traditional ERM practitioners. As discussed throughout this book, a value-
based ERM approach, in theory, allows for the quantification of any risk. This is
also borne out by actual experience, rather than mere theory. The case studies
above offer some evidence of this. However, one of the risks that may appear to
204 & Risk Quantification
C05 01/12/2011 11:1:22 Page 205
be the most difficult to quantify is the risk of a poor strategic plan. After all, how
can one gauge whether their strategic plan is poorly devised? That is why this
case study is one of my favorites. It illustrates one such situation, and how this
was done.
This case study involves a strategic risk related to poor strategic planning.
A global leader in the technology sector began implementing an ERM program.
They had just completed the risk identification ERM process step and wanted
to pilot a value-based ERM approach for the risk quantification ERM process
step. To test its viability, they chose what they believed to be one of the most
difficult risks to quantify: the risk of poor strategic planning. Management
was aware that they had a very entrepreneurial culture, and that they tended
to develop strategic plans that were extremely aggressive. They were usually
unable to achieve the strategic plan goals, but this failure was a result of
unrealistic goals, rather than poor execution of the strategy.
The quantification of this risk was elevated to an even higher level of
difficulty, like an Olympic high diver adding another twist to the dive, by the
fact that the company refused to provide us, their consultants, with their
strategic plan. Despite our having signed a nondisclosure agreement, their
strategic plan was deemed too confidential to share, as a matter of policy.
Because the first step in the value-based ERM quantification approach is to
develop a baseline valuation model, this was not the best of news. However,
we did have their public financial reports, and management did provide some
public statements they had made about their growth prospects. Using this
information, we developed a high-level baseline valuation of the company, as
well as a value-based ERM model to quantify the risk.
The risk scenario development meeting was conducted using the FMEA
method. The risk scenario illustrated here involves failures related to four
specific strategic plan elements that management knew were particularly
questionable in terms of their feasibility. One was an inability to achieve and
maintain the same price premium, which they had been able to charge in
their main market, in the new markets into which they had recently
ventured. Another was weaker-than-expected supplier relationships. The
remaining two elements were related to an inability to achieve expense
reductions expected from the integration of acquisitions. The quantification
of this risk scenario revealed a potential decrease of 20 percent of their
baseline company value.
There are two interesting aspects of this case study. The first one relates
to an interaction that occurred at the meeting where we first presented the
baseline valuation. On seeing the baseline valuation, including the
Quantify Individual Risk Exposures & 205
C05 01/12/2011 11:1:22 Page 206
distributable cash flow projection, the project leader pulled her team aside for
a hushed discussion. Following this sidebar, they expressed their concern
that perhaps we had somehow obtained a copy of their strategic plan.
Apparently, the baseline valuation resonated so well, even though it was
constructed at a very high level and relied on even more simplifying
assumptions than usual, that they found it difficult to believe we did this
without their actual strategic plan. We were able to persuade them that, in
fact, we only used public information. The interesting point here is that, as
discussed earlier, many modelers believe that ERM models must be highly
detailed, and use only precise assumptions, to be at all useful. This is simply
untrue, both in theory and in practice.
The second interesting aspect of this case study relates to the quantifi-
cation of the risk scenario. The magnitude of the shock—a 20 percent
decrease in baseline company value—was just about equivalent to how
much their employee stock options were out-of-the-money.11 This revealed
the level of bias in the strategic planning process. It is management’s job
to grow the value of the company, and in this case, one of their deep-
seated needs was to increase the stock price to the level at which the
stock options would be back at-the-money12. In other words, the market
was implicitly saying, ‘‘We don’t believe in your strategic plan,’’ to the extent
that they inferred what it was, ‘‘but rather we think you will fail to achieve
key elements of it’’ (perhaps the very same four strategic plan elements of
which management was skeptical). Essentially, management, through their
strategic plan, was saying, ‘‘We think we are worth our baseline company
value,’’ and the market was saying, ‘‘No, we think you are worth about 20
percent less.’’ Who is right? If management perfectly executes its strategic
plan, then they will have been correct, and the market capitalization should
increase about 20 percent. If the risk scenario discussed here ends up
occurring, with management missing four of its strategic plan elements,
then the market’s valuation will have turned out to be accurate. The truth
may turn out to be somewhere in between. However, the cost of not
achieving the strategic plan was now quantified. In addition, the attribution
revealed the relative contribution of achieving each of the four strategic plan
elements in question. This gave management insights into the added value of
additional efforts to achieve strategic plan goals, in the aggregate, as well as
the marginal relative benefits of focusing on any one of the four individual
strategic plan elements. This helped prioritize management efforts, as well as
make the business case for any proposed additional initiatives to support the
strategic plan goals.
206 & Risk Quantification
C05 01/12/2011 11:1:22 Page 207
There are four lessons highlighted by this case study. First, any risk can
be quantified, even one as challenging as the risk of poor strategic planning.
Second, the quantification of individual risk scenarios, including the calcu-
lation of baseline company value upon which it is predicated, need not be
hyper-accurate to achieve their purpose. In this case, the ERM model
resonated with management to a high degree, despite its total lack of inside
information in constructing the baseline enterprise valuation. Third, using
the value metric allows ERM information to be related to other key metrics,
such as, in this case, employee stock options (and their strike price). This
makes a smoother path for integrating ERM into key company processes,
including decision making (Chapter 6) and risk messaging (Chapter 7).
Fourth, the attribution of shocks into their component drivers facilitates
management focus and prioritization of actions.
QUANTIFY ENTERPRISE RISK EXPOSURE
The third step in the risk quantification ERM process step is to quantify
enterprise risk exposure. We will discuss three aspects of quantifying enterprise
risk exposure:
1. Input of data and assumptions
2. Model calculations
3. Output of results
Input of Data and Assumptions
Enterprise risk exposure, in its graph form (see Figure 3.3 in Chapter 3),
represents the full range of possible outcomes:
& Baseline is achieved (no risk events) & One risk scenario at a time & Two risk scenarios at a time & Three risk scenarios at a time, and so forth
The graph is a distribution where the horizontal axis represents severity, or
impact on baseline company value (or some other key metric), and the
vertical axis represents likelihood. Therefore, the enterprise risk exposure cal-
culation requires two types of inputs—those related to quantifying the severity
Quantify Enterprise Risk Exposure & 207
C05 01/12/2011 11:1:22 Page 208
of individual risk scenarios and those related to likelihood. Data and assump-
tions related to severity are already available, because they were developed
as inputs to the individual risk quantification.
There are two types of inputs related to likelihood:
1. Likelihood of individual risk scenarios
2. Correlation between individual risk scenarios
Likelihood of Individual Risk Scenarios
The first input related to likelihood—the likelihood of each risk scenario—is
also readily available. The more difficult part—estimating the likelihood of
each individual non-baseline risk scenario, for each key risk, was developed
in the risk scenario development exercises, which utilizes the FMEA tech-
nique. The easy part is estimating the likelihood for the remaining scenario—
the baseline scenario. This is calculated as 100 percent less the sum of the
likelihoods of the other individual non-baseline risk scenarios.
Correlation between Individual Risk Scenarios
The second input related to likelihood is the correlation between individual risk
scenarios. This must be developed. Most traditional attempts to incorporate
correlations into risk modeling have been debunked during the global financial
crisis that began in the United States in 2007. Most traditional approaches are
used in combination with stochastic risk scenarios, and, as a result, require a
generic automatic assumption about correlations between risk sources, which
is assumed valid across all of their corresponding individual risk scenarios,
rather than customizing the correlation assumptions for each pair of individual
risk scenarios. This means that traditional methods are attempting to encap-
sulate the correlation between two distinct risk sources using a single correla-
tion assumption. This would require that all risk scenarios resulting from those
two risks share the same correlation behavior. This is too crude of an estimate.
During the financial crisis, it was demonstrated that, when extreme risk
scenarios are at play, such correlation assumptions break down. Correlations
between risks behave quite differently ‘‘in the tail,’’ that is, at the extreme
negative edge of the distribution, which corresponds to the realization of two or
more simultaneous highly pessimistic risk scenarios.
With a value-based approach, which is used in combination with
deterministic risk scenarios, we avoid this difficulty. Rather than attempt
208 & Risk Quantification
C05 01/12/2011 11:1:22 Page 209
to paint correlations broadly, as if they are uniform by risk source, we produce
an assumption for each pair of individual risk scenarios. This may initially
appear to be a daunting task, because there may be over 100 individual risk
scenarios. However, the vast majority of individual risk scenario pair combi-
nations are independent, which means they are uncorrelated, that is, they
have a correlation of zero. The vast majority of key risks are strategic and
operational risks, as opposed to financial risks. Most strategic and operational
risks are independent of each other. For example, the risk that the strategy is
flawed is uncorrelated with an information technology failure, which is
uncorrelated with a regulatory change, and so on. Although it is necessary
to consider each pair-wise combination, wide swaths of this work are
instantly completed using this realization.
For those individual risk scenario pairs that are correlated, the cor-
relation must be estimated. For those risks for which objective external data
is readily available, which are usually financial risks, the correlation data
is available from the investment department. For the remaining ones, a
simple approach is to simply guess at it, using the appropriate sign and
rough magnitude.
Why is this reasonable? Because correlations in general, and even corre-
lations for risks for which objective external data is readily available, are
mysterious relationships that (a) nobody can honestly claim to know with
much certainty, particularly in regard to how they behave when you most
need to know this, that is, ‘‘in the tail,’’ and (b) do exist, and should at least have
some accounting for them in the calculation of a distribution of outcomes, such
as enterprise risk exposure.
So, if two individual risk scenarios are thought to be moderately positively
correlated, assign a value to the correlation. It is naturally going to be a fairly
arbitrary value, but it should at least reflect the direction of the correlation (in
this case, positive), and the correlation’s magnitude should at least reflect, in
relative terms versus the assignment of other correlations, the degree of
correlation (in this case, moderate).
Model Calculations
The calculation of enterprise risk exposure consists of the following three steps:
1. Selecting simulations
2. Calculating impact
3. Calculating likelihood
Quantify Enterprise Risk Exposure & 209
C05 01/12/2011 11:1:23 Page 210
Selecting Simulations
Each simulation represents one possible future for the organization. A simula-
tion may be visualized as a vector, whose length is equal to the number of key
risks, and where each vector position indicates the risk scenario selected for its
key risk. An example of this is shown here:
Simulationi ¼ ðRisk1Sceni; Risk2Sceni; . . .RisknSceniÞ
Where:
& i ¼ the simulation number & RiskxSceni ¼ the risk scenario from key risk x that was selected in
simulation i; this can include one of the pessimistic scenarios, one of the
optimistic scenarios (if any exist), or the baseline scenario for this key
risk (which means that no risk event occurred) & n ¼ the number of key risks
The number of simulations required to run every possible combination of
risk scenarios developed, for the key risks selected, gets prohibitively large very
quickly after a handful of key risks and risk scenarios. Shortcuts are used to
select the set of simulations that will produce a representation of the enterprise
risk exposure distribution that is sufficiently robust as well as stable. This is
somewhat of an art form, and various techniques can be used to do this.
One example of a practical approach to selecting an appropriate but
manageable set of simulations involves the following three steps:
1. Set maximum run time. The first step is to decide on the maximum
desired model run time. Ideally, the value-based ERMmodel should be able
to perform the enterprise risk exposure calculation within a matter of six to
eight hours, although some companies find a run time of up to 12 or even
24 hours an acceptable time frame. The run time must be short enough to
be practical in terms of running multiple iterations of the model when
needed. In addition, it must be rapid enough to be practical in terms of
effectively supporting decision making, particularly at the highest levels,
where speed is of utmost importance.
2. Determine maximum number of feasible simulations. The maxi-
mum run time decided on in the first step is used to back into the maximum
number of simulations that can be feasibly calculated within that time
frame. For example, assume the maximum run time is set at six hours. Run
the model with 10,000 simulations, and record the run time. If the run
210 & Risk Quantification
C05 01/12/2011 11:1:23 Page 211
time is one hour, then 60,000 is the maximum number of simulations that
can be run within the six hour maximum time frame.13
3. Determine simulations needed for stability. In this step, an initial
number of simulations—well below the maximum number of feasible
simulations—are randomly generated, using stochastic techniques, and
then run through the value-based ERM model to calculate a first value
for enterprise risk exposure. It is important to note that the stochastic
element here is only involved with the selection of which deterministic
risk scenarios will populate the simulation vectors, rather than using
stochastic techniques to actually construct the risk scenarios. After this
first value is calculated, a second value is calculated using a new set of
randomly generated simulations. The values are then compared to see if
they are within a reasonable tolerance level of each other. If there is
reasonable stability, then the initial number of simulations becomes the
final number of simulations. However, if the first value is not within an
acceptable tolerance level from the second value, the process must be
repeated, each time increasing numbers of simulations, until stability is
achieved.
If the final number of simulations required for stability exceeds the
maximum number of feasible simulations, there are a few options. If the
increase in the number of simulations required results in aminor increase in
run time, management may simply choose to accept this. However, if the
run time is unacceptably long, one option is for management to allocate
more computing resources, using parallel processing to shorten the run
time to a reasonable level. Another option is to revise the calculation to
include a number of deterministic simulations, along with the stochastic
ones, to make the calculation more stable with fewer numbers of stochastic
simulations. Such deterministic simulations typically include those simu-
lations which are more significant, either due to high likelihood and/or
high severity.
Once the simulations are selected, they are locked into the model,
and not allowed to change from one model run to the next.14 This adds
further stability, by avoiding the ‘‘noise’’ that would be present if the
stochastic simulations were refreshed with each model run.
Calculating Impact
Once the simulations are determined, each simulation is run through the
value-based ERM model to calculate its impact on the baseline company
Quantify Enterprise Risk Exposure & 211
C05 01/12/2011 11:1:23 Page 212
value (and other key metrics), and the results are recorded. Simulations that
have more than one risk scenario occurring simultaneously will have their
shock inputs, from the FMEA risk scenario development exercises corre-
sponding to each risk scenario, aggregated together. The value-based ERM
model will then calculate the integrated impact of the multiple risk scenarios
occurring together. This is a powerful aspect of the model: the ability to see
how multiple risk scenarios interact, and to measure the net impact on the
organization.
Calculating Likelihood
The likelihood of a simulation is calculated bymultiplying the likelihood of each
individual risk scenario in the simulation vector, initially assuming indepen-
dence of all risk scenarios, and then multiplying this by a correlation adjust-
ment factor.
PðSimiÞ ¼ PðRisk1SceniÞ ' PðRisk2SceniÞ . . .' PðRisknSceniÞ ' CAF
Where:
& P(x) ¼ probability of x & Sim ¼ simulation & i ¼ the simulation number & RiskxSceni ¼ the risk scenario, from key risk x, that was selected in
simulation i; this can include one of the pessimistic scenarios, one of
the optimistic scenarios (if any exist), or the baseline scenario for this key
risk (which means that no risk event occurred) & n ¼ the number of key risks & CAF ¼ correlation adjustment factor
Adjustments must be made to account for correlations wherever the
simulation includes the occurrence of two risk scenarios that are not
independent. There are numerous methods that may be used to do this,
ranging from the simple to the complex. A simpler approach is preferable,
because it avoids the pretence that the true correlations can really be known
with much certitude. This is another example where the rule of significant
digits comes into play. Many risk modelers spend a significant amount of time
and effort refining their correlation approaches and assumptions further and
further, as if this is the differentiator between success and failure of an ERM
program. Although the interaction between multiple risks is a key factor in
212 & Risk Quantification
C05 01/12/2011 11:1:23 Page 213
ERM, there is more than one way to reflect risk interactivity, and the
correlation adjustment is the least important of all of them. See ‘‘Capturing
Interactions.’’
One simple way to perform this adjustment is to use a correlation
adjustment factor that is the multiplicative product of individual pair-
wise correlation factors. For example, if a simulation includes only one
pair of risk scenarios that are correlated, a single individual pair-wise multi-
plicative factor is applied to the simulation probability. When a simulation
includes more than one pair of risk scenarios that are correlated, each
individual pair-wise correlation adjustment factor is similarly applied multi-
plicatively to the simulation probability. The formula showing the correlation
adjustment factor as the multiplicative product of individual pair-wise corre-
lation adjustment factors is shown below:
CAF ¼ IPCAFRiskdSceni;Riskf Sceni ' IPCAFRiskrSceni;RiskmSceni ' . . .
Where:
& CAF ¼ correlation adjustment factor & IPCAFRiskxSceni;RiskySceni ¼ individual pair-wise correlation adjustment fac-
tor, for the combination of risk x scenario i occurring simultaneously with
risk y scenario i
There are four different situations involving the individual pair-wise correlation
adjustment factor (IPCAF):
1. If the two risk scenarios are positively correlated, then the IPCAF will
increase the simulation probability (i.e., the IPCAF will be greater than 1).
2. If the two risk scenarios are uncorrelated, then the IPCAF will not change the
simulation probability (i.e., the implied IPCAF will equal 1, though
technically no IPCAF applies unless the pair are correlated).
3. If the two risk scenarios are somewhat negatively correlated, then the IPCAF
will decrease the simulation probability (i.e., the IPCAF will be greater than
0 but less than 1).
4. If the two risk scenarios are 100 percent negatively correlated, meaning that
it is impossible for them to occur together, then the IPCAF will zero-out the
simulation probability, eliminating it entirely (i.e., the IPCAF will be zero
and therefore the CAF will also be zero).
Quantify Enterprise Risk Exposure & 213
C05 01/12/2011 11:1:23 Page 214
CAPTURING INTERACTIONS
Traditional approaches to ERM determine risk scenarios, and measurethem, in silo form, or one at a time. After that, there is an attempt to capture all the risk interactivity through a correlation adjustment to likeli- hood. This is not enough. One of the key ERM criteria is to have an integrated approach that fully captures the interaction between two or more risks. This was discussed as Criterion 4 in Chapters 2 and 3. There are three techniques that the value-based ERM approach uses to account for these interactions:
1. Risk scenarios
2. Impact calculations
3. Correlation adjustments
Risk Scenarios
The first technique to address risk interactivity is to reflect it directly in the risk scenarios themselves. In the value-based ERM approach, deterministic risk scenarios are developed using the FMEA technique. This involves a thought- provoking process where subject matter experts are asked to think through individual risk scenarios for key risks that are defined by their source. This allows the experts to consider all the downstream impacts flowing from the risk source, including those that are primary, secondary, and so on. Some of these impacts include triggering other risk scenarios related to different risk sources, which are then incorporated directly into the risk scenario. For example, an extremely pessimistic pandemic risk scenario may be assumed to trigger an economic downturn risk scenario, which then has its own set of cascading impacts and implications, which will be embedded directly in the pandemic risk scenario.
This is one of the two most powerful ways to reflect the interaction between risks. It provides a realistic portrayal of the risk interaction and how it would occur in the real world. This draws out the knowledge of the subject matter expert, who is closest to the risk and to the business. In addition, this provides a tailored approach to examining risk interactivity. As opposed to a formulaic approach using a single correlation metric across all risk scenarios for a given risk, this allows us to incorporate customized risk interactivity assumptions for each specific risk scenario.
Impact Calculations
The second technique to address risk interactivity is to reflect it directly in the calculation of the impact on company value (and other key metrics). The value-based ERM approach allows the quantification of two or more risk scenarios directly within the value-based ERM model.
214 & Risk Quantification
C05 01/12/2011 11:1:24 Page 215
Output of Results
There are four types of outputs from the enterprise risk exposure quantification:
1. Enterprise risk exposure—graph form
2. Enterprise risk exposure—table form
3. Downside standard deviation
4. Other outputs
Enterprise Risk Exposure—Graph Form
The first, and primary, type of output is the enterprise risk exposure in graph
form. This is a representation of the full distribution of all possible outcomes
(see ‘‘Caveats,’’ discussed later in this chapter). This was shown in Chapter 3,
Figure 3.3. All other exposure-related results are derived from this graph. The
types of information that can be derived include, but are not limited to, the
following four items:
Item #1. The likelihood of a decrease in company value of X percent or
more
Item #2. The likelihood of company value being within the range of þ/– X percent of the baseline company value
This is the other of the two most powerful ways to reflect the interaction between risks. This affords the clearest picture of how the risks will interact, including the amount that some combinations may offset each other, as well as the amount that other combinations may exacerbate each other. The net effect on the projected distributable cash flows, the baseline company value, and any other key metrics can be observed directly. In addition, an attribution calculation reveals the individual component drivers and their corresponding contribution to any interactivity between risks.
Correlation Adjustments
The third technique to address risk interactivity is risk correlation adjust- ments. These are multiplicative modifiers to the simulation likelihood. These do serve to recognize one aspect of the relationship between two risk scenarios: their tendency, or lack of tendency, to occur together. However, this is the least important of the three techniques. For the majority of risks that are correlated, this is a highly arbitrary assumption. What is useful about this technique is that, for risk scenarios where there is a known or strongly held belief as to the general nature of their correlation, this allows at least a directionally correct adjustment.
Quantify Enterprise Risk Exposure & 215
C05 01/12/2011 11:1:25 Page 216
Item #3. The likelihood of an increase in company value of X percent or
more
Item #4. The impact of each individual risk scenario on company value
Each of the above is also available for all keymetrics, not just for the company
value metric. Examples of commonly used key metrics include the following:
& Company value & Revenue growth rate (e.g., three-year or five-year CAGR15) & Net income growth rate (e.g., three-year or five-year CAGR) & Earnings per share (eps) growth rate (e.g., three-year or five-year CAGR) & Capital ratio (for financial services companies); for example, the ratio of
actual capital to required capital, where required capital is the capital
needed as a buffer against the current level of risk
Items #1, #2, and #3 typically form the basis for the enterprise risk
exposure table form output, which is the primary data used to inform the most
important decision in ERM: defining risk appetite.
A subset of item #3 is the likelihood of achieving or exceeding strategic
plan goals. This can be seen by plugging in zero as the percentage. This is a
very interesting result. This is a measure of the confidence level in the
strategic plan, or, put another way, a measure of the level of difficulty in
achieving plan goals and initiatives. The first time this is calculated, man-
agement is initially surprised at the value of this metric. It is usually
significantly lower than 50 percent, and often in the neighborhood of 35
percent. However, upon examination, this makes sense. More things can go
wrong than can go right. This is visually presented in the graph form of
enterprise risk exposure as a ‘‘fat tail’’ distribution. There is more area under
the curve to the left of the dotted vertical line (representing the strategic plan
being achieved) than to the right.
Ironically, and perhaps a bit confusingly with our terminology, risk is
measured as deviation from expected, where expected is defined as the
perfect realization of the strategic plan, and its corresponding distribut-
able cash flow projection. However, this is not the probabilistic expectation,
or the mean. The actual probabilistic expectation for company value, or
the mean company value, is usually somewhat lower than the baseline
company value.
Item #4 is the set of individual risk exposures discussed earlier. However,
as indicated in Chapter 3 (see ‘‘Enterprise Risk Exposure’’), the individual risk
216 & Risk Quantification
C05 01/12/2011 11:1:26 Page 217
exposures are technically a subset of the enterprise risk exposure, because it
already includes the one-at-a-time risk scenarios.
Enterprise Risk Exposure—Table Form
As discussed in Chapter 3, the table form of enterprise risk exposure is derived
from the graph form. The table form consists largely of items such as those
listed earlier, in ‘‘Enterprise Risk Exposure—Graph Form,’’ as items #1, #2,
and #3, where the values selected as the percentages define the pain points.
This is the primary data used to inform the most important decision in ERM:
defining risk appetite. Table 5.4 shows a modified case study of a table form of
enterprise risk exposure.
Downside Standard Deviation
A traditional measure of volatility that is easily calculated for a given distribu-
tion is the standard deviation. The higher the standard deviation, the higher
the level of dispersion away from the mean, or average value. The formula for
standard deviation is as follows:
s ¼ ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi 1
n
Xn x¼1
ðx% #xÞ2 r
Where:
& s ¼ standard deviation & n ¼ number of data points in the distribution & x ¼ a data point in the distribution & #x ¼ mean of distribution (note that if the metric used here is company
value, this is the probabilistic expectation of company value)
TABLE 5.4 Enterprise Risk Exposure—Table Form Modified Case Study
Pain Point Likelihood
Decrease in company value of more than 15% 8.5%
Falling short of this year’s planned revenue growth by more than 200 basis points
13.2%
Falling short of this year’s planned earnings by more than 2c= per share 10.4%
Ratings downgrade of one level 7.6%
Quantify Enterprise Risk Exposure & 217
C05 01/12/2011 11:1:27 Page 218
The standard deviation metric does not suit our purposes. First, standard
deviation is defined in terms of deviation from the mean. For ERM purposes, we
define risk as deviation from the baseline, or strategic plan expectations. Second,
standard deviation captures all volatility—volatility resulting in deviations
below the mean, as well as volatility resulting in deviations above the mean.
This is appropriate where all deviations from the mean—both upward and
downward—are equal in importance as well as symmetrical, such as in the bell-
shaped curve of a normal distribution. For ERM purposes, we do define risk as all
volatility. However, not all deviations are created equal. Downside volatility—
producing results that fall short of the strategic plan expectations—is the bad
volatility, but upside volatility—producing results that exceed strategic plan
expectations—is the good volatility. Although in reality the two are connected,
management would prefer to decrease downside volatility, but they would prefer
to increase upside volatility. In addition, enterprise risk exposure is generally not
a symmetrical distribution. It is generally a ‘‘fat tail’’ distribution. As such, it is
important to distinguish the downside volatility from the upside volatility.
We will define a new volatility metric, called downside standard deviation
(sdownside, or DSD). The higher the downside standard deviation, the higher the
level of dispersion below the baseline, or strategic plan expectations. The
formula for downside standard deviation is as follows:
sdownside ¼ DSD ¼ ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi 1
m
Xm y¼1
ðy% ##xÞ2 r
Where:
& sdownside ¼ DSD ¼ downside standard deviation & m ¼ number of data points in the distribution that correspond to a result
that falls short of baseline expectations & y ¼ a data point in the distribution that corresponds to a result that falls
short of baseline expectations & ##x ¼ baseline, or strategic plan expectations
This is a very important metric with several advantages. It is a single
number. It is prospective. It incorporates all the downside risk from the enter-
prise risk exposure calculation. It is readily available. It can be easily recalcu-
lated to assist in the evaluation of potential decisions.
In addition, the downside standard deviation can be used as a relative
guide to changing a key input to the value-based ERMmodel: the discount rate.
218 & Risk Quantification
C05 01/12/2011 11:1:27 Page 219
Changes to the discount rate may be needed when calculating a revised
baseline company value (upon periodic updates); quantifying individual risk
exposures; or for decision-making purposes. Although it is not worthwhile
spending a lot of time developing the assumption for the absolute value of the
discount rate, it is important to include a thoughtful approach to determining
any relative changes in the discount rate. Whatever the absolute value of the
discount rate, based on the current level of riskiness in the firm, the following
two statements are true:
1. Any increase in riskiness of the firm will increase the discount rate.
2. Any decrease in riskiness of the firm will decrease the discount rate.
This merely indicates that the return on investment required from share-
holders is proportional to the level of risk. This is fairly straightforward.
However, what does require a bit more care is deciding which changes to
the firm actually do rise to the level of materially changing the riskiness of
the firm, and what should be the nature of the relationship between change
in risk, as measured by downside standard deviation, and changes in the
discount rate. Whatever management decides regarding this relationship, it
should be consistently followed in all activities in the risk quantification and
risk decision making ERM process steps.
Other Outputs
The two forms of enterprise risk exposure (graph form and table form) and the
downside standard deviation are the major outputs from the enterprise risk
exposure calculation. However, there are two other useful outputs that are
readily available, or can be easily derived, from the calculation of enterprise
risk exposure:
& Likelihood of failure & Economic capital
Likelihood of Failure There are numerous ways to define varying degrees of failure, and generally, the pain points can be counted among them. The
pain points are thresholds, defined in terms of failing to achieve selected
company goals regarding key metrics, for which management wants the
likelihood of crossing them to be appropriately low. However, in addition to
the typical pain points, there are other types of failures, whose likelihoods are
Quantify Enterprise Risk Exposure & 219
C05 01/12/2011 11:1:27 Page 220
readily available and which management finds useful, but are not always
selected for inclusion as one of the formal pain points. Some examples of such
failures include the following:
& A one-level ratings downgrade & A two-level ratings downgrade & Bankruptcy, defined as default on debt payments & Capital ratio falling below some extreme threshold level & All capital being exhausted
Economic Capital Economic capital is a key metric for financial services companies. In Chapter 2, we defined economic capital as the amount of capital
needed on hand today to limit the probability of ruin, over a given time horizon,
to within a small predefined likelihood. One of the major benefits of a value-
based ERM approach for financial services companies is that the value-based
ERMmodel can serve a dual purpose as an economic capital model. This can be
referred to as a ‘‘value-based economic capital model.’’ Because the value-based
ERM model can produce a distribution of outcomes for any definition of ruin, it
can simply be run iteratively, by varying the initial level of capital, to determine
the level of capital that limits the probability of ruin to the desired predefined
likelihood.
Having a value-based economic capital model to replace, or preclude the
need to develop, a traditional economic capital model offers three advantages:
1. Enhances coordination. At most financial institutions, such as banks
and insurance companies, there is a lack of efficient coordination between
the value-based models and the economic capital models. The value
models—e.g., the strategic plan projection models, or the embedded
value16 models—are in one department, such as corporate planning,
and the economic capital models are in another department, such as
corporate risk management. This means that they are likely to have some
differences that may conflict. The models may have inconsistent assump-
tions or calculations. In addition, any existing friction between the
departments, due to differing political agendas or incentives, may result
in a lack of coordination in usage of the models.
However, introducing a value-based ERM approach resolves this issue
completely. Those using a value-based economic capital model have in
their possession a single, integrated tool that has automatic coordination
220 & Risk Quantification
C05 01/12/2011 11:1:28 Page 221
and consistency, because both the value model and the economic capital
model reside within a single model.
2. Moves beyond the tail. Traditional economic capital models typically
only examine extreme risk scenarios, or tail events, such as a one-in-a-
thousand risk scenario. Such an unlikely risk scenario is based on the least
credible data. There are (luckily) precious few of these historical events. In
addition, this is the least actionable information. There are very few
opportunities (again, luckily) for management to have to deal with
such situations.
However, the value-based economic capital moves beyond the tail to
include the full range of risk scenarios, both upside and downside,
including those near the baseline expectation. This is far more credible
information, because it is based on volatility for which more experience
exists. In addition, this information is far more valuable to management,
because it deals with the kind of volatility they are more likely to
encounter, as opposed to the Armageddon scenarios.
3. Satisfies key ERM criteria. The value-based economic capital model
satisfies all of the 10 key ERM criteria, and in particular, it satisfies several
criteria or sub-criteria that a traditional economic capital model fails to
satisfy, the five most important of which are discussed here:17
1. Full quantification of strategic and operational risks. Most
traditional economic capital models significantly underestimate the
impact of some risks. For their baseline, rather than use a full projection
of future distributable cash flows, they use current capital levels, or a
partial projection of future distributable cash flows.18 This is a particu-
larly poor way to measure strategic and operational risks, which often
have their largest impact on future revenues and expenses. A value-
based economic capital model resolves this problem, because it uses the
full projection of future distributable cash flows as its baseline.
Formore detail, see Chapters 2 and 3, ‘‘Criterion 2: All Risk Categories
Included.’’
2. Integration of multiple simultaneous risks. Most economic capi-
tal models do not use an integrated approach. They measure one source
of risk at a time, and then construct an elaborate correlation matrix in
an attempt to formulate an equation that captures risk interactivity.
This is suboptimal, as discussed earlier (see ‘‘Capturing Interactions’’).
The value-based economic capital model resolves this issue by captur-
ing interactions in three ways (see same sidebar).
Quantify Enterprise Risk Exposure & 221
C05 01/12/2011 11:1:28 Page 222
For more detail, see Chapters 2 and 3, ‘‘Criterion 4: Integrated across
Risk Types.’’
3. Metrics that support decision making. Traditional economic capi-
tal models do not have the metrics to fully support business decision
making. These models cannot support decisions involving strategy or
operations, because they either do not fully quantify strategic and
operational risks, or simply omit them altogether. In addition, these
models usually only present the risk (capital) aspect of the equation, and
ignore the return (value) aspect. Business decision-makers require both
risk and return information to make decisions.
However, value-based economic capital models resolve both of these
issues. They can support all types of decisions, including those related to
strategy and operations, because their quantification approach fully
quantifies all risks, including strategic and operational risks. In addition,
these models provide an integrated look at both risk and return
information, because risk is expressed in terms of its value impact.
All decisions are supported by information showing the potential
impact on expected value, as well as the likelihood of achieving that
value change, which is a rigorous business case for any decision.
For more detail, see Chapters 2 and 3, ‘‘Criterion 6: Includes
Decision Making.’’
4. Practicalmodeling. Most traditional economic capital models are not
practical. They tend to be unreliable, they have slow response times,
they lack transparency, and they violate the significant digits rule. As
an example related to response time, some companies have models that
can only manage a single run, using hundreds of computers, in a period
of several weeks.
In contrast, the value-based models are highly practical. They are
reliable, they have fast response times, they are highly transparent,
and they respect the significant digits rule. As an example related to
response time, the value-based economic capital model usually runs in
a handful of hours.
For more detail, see Chapters 2 and 3, ‘‘Criterion 6: Includes Decision
Making.’’
5. Balance of risk and return. The lack of connection between tradi-
tional economic capital models and traditional value-based models at
financial services companies was discussed earlier, in ‘‘Enhances coordi-
nation.’’ This leads to an incomplete picture being provided to manage-
ment, which causes inaction. Those presenting the results of the value
222 & Risk Quantification
C05 01/12/2011 11:1:28 Page 223
models may hear concerns such as, ‘‘Yes, that’s nice to see how much
value is created by this venture, but what about the risks?’’ Those
presenting the results of the economic capital models may hear concerns
such as, ‘‘Yes, that’s nice to see how much risk, in the form of economic
capital, is created by this venture, but what about the opportunities it
generates?’’ Risk–return, or risk–reward, is one of the most common
phrases in business, yet these two aspects of the business are not properly
integrated at most financial services companies.
However, the value-based economic capital model integrates these
two models together. As a result, risk and return can be managed
together, because the value-based economic capital model provides
information on both the risk (change in economic capital or value
volatility) and the value (change in baseline company value) margin-
ally produced by any single venture or by the enterprise as a whole.
For more detail, see Chapters 2 and 3, ‘‘Criterion 7: Balances Risk
and Return Management.’’
Caveats
There are several caveats that, although required for practicality and appro-
priate for the intended usage, should be disclosed when presenting results
derived from the enterprise risk exposure information. Examples of the type of
caveats that may be applicable are as follows:
& Represents volatility from key risks (not all risks) & Includes the first possible occurrence of each risk event (does not include
multiple occurrences of the same risk event in successive years, unless
embedded within a specific risk scenario) & Includes a representative sampling of simulations (not all possible risk
scenario combinations)
SUMMARY
The second step in the ERM process cycle, risk quantification is the lynchpin,
quantifying risk in terms of its value impact and bridging the gap between risk
and return. The value-based approach to risk quantification offers numerous
advantages. The practical approach to modeling, the use of deterministic risk
scenarios, and the ability to quantify risk scenarios by impact on company
Summary & 223
C05 01/12/2011 11:1:28 Page 224
value is a powerful combination, the value of which is demonstrated through
several case studies in this chapter. In addition, the value-based approach
also provides a superior ability to capture risk interactions in the calculation
of enterprise risk exposure. Finally, the value-based approach also improves
economic capital models used in financial services companies.
Now, we are ready to move on to the next chapter, where we will discuss
the main thrust of a value-based ERM approach: making better risk–return
decisions.
NOTES
1. Atul Gawande, ‘‘The Score: How Childbirth Went Industrial,’’ The New Yorker,
October 9, 2006.
2. Using the capital asset pricing model (CAPM) approach, the cost of equity
capital is calculated as follows:
COEC ¼ Rf þ bs ' ðRm % Rf Þ Where:
& COEC ¼ cost of equity capital & Rf ¼ risk-free rate & bs ¼ the stock’s beta, i.e., the relative movement of the stock in
relation to the general stock market & Rm ¼ stock market return rate
3. This excludes synergies related to your (the investor’s) other dealings (e.g.,
tax advantages, natural hedges to other investments, etc.).
4. If the nearly continuous historical distribution were represented graphically,
for example by a curve, the likelihood corresponding to an individual risk
scenario would be a portion of the area under the curve, near and around
the representative individual risk scenario.
5. The number of significant digits shown in this table is higher than warranted
by the data, but is displayed for illustrative purposes.
6. Compound annual growth rate
7. Earnings per share
8. Basis points
9. The company would be required to pay for the costs of performing notifica-
tion and monitoring related to the detection of any identity theft that may
result from the stolen privacy data.
10. The term zero tolerance is in quotes because, though often used, the term
is usually inaccurate. Often, there is a non-zero chance of something
happening. But it sounds nice, so people like to use this term. What people
224 & Risk Quantification
C05 01/12/2011 11:1:28 Page 225
often are implying is that they have precious little tolerance for the event
in question.
11. The term out-of-the-money refers to stock options for which the strike price
(the price at which one may purchase the stock upon exercising the option)
is above the current stock price.
12. The term at-the-money refers to stock options for which the strike price (the
price at which one may purchase the stock upon exercising the option) is equal
to the current stock price.
13. In practice, this is not precisely linear.
14. Technically, this converts the stochastic simulations to deterministic ones,
because although the stochastic simulations were initially randomly gen-
erated, once they are no longer allowed to change with each run, we are
deterministically selecting those particular simulations.
15. Compound annual growth rate
16. At an insurance company, an embedded value model quantifies the value
of the organization, based solely on the business ‘‘inforce’’ which is a run-
out of the insurance policies already on the books, and excludes new business
expected to be sold in the future.
17. In addition, Criteria 9 and 10 are also enhanced by the conversion of a
traditional economic capital model to a value-based economic capital model.
18. Insurance company economic capital models typically project distributable
cash flows corresponding to ‘‘inforce’’ business, which includes insurance
policies already on the books, but excludes new business expected to be sold in
the future.
Notes & 225
C06 01/13/2011 23:51:59 Page 226
6CHAPTER SIX Risk Decision Making
Often the difference between a successful person
and a failure is not one has better abilities or ideas,
but the courage that one has to bet on one’s ideas,
to take a calculated risk—and to act.
Andr!e Malraux
D URING THE BREAK at an ERM roundtable discussion of chieffinancial officers and chief risk officers of leading U.S. companiesimplementing ERM programs, I overheard the following exchange between a few of the attendees: ‘‘Are you making different decisions based
on your ERM information? Are you doing anything differently because of
ERM?’’ Unfortunately, as discussed earlier, most ERM programs suffer from
an inability to integrate ERM into decision making. Yet, this should be the
most important step in the ERM process. If you are not acting differently,
making different choices, as a result of implementing an ERM program, then
you have misspent a good deal of time and energy. As described in Chapter 3,
the value-based ERM approach resolves these issues, allowing a full integra-
tion of ERM into decision making.
226
C06 01/13/2011 23:51:59 Page 227
There are twomajor categories of risk decision making that we will discuss:
1. Defining risk appetite and risk limits
2. Integrating ERM into decision making
DEFINING RISK APPETITE AND RISK LIMITS
We will discuss each of the following two topics separately:
1. Defining risk appetite (risk exposure thresholds at the enterprise level)
2. Defining risk limits (risk exposure thresholds below enterprise level)
Defining Risk Appetite
Defining risk appetite is the first and most critical decision in the risk decision
making ERM process step. This facilitates the basic purpose of ERM, which
is managing enterprise risk exposure to within risk appetite. In addition,
with a value-based ERM approach, defining risk appetite is also the key
that unlocks the far more expansive ability of ERM to support all decision
making.
Many mistakenly believe that defining risk appetite is part of the risk
quantification ERM process step. In other words, they believe that risk appetite
can be defined by a calculation. It cannot. Risk appetite is an expression of
judgment by management, or more specifically by the ERM committee, as to
the level of enterprise risk exposure, at the maximum limit, with which the
shareholders are comfortable. This is an exercise that requires thoughtful
discussion, debate, and, ultimately, a consensus opinion among the members of
the ERM committee.
SampleCo Illustration
To illustrate the process of defining risk appetite, we will use a modified case
study of a Fortune 1000 company we will call SampleCo. We will discuss the
following aspects of this process:
& ERM committee & Information for risk appetite consensus meeting & Risk appetite consensus meeting & Risk appetite definition
Defining Risk Appetite and Risk Limits & 227
C06 01/13/2011 23:51:59 Page 228
ERM Committee SampleCo’s ERM committee had 12 members:
1. Chief executive officer (CEO), chair of ERM committee
2. Head of ERM program, functioning as chief risk officer (CRO), and will
be referred to as CRO herein
3. Chief financial officer (CFO)
4. Head of business segment #1
5. Head of business segment #2
6. Head of business segment #3
7. Head of business segment #4
8. Head of business segment #5
9. Chief legal counsel
10. Head of compliance, nonvoting; invited quarterly
11. Head of tax, nonvoting; invited quarterly
12. Head of internal audit, nonvoting
Information for Risk Appetite Consensus Meeting SampleCo’s ERM committee scheduled a risk appetite consensus meeting to define its risk
appetite. To assist the ERM committee in defining risk appetite, the ERM
team provided them with the following information:
& Enterprise risk exposure—table form & Individual risk scenario exposures & Mitigation options
Enterprise Risk Exposure—Table Form The table form of SampleCo’s enterprise risk exposure is shown in Table 6.1.
TABLE 6.1 SampleCo Enterprise Risk Exposure—Table Form Modified Case Study
Pain Point Likelihood
Decrease in company value of more than 15% 8.5%
Falling short of this year’s planned revenue growth by more than 200 basis points
13.2%
Falling short of this year’s planned earnings by more than 2c= per share 10.4%
Ratings downgrade of one level 7.6%
228 & Risk Decision Making
C06 01/13/2011 23:52:0 Page 229
The information shown in Table 6.1 served only as an initial draft of the
table form of enterprise risk exposure. The metrics, and particularly the
corresponding break points that comprise the pain points, were selected based
on initial guidance from key members of the ERM committee, as well as the
results of the enterprise risk exposure calculation itself. Changes to the pain
points are often discussed and finalized during the risk appetite consensus
meeting. To prepare for this possibility, and to further assist the ERM committee
in arriving at a consensus risk appetite definition, a member of the ERM team
attended the risk appetite consensus meeting ready to provide dynamic
changes to the pain points, along with their associated likelihoods, using
the value-based ERM model.
For illustration purposes, this case study was modified to include only
a subset of the information contained in the actual table form of SampleCo’s
enterprise risk exposure. In addition to the more extreme pain points shown,
SampleCo used other, more moderate, pain points. It was not just the extreme
pain points about which management was concerned, but also significant
deviations from results that management expected would occur more fre-
quently. An example of a more moderate pain point than those shown in
Table 6.1 is a decrease in company value of more than 10 percent.
This is a common practice of companies implementing a value-based
ERM approach, and a significant advantage over traditional ERM ap-
proaches. Traditional approaches to ERM, particularly in financial services
companies, do not construct the full distribution of outcomes, but rather
only produce pain points for the most extreme of events, far more in the
‘‘tail’’ than those shown in Table 6.1. This is suboptimal, because there is
far more information that can be provided to management regarding
the volatility closer to baseline results. The value-based approach includes
this, and thereby paints a more complete picture of the enterprise risk
exposure.
Individual Risk Scenario Exposures SampleCo’s individual risk scenario exposures, quantified in terms of their potential impact on company value, are
shown in Figure 6.1. The individual risk quantification was also provided in
terms of two additional key metrics: revenue growth and earnings per share
growth. This is shown in Table 6.2. Note that the risk ranking changes based
on the key metric through which it is viewed.
Although the company value metric is the dominant one, the other key
metrics are also important, and reviewing individual risk scenario exposures
in terms of multiple key metrics may provide additional insights in defining
Defining Risk Appetite and Risk Limits & 229
C06 01/13/2011 23:52:0 Page 230
risk appetite. It is also particularly helpful for stimulating discussion, and
ultimately consensus, because not all members of the ERM committee
may put the same emphasis on each key metric, based on their unique
perspective.
As additional support, the ERM team supplemented the information in
Figure 6.1 and Table 6.2 with summaries of the risk scenarios as developed
during the FMEA interview process. This concise, tangible documentation of
risk scenarios enhanced the level of comfort with the information, and helped
smooth the path toward consensus.
–30.0%–25.0%–20.0%–15.0%–10.0%–5.0%0.0%
Regulatory Risk 2
Disaster Risk
Regulatory Risk 1
Competitor Risk
IT Risk 2
Joint Venture Risk 1
Loss of Critical EEs
Product Strategy Risk
Economic Risk 1
IT Risk 1
Execution Risk 2
Loss of Key Supplier
Execution Risk 1
Individual Risk Quantification Company Value Impact
Modified Case Study
FIGURE 6.1 SampleCoIndividualRiskScenarioExposures—CompanyValueMetric
230 & Risk Decision Making
C06 01/13/2011 23:52:0 Page 231
Mitigation Options It often happens that an ERM committee attempts to define risk appetite without having first quantified enterprise risk exposure.
This involves skipping the risk quantification ERM process step and advanc-
ing directly to the risk decision making ERM process step. This is inadvisable.
Without the quantification of enterprise risk exposure, the ERM committee
has no information on how large it may actually be. Without the quantifi-
cation of enterprise risk exposure, the ERM committee may set risk appetite at
an unrealistic level. In these situations, after enterprise risk exposure is
quantified and the ERM committee realizes that risk appetite, as initially
defined, is unachievable, they are forced to amend the definition. Such
attempts to revise the risk appetite definition can erode confidence in the
ERM committee, the ERM process, or both.
Similarly, it is helpful to quantify at least some mitigation options, and to
provide this information to the ERM committee for use during the risk appetite
consensus meeting. If, upon reviewing the enterprise risk exposure informa-
tion, the ERM committee wishes to define risk appetite at a level below the
current enterprise risk exposure, it would be helpful for them to know, in
TABLE 6.2 SampleCo Individual Risk Scenario Exposures—Multiple Key Metrics Modified Case Study
Risk
D Company
Value
D Revenue
Growth
D EPS
Growth
1 Execution Risk 1 !28.5% !21.1% !19.9%
2 Loss of Key Supplier !22.0% !0.0% !20.0%
3 Execution Risk 2 !17.4% !6.8% !13.7%
4 IT Risk 1 !14.2% !3.6% !3.3%
5 Economic Risk 1 !8.2% !11.2% !10.4%
6 Product Strategy Risk !7.4% !2.7% !2.5%
7 Loss of Critical Employees !4.9% !5.9% !5.4%
8 Joint Venture Risk 1 !4.5% !4.4% !4.0%
9 IT Risk 2 !3.9% 1.7% !1.0%
10 Competitor Risk !3.3% !1.9% !1.8%
11 Regulatory Risk 1 !2.7% !0.0% !1.8%
12 Disaster Risk !2.6% !0.0% !0.0%
13 Regulatory Risk 2 !2.2% !0.0% !0.5%
Defining Risk Appetite and Risk Limits & 231
C06 01/13/2011 23:52:2 Page 232
advance, that enterprise risk exposure can actually be brought to within risk
appetite through mitigation. If the ERM committee defines a risk appetite that
cannot be realized, the ERM program risks losing credibility with both internal
and external stakeholders. For this reason, the ERM team often provides an
illustration of the ability of some mitigation options to lower the enterprise risk
exposure. Because risk appetite has not yet been defined, the ERM team cannot
know for certain how much, if at all, the enterprise risk exposure may need to
be reduced. However, the ERM team takes educated guesses, along with
advance guidance from one or two key ERM committee members, to make
reasonable suggestions regarding the mitigation options.
Risk Appetite Consensus Meeting With all of the information in place, SampleCo held its risk appetite consensusmeeting. The ERM committee reviewed
the information provided, anda facilitated discussionbegan.As co-facilitators, the
CRO and I, as their consultant, played a key joint role in thismeeting, because the
risk appetite consensus meeting is a challenging one to manage. Different mem-
bers of the ERMcommittee brought different perspectives to the discussion. This is
natural, because they have different roles in the company, different goals for their
areas of responsibility, and different incentives in their compensation formulae.
Ultimately, however, they arrived at a consensus risk appetite definition.
Risk Appetite Definition The result of the risk appetite consensus meeting was a risk appetite definition that required SampleCo to lower its enterprise risk
exposure. Table 6.3 shows the main portion of the risk appetite statement.
TABLE 6.3 SampleCo Risk Appetite Modified Case Study
Enterprise Risk Exposure Risk Appetite
Pain Point Likelihood
Likelihood—
Soft Limit
Likelihood—
Hard Limit
Decrease in company value of more than 15%
8.5% 10% 15%
Falling short of this year’s planned revenue growth by more than 200 basis points
13.2% 15% 25%
Falling short of this year’s planned earnings by more than 2c= per share
10.4% 10% 15%
Ratings downgrade of one level 7.6% 5% 10%
232 & Risk Decision Making
C06 01/13/2011 23:52:3 Page 233
Table 6.3 shows that the risk appetite definition includes both soft and hard
limits. The hard limits are set as maximum limits that should rarely, if ever, be
exceeded. The soft limits can be crossed, occasionally, for a temporary period of
time. The soft limits are set as triggers for escalating levels of attention, to
carefully monitor, and ultimately lower, the enterprise risk exposure back to
within the soft-limit threshold. For example, when a soft limit is crossed, it
triggers a requirement that any actions which would further increase the risk
exposure metric must be approved by a higher-level authority. In addition,
corporate ERM may become automatically involved and begin working with
management to evaluate and select mitigation options that are expected to
lower the risk exposure back to within the soft limit.
The risk appetite definition reveals that SampleCo’s ERM committee
was comfortable with the current level of enterprise risk exposure in terms
of the first two pain points—those involving the company value metric
and the revenue growth metric. However, they were uncomfortable with
the last two pain points. They defined risk appetite with soft limits that
require a reduction in the likelihood of the ‘‘Falling short of this year’s
planned earnings by more than 2c= per share’’ pain point, from 10.4 percent to 10.0 percent. In addition, the soft limits require the risk exposure as
expressed in the pain point ‘‘Ratings downgrade of one level’’ to be reduced
from 7.6 percent to 5.0 percent. The hard limits are defined in a way that
does not urgently require mitigation actions, because they are set above the
current enterprise risk exposure level.
In addition, the risk appetite statement includes one additional key point.
Upon reviewing the individual risk scenario exposures, the ERM committee
decided that a hard limit should be put in place limiting exposure of any single
risk scenario to a maximum of a 10 percent impact on company value. They
came to this decision largely from reviewing Figure 6.1, which shows that just
four individual risk scenarios had exposures that exceeded a 10 percent
potential impact on company value. As a result of this additional limit,
SampleCo immediately began investigating the feasibility of mitigation options
for each of these four risk scenarios.
Defining Risk Limits
Once risk appetite is defined at the enterprise level, it may be allocated down to
lower levels of the organization through what are referred to as risk limits. This
may be thought of as a budgeting process, where a risk budget is created and
corresponding risk exposures for this allocation must stay within budget. One
Defining Risk Appetite and Risk Limits & 233
C06 01/13/2011 23:52:3 Page 234
example is a risk limit set for each business segment. We will address two
aspects of risk limits:
1. Why risk limits are used
2. How to define risk limits
Why Risk Limits Are Used
There are four reasons why risk limits are used:
1. Diversification. There is much uncertainty in the ERM information,
particularly in any one piece of information, and as such, additional
measures of prudence are appropriate. The risk limits act to diversify the
risk exposures, preventing too much concentration of exposures in any
one area, such as a single business segment, or even a single source
of risk.
2. Risk–returnmanagement. Risk limits can be used to manage the risk–
return balance for portions of the business below the enterprise level,
such as business segments. The process of defining risk limits can produce
an attribution of the downside standard deviation metric for a given
business segment. This is a holistic measure of the marginal level of
downside risk that the business segment produces. Management ana-
lyzes this in relation to the returns generated by the business segment to
determine any necessary actions to better manage the risk–return profile
of the business segment. For example, if the level of risk is judged to be too
high, the business segment may be required to produce higher returns;
alternatively, a decision may be made to lower the level of risk generated
by the business segment, and risk limits may be defined to facilitate this
reduction.
3. Managing enterprise risk exposure. In a value-based ERM approach,
the ERM model is readily available as a dynamic tool to manage enterprise
risk exposure to within risk appetite. Management can easily access the
ERMmodel, quickly evaluate the marginal impact of any potential decision
on enterprise risk exposure, and obtain any necessary reviews and ap-
provals, including that of corporate ERM and the ERM committee, who
ensure that the overall enterprise risk exposure is maintained within risk
appetite. However, in a traditional ERM approach, such an accessible,
dynamic tool is typically unavailable. As a result, companies use risk limits
to allocate, or budget, enterprise risk exposure.
234 & Risk Decision Making
C06 01/13/2011 23:52:3 Page 235
4. Habit. A fourth reason that risk limits are used is simply that they are
a familiar habit. The concept of an enterprise risk management approach
is a new one. It is a drastic change to shift from independently manag-
ing risks in silos to managing them in an organized, top-down fashion.
Up until the point that ERM is introduced into an organization, risk
management is performed on more of a local level. In the absence of
ERM aggregate metrics, such as enterprise risk exposure and risk
appetite, companies manage their risks with risk limits, often established
by business segment or business unit. These risk limits are a long-
established and familiar concept. It is difficult to let go of this, even
though it may not be needed any longer. Although, as discussed earlier,
risk limits do have their purposes, these purposes can be satisfied with
one or two forms of allocations—such as by business segment and by
source of risk. However, some companies maintain multiple sets of risk
limits that go beyond this, and which persist for the simple, though hard-
to-justify, reason of satisfying an old habit.
How to Define Risk Limits
Companies implementing ERM use a wide range of practices to define their risk
limits. Unfortunately, most of these companies use practices that are long-
standing historical practices, and that pre-date the implementation of ERM.
Some companies use slightly modified versions of these practices in an attempt
to connect the risk limits to their new ERM framework.
The main problem with these common practices is that they rarely involve
top-down allocation of risk appetite. Before adopting ERM, the majority of these
companies used risk limits that were based on loose rules of thumb, often set by
local management. These risk limits were not related to an aggregate measure
of risk exposure for the company because aggregate metrics such as enterprise
risk exposure and risk appetite did not yet exist. As a result, not only are most
companies’ risk limits not top-down, but they are also not even bottom-up.
They don’t add up. It is not even possible to add them up, because various risk
exposures have disparate risk metrics. There is no common metric with which
to aggregate.
This issue is discussed in depth in Chapter 3 (see ‘‘Criterion 5: Aggregated
Metrics’’). The problem originates with an unclear definition of risk appetite,
which is the second of the three core challenges in successfully implementing
an ERM program. Figure 3.7 in Chapter 3 illustrates a process for developing
appropriate aggregate metrics—both enterprise risk exposure and risk
Defining Risk Appetite and Risk Limits & 235
C06 01/13/2011 23:52:3 Page 236
appetite—and a general approach for a downward-cascading allocation of
risk appetite to risk limits. An example of how to perform such a top-down
allocation is presented in ‘‘Top-Down Allocation: An Example.’’
TOP-DOWN ALLOCATION: AN EXAMPLE
Companies that have implemented a value-based ERM approach andthat have the appropriate aggregate metrics—enterprise risk exposure and risk appetite—are in a position to define their risk limits using a top- down allocation of risk appetite. For these companies, there are many variations on how to do this, and one approach is presented here.
In this example, let’s make four simplifying assumptions about the company:
1. The company would like to set risk limits for its business segments, and corporate is considered an additional business segment.
2. There are no separate hard and soft limits, but rather only one risk appetite limit.
3. Company value is the only key metric, and only one pain point is used: a decrease in company value of more than 10 percent, which is currently $500 million.
4. Enterprise risk exposure is calculated as an 8 percent likelihood, and risk appetite is defined as a 15 percent likelihood, of hitting the pain point.
One approach to a top-down allocation of risk appetite to risk limits involves a three-step process:
1. Attribution analysis
2. Risk–return adjustment
3. Scaling up
Attribution Analysis
The first step is to conduct an attribution analysis to identify the portion of the current enterprise risk exposure that is attributable to each business segment. There are several different approaches that can be used to do this. We will only discuss one approach here, because this will suffice to illustrate the concept. Let’s discuss how to perform an attribution analysis for one particular business segment which we will call the Alpha business segment.
236 & Risk Decision Making
C06 01/13/2011 23:52:5 Page 237
In attribution analyses, a common problem is how to address the interactivity between individual contributors toward the overall result. In other words, when the sum of the parts does not equal the whole, how do you allocate the remainder? An attribution analysis for the marginal contri- bution of the Alpha business segment toward enterprise risk exposure is particularly challenging in this regard. There are several aspects of inter- activity involved in calculating enterprise risk exposure, including the following:
& Risks originating in the Alpha business segment but whose severity of impact on company value is larger due to the presence of other business segments, such as a risk that triggers reputational issues impacting the entire enterprise
& Risks originating in the Alpha business segment but whose likelihood is larger due to the presence of other business segments, such as a risk that would not have as high a likelihood of triggering reputational issues related to negative media coverage were it not for the other business segments; in other words, the size of the firm makes it more likely to receive media attention
& Risks originating in the Alpha business segment but whose severity of impact on company value is smaller due to the presence of other business segments, such as a risk that would be more severe if the Alpha business segment were not a part of the larger firm and benefiting from funding, a strong rating, and other corporate support
& Risks originating in the Alpha business segment but whose likelihood of impact on company value is smaller due to the presence of other business segments, such as a risk whose likelihood is inversely propor- tional to economies of scale
& Risks impacting the entire enterprise, such as a natural disaster
& Correlations between risks1 originating in the Alpha business segment and those originating in other business segments
& The interactions of risks originating in the Alpha business segment with risks originating in other business segments by virtue of their inclusion together in the simulations comprising the enterprise risk exposure calculation (see Chapter 5, ‘‘Capturing Interactions’’).
It is complicated and challenging to address each of these interactions one by one. One simple though imperfect way to address this is to hold fixed the values of the business segment in the value-based ERM model, delete the risks originating solely in the business segment, and recalculate enter- prise risk exposure. This is a measure of what the enterprise risk exposure
(continued )
Defining Risk Appetite and Risk Limits & 237
C06 01/13/2011 23:52:6 Page 238
(continued ) would be if the Alpha business segment had zero risk associated with it; in other words, if the Alpha business segment distributable cash flow projec- tion always remains equal to its baseline projection. The difference between the actual enterprise risk exposure and the recalculated enterprise risk exposure with the Alpha business segment excluded is what we’ll call the initial attribution of enterprise risk exposure to the Alpha business segment. The formula for the initial attribution is as follows:
Initial EREAlpha ¼ EREFirm ! EREFirm where Alpha has zero risk
Where:
& ERE ¼ enterprise risk exposure
The next step in the enterprise risk exposure attribution analysis is to calculate the initial attribution for every other business segment. This allows the calculation of the remainder, which represents the contribution to enterprise risk exposure not yet accounted for with this approach. The remainder is calculated as follows:
Remainder ¼ EREFirm ! Xn
i¼1 Initial EREi
Where:
& i ¼ the business segment & n ¼ the total number of business segments
To calculate the enterprise risk exposure attribution for the Alpha business segment, we must first allocate the remainder among all the business segments. There are various ways of doing this. One way is to allocate the remainder to each business segment in proportion to the relative size of its initial enterprise risk exposure allocation. In this case, the allocation of the remainder to the Alpha business segment is calculated as follows:
RemainderAlpha ¼ Remainder # Initial EREAlphaPn
i¼1 Initial EREi
Now we can calculate the attribution of enterprise risk exposure to the Alpha business segment as follows:
EREAlpha ¼ InitialEREAlpha þ RemainderAlpha
The enterprise risk exposure attribution can be expressed in terms of the contribution to the likelihood of hitting the pain point, either in absolute terms or in percentage terms. Let’s assume that the enterprise risk exposure attribution for the Alpha business segment accounts for 2 percent of the total enterprise risk exposure 8 percent likelihood. Expressed as a percentage, the
238 & Risk Decision Making
C06 01/13/2011 23:52:7 Page 239
INTEGRATING ERM INTO DECISION MAKING
The term risk culture is an ERM phrase that has almost as many definitions as there
are people attempting to define it. Some define risk culture as a supportive environ-
ment within which ERM can flourish. Others define risk culture to include risk
governance, in thataproperhierarchicalorganization isconducive toERMadoption.
However, culture is not something that exists on paper, such as a governing
document. Culture is the way in which ideas and theoretical concepts actually
enterprise risk exposure attribution for the Alpha business segment is 25 percent (2/8) of the total enterprise risk exposure.
A similar attribution can be performed for the downside standard deviation (DSD) metric.
Risk–Return Adjustment
In the second step, management analyzes the risk–return balance for the Alpha business segment, comparing the returns Alpha generates to the marginal contribution to risk exposure as expressed through the two metrics calculated in the attribution analysis: the enterprise risk exposure attribution for Alpha and the downside standard deviation for Alpha.
Let’sassumethatmanagement isnot satisfiedwith the risk–returnbalance, in light of the Alpha business segment risk–return profile in relation to that of the entire enterprise. As a result,managementwould like to seeAlpha’s contribution to enterprise risk exposure reduced from 25 percent to 20 percent. This is not a threshold, butmerely suggests anappropriate risk exposure level commensurate withAlpha’s expected returns. For this exercise, let’s refer to the20percent as the optimal level for Alpha’s contribution to enterprise risk exposure.
Scaling Up
Up to this point, we have measured Alpha’s current contribution to enterprise risk exposure as well as its optimal contribution to enterprise risk exposure. Now we must scale up from enterprise risk exposure to risk appetite. This is because we are defining risk limits and risk limits are a subset of risk appetite, just as the Alpha enterprise risk exposure attribution is a subset of enterprise risk exposure. We are moving from exposures and an attribution of exposures to risk appetite and an attribution of risk appetite, which is the risk limit.
We calculate the Alpha business segment risk limit as follows:
Risk limitAlpha ¼ Optimal ERE%Alpha # Risk appetite ¼ ð20%Þ # ð15% likelihoodÞ ¼ 3% likelihood
Integrating ERM into Decision Making & 239
C06 01/13/2011 23:52:8 Page 240
take shape in real life. It is the same with risk culture. Risk culture—the way in
which ERM is embraced by company employees—is measured by the extent to
which ERM is integrated into key internal company processes.Wewill define risk
culture as a combination of the following two items:
1. The extent to which ERM is integrated into decision making (discussed in
this section)
2. The extent to which ERM is integrated into business performance analysis
and incentive compensation (discussed in the ‘‘Internal Risk Messaging’’
section in Chapter 7)
We are now at the summit of the value-based ERM approach. Although there
are many benefits to implementing a value-based ERM program, the single most
important purpose is to make better decisions. By integrating both risk (enterprise
riskmanagement) and return (value-basedmanagement),we arenow inaposition
to make better risk–return trade-off decisions, which increases company value.
We will discuss three aspects of integrating ERM into decision making:
1. Decision making with ERM
2. Risk-priority decision making
3. Return-priority decision making
Risk-priority decision making involves decisions whose primary goal is
related to managing the level of risk to an appropriate level (up or down); an
example of risk-priority decision making is managing enterprise risk exposure
to within risk appetite. Return-priority decision making involves decisions
whose primary goal is related to increasing company value; an example of
return-priority decision making is strategic planning.
Decision Making with ERM
The process of making risk–return trade-off decisions with ERM information, in
general, is virtually identical for both risk-priority and return-priority decisions.
This is an important point. The fact that a single approach to decisionmaking can
be used for any type of decision—whether related to managing risk or enhancing
value—is evidence that the value-based ERM approach delivers on its promise of
bridging the gap between ERM and value-based management. A single decision-
making process provides a strong business case for risk-priority decisions, by
expressing risk in terms of its potential impact on company value, and also for
return-priority decisions, by providing more rigor around the scenario analyses.
240 & Risk Decision Making
C06 01/13/2011 23:52:8 Page 241
As discussed in Chapter 3, and illustrated in Figure 3.1, in the risk decision
making process step of a value-based ERM framework, there are two types of
decisions that management can make: They can change strategy or they can
change tactics. As can be seen from Figure 3.1, a change in either will change
the filters and, thereby, change the calculation of the risk and return metrics,
informing the potential viability of the decision. Expanding the framework to
emphasize the decision-making portion, and to incorporate our categorization
of decisions into risk-priority and return-priority decisions, we arrive at the
modified value-based ERM framework shown in Figure 6.2.
In the modified version of the value-based ERM framework shown in
Figure 6.2, we expand on the original, representational framework and reveal
two important nuances. First, regardless of the type of decision (strategic or
tactical) or its primary intent (risk-priority or return-priority), any decision can
impact either (or both) of the two filters shown in Figure 6.2. This means that
any decision can lead to a change in the selection of key risks (represented by
changes to the first filter), as well as in the level of risk mitigation for the key
risks (represented by changes to the second filter). A return-priority decision can
change the selection of key risks (e.g., an acquisition of foreign business adds
sovereign risk as a new key risk) or can change the level of mitigation for an
existing key risk (e.g., an acquisition of a countercyclical business mitigates
economic risk). A risk-priority decision can change the selection of key risks
(e.g., backward integration eliminates a supplier risk) or can change the level of
mitigation (e.g., hurricane insurance mitigates hurricane risk).
The second nuance revealed in Figure 6.2 is that, in addition to changing
items related to the two filters, a decision can also impact additional items, such
as the key risk scenarios and the baseline company value. In Figure 6.2, this is
indicated by the arrows with the broken lines.
The decision-making process, for both risk-priority and return-priority
decisions, is a two-step process:
1. Recalculate risk and return metrics
2. Evaluate risk–return trade-off
Recalculate Risk and Return Metrics
A five-step procedure is used to recalculate the risk and return metrics:
Step 1: Revise distributable cash flow projection. The first step in the
procedure to recalculate the risk and return metrics is to revise the
baseline company value distributable cash flow projection. This cap-
tures how the decision is expected to impact future revenues and
Integrating ERM into Decision Making & 241
C 06
01/13/2011 23:52:8
Page 242
FIGURE 6.2 Value-Based ERMFrameworkModified toHighlight DecisionMaking
2 4 2
C06 01/13/2011 23:52:14 Page 243
future expenses. For risk-priority decisions, which are usually mitiga-
tion, expenses are often the only item impacted. For return-priority
decisions, both revenues and expenses are usually impacted.
Step 2: Revise discount rate. The second step in the procedure is to revise
the discount rate used in the baseline company value calculation. A
change in the discount rate would reflect a change in the riskiness of the
firm. At this stage, an estimate of any change in the discount rate would
need to be tentative, pending review of changes to enterprise risk
exposure, and, in particular, the downside standard deviation. This is,
by necessity, iterative (just once), because the baseline company value
must be recalculated prior to recalculating the risk metrics—enterprise
risk exposure and downside standard deviation.
Step 3: Recalculate baseline company value. The third step is to
perform a tentative (pending finalization of the discount rate) re-
calculation of the baseline company value, using the revised distrib-
utable cash flow projection and the revised discount rate. The
(tentative) revised baseline company value is used as the basis for
recalculating enterprise risk exposure. In other words, all risk is now
defined as deviations from this revised baseline.
Step 4: Revise key risk scenarios. The fourth step in the procedure is to
revise the key risk scenarios. One aspect of this is to review existing key
risk scenarios, determine if any revisions are needed, and if so, make
the revisions, using FMEA interviews with selected subject matter
experts if warranted. Another aspect of this is to identify any new key
risks introduced, and if so, develop appropriate risk scenarios for them,
using the FMEA technique.2 In addition, some key risks or key risk
scenarios may need to be removed.
Step 5: Recalculate enterprise risk exposure. The fifth step involves
recalculating enterprise risk exposure. This involves running the
simulations through the value-based ERM model using the revised
baseline company value and revised key risk scenarios. The outputs
include the following items: & Enterprise risk exposure3
& Downside standard deviation & Probabilistic expectation of company value
The impact on the downside standard deviation must now be com-
pared to the tentative revision to the discount rate used in the baseline
company value recalculation. Any material increase (or decrease) in the
downside standard deviation should correspond to an increase (or
Integrating ERM into Decision Making & 243
C06 01/13/2011 23:52:14 Page 244
decrease) in the discount rate. For example, all things being equal, if the
firm becomes more volatile, then investors will require a higher rate of
return,which equates to a higher discount rate in the enterprise valuation,
which lowers company value. If the initial change in the discount rate does
not properly reflect the change in riskiness implied by the impact on
downside standard deviation, then the discount rate must be adjusted to
make it so. If the discount rate is adjusted at this stage, the procedure must
be repeated one more time, starting at the second step.
Evaluate Risk–Return Trade-off
Once the risk and return metrics are recalculated, management has the infor-
mation it needs to evaluate the risk–return trade-off of any decision. A decision
must be evaluated in terms of its impact on both the risk metrics (the first two in
the following list) and the return metrics (the last two in the following list):
1. Impact on enterprise risk exposure. The impact on enterprise risk
exposure will be the first item considered for risk-priority decisions, in cases
where the enterprise risk exposure either exceeds risk appetite (either hard or
soft limit) or is too far below it. In these situations, management evaluates
decisions (risk mitigation options in the former situation, and risk-taking
options4 in the latter) with an eye towards how effectively they manage
exposures to the appropriate level. Return-priority decisions must also review
the impact on enterprise risk exposure to ensure that it does not violate risk
appetite limits; however, this will not be the first item considered.5
2. Impact on downside standard deviation. The impact on downside
standard deviation is another way to look at the impact of a decision on the
level of firm risk. If the change in this metric is considered out of bounds,
particularly in termsof its implications for the discount rate and the resultant
impact on the baseline companyvalue, then the decisionmaybe invalidated.
3. Impact on baseline company value. The impact on the baseline com-
pany value is the first item considered for return-priority decisions, and is
always the overriding consideration, even for risk-priority decisions. Man-
agement should only be making decisions that preserve or increase value,
and this equates to maintaining a neutral or positive change in the baseline
company value. In addition, all things being equal, management should be
making those decisions that generate the largest increase in value.
4. Impact on probabilistic expectation of company value. The impact
on the probabilistic expectation of company value should also be considered,
because it provides another view on whether the decision being considered is
adding value. In a perfect world, this should be the dominant metric, as
244 & Risk Decision Making
C06 01/13/2011 23:52:14 Page 245
opposed to the baseline company value, for determining a value-added
decision. Based on probability theory, this is the expected value of the
company. However, despite what the probabilities say about ‘‘expectation,’’
management is committed to achieving the strategic plan, and this must be
their working expectation; therefore, changes to the baseline company value
usually carry more weight in determining a go/no-go decision.
The risk–return trade-off analysis provides management with the infor-
mation needed to select the best risk–return trade-off decisions and increase
company value. Prior to finalizing any decisions, management obtains any
reviews and approvals that may be required by ERM policies and procedures.
The elements of the risk–return analysis are fundamental to the rules
of basic finance. However, the type of information made available by the
ERM process, with its rigor in calculating baseline (pre-decision) and revised
(post-decision) risk and return metrics, is unprecedented. The ERM process
provides a uniform approach for making all decisions, whether for risk-priority
decisions (adding a requirement to preserve or increase value) or for return-
priority decisions (adding robustness to the sensitivity analyses). Enhancing
and joining both the risk and return information improves the risk manage-
ment decisions, such as mitigation, as well as routine business decisions, such
as strategic planning, strategic and tactical decisions, and transactions.
Risk-Priority Decision Making
We will discuss two topics on risk-priority decision making:
1. Managing enterprise risk exposure to within risk appetite
2. Mitigation decisions
Managing Enterprise Risk Exposure to within Risk Appetite
Once risk appetite is defined, the primary function of ERM—managing enterprise
risk exposure to within risk appetite—can be performed. From here forward, for
convenience sake, we will use the term risk appetite to collectively refer to both
risk appetite (risk exposure thresholds at the enterprise level) and risk limits (risk
exposure thresholds below enterprise level), unless specified otherwise. The first
time that enterprise risk exposure is measured and risk appetite is defined,
management will find itself in one of the following four situations:
1. Enterprise risk exposure exceeds the hard limit of risk appetite.
Integrating ERM into Decision Making & 245
C06 01/13/2011 23:52:14 Page 246
2. Enterprise risk exposure is at, or exceeds, the soft limit of risk appetite, but
is below the hard limit.
3. Enterprise risk exposure is excessively below the soft limit of risk appetite.
4. Enterprise risk exposure is in a reasonably comfortable range below the soft
limit of risk appetite.
These four situations are listed in decreasing order of priority, in terms of
management actions needed to change the enterprise risk exposure. In the
first situation, there is an urgent need to reduce exposures to below the hard
limit, because the hard limit should rarely, if ever, be violated. In the second
situation, management may take some immediate actions to reduce expo-
sures to a comfortable range below the soft limit, although management may
also allow selected exposures to slightly exceed the soft limit for awhile,
depending on the upside opportunity that accompanies this. In the third
situation, management takes action to increase risk exposure; this is often
referred to as risk exploitation (see ‘‘Risk Exploitation’’). In such situations,
management often knows, even prior to this exercise, that they are not
taking enough risk, and therefore not achieving competitive returns, but it is
at this moment—when they see a quantification of how much room they
have for additional risk taking—that they are in a confident position to
take on more risk. In the fourth situation, management does not take risk-
priority actions, because the enterprise risk exposure is precisely where it
ought to be.
RISK EXPLOITATION
I n form, risk exploitation is no different from any routine businessdecision that simply involves taking on more risk. However, in context, risk exploitation refers to the conscious decision to take on additional risk exposure as part of a risk-priority decision. Risk exploitation can have one of two motives. It may be to increase the enterprise risk exposure of the firm, to move it closer to the soft limit of risk appetite for a better overall risk–return profile. Alternatively, it may be to increase one particular individual risk exposure to move it closer to its risk limit, where the company has a competitive advantage in taking such exposure and expects a profitable risk–return trade-off. Both of these motives, however, are only acted on if management finds appropriate risk–return trade-off business opportunities.
246 & Risk Decision Making
C06 01/13/2011 23:52:15 Page 247
In the first two situations, management must act to reduce enterprise
risk exposure to within risk appetite. These actions are more traditionally
thought of as being within the realm of ERM6 and are clearly risk-priority
decisions. Yet, all of the first three situations require actions, or decisions,
that are of the risk-priority type, because the risk level is not where
management would like it to be. All of these decisions are evaluated using
the procedure discussed earlier (see ‘‘Decision Making with ERM’’). The
fourth situation, where the risk level is reasonable, is the one in which
companies hopefully spend the majority of their time, and where most of the
important decisions are return-priority decisions, which, as with all decisions,
are evaluated using the same procedure discussed earlier (see ‘‘Decision
Making with ERM’’).7
There are two types of ERM information routinely provided to maintain an
appropriate level of enterprise risk exposure:
1. Exposure information
2. Key risk indicators (KRIs)
Exposure Information Exposure information and the corresponding thresholds are routinely reported to the board of directors, management,
and the ERM team, in support of maintaining an appropriate level of enterprise
risk exposure. The information includes a comparison of enterprise risk
exposure to risk appetite. In addition, any and all risk exposures below enter-
prise level (individual risk exposures, business segment risk exposures, etc.) are
compared to their corresponding risk limits. The information is reported to
those with the corresponding level of authority to oversee, direct, or take
actions to manage the exposure to within its tolerance limit. The reporting
frequency varies according to the volatility of the exposures, to afford a
reasonable time frame for action.
Key Risk Indicators (KRIs) Along with the actual exposures, key risk indicators (KRIs) are also commonly provided in support of maintaining an
appropriate level of enterprise risk exposure. The most useful KRIs are leading
indicators which are highly correlated with the exposuremetric and serve as an
advance warning to management about a likely impending change in the level
of exposure.
Some examples of KRIs, and the corresponding risk exposure for which the
KRI may be a leading indicator, are shown in Table 6.4.
Integrating ERM into Decision Making & 247
C06 01/13/2011 23:52:15 Page 248
Most of the KRIs commonly used seem fairly obvious but some are
unusual. However, as long as the KRI is highly correlated to the level of
risk exposure, it can be a useful early warning sign regardless of how curious
it might seem. An interesting example of an unusual but effective KRI comes
from outside the corporate sector. See ‘‘The Intuition KRI.’’
TABLE 6.4 Examples of Key Risk Indicators
Key Risk Indicator (KRI) Corresponding Risk Exposure
Attempted attacks on information technology Risk of a data security breach
Calls to customer service Risk of poor product/ service quality
Lawsuits filed against the company Litigation risk
Unemployment rate Disability insurance risk8
Complaints related to human resources issues, within a single business unit
Risk of employment-related lawsuit or scandal
THE INTUITION KRI
New York’s Bryant Park, located behind the New York Public Library, isa popular site for New Yorkers. Business people eat their lunches at tables that ring the park, summer sunbathers lie on the grass, and the park is the site of various social festivities. The park is largely maintained through private funds provided by local business owners. According to an article in The New Yorker,9 as part of efforts to keep the park in good condition, there is daily monitoring of an unusual KRI that serves as an early warning sign of worsening conditions. Once every workday, at lunchtime, a monitor walks around the park with a clicker, counting the number of men and women. The KRI is the ratio of women to men. A healthy ratio is over 50 percent. When the ratio begins changing to a preponderance of men, park management take this as a signal that action is needed to improve park cleanliness, safety, or other conditions. The explanation given is that women are more perceptive of subtle indicators—such as crumbs left on a table or the presence of homeless people—and when women start avoiding an area, it is correlated with an imminent change in the character of the park.
248 & Risk Decision Making
C06 01/13/2011 23:52:19 Page 249
Mitigation Decisions
We will discuss four aspects of mitigation decisions:
1. Types of mitigation decisions
2. Leveraging existing risk management models
3. Determining the value of mitigation in place
4. Integrating ERM into internal audit plans
Types ofMitigationDecisions Mitigation decisions reduce the likelihood of occurrence of a key risk scenario, the severity of its impact, or both.
Mitigation can be used to reduce the likelihood of a key risk scenario
occurring. In most cases, such preventive mitigation also reduces the severity
of impact. For example, lobbying efforts may prevent harmful legislation
altogether, or they may reduce the severity of the impact of the legislation
that does get passed. Some examples of such mitigation, along with the type of
risk whose likelihood they reduce, are shown in Table 6.5.
Some of the examples in Table 6.5 may seem less like mitigation decisions
and more like they are part and parcel of simply conducting business. That
is why it is helpful to have a single decision-making process in place that
can be used consistently for all types of decisions, regardless of whether
they seem like pure mitigation, partial mitigation, or just routine business
TABLE 6.5 Examples of Mitigation Reducing the Likelihood of a Key Risk Scenario
Mitigation Reduces Likelihood of . . .
Lobbying efforts Legislative/regulatory risk
Initiative to identify critical employees and develop customized retention programs for them
Loss of critical employees
Process-mapping project to identify and secure weak points in financial reporting
Risk of financial reporting restatement
Stricter rules on employees regarding securing data and usage of wireless devices
Data privacy breach
Enhanced succession plan Weakened leadership
Strong compliance personnel focused on regulatory compliance
Risk of regulatory fines
Training program for employees on protecting intellectual property
Failure to protect intellectual property
Integrating ERM into Decision Making & 249
C06 01/13/2011 23:52:20 Page 250
decision making. Such a process was described earlier (see ‘‘Decision Making
with ERM’’).
In addition to trying to prevent a key risk scenario from occurring to begin
with (reducing likelihood), mitigation decisions can also be used to reduce
the severity of impact if the risk scenario were to occur. For example:
& The purchase of a hurricane insurance policy to partially mitigate a key
risk scenario of a hurricane destroying the company headquarters. & A hedging program put in place by the investment department to partially
mitigate a foreign exchange key risk scenario. & A business continuity plan put in place to partially mitigate a pandemic
key risk scenario. & Discontinuing operations in a particular country to completely mitigate
a key risk scenario related to local unrest. This is an example of risk
avoidance.
In Chapter 5, we discussed five case studies of individual risk quantifica-
tion. Let’s briefly examine whether the mitigation resulting from each case
study reduces likelihood, severity, or both.
Case Study #1 involved an operational risk related to technology data
security and privacy. The key risk scenario was an external attack on informa-
tion technology. Management made two mitigation decisions. The first mitiga-
tion decision was to identify and secure the computers containing privacy data.
This reduces the likelihood of occurrence; more secure computers imply a less
likely breach. However, this also reduces the severity of impact; if a privacy data
breach were to occur, it would likely be less severe due to the additional security
protocols. The secondmitigation decisionwas to purge ex-customer privacy data
from the computers. This reduces the severity of impact; if a breach were to
occur, it would impact the privacy data of fewer customers.
Case Study #2 involved an operational, human resources risk related to
losing critical employees. The key risk scenario was a plane crash on the way
to a conference for sales leaders. Management made a mitigation decision to
strengthen the enforcement of the travel limitations policy for concentration of
key employees on flights, particularly in relation to sales managers. This
reduces the severity of impact; if a single plane crash were to occur, it would
impact fewer salespeople, and particularly, fewer sales managers.
Case Study #3 involved an operational, human resources risk related to a
money-laundering incident. The key risk scenario was a very pessimistic
250 & Risk Decision Making
C06 01/13/2011 23:52:20 Page 251
money-laundering event. Management made a mitigation decision to restart
their anti–money laundering (AML) efforts. This reduces the likelihood of
occurrence; AML efforts are preventative. However, this also reduces the
severity of impact; if a money-laundering event were to occur, it would likely
be less wide ranging across the enterprise due to AML controls instituted.
Case Study #4 involved a strategic risk related to supplier failure. The key
risk scenario was losing a sole-source supplier due to a fire. Management made
a mitigation decision to qualify a backup supplier. This reduces the severity of
impact; if a fire were to destroy the sole-source supplier, a rapid shift to the
backup supplier implies minimal supplier disruption.
Case Study #5 involved a strategic risk related to poor strategic planning.
The key risk scenario involved failures related to four specific strategic plan
elements that management knew were particularly questionable in terms of
their feasibility. The implied mitigation decision included additional efforts to
achieve the strategic plan, focusing in priority order on the more impactful
strategic plan elements. This reduces the likelihood of occurrence; the addi-
tional efforts are preventative. However, this also reduces the severity of
impact: If management suffers a failure in relation to one or more of the
four strategic plan elements, it would likely be by less of a margin due to the
additional efforts.
In each of the case studies discussed, the individual risk quantification of
key risk scenarios resulted in so large a potential impact on company value that
it sparked immediate management action in the form of one or more mitigation
decisions. The procedure for decision making, whether involving risk-priority
decisions (e.g., mitigation) or return-priority decisions (e.g., strategic planning),
was outlined earlier (see ‘‘Decision Making with ERM’’). However, for each of
these case studies, management implicitly followed this procedure, but did not
feel the need to formally go through all of the recalculations. In such cases, the
individual risk exposure is so extreme, and the need for action so clear, that
management only requires the following information for the mitigation
options:
& Cost of mitigation & Reduction in likelihood due to mitigation & Reduction in severity due to mitigation
Management selected mitigation if the cost was reasonable and it produced
a satisfactory result. Examples of satisfactory results included the following:
Integrating ERM into Decision Making & 251
C06 01/13/2011 23:52:20 Page 252
& An elimination of the key risk corresponding to an individual risk scenario
due to the reduction of likelihood or severity & A reduction in the ranking of an individual risk scenario due to a reduction
of likelihood or severity & A reduction of the exposure below the risk limit10 for an individual risk
scenario
Some interpret these actions as management having ‘‘zero tolerance’’
for exposures that exceed risk appetite or risk limits. Another way of looking at
this is that management was implicitly making a judgment that the risk
exposure, if left unchecked, would result in a higher discount rate, thereby
lowering value. Implicitly, then, the decision-making process outlined earlier
was actually followed, although the situation was so clear that management
chose to skip the formality of performing some of the recalculations.
Leveraging Existing Risk Management Models ERM is not risk man- agement. ERM is a strategic, integrated process involved with the key risks,
which are just the top 20 to 30 or so threats to the enterprise. ERM can be
considered a high-level, top-down approach. ERM models are simple, handle
multiple interacting risks, and are not designed for evaluating mitigation
decisions for lower-level risks.
In contrast, riskmanagement is a tactical, silo-based approach involvedwith
a large volume of risks, the vast majority of which are not significant threats to
the organization. Risk management can be considered a detailed approach.
Many risk management models are highly detailed, largely focus on one risk at a
time, and are not able to aggregate risk exposures to the enterprise level.
However, ERM models and risk management models do relate to each
other. The ERM approach leverages existing risk management models, to the
extent appropriate. The interaction involves an efficient division of labor where
each type of model is allocated the task that suits it best.
The ERM model is appropriate to use for prioritization of risk management
efforts. The ERM model quantifies enterprise risk exposure, which includes
individual risk exposures for the key risks, and defines risk appetite and risk
limits for the enterprise as a whole, using a top-down, integrated approach.
This can be considered strategic risk management in that it sets the high-level
risk strategy. This defines what to do, in terms of which key risk scenarios to
concentrate on, and in what priority order.
Risk management, or tactical risk management, then focuses on the key
risk scenarios prioritized in the risk strategy provided by ERM. Risk
252 & Risk Decision Making
C06 01/13/2011 23:52:20 Page 253
management defines the how, in terms of how best to mitigate the key risk
scenarios. Risk management models are in a much better position, for some
risks, to analyze the specific alternative mitigation options in detail.
However, the risk management models cannot properly measure the
marginal impact of any decision on the firm. This is because they are silo-
based, usually only handling one risk at a time. The ERMmodel is equipped to
measure risk interactivity, including exacerbations and offsets. For this
reason, the individual risk management models are most often used only
for developing inputs for the ERM model for each potential mitigation deci-
sion. These involve any changes to inputs for the individual risk scenarios or
the baseline company value. The ERM model is then used to determine the
marginal change in the risk and return profile, which informs the decision.
However, some decisions are straightforward enough that the individual risk
management model will suffice.
This is depicted in Figure 6.3. In step 1, the ERM model calculates
enterprise risk exposure, which, when compared with risk appetite and risk
limits, sets the strategic priorities for risk mitigation decisions. In step 2,
management identifies potential alternative mitigation options for evaluation.
In step 3, the existing risk management model is leveraged, producing the
1
Recalculate risk and return metrics
ERM model
Decision Making with ERM
4
Mitigation Priority
Alternate Mitigation Options
2 3 Evaluate risk-return trade-off
5b
Existing Risk Management Model
Baseline company value
For each mitigation option: Risk scenarios and
5a
FIGURE 6.3 Leveraging Existing Risk Management Models
Integrating ERM into Decision Making & 253
C06 01/13/2011 23:52:20 Page 254
changes to the individual risk scenarios and to the baseline company value.
In step 4, these items are used as inputs back into the ERM model. Step 5
involves the process used for decision making with ERM, where step 5a is the
recalculation of the risk and return metrics and step 5b is the evaluation of
the risk–return trade-off, to arrive at a final decision.
Consider the following example. An ERM model indicates that currency
risk is a key risk whose exposure exceeds its risk limit, and that mitigation is
therefore required. This information is then handed down to an existing risk
management model, which is leveraged to evaluate alternate mitigation
options, such as which type of hedge against currency risk would be best to
purchase. This is appropriate because the investment department has a risk
management model with far more detail related to evaluating currency risk
than the ERM model. Each risk mitigation option is evaluated in terms of
how it would change the currency risk scenarios (changes to likelihood and
severity), as well as the baseline company value (changes to distributable
cash flows and the discount rate). The changes for each mitigation option
are then uploaded back to the ERM model for making the best risk–return
decision. The ERM model recalculates values for the net marginal impact on
risk and return metrics, reflecting risk interaction of multiple key risks for
each mitigation option. The risk–return trade-offs for each mitigation option
are evaluated and a final decision is made.
Determining the Value ofMitigation in Place In Chapter 3, we discussed the unique ability of the value-based ERM approach to quantify the value
of mitigation in place. This refers to a rigorous quantitative approach to
demonstrating the value added by any mitigation-related area of the com-
pany or the value of specific risk mitigation. This involves using the decision-
making process (see ‘‘Decision Making with ERM’’) in reverse, so to speak. In
other words, rather than compare the current risk and return metrics to that
of a potential future decision, we compare them to a hypothetical undoing
of a prior decision: that of choosing the mitigation that is already in place.
For any mitigation in place, whether it is an entire department (compliance,
risk management, etc.) or a specific mitigation item (an insurance policy, a
financial hedge, etc.) this exercise involves creating a hypothetical view of
the company as if the mitigation were not in place.
There are two main benefits that can be derived by this technique:
1. Establish the value of a mitigation-related department. This tech-
nique can be used to establish, for the first time, the value of a department
254 & Risk Decision Making
C06 01/13/2011 23:52:20 Page 255
or unit whose role is mitigation related. The value is measured directly as
the impact on the baseline company value. This is calculated as follows:
Value of mitigation ¼ CoValueBaseline ! CoValueExcl Mitigation
Where:
& CoValueBaseline ¼ baseline company value & CoValueExcl Mitigation ¼ recalculated company value based on
excluding mitigation
The value of mitigation in place will be positive if its contribution to
company value due to lower risk exposure (as expressed by a lower downside
standard deviation and, more directly, a lower discount rate) is greater than
its detraction from company value due to higher costs. As discussed earlier,
another metric that provides a different perspective on value added is the
probabilistic company value, and this may be used as well.
This is a quantum leap forward for these areas, as well as the
companies that attempt to effectively manage them. Until a value-based
ERM approach is instituted and these values are calculated, management
has difficulty developing reasonable approaches to goal setting, perform-
ance measurement, and incentive compensation for mitigation-related
personnel. However, the value-based ERM approach provides a common
set of risk and return metrics to support decision making related to all
mitigation-related areas, which is also the same common set of metrics
used for all other decision making in the firm, whether for risk-priority or
return-priority decisions.
2. Evaluate appropriateness of specific mitigation items. This tech-
nique can also be used to evaluate an individual existing mitigation item,
such as an insurance policy or a hedge. Again, the exercise involves
recalculating the risk and return metrics under the assumption that the
mitigation is no longer in place. This is used to evaluate past mitigation
decisions that were made without the benefit of the rigorous quantification
afforded by the value-based ERM approach, but based merely on rules of
thumb or subjective management judgment, whose quality may vary from
area to area across the enterprise.
This evaluation will either confirm the appropriateness of a specific
mitigation item, or identify the amount of over-mitigation. Management
often harbors long-held suspicions that certainmitigation efforts have been
excessive in light of their benefits. This technique allows management to
Integrating ERM into Decision Making & 255
C06 01/13/2011 23:52:20 Page 256
test these notions and, if validated, provide a strong quantitative business
case for paring back these efforts and redirecting resources where they can
be put to better use.
Integrating ERM into Internal Audit Plans The value-based ERM ap- proach provides a single rallying point—the potential impact on the baseline
company value—for prioritization of risk management efforts, wherever they
may be in the enterprise. One of the main risk management areas that can be
enhanced through this alignment is the internal audit function. Internal audit
provides much value in detecting and deterring certain types of risks, such as
fraud, financial reporting errors, and so on. However, historically, the internal
audit function has not been fully utilized to its maximum benefit. Management
often feels that internal audit is focusing on too many minor items. The value-
based ERM approach changes this. By integrating ERM information into the
internal audit process, the internal audit plan can be prioritized to focus more
resources on the key risks, which are those with the largest potential impact on
company value. The internal audit team elevates their focus to items of more
strategic importance to the firm. This is valuable, because the company benefits
through more efficient prioritization of risk mitigation resources.
One example where this occurred was at a manufacturing company that
was ranked among the top three in its sector and was implementing a value-
based ERM program. The head of internal audit, who was acting as the de
facto chief risk officer, reprioritized the internal audit plan in alignment with
the value-based ERM information and had the following comment after-
wards: ‘‘This is great! My boss has been telling me for years that I am always
‘down in the weeds,’ spending my resources looking at the small stuff.
This gives me a way to fix that, and focus on the biggest priorities for the
company.’’
Return-Priority Decision Making
One of the most appealing aspects of the value-based ERM approach is its ability
to enhance routine business decision making. The decision-making process
used for these, and indeed any, decisions, was described earlier (see ‘‘Decision
Making with ERM’’). We will discuss the integration of ERM into the following
return-priority decision-making processes:
& Strategic planning & Business decision making
256 & Risk Decision Making
C06 01/13/2011 23:52:20 Page 257
Integrating ERM into Strategic Planning
The value-based ERM process strengthens the strategic planning process in
three major ways:
1. Aligns baseline assumptions
2. Aligns scenario assumptions
3. Converts static document into dynamic planning tool
Aligns Baseline Assumptions There are five distinct activities in the risk quantification ERM process step, performed as part of a value-based ERM
approach, that serve to better align the baseline assumptions in the strategic
plan:
1. Aggregating projections. The process of aggregating the individual
business segment projections that support the strategic plan, and any
other detailed supporting documents, into a baseline company value model
allows a more thorough vetting of the assumptions and clarification of any
conflicting items. This process helps align assumptions related to the
external environment as well as those related to the internal environment.
Some of the most important assumptions relate to the external
environment (future economic conditions, expectations about the stock
and bond markets, etc.), which can affect the entire enterprise. Aligning
external environment assumptions helps ensure that any related business
segment decision making, such as a ‘‘bet’’ on market directions, is cohesive
and rational for the company in the aggregate and is not being made at
cross-purposes.
The process of gathering together the different component projections
and combining them into a single dynamic baseline valuation model can
also help identify inconsistencies in assumptions related to the internal
environment. A case study will help illustrate this.
A midsize company was manufacturing and selling its products
through its own dedicated sales force. Their strategic planning process
was not rigorous. They had developed a high-level, top-down strategic plan
financial projection that projected slow but steady growth over the plan
period of three years. However, they also had a separate, more detailed
financial projection related to the sales force, including salespeople hired,
salesperson retention, and productivity. When the more detailed sales
force plans were integrated into a dynamic strategic plan financial
Integrating ERM into Decision Making & 257
C06 01/13/2011 23:52:20 Page 258
projection, it became clear that there were inconsistencies. The more
detailed sales force projections revealed that revenues were actually going
to shrink over the coming three years. In addition, the integrated model
revealed that to achieve the planned growth shown in the original high-
level strategic plan financial projection, management would have to adopt
a far more aggressive strategy toward its sales force, such as more hiring,
improved retention, and/or higher productivity. The CFO and CEO were
presented with the discrepancy, and their reaction was, ‘‘We had a sense
that there was a disconnect somewhere, but we didn’t know exactly
where, or how bad it was.’’ They proceeded to modify their sales force
strategy, making it consistent with supporting the plans for growth.
2. Analyzing trends. The trend analyses, performed as part of the develop-
ment of the baseline valuation model, tend to reveal any potential
discontinuities that warrant further examination. Discontinuities are
identified by comparing strategic plan period projections to recent finan-
cials, as well as to projections beyond the formal planning period. Com-
paring these trends to consensus industry expectations regarding growth
rates, by sector, provides additional insights. Finally, comparing trends
across business segments can generate additional conversations that lead
to higher levels of comfort, or possible changes, in the assumptions.
3. Analyzing the valuation. The calculation of the baseline company value
itself has a tendency to stimulate productive discussions and reviews of the
baseline assumptions. The valuation translates the baseline strategic plan
assumptions into the language of business decision-makers: value. Show-
ing the implications of the baseline assumptions, in terms of the resulting
value of the company, generates a visceral response by management,
which spurs some basic but useful analyses. Management compares the
baseline company value to any preconceived notions they may have of its
value. In addition, management performs a reasonability check, compar-
ing the baseline company value against market capitalization. Finally,
management reviews the valuation by business segment or sub-segment.
These valuation analyses often shine a bright light on any suspicious
results, leading to further scrutiny of any questionable assumptions,
particularly aggressive growth or expense reduction assumptions.
4. Documenting and disseminating. Traditionally, the assumptions sup-
porting the baseline strategic plan, and the resultant distributable cash
flow projection, are often viewed and understood by only a handful of
financial personnel. This inhibits a common understanding, and overt
acceptance, of the baseline assumptions by those making decisions based
258 & Risk Decision Making
C06 01/13/2011 23:52:20 Page 259
on their understanding of the baseline strategic plan. The quantification
process in the value-based ERM approach involves a wider range of
management, and puts the information in a format and language that
can be more easily shared and understood. The baseline company value
calculation, including the distributable cash flow projection and all related
assumptions, is documented and shared consistently throughout the
organization. Due to its connection to the broader ERM effort, a broader
range of management is in tune with the goings-on that produced this
information, and has a stronger tendency to focus on it. In addition, the
expression of the baseline strategic plan in the language of value makes the
information more accessible to management. Having a common under-
standing that is more broadly shared, especially among key business
decision-makers, helps to politically tease out and resolve any disputed
items in the baseline assumptions.
5. Developing stress tests. The process of developing key risk scenarios,
which are essentially stress tests, also helps align the baseline strategic plan
assumptions. Developing and examining upside and downside determinis-
tic key risk scenarios, which occurs at a later stage during the FMEA
process, also strengthens the understanding of what is, and what is not,
included within the baseline assumptions. This occurs as subject matter
experts, many of whom reside within the business segments, think through
various scenarios, producing detail on the critical components within the
business plan and how they can vary under different stress situations. This
may produce an iterative pass back to the calculation of the baseline
company value whenever any issues are uncovered.
Aligns Scenario Assumptions The value-based ERM approach to the risk quantification ERM process step improves the alignment of scenario assump-
tions in the strategic plan in three ways:
1. Consistent rigor in risk scenario development. At any company, the
subject matter experts include individuals with varying levels of ERM
knowledge and skill. If left to their own devices to develop risk scenarios,
the level of quality would vary to a degree that would impact the usefulness
of the information. The value-based ERM approach avoids this problem
by using a guided process—the FMEA interviews. The FMEA interviews
ensure a consistent approach to the development of risk scenarios. It is
used across all business segments (and corporate) and for all key risks.
In addition, the uniformity of the interviews is further enhanced by the
Integrating ERM into Decision Making & 259
C06 01/13/2011 23:52:20 Page 260
continuous presence of the interviewers, who are skilled in the FMEA
technique.
2. Standardized definitions of risk scenarios. Typically, risk scenarios
are developed as part of the strategic planning process, including
sensitivity analysis; stress testing; and/or strengths, weaknesses, oppor-
tunities, and threats (SWOT) analyses. These traditional methods for
developing risk scenarios often lack consistency in terms of how sce-
narios are defined. One person’s definition of a very pessimistic stress test
may not match someone else’s definition. In contrast, the FMEA inter-
view method solicits the development of a range of risk scenarios, and,
rather than leave it up to the subject matter expert to provide a
subjective label, such as very pessimistic, relies on more objective
elements to define each risk scenario. The ranking of a risk scenario
is used as its automatic standard label, and the ranking depends on
quantitative metrics, including, primarily, the severity—such as the
potential impact on company value—and, to a lesser extent, the likeli-
hood of occurrence, such as a 1-in-100 chance.
In addition to ensuring consistency, using a more objective standard-
ized approach to defining risk scenarios serves another purpose: avoiding
errors. It is quite common for a subject matter expert to describe one risk
scenario as very pessimistic and another as merely pessimistic during the
FMEA interview process, only to see later that the former has a lower
severity than the latter. This is because the risk quantification calculations
performed in the value-based ERM model, although based on fundamental
finance theory, are difficult to perform in one’s head. The calculations
involve projecting and discounting, and sometimes these results are
different than initially imagined. Fortunately, the FMEA approach does
not rely on the subject matter expert’s label, but merely collects a range of
risk scenarios and uses standardized quantitative metrics for defining the
risk scenarios.
3. Uniform external environment assumptions. The FMEA approach
ensures consistent assumptions regarding the external environment, such
as future economic conditions, expectations about the stock and bond
markets, and so on. The FMEA interview approach is guided by individuals
that are continuously present to identify all such usage of these assump-
tions and to ensure that they are uniform enterprise-wide. In addition,
FMEA interviews are documented and shared, providing another oppor-
tunity to identify and reconcile any external environment assumptions
that differ.
260 & Risk Decision Making
C06 01/13/2011 23:52:20 Page 261
In addition to providing the proper alignment of assumptions to ensure
a valid risk quantification ERM process step, with uniform external
environment assumptions in place, management gains a useful ‘‘what-
if’’ model for the company. Management can get an answer to questions
such as, ‘‘If the economy worsens (to a specified degree), how would it
impact the key metrics for the enterprise as a whole, as well as for each
business segment?’’
Converts Static Document into Dynamic Planning Tool In most com- panies, the strategic planning process is an annual event. It is a formal event
that consumes significant resources over several weeks. At the end of the
exercise, what results is a thick binder that contains the strategic plan. A key
element is how all the pieces of the strategy, including supporting tactics or
initiatives, will achieve the financial results to which management is commit-
ted. These financial results are expressed in the form of a strategic plan financial
projection, often for three or five years into the future. The strategic plan is a
static document that is at least partly outdated by the time it is completed. Most
CEOs dream of a day when their management continually lives and breathes
strategic planning and uses a dynamic, ongoing, and nimble approach to
developing and executing strategic decisions, rather than a static, once-a-year,
and cumbersome approach. This would be a true competitive advantage.
One of the most valuable outcomes of a value-based ERM approach is an
ability to finally achieve this dream. The value-based ERM approach connects
enterprise riskmanagement to value-basedmanagement.Anotherwayof saying
this is that the value-based ERM approach converts the heart of the strategic
plan—the strategic plan financial projection—from a static projection into a
dynamic model. Changes in the external or internal environment or changes in
strategy or tactics can be readily reflected in the value-based ERM model,
revealing the impact on projected financial results. In addition, any hypothetical
change or decision can also be easily reflected. Evenmore importantly, the value-
based ERMmodel transforms the strategic plan from a single-scenario projection
into a distribution of likelihood-severity outcomes based on a large volume of
simulations representing combinations of well-defined deterministic key risk
scenarios. What this means is that it provides a much more robust picture of
where the baseline companyvalue is likelyheaded, aswell as confidence intervals
for varying ranges around the baseline company value.
After one full cycle of the value-based ERM process, companies tend to take
advantage of this, and move to a more dynamic strategic planning process,
increasing the frequency of many of their strategic planning activities from
Integrating ERM into Decision Making & 261
C06 01/13/2011 23:52:20 Page 262
annually to quarterly or simply ad-hoc throughout the year, as conditions
warrant. This increase in planning frequency is not accompanied by a
magnification in effort to support it; quite the contrary. The agile value-based
ERM model is relatively easy to update, residing in a single spreadsheet-based
tool. In addition, the consistent approach to developing assumptions—both
baseline and scenario assumptions—more easily aligns risk scenario develop-
ment and maintenance.
This is the crowning example of the benefits of an ERM approach that,
rather than treating risk as a separate stand-alone function, creates an
approach where not only are risk and return, or risk and reward, married
to each other, in fact they cannot exist without each other. Risk cannot be
defined except in terms of the deviation of results from baseline company value,
and value cannot be defined without the discount rate, which is a function of
the downside standard deviation, which, in turn, is informed by enterprise risk
exposure and its underlying key risk scenarios. This irrevocably connects risk
management to strategic planning and decision making. The value-based ERM
approach and model supply the strategic planning process with the rigor to
enhance credibility and the dynamism to endow the process with vigor.
Integrating ERM into Business Decision Making
The value-based ERM process can be easily integrated into the full range of
business decision making, including strategic, tactical, and transactional
decision making. The basic way in which the value-based ERM process
enhances day-to-day decision making in the business segments is no different
from the way in which it is used to support the strategic planning process. The
fundamentals are the same. Therefore, we will merely highlight the following
selected aspects of integrating ERM into business decision making:
& The need for speed & Dealing with soft assumptions & Stock buyback or issuance & Prioritizing between stakeholders & Mergers and acquisitions
The Need for Speed Many important business decisions must be made quickly, without the luxury of time for the kinds of detailed analyses manage-
ment would prefer to do. This is because most financial models that are
available for these analyses are too cumbersome, and cannot be adapted for
262 & Risk Decision Making
C06 01/13/2011 23:52:20 Page 263
a new type of decision in a short time frame. As a result, management often
takes actions supported only by instinct, experience, and a back-of-the-enve-
lope analysis of the numbers.
The value-based ERM approach and model typically usher in a new era in
decision support. The equilibrium between robustness and fast flexibility of the
value-based model strikes the right balance for supplying a ‘‘what-if’’ tool that
can support any type of decision, even in the shortest of time frames.
A modified case study will help illustrate this point. A major technology
firm was in the early stages of risk quantification when a major business issue
arose. Some of their largest customers were collectively renegotiating their
contracts and made a sudden demand. This large group of customers insisted
that because the technology firm handled their data transfers, if a privacy data
breach were to occur, they expected the company to cover the liability. In
addition, the customers expressed that they were unwilling to pay for this
liability coverage. The ERM personnel were told that in just 10 calendar days,
the president of marketing and sales would be meeting with the CEO to decide
on a response, and they were asked if they could provide any input to assist
with the decision.
Instead of a technology firm, if they were a typical financial services
company with a traditional, heavy ERM model laden with complexity, their
answer would probably have been, ‘‘Sure, we can provide some insights. We’ll
hire back the consultants from whom we licensed the software, make modifi-
cations to the model, do some parallel testing, and then run some scenarios. We
should be ready in about 10 to 12 weeks, if we hurry.’’ If that had been the
answer provided by this ERM team, do you think senior management would
ever knock on their door again in a similar situation? Certainly not. It is crucial
that once the ERM team is invited in and asked if they can help, and do so
within the time frame required, the ERM team must be in a position to answer
positively. Fortunately, that was the position in which this ERM team found
itself, having the beginnings of a value-based ERM model at its disposal, which
is spreadsheet-based, is quickly adaptable to support new business decisions,
and has extremely fast run times.
The ERM team began by setting up the decision options and outlining the
consequences. One option was to refuse to comply with the demand. On the
upside, this would keep the company free from the potentially unlimited
liability of covering privacy data breaches for these customers. On the down-
side, this option could result in losing customers to a competitor willing to take
on such a liability. This represented a significant risk, because these customers
collectively accounted for hundreds of millions of dollars in profits. A second
Integrating ERM into Decision Making & 263
C06 01/13/2011 23:52:20 Page 264
option, on the other extreme, was to comply with the demand. On the upside,
this decision would not cause them to lose any business. On the downside, the
companywould be saddled with a large liability, and they had no idea (yet) how
large it could be. A third option was to offer to cover the liability only under
certain conditions, which was somewhere between the other two options.
Once the decision options and their categories of consequences were
defined, they followed the procedure outlined earlier in ‘‘Decision Making
with ERM,’’ to the extent possible. They had not yet fully quantified enterprise
risk exposure, so they were not able to perform all the steps fully. However, for
each decision option, they revised the distributable cash flow projection, revised
the discount rate, and recalculated the baseline company value. In addition,
they developed risk scenarios for the data breach risk, using the FMEA
interview technique. All the initial risk scenarios were developed within the
first two business days. They quantified the impact of the risk scenarios, under
each decision option, in terms of their impact to the baseline company value.
Once all the risk–return trade-off information was assembled well within
the required time frame, the senior member of the ERM team and his lieutenant
attended the decision-making meeting and provided this ERM information in
support of the decision-making process. After the decision was made, the
feedback from the CEO was that the ERM information was much appreciated,
that it helped them make the decision, and that this was a unique perspective
that was unavailable from anywhere else in the firm. As you can imagine, after
this event the ERM team began to get pulled into many more decisions of
strategic importance, which greatly expanded the influence and funding of the
ERM efforts.
Dealing with Soft Assumptions To make decisions, businesspeople need more than qualitative musings about the difference between two alternate
choices. Business decision-makers need numbers. Hard numbers—those for
which there is a high level of confidence in their accuracy—are preferred, but
in their absence, estimates based on soft assumptions—those for which there is
lower level of confidence in their accuracy—can also help support decision
making. By necessity, the very nature of ERM information—which is focused
on future forecasts and the level of uncertainty in them—is such that it must
involve some estimates based on soft assumptions. In the section titled ‘‘But
Aren’t These Just Guesses?’’ in Chapter 3, we rebutted the typical objections to
the use of soft estimates and discussed their advantages. We now present a
modified case study illustrating one of the ways to make decisions based on soft
assumptions.
264 & Risk Decision Making
C06 01/13/2011 23:52:21 Page 265
A major telecommunications company had adopted a value-based ERM
approach, and was beginning to use the ERM information to identify opportu-
nities to make better decisions. The ERM team identified such an opportunity
in one of its business units where they were about to implement a decision
involving a new initiative and its accompanying package of security protocols.
The ERM team approached management with a recommendation to make a
different decision incorporating a different package of protocols. After review-
ing the ERM information, management flatly rejected the ERM team’s recom-
mendation. Management argued, ‘‘This recommendation is based on a bunch
of soft assumptions, and, in particular, is largely predicated on just one critical
assumption, which had to have been pulled out of thin air, because there was
no way that the ERM team could estimate it with much accuracy.’’
The ERM team responded by admitting to virtually every statement that
management made in its response, although they still argued for, and suc-
ceeded in getting, management’s acceptance of their recommendation. Yes, the
recommendation was based on several soft assumptions. Yes, the one critical
assumption was indeed the lynchpin of the recommendation. Yes, the ERM
team could not, in fact, estimate the critical assumption with much accuracy.
However, the ERM team did not need much accuracy to prove their case. The
ERM team performed a sensitivity analysis that illustrated how wrong the
estimate of the critical assumption would need to be in order to negate the
recommendation. When management saw the results of the sensitivity analy-
sis, which revealed that the ERM team would have to have been off by a factor
of 10 for the recommendation to be nullified, management accepted the ERM
team’s recommendation. Management responded, ‘‘Okay. We get it. We’re on
board. We know that you are not off by a factor of 10.’’
Stock Buyback or Issuance For many companies adopting a value-based ERM approach, one of the key benefits is an ability to make opportunistic stock
buyback or issuance decisions. The risk quantification ERM process step
provides two pieces of information that are helpful in supporting such decisions.
The first piece of information is the baseline company value. As discussed in
Chapter 5, if done properly, this is a more accurate valuation of the company
than market capitalization. If management has full confidence in the accuracy
of its baseline enterprise valuation, then when the market capitalization is
lower than the baseline company value, this represents a viable opportunity for
buying back stock. The market price is cheap relative to the true underlying
value of the stock, which will be proved over time as management successfully
executes the strategy, realizing the future distributable cash flows projected in
Integrating ERM into Decision Making & 265
C06 01/13/2011 23:52:21 Page 266
its internal valuation. Conversely, when themarket capitalization is higher than
the baseline company value, this represents a viable opportunity for issuing
stock. The market is paying a premium over and above what management
believes to be the true underlying value of the stock.
The second piece of information that helps support these decisions is the
enterprise risk exposure. The enterprise risk exposure provides confidence
ranges around the baseline company value. For example, management can
estimate the chances of achieving or exceeding the baseline company value.
In addition, management can estimate the chances of being 10 percent or
15 percent off in their valuation. This is useful, because it is rare for manage-
ment to have full confidence in its baseline company value calculation; this
would be equivalent to management saying that they are 100 percent certain
that they can meet or exceed the strategic plan goals.
Consider the following illustrative example of how management uses this
information to opportunistically buy back some of its outstanding shares. The
general stock market drops 25 percent. Share prices drop indiscriminately
across most sectors and the company’s stock price drops as well. Management
believes that this is panic and that the decrease in company stock is without a
valid rationale. Sensing a stock buyback opportunity, management compares
the current market capitalization to its baseline company value calculation.
The former is lower than the latter by 30 percent. Management believes that its
enterprise risk exposure is a fair indication of the ranges of company values and
their corresponding likelihoods. The enterprise risk exposure indicates that
management has only a 40 percent chance of achieving or exceeding plan.
Based on this estimate, management is not fully comfortable relying on the
baseline company value as the sole basis of comparison for a stock buyback
opportunity. However, management uses the enterprise risk exposure to
estimate the chance of company value meeting or exceeding the current
market capitalization, and finds this likelihood to be 75 percent. This instills
a higher level of confidence that a stock buyback is a good bet, and manage-
ment proceeds.
Prioritizing between Stakeholders One of the challenges of running a company is prioritizing between multiple stakeholders. Shareholders demand a
level of return commensuratewith the level of risk. Rating agencies, representing
bondholders, want solvency, or security of interest payments and the repayment
of principal. Regulators desire a high level of compliance. And there are other
stakeholders to deal with as well. Some decisions favor one stakeholder over
another. Although shareholders are primary, it is not always clear how such
266 & Risk Decision Making
C06 01/13/2011 23:52:21 Page 267
trade-offs—gaining favor with one stakeholder while, simultaneously, falling
into disfavor with another—balance out. This is because they are interrelated;
for example, if rating agencies become so unhappy with management that
they downgrade the company, this can lower the company value, hurting
shareholders.
A value-based ERM approach can help management make such difficult
decisions. It does this by valuing the trade-offs directly. The level to which any
stakeholder may become displeased is measured directly, by quantifying the
change in the baseline company value. There is no intrinsic value in maximally
satisfying secondary stakeholders. Secondary stakeholders must only be satis-
fied to the point that it benefits the primary stakeholder, by increasing company
value, which is the central focus and key metric of the value-based ERM
approach. A modified case study illustrates this point.
A large private company implementing a value-based ERM approach
arrived for the first time at the risk decision making ERM process step.
Management decided to use the value-based ERM model to evaluate the
viability of a decision that senior management was about to make. Senior
management was considering implementing a new strategic initiative that
was expected to generate significant revenue growth in one of their markets.
However, if adopted, management was certain that the companywould receive
a ratings downgrade which would last five years. The downgrade would hurt
them in some of their minor markets, where they would be forced to lower
prices, and would also result in a higher cost of capital. Management was not
sure whether the initiative would be viable, after all the dust settled between
the various constituencies and their conflicting needs.
The value-based ERM approachwas used to sort out all these moving parts.
Management followed the steps indicated earlier (see ‘‘Decision Making with
ERM’’). They revised the baseline company value calculation to reflect the
additional revenues generated in one market, as a permanent change, and the
lower prices in some of the minor markets, and the higher cost of capital, as a
five-year change, and the resulting higher discount rate. In addition, they
revised a handful of key risk scenarios to reflect the lower rating. Finally, they
recalculated enterprise risk exposure, and performed a reasonability check on
the initial change in the discount rate. The risk-return trade-off evaluation
clearly identified the initiative as a viable option which would generate a
significant increase in company value.
Mergers and Acquisitions Mergers and acquisitions are prime candidates for decisions that can be improved with a value-based ERM approach. Most
Integrating ERM into Decision Making & 267
C06 01/13/2011 23:52:21 Page 268
studies show that the majority of these transactions actually destroy share-
holder value. So, what goes wrong? Why do these decisions have such a poor
track record?
One reason is that, due to the internal pressure, or perceived pressure, to
get the deal done, internal financial projections of the benefits that will be
generated by the transaction are continually tweaked toward increasingly
optimistic assumptions. Another reason is that these assumptions, and those
generating them, are never held to account after the fact, because their tracks
are covered through the messy integration and reorganization process.
The value-based ERM approach changes all that. Because major decisions
follow a standard and well-documented approach (see ‘‘Decision Making with
ERM’’) that becomes part of a shared dynamic strategic planning model, there
is nowhere to hide. It becomes clear, early on in the deal-making process, that
whatever assumptions are used to support the decision to green-light the
transaction will be around for awhile. As a result, those setting the assump-
tions, knowing that they are more likely to be held accountable if the
transaction does not generate the benefits they project, have more incentive
to keep their assumptions reasonable.
This results in more accurate pricing of mergers and acquisitions. This may
also result in the company winning fewer deals, because their bids may tend to
be lower than the other competitive bids. However, when this is synonymous
with passing on more deals that would have destroyed shareholder value, then
this is more than acceptable—it is preferable.
For this to work properly, those developing the assumptions for the
financial projections of the transaction must have incentive compensation
that is aligned with increasing company value. A modified case study high-
lights this issue. A technology company that was a dominant leader in its field
was analyzing its poor performance in acquisitions, which had become part of
their growth strategy over the past five years. They had an abysmal track
record of overpaying on acquisitions, where some of the resulting losses were
staggering in their magnitude. In focusing on one large acquisition, the source
of the problem came quickly into focus.
The company had recorded the assumptions used during the deal-
making process as a 10#10 grid of the estimated value of the transac- tion—the maximum bid warranted—based on two varying assumptions. The
10 columns showed the span of assumptions for revenue growth, ranging
from most pessimistic at the extreme left to most optimistic at the extreme
right. Similarly, the 10 rows showed the span of assumptions for expense
savings, ranging from most pessimistic at bottom to most optimistic on top.
268 & Risk Decision Making
C06 01/13/2011 23:52:21 Page 269
So, the most optimistic of all combinations was the upper right corner of the
grid, which contained the largest possible bid the company could rationally
offer. This box contained the price of $2 billion.
Just above and to the right of the table, just beyond the most optimistic bid,
was the handwritten number ‘‘$2.4 billion.’’ I asked, ‘‘What is that number?’’
They responded, ‘‘Well, that’s the price we actually paid for the acquisition.’’
I then asked, ‘‘Why would you pay more than you knew the acquisition was
worth, even under the most optimistic combination of your assumptions?’’
Their response essentially indicated that their incentive compensation was
based on total business segment revenue growth and not on company value.
Their incentive was growth, not profitable growth.
SUMMARY
The third step in the ERM process cycle, risk decision making, is the pinnacle
of the value-based ERM approach. The primary purpose of this approach is
to make better decisions by integrating risk (enterprise risk management)
and return (value-based management), thereby increasing company value.
The first step in risk decision making is to define risk appetite and risk limits.
With these in place, we have a solid framework for managing exposures to
within risk tolerances. However, we have so much more: a universal protocol
for all decision making, whether risk-priority or return-priority. The ERM-
infused decision-making protocol is agnostic as to the initiating driver behind
a proposed decision. It uses a single standard for evaluating any decision:
whether or not it increases company value. This opens the door to the value-
based approach providing myriad other benefits, such as enhancing the
strategic planning process; supporting stock buyback and issuance opportu-
nities; enhancing M&A decisions; better prioritizing internal audit efforts;
quantifying the value of compliance departments and other mitigation in
place; better prioritizing between stakeholders; and generally supporting
business decision making, even when speed is paramount and the assump-
tions are soft.
Risk culture is the acid test of an ERM program, because it gauges the
extent to which ERM is actually integrated into key company processes. The
integration of ERM into strategic planning and business decision making was
addressed in this chapter. In the next chapter, we will discuss the integration of
ERM into business performance analysis, incentive compensation, and com-
munications to external stakeholders.
Summary & 269
C06 01/13/2011 23:52:21 Page 270
NOTES
1. The term risks is shorthand here for the individual risk scenarios, because
this is the level at which correlations are handled in the value-based ERM
approach.
2. When new key risks are introduced, an additional step that will be required is
to revise the simulations used for the enterprise risk exposure calculation.
3. Enterprise risk exposure is comprised of enterprise risk exposure—graph
form; enterprise risk exposure—table form; and individual risk scenario
exposures.
4. Also referred to as risk exploitation (see ‘‘Risk Exploitation’’).
5. Enterprise risk exposure must also be monitored to ensure that it does not fall
too far below the soft limit of risk appetite; this is necessary for those less
common events where return-priority decisions somehow reduce enterprise
risk exposure.
6. In our value-based ERM approach, these lines are happily blurred, because risk
and return are properly integrated.
7. This is not to say that no risk-priority decisions take place. They do. However,
they are less urgent, and are more in the nature of serving to maintain the
appropriate levels of enterprise risk exposure.
8. There is a correlation between the unemployment rate and an increase in
disability claims, as workers see disability as a safe haven against the possibility
of being laid off.
9. Nick Paumgarten, The New Yorker, September 7, 2007.
10. Risk limits had not yet been formally set by management at this stage.
Management made the mitigation decisions on learning of the potential
impact of the key risk scenarios on company value. This occurred during
individual risk quantification, which precedes the definition of risk appetite
and risk limits. However, management’s reaction to these high individual
risk exposure levels revealed, implicitly, a tentative level for the risk limits,
which were ultimately determined, and formally set, later in the ERM
implementation process.
270 & Risk Decision Making
C07 01/05/2011 18:15:56 Page 271
7CHAPTER SEVEN Risk Messaging
The greatest problem of communication is the
illusion that it has been accomplished.
George Bernard Shaw
R ISK MESSAGING IS the fourth step in the ERM process cycle. In thischapter, we will discuss two types of risk messaging: internal riskmessaging and external risk messaging. INTERNAL RISK MESSAGING
Internal risk messaging refers to incorporating ERM information into perform-
ance measurement and management.
There are two aspects of internal risk messaging:
1. Integrating ERM into business performance analysis
2. Integrating ERM into incentive compensation
271
C07 01/05/2011 18:15:56 Page 272
Embedding ERM information into business performance analysis and
incentive compensation signals all levels of management that there is a strong
commitment to the ERM program. Effective internal risk messaging is neces-
sary to drive the appropriate ERM activities in the risk identification, risk
quantification, and risk decision making ERM process steps. If internal risk
messaging is ineffective or nonexistent, management realizes that they them-
selves are being measured on the same basis that pre-dated ERM; as a result
management begins to minimize ERM efforts or ignore them altogether.
Internal risk messaging—integrating ERM into performance measurement
and management—along with integrating ERM into decision making (dis-
cussed in Chapter 6), constitute what we are defining as risk culture.
Integrating ERM into Business Performance Analysis
We will discuss how ERM enhances two traditional methods for analyzing
business performance: financial results and balanced scorecards.
Financial Results
We will first examine the traditional approach to using financial results for
business performance analysis, along with its deficiencies, and then we will
discuss how the value-based ERM approach enhances this form of business
performance analysis.
Traditional Approach The primary traditional approach for evaluating the performance of the business is to analyze the prior single-period financial
results. These largely consist of an income statement, balance sheet, and cash
flow statement. Typically, the prior single-period financial results are compared
to the strategic plan goals, or ‘‘Plan.’’ Actual revenues are compared to Plan
revenues, actual expenses are compared to Plan expenses, actual earnings are
compared to Plan earnings, and so forth.
The benchmark—the Plan—is set using a form of risk adjustment. In
setting Plan goals, management implicitly or explicitly sets higher goals for
riskier businesses. However, there are two shortcomings with this traditional
approach: It lacks rigor and it is incomplete.
Lacks Rigor Management sets risk-adjusted goals either implicitly or explic- itly. Both approaches usually lack rigor. In cases where management implicitly
sets higher revenue and earnings goals for riskier businesses, their approach is
often both subjective and inconsistent. In these situations, management often
uses their gut-level feel for how much more should be required from the riskier
272 & Risk Messaging
C07 01/05/2011 18:15:56 Page 273
businesses. They are not basing this decision on quantitative information. This
is also an inconsistent approach. Different managers may be setting the goals
for different businesses, and each may have a different subjective perspective on
risk. In addition, without an objective standard, other factors enter into goal
setting, such as negotiating leverage, which also varies by business segment,
further skewing the implicit risk adjustment.
In most cases, management explicitly sets higher goals for riskier busi-
nesses. Goals may be set based on varying targets, such as a hurdle rate for
return on assets or return on investment. We will illustrate this with an
example. Consider a company that recognizes that its international business is
more risky, and that its mature business is less risky, than the bulk of its
domestic steady-growth business. As a result, management decides to vary its
15 percent hurdle rate, which, up until now, has been required for every
business segment. They decide to increase the 15 percent hurdle rate a little for
the riskier business, and decrease it a little for the less-risky business. Using
judgment, as opposed to quantitative analysis of the risk, management sets the
following explicitly defined hurdle rates for its business segments:
& Domestic steady-growth business segment: 15 percent return on
investment & International aggressive-growth business segment: 18 percent return on
investment & Mature business segment: 12 percent return on investment
Unfortunately, these targets are often set improperly, in two ways:
1. The hurdle rates are often set arbitrarily. The hurdle rates are usually
set without knowledge of the actual level of underlying risk in each
business segment, because it is not quantified. In our illustrative example,
management merely began with the 15 percent hurdle rate for all of its
businesses, and made a simple 3 percent upward adjustment for its higher-
than-average-risk business, and a 3 percent downward adjustment for its
lower-than-average-risk business.
2. The investment metric—the base to which the hurdle rate is
applied to determine target earnings—is poorly defined. At non-
financial services companies, the investment metric is often defined as an
allocation of equity. At financial services companies, the investment metric
is often defined as required capital. In either case, this only accounts for a
portion of the shareholder’s investment. The total investment is company
Internal Risk Messaging & 273
C07 01/05/2011 18:15:56 Page 274
value. The company value calculation includes the present value of all
future distributable cash flows. Equity, or required capital, usually repre-
sents only a small portion of company value.
However, even if we assume that equity, or required capital for financial
services companies, is an appropriate definition of the investment, there are
other problems with the way it is typically defined.
At non-financial services companies, the investment is often defined as
allocated equity, which in some cases may just be the amount of equity
maintained in the legal entity containing the business segment. This may have
no relationship to the actual level of required investment; for example, there
may currently be excess equity held in the legal entity.
At financial services companies, the investment is often defined as
required capital. Required capital is the amount financial services companies
set aside, in addition to reserves, as a buffer against bad performance related
to the risk inherent in their existing commitments. Required capital is defined
by management, and is often set in consideration of one or more of the
following:
1. Regulatory capital
2. Rating agency capital
3. Economic capital1
Unfortunately, each of these is a poor way to define the investment metric
for a business segment.
Regulatory capital and rating agency capital are not calculated based on
the company’s risks. They are determined formulaically, using an approach
based on broad industry statistics. They are not customized to the specifics of
the company, let alone to the specifics of each business segment.2
Traditional economic capital models are a step in the right direction, but
they are also seriously lacking. These models use a company-specific approach
to measuring risk, using risk scenarios and projecting their impact on company
financials. However, there are two major problems with the way traditional
economic capital models calculate risk exposure:
1. Missing future new business. Most economic capital models exclude
future new business. They were originally designed to focus on balance
sheet capital (hence the name), examining how it changed under stress
conditions. As such, they do not look forward, and do not include future
distributable cash flows for the firm as a going concern. This results in
274 & Risk Messaging
C07 01/05/2011 18:15:56 Page 275
economic capital models omitting the majority of the risk exposure. The
majority of risk exposure comes from strategic and operational risks.
Strategic and operational risks primarily impact future revenues and
expenses. These cannot be captured properly using a traditional eco-
nomic capital model, because these models do not project revenues and
expenses for future new business in their baseline scenario, and do not
reflect changes to future revenues and expenses in their risk scenarios.
2. Missing integrated impacts. Most economic capital models do not
capture the integrated impacts of two or more risk scenarios occurring
simultaneously. Instead, they measure each risk one at a time and attempt
to adjust for interactivity using correlation adjustments, which is in-
adequate, as discussed in ‘‘Capturing Interactions’’ in Chapter 5. Omitting
multiple simultaneous risk occurrences results in failing to capture some of
the largest loss events (see ‘‘Omits the Largest Threats’’ in Chapter 2).
Incomplete Even more problematic than the lack of rigor is the fact that this approach is incomplete. It only measures the changes in the past period, for
example, in terms of revenues, expenses, and earnings. This completely ignores
the changes that occur during the year that may alter the trajectory of future
revenues and expenses, versus the baseline strategic plan projection. Similarly,
it also ignores the changes that occur during the year that may alter the
riskiness of the firm, changing the enterprise risk exposure, the downside
standard deviation, and, thereby, the discount rate. These missing items can
easily be more significant than past period results.
Value-Based ERM Approach The value-based ERM approach provides multi-period metrics to support an analysis of business performance that is
both rigorous and complete.
Rigorous With a value-based approach, the business performance is meas- ured by the amount that company value is increased, over the past period, in
comparison to the increase expected in the strategic plan. This is quite rigorous,
since the value-based ERM approach strengthens the strategic plan and the
strategic planning process. In addition, the value-based ERM approach provides
rigorous risk and return metrics.
Complete In addition, this approach is complete in that it fully captures all future impacts on value as well as the impacts over the prior single period. This
approach captures all of the following:
Internal Risk Messaging & 275
C07 01/05/2011 18:15:56 Page 276
& Changes that occur during the year that impact distributable cash flows
during the year & Changes that occur during the year that alter the trajectory of future
distributable cash flows & Changes that occur during the year that alter the riskiness of the firm
In addition to being rigorous and complete, there are two additional
desirable aspects to using the change in company value as a metric for
performance analysis. First, in addition to the enterprise level metrics, an
analogous set of calculations produces this information in support of an
analysis of performance at the business segment level, or for any other level.
Second, an attribution analysis can be performed to determine the relative
contribution of any value driver of the past year’s business performance. For
example, the portion of the gains attributable to an increase in customer
retention can be quantified.
Balanced Scorecards
Balanced scorecards are commonly used to evaluate business performance.
The key feature of balanced scorecards is the use of several non-financial
measures along with financial measures to analyze business performance.
The premise is that there are numerous, less-tangible items that impact the
value of the business, and simply achieving past period financial results that
meet (or exceed) the strategic plan goals is not enough, because these other
items also affect the value of the firm; if not now, then in the near future.
This premise is valid. Unfortunately, there is a fundamental flaw in the
way balanced scorecards are used, which leads to opportunity losses in
company value.
The fundamental flawwith balanced scorecards is in the relative weight, or
emphasis, placed on each of the scorecard elements. They are developed in a
fairly arbitrary way. Some firms place a higher weight on the financial goals
and equally distribute the remaining weights among the non-financial goals.
Others use equal weights for all goals. Still others set different weights for each
of the goals. However, all companies define these weights without a rigorous
approach. They are more or less merely conjured up out of thin air.
Let’s assume that management believes that the weights will be taken
seriously by senior management. This would mean that management believes
that the weights (corresponding to balanced scorecard goals) will somehow—
either explicitly or implicitly—be reflected in their performance reviews and
276 & Risk Messaging
C07 01/05/2011 18:15:56 Page 277
incentive compensation. If this is the case, then management will expend
efforts to achieve the results of each scorecard element in proportion to these
weights. However, to the extent that these weights do not match the true
relative contribution to company value attributable to each scorecard element,
this will result in a smaller increase in company value than would have been
achieved with a correct set of weights. Because the weights used in the
balanced scorecards are set somewhat arbitrarily without a rigorous approach
to measuring the true relative contribution of each scorecard element to
company value, the ironic result is that balanced scorecards are fundamentally,
and destructively, unbalanced.
This problem can be solved using the value-based ERM approach. The
value-based ERM approach can be used to directly calculate more appropriate
weights for the balanced scorecard. It converts the less-tangible, non-financial
items into tangible items that can be quantified in terms of financial results.
First, let’s firmly establish the premise, which is not inconsistent with the
balanced scorecard premise, that the only important item to the company is
distributable cash flow, or, more precisely, the present value of all future
distributable cash flows. This is the only result that matters to the shareholders.
Unless a result impacts distributable cash flows now, or impacts them later, or
impacts the discount rate, shareholders do not care about it. The reason the
balanced scorecard introduces the non-financial metrics is that the prior single-
period financial results do not capture all of this. Looking only at prior period
results ignores the impact of changes during the past year that will impact the
future distributable cash flows or the discount rate.
The dynamic strategic planning tool, embodied in the value-based ERM
model, can be used to quantify each of the balanced scorecard elements in
terms of its marginal impact on company value. For example, assume that
one of the non-financial balanced scorecard items is ‘‘an increase in employee
satisfaction.’’ Management can make estimates, using an approach analo-
gous to a FMEA exercise, to develop risk scenarios for quantifying the
impact of this change on the baseline company value. A given increase in
the employee satisfaction index can be equated with some level of increase in
employee retention and/or employee productivity. These are value drivers
in the dynamic value-based ERM model, and changing them will translate
into an impact on the baseline company value. This is performed for each
balanced scorecard item. Even the ‘‘financial results’’ balanced scorecard
element itself must go through a (simple) calculation to put it on the basis of
a change in baseline company value: It must be discounted to the present
time using the discount rate.
Internal Risk Messaging & 277
C07 01/05/2011 18:15:56 Page 278
Once the relative marginal increases in company value are calculated
for a unit of improvement in each of the balanced scorecard items, they are
used to define more appropriate weights. The weights are defined in propor-
tion to the relative contribution toward company value. This results in a
significant shift in the weights. The change from arbitrary weights to mean-
ingful, quantitatively derived weights also increases the level of credibility of
the balanced scorecard with management. For companies whose manage-
ment takes the balanced scorecard seriously, this should lead to larger
increases in company value going forward.
It should be noted that if the ‘‘change in company value’’ metric is used
to analyze the performance of the business in the first place, then the
balanced scorecard would not really be needed at all. All that the balanced
scorecard would add at this point would be a simple rule of thumb that
provides an approximate equivalency between a given level of improvement
in one particular value driver and the resulting increase in company value.
See ‘‘Balance or Distraction?’’
Integrating ERM into Incentive Compensation
One of the basic tenets of good business practice is to use incentive compen-
sation to align management interests with those of the shareholders. A
common claim is that including stock or stock options in management’s
incentive compensation effectively achieves this alignment. The theory
offered is that if management is awarded stock, or stock options, their
BALANCEOR DISTRACTION?
Some argue that the balanced scorecard helps management focus on awide range of value drivers by requiring improvement in each balanced scorecard element. However, this is a hollow contribution. Shareholders are indifferent as to the source of an increase in company value. They just want it to increase and to keep increasing over time. There is no inherent benefit in forcing an attempt to squeeze an increase in company value specifically out of this source or that source. In fact, this tends to slow the increase in company value. Management must be free to achieve the largest possible increase in value from wherever the opportunity arises. Artificial constraints on these opportunities result in an opportunity loss in company value versus what could otherwise have been generated.
278 & Risk Messaging
C07 01/05/2011 18:15:57 Page 279
incentives are to drive up the stock price. If this ‘‘stock award alignment’’
theory were valid, then why do we still have so many instances where
management is enriched while shareholders suffer losses? Part of the reason
for this mismatch is that this simple theory has two holes in it:
1. Information mismatch for award value
2. Poor metrics for calculating award amount
We will discuss each of these holes, as well as how integrating ERM
information into incentive compensation can plug them.
Information Mismatch for Award Value
The first hole in the stock award alignment theory is that there is a mismatch
of information between management and the stock market which manage-
ment can exploit. The value of the stock or stock option awards is based
on the stock price. But this is not the best measure of the value of the
organization. As discussed in Chapter 5 (see ‘‘Calculate Baseline Company
Value’’), an internal enterprise valuation is more accurate. This is, to a large
extent, based on the fact that management has a better sense of the value of
the enterprise than does the market, because it has access to inside informa-
tion. With large amounts of stock or stock option awards already in hand,
management has great incentive to use their information mismatch to
drive up the market value, in some cases for long periods of time, without
actually doing the hard work of increasing the underlying value of the firm,
either by increasing future distributable cash flows or lowering the riskiness
of the firm.
One solution is to replace actual stock and stock option awards with
phantom stock based on ERM information, where the baseline company value
calculation is used as the basis for the phantom stock value. To be effective, the
unit in charge of calculating the phantom stock price must have a high level
of independence and access to information, and they must be scrutinized by
internal and external auditors and be reviewed by an independent valuation
firm. Another option is to use an independent valuation firm to perform the
calculations. Either way, this approach eliminates much of the mismatch of
information. Management may still have great incentive to maintain some of
this information mismatch, but it is far more difficult to hide information
internally than it is to hide it from the market, particularly when someone is in
charge of uncovering it.
Internal Risk Messaging & 279
C07 01/05/2011 18:15:57 Page 280
Poor Metrics for Calculating Award Amount
The second hole in the stock award alignment theory is that there are poor
metrics used to calculate the amount of the awards. The metrics that are typically
used to calculate these awards are the traditional approaches thatwere discussed
earlier (see ‘‘Integrating ERM into Business Performance Analysis’’), along with
their shortcomings. These traditional approaches include comparing past single-
period financial results with Plan results and the use of balanced scorecards.
The solution to the shortcomings of these approaches was also discussed
earlier: Use ERMmetrics, which more properly capture the actual performance
(of the enterprise, business segment, business unit, or individual), in terms of
the change in baseline company value. The actual amount of the initial award is
at least as important as the value of the award, which was addressed in the
prior section. However, with both the amount of the award, as well as the value
of the award based on the baseline company value calculation, there is superior
alignment between management and shareholders. Management’s true con-
tribution to company value, in the past year, determines their award amount,
and their future contribution to company value determines the sustained value
of their award.
EXTERNAL RISK MESSAGING
External risk messaging refers to communicating ERM information to external
stakeholders. There are four external stakeholders we will discuss:
1. Shareholders
2. Stock analysts
3. Rating agencies
4. Regulators
Communications to Shareholders
Communications to shareholders, or to potential investors and the general
public, are referred to generally as risk disclosures. We will discuss two
categories of risk disclosures:
1. Voluntary risk disclosures
2. Mandatory risk disclosures
280 & Risk Messaging
C07 01/05/2011 18:15:57 Page 281
Voluntary Risk Disclosures
Voluntary risk disclosures refer to ERM communications that management
chooses to share publicly, for example in the annual report to shareholders,
based on the belief that the ERM program constitutes a competitive advantage.
Companies with advanced ERM programs, such as the value-based ERM
approach, should include descriptions, and evidence of, their ERM activities
in their voluntary risk disclosures. This can signal to investors a superior ability
to properly understand and balance risk and reward, as well as to successfully
execute their strategic plan.
The appropriate information to provide shareholders varies from situation
to situation. In addition, the way in which the information is crafted must be
done with care. A balance must be struck. Enough information must be given
to convey the message, but without a high degree of specificity. However, some
examples of typical items that may be appropriate to voluntarily disclose
include the following:
& The comprehensive nature of the ERM program in terms of its enterprise-
wide scope and its inclusion of all sources of risk & The strategic focus of the ERM program and how it focuses management
on the largest potential threats, whether from a single risk event or from
combinations of simultaneous risk events & Management’s use of aggregate metrics—understanding risk exposures at
the enterprise level, as well as defining risk appetite at the enterprise
level—and thereby its ability to effectively manage risk exposure to within
risk appetite & The practical business applications of a value-based ERM program, and the
competitive advantage gained from making better risk–reward decisions
by linking ERM to value-based management & How business performance analysis is enhanced using ERM information & How management incentives are better aligned with shareholders using
ERM information & How risk governance is enhanced, providing additional comfort that key
risk exposures are well understood and managed
In addition, it is advisable to include selected stories about the lessons
learned through the adoption of the ERM program, and how it helped advance
the risk culture. Specific stories of the enhanced sophistication gained from
ERM strengthen the level of investor confidence. Flowery generalities of alleged
External Risk Messaging & 281
C07 01/05/2011 18:15:57 Page 282
competitive advantages tend to fall flat, whereas actual stories of success speak
for themselves. The stories should include incidents where management made
better decisions after producing ERM information. Some examples may include
the following:
& Previously hidden exposures that were uncovered by the ERM program,
immediately prioritized, and then mitigated & A level of enterprise risk exposure that was quantified, deemed too risky,
and reduced to an acceptable level & Exposures that were identified as wastefully over-mitigated and where
management produced significant cost savings by reducing the level of
mitigation & A change in the strategic proportions of the business toward amore shock-
resistant portfolio, leveraging offsetting risk sources; for example, finding
business opportunities that were countercyclical and strategically increas-
ing the level of exposure to them & A change in the strategic proportions of the business away from those
identified as having a subpar risk–return profile and toward those with an
acceptable or superior risk–return profile
Mandatory Risk Disclosures
We will discuss three Securities and Exchange Commission (SEC) requirements
regarding risk disclosures:
1. Disclosure of risk factors
2. Disclosure of risk governance
3. Disclosure of risky incentive compensation programs
Disclosure of Risk Factors The SEC requires annual risk disclosures in form 10-K, Item 1A. Risk Factors.3 The SEC requires ‘‘a discussion of the most
significant factors that make the offering speculative or risky.’’ The value-
based ERM approach satisfies this requirement in a way that ensures
compliance and also provides a competitive advantage. In addition to
providing an ability to emphasize the biggest threats to shareholder value,
the value-based ERM approach also provides the ability to properly categorize
and define risks by their source, identify the most impactful component
drivers of the key risk scenarios, and evaluate and select the most cost-
effective mitigation actions. The risk disclosures offer another opportunity for
282 & Risk Messaging
C07 01/05/2011 18:15:57 Page 283
management to showcase its leading practices in managing risk to protect
shareholder value. These skills can be conveyed by crafting risk disclosures
using the following three techniques:
1. Categorize and define risks by source. Most risk disclosures confuse
risks sources with risk outcomes (financial impacts). This can be seen by
the mention of reputational risk, or the risk of a ratings downgrade, as
if each of these represented individual sources of risk. In addition, most
risk disclosures demonstrate scrambled thinking about risk by confusing
a single discussion with multiple sources of risk. This can be seen by
selecting a single paragraph that should be discussing one source or group
of sources of risk, but instead rambles on in a discussion across multiple
sources of risk, crossing from strategic to operational and back again,
sometimes all in the same run-on sentence. For an example of this, see
‘‘Muddled Risk Disclosure.’’
MUDDLED RISK DISCLOSURE
As an example of a single paragraph in a risk disclosure that discussesmultiple risk sources in the same breath, consider the following extract, taken from the risk disclosures of a leading beverage company:
Obesity and other health concerns may reduce demand for some of our products. Consumers, public health officials, and government officials are becoming increasingly concerned about the public health con- sequences associated with obesity, particularly among young peo- ple. In addition, some researchers, health advocates, and dietary guidelines are encouraging consumers to reduce consumption of sugar-sweetened beverages, including those sweetened with HFCS or other nutritive sweeteners. Increasing public concern about these issues; possible new taxes and governmental regula- tions concerning the marketing, labeling, or availability of our beverages; and negative publicity resulting from actual or threat- ened legal actions against us or other companies in our industry relating to the marketing, labeling, or sale of sugar-sweetened beverages may reduce demand for our beverages, which could affect our profitability.
(continued )
External Risk Messaging & 283
C07 01/05/2011 18:15:58 Page 284
In contrast, a value-based ERM approach stresses the importance of
categorizing and defining risks by their source. This is important for the
risk identification, risk quantification, and risk decision making ERM
process steps. However, it is also important for the risk disclosure ERM
(continued ) In examining this one paragraph in the company’s risk disclosure,
several different sources of risk can be identified, some strategic and some operational. Some of the phrases in the risk disclosure paragraph have been selected and mapped to their risk source in Table 7.1.
Each of these risk sources would be better discussed and considered separately. Their qualitative risk assessment would benefit from a clear segregation of risks by their distinct sources; the risk scenario development interviews would flow better by starting with each individual risk source and following the downstream impacts; and risk mitigation must be addressed separately for each source of risk.
TABLE 7.1 Risk Disclosure Paragraph Mapped to Its Risk Sources
Phrase or
Sentence Risk Category Risk Subcategory Risk
‘‘Consumers . . . increasingly concerned’’ and ‘‘Increasing public concern’’
Strategic External relations Consumer relations
‘‘possible new taxes and governmental regulations concerning the marketing, labeling, or availability of our beverages’’
Strategic Legislative/ Regulatory
Product/services- related
‘‘negative publicity resulting from actual or threatened legal actions’’
Operational Litigation Litigation risks
284 & Risk Messaging
C07 01/05/2011 18:15:59 Page 285
process step as well. Discussing each risk source separately provides far
more clarity in a company’s risk communications versus its competitors.
This clarity of communications signifies a more sophisticated level of
understanding of the risks by management.
2. List risks in priority order. Traditional ERM programs do not provide
management with the capability of listing the risks in the priority order
indicated by a shareholder perspective. As a result, most disclosures of risk
factors include a laundry list of items not listed in priority order in the way
shareholders might expect. As discussed in Chapter 2 (see ‘‘Criterion 8:
Appropriate Risk Disclosures’’), the improper disclosure of risk factors is the
single most overlooked risk for companies in all sectors.
In contrast, a value-based ERM approach provides management an
ability to list the key risks in decreasing rank order corresponding to the
perspective of shareholders. This elegant facility sends a message to
shareholders that management has an ability that most of its competitors
do not: an ability to quantify risk in terms of its potential impact on com-
pany value. In addition, it supports compliance with the risk disclosure
requirements. Finally, this provides the board of directors and the exec-
utives with a level of comfort that the risk management program is
identifying and addressing the biggest shareholder threats.
The priority ranking should be determined by incorporating both
likelihood and severity information corresponding to the individual risk
scenarios. However, due to the sensitive nature of the information, as well
as the uncertainty of any individual data point, it is inappropriate to reveal
the likelihood or severity data. Instead, this information should merely be
used internally to inform the way in which the risk disclosures convey
the relative importance of the risks. This is done by listing the risks in
decreasing order of importance, by providing more discussion for the more
important risks, and by the relative tone used to describe management’s
concern about the risks.
3. Discuss most impactful component drivers. Most traditional ERM
programs do not highlight the most important individual component
drivers of the key risks, because they don’t measure this properly. This
is somewhat visible in the risk disclosures of these companies, in that
management will talk in generalities about the risks. Value-based ERM
programs, on the other hand, identify the most impactful component
drivers by quantifying them in terms of the potential impact on company
value, using an attribution calculation. Sharing these insights in the risk
disclosures conveys a deeper understanding of the risks.
External Risk Messaging & 285
C07 01/05/2011 18:15:59 Page 286
Disclosure of Risk Governance The SEC requires annual risk disclosures of the board’s role in risk oversight.4 The requirement is written vaguely, and is
intended to provide companies an opportunity to discuss the following:
& Whether primary risk oversight responsibility resides with the full board or
with a board committee, such as a risk committee or the audit committee & How risk oversight is conducted, which includes what information is
monitored (key risk exposures, key ERM decisions, etc.), who provides it,
and how often it is provided & Whether primary responsibility for ERM resides with the full board or with
a board committee or with management (e.g., the ERM committee) & Whether the person with day-to-day ERM responsibilities reports directly
to the full board, to a board committee, or to management
Disclosure of Risky Incentive Compensation Programs The SEC re- quires annual risk disclosures of risky incentive compensation programs.5 If
a company’s incentive compensation policies and practices (for any employee,
not just executives) create risks that are ‘‘reasonably likely to have a material
adverse effect’’ on the company, then the company must include discussion
and analysis of the compensation program giving rise to such risks. The
‘‘material adverse effect’’ requirement relates to net (or post-mitigation) risk
exposure, as opposed to gross (or pre-mitigation) risk exposure.
To ensure compliance with this disclosure requirement, management
must be able to do the following:
1. Measure the risks taken by employees in terms of impact on value6
2. Define ‘‘material adverse effect’’ in terms of impact on value7
3. Integrate both of the above into the incentive compensation formula
A value-based ERM approach provides all of these capabilities. It allows the
measuring of risk exposures, in terms of the potential impact on company
value, from enterprise level all the way down to the individual employee level.
In addition, it provides a rigorous definition of ‘‘material adverse effect’’
through the quantitative definition of risk appetite. Finally, it provides an
ability to integrate both of these metrics into incentive compensation: Both
metrics are available and are updated with a frequency that supports incentive
compensation calculations and payments.
If management finds that its compensation policies and practices do create
risks ‘‘reasonably likely to have a material adverse effect,’’ or if management
286 & Risk Messaging
C07 01/05/2011 18:15:59 Page 287
cannot confirm that they do not do so, then the company must disclose a
discussion and analysis of the relevant portion of the compensation program.
Some of the more interesting aspects of the discussion and analysis disclosure
include the following four elements:
1. The reasoning behind the compensation policies and practices, in terms of
its impact on employee risk taking
2. The risk assessment, if any, relied on in developing the compensation
policies and practices
3. The ability to modify compensation after a risk event occurs (e.g.,
clawbacks)
4. Changes to compensation policies and practices made pursuant to changes
in the company’s risk profile (i.e., enterprise risk exposure)
Communications with Stock Analysts
A value-based ERM approach is especially helpful in communications with
stock analysts. There are two key advantages provided by the value-based
approach that can demonstrate management’s advanced capabilities in ERM
versus its competitors. First, the value-based approach to risk scenario devel-
opment uses the FMEA interview technique to extract knowledge from internal
subject matter experts in developing discrete deterministic key risk scenarios.
The resulting risk scenarios are well thought out in terms of how the event
would unfold, how it would initially impact the company, any secondary or
tertiary impacts, and management’s likely actions, including existing post-
event mitigation plans (such as business continuity plans). Second, the value-
based approach to quantification provides a dynamic internal valuation model
for calculating company value, which is more accurate than the external
valuation models used by stock analysts, as discussed in Chapter 5 (see
‘‘Calculate Baseline Company Value’’).
These two advantages come into play with stock analysts when a risk
event occurs in the industry sector and analysts are querying management
about the impact it may have on the company. Management using a value-
based ERM approach is in a position to respond with something like the
following:
Although we do agree generally with your estimate of the potential impact of this risk event on other companies in our sector, we believe you are overstating its impact on our firm. We have already thought
External Risk Messaging & 287
C07 01/05/2011 18:15:59 Page 288
through this eventuality in some detail. We have this risk event as one of our key risks, and we have constructed several ‘‘what-if’’ risk scenarios, through interviews with our subject matter experts, that include the potential financial impact on our business. Though the scenario currently unfolding does not precisely match one of our risk scenarios, it is midway in severity between two that we did con- sider, and it’s playing out reasonably close to what we would expect. Two years ago, we put the following mitigation in place [details pro- vided] as a result of our ERM program highlighting this risk and quantifying these mitigation actions as valid risk–reward trade-offs. In addition, since the event, we have already put in motion the follow- ing post-event mitigation plan [details provided].
Further, we use an internal valuation model, based on discounted distributable cash flows consistent with our strategic business plan projection, to determine the potential impact of such events on our company value. We feel you are overstating how much this will impact us in the following business segments, for the following reasons [details provided].
Such a conversation would clearly demonstrate to stock analysts that
management at this firm has a far better grasp on ERM than the vast majority
of their competition. Most of the competitors are unlikely, during early onset of a
risk event, to yet have a sense of how, where, and to what extent the risk event
will impact their company. Over a sustained period of time, similar risk
messaging with stock analysts should serve as a powerful differentiator that
can eventually lead to a highermultiple on the valuation of the company’s stock.
Communications with Rating Agencies
Each major rating agency has its own unique perspective on, and under-
standing of, ERM. As a result, rating agencies each have their own set of
expectations of what they would like to see from companies. This not only
varies by rating agency, but also by industry sector, geography, and, often,
from analyst to analyst at some rating agencies. To conduct effective risk
messaging with rating agencies, management must take the following steps:
1. Understand formal positions
2. Understand variations by analyst
3. Draft risk message from company perspective
4. Customize risk message to rating agency and analyst perspectives
288 & Risk Messaging
C07 01/05/2011 18:15:59 Page 289
Understand Formal Positions
The first step in crafting an effective risk message for a rating agency is to
gain a thorough understanding of their formal position on enterprise risk
management. Depending on the rating agency and the industry sector, there
may or may not be dedicated publications on ERM. These documents often
convey the major themes of focus for the rating agency. However, some of
the key points can only be obtained by reading between the lines. Rating
agency documents are often championed by one or two main authors, but
also reflect the input of an assortment of other associates, which can cloud
some key elements.
The formal rating agency position papers on ERM are periodically updated;
therefore, we will not discuss the particulars of any specific documents.
However, there are two documents worth noting. As discussed in Chapter
1, in October 2005, Standard & Poor’s (S&P) introduced an ERM evaluation in
the insurance sector, resulting in an additional distinct ratings component,
which contributed to advancing the practice of ERM. In December 2007, S&P
published a monograph that includes nine separate ERM documents, including
their guidance on the insurance ERM evaluation. This monograph is important
because of the leadership role S&P has played in rating agency ERM evalua-
tions. The monograph is titled ‘‘Enterprise Risk Management for Financial
Institutions: Rating Criteria and Best Practices.’’ This monograph may be
periodically updated; care should always be taken to obtain the latest versions
of rating agency position papers.
Another document worth noting was published by Moody’s in March
2007, titled ‘‘Risk Management Assessment: Non-life Insurance Companies.’’
This document is no longer actively part of Moody’s ratings evaluation.
However, I reference it here because it has some advanced thinking and offers
some excellent perspectives and best practices.
Understand Variations by Analyst
Not all analysts at a rating agency share the same interpretation of the formal
ERM-related position papers published by their organization. It is prudent to
become familiar with the differing interpretations of the individual analyst or
analysts that will be evaluating the company. Management can meet with
these analysts and solicit their perspectives directly. This is helpful to an
extent. Even more helpful is to gather information from others in the industry
sector that have had direct experience with these analysts.
External Risk Messaging & 289
C07 01/05/2011 18:15:59 Page 290
Draft Risk Message from Company Perspective
There are two types of risk messaging that can be used for communications to
rating agencies:
1. Routine presentations
2. Dedicated ERM presentations
Routine Presentations Rating agencies seek to evaluate the strength of the company and evaluate how likely they are to fail. Most of the information
rating agencies receive is historical, yet they must think prospectively, in an
attempt to predict the likelihood of the company’s failure in the future. ERM can
play a big role in this regard. It offers robust information about future scenarios
and characterizes the company’s shock resistance to its key threats.
Management should review their routine presentations to rating agencies
to identify opportunities to embed ERM information. A major example is
discussions of the company’s strategy and management’s confidence in their
ability to successfully execute it. Having a value-based ERM approach provides
much fodder for inclusion in such a discussion. It strengthens the strategic
planning process. It identifies the key risks. It quantifies the key risks, as well
as combinations of them, in terms of how much they may damage the strate-
gic plan, as expressed by shortfalls from the strategic plan financial projection
of future distributable cash flows. It helps management select the best port-
folio of risk mitigation to ensure that the strategic plan is achieved. It also
provides a measure of how likely management is to meet or exceed the
strategic plan goals, as well as a measure of how likely the company is to fail
(using various definitions of failure), and how these change under alternate
strategies and tactics. Finally, it facilitates an ability to tie a balanced risk–
return profile to incentive compensation, providing another level of confi-
dence in achieving the strategic plan due to better alignment of management
and shareholder goals.
For financial services companies, another major example of an opportu-
nity to embed ERM information in routine discussions is in discussions in-
volving required capital calculations. Although required capital calculations
should be part of their ERM program, they often pre-date the introduction of
ERM. Demonstrating how the required capital calculations, such as economic
capital, are effectively integrated with the ERM program offers evidence of
its wider adoption and use in business decision making, significantly adding
to its credibility.
290 & Risk Messaging
C07 01/05/2011 18:15:59 Page 291
Dedicated ERM Presentations For some rating agencies in some sectors, a separate conversation about ERM is involved. One example is S&P’s insurance
sector, which has ERM as a distinct component of the rating. In these cases, a
straightforward presentation of the ERM program is warranted.
It is important, at this point, to craft these from the perspective of the
company as opposed to the perspective of the rating agency (which is the next
step). Whereas the primary stakeholder for rating agencies is the bondholder,
management’s primary fiduciary responsibility is to the shareholders. Rating
agency analysts understand that a company that is well run, that is more likely
to achieve their strategic plan, and that is growing company value is also more
likely not to default on its commitments to bondholders. In addition, rating
agencies prefer that management present ERM information in a manner that is
consistent with how it is used within the company, representing actual
business practice. Presenting ERM information only in the format that man-
agement thinks the rating agency wants to hear—essentially holding up an
ERM mirror—is inappropriate. The rating agencies want to hear, ‘‘We know
you (the rating agency) look at ERM a bit differently, and we will later explain
how we satisfy your ERM criteria, but this is how we define ERM, this is what
we believe about ERM and why we believe it, and this is how we use ERM to
help us make better decisions and deliver on our strategic plan.’’
One of the keys to these presentations is credibility. Rating agency analysts
routinely tell me of how apparent it is when companies are merely presenting
ERM theory as opposed to ERM practice. Rating agencies look for signs that the
ERM program is real. That it is embraced by management. That it is actually
used in decisionmaking. That risk appetite—an enterprise-level calculation—is
actually defined in quantitative terms. That ERM is used in risk governance,
and that exposures are actually managed to within risk appetite. Providing
real-life case studies goes a long way toward establishing credibility for the ERM
program. Some types of case study examples that are suitable for these
presentations include the following:
& Risks escalated in priority due to ERM activities & Risk exposures reduced through mitigation, to keep them below their risk
limits & Enhancements made to the strategic planning process using ERM tools
and techniques & Decisions made differently using better risk–return trade-off information & Disclosures improved using risk quantification information
External Risk Messaging & 291
C07 01/05/2011 18:15:59 Page 292
Customize Risk Message to Rating Agency and Analyst Perspectives
After the company has presented the ERM program and its integration into key
company processes from its own point of view, it is important to customize the
risk message to the perspectives of the rating agency and the specific analyst(s)
performing the review. The risk message must be translated into the terminol-
ogy of the audience. This is critical for ERM, because even among ERM experts
there is a plethora of competing definitions and terms.
In addition, a clear mapping must be provided to illustrate that the rating
agency’s key ERM criteria are satisfied, as well as any variations of interpreta-
tions held by the analyst(s). An effective mapping includes a list of the key ERM
criteria from the rating agency and analyst perspectives, using their terminol-
ogy, where each item in the list is mapped to one or more company ERM
activities, using the company’s terminology. This helps the analyst(s) gain a
clear understanding of what the company has achieved with their ERM
program. Skipping this step can result in a lack of appreciation of the company’s
ERM efforts by the rating agency, purely based on an erroneous belief that the
company is missing something.
Communications to Regulators
At the time of the writing of this book, it is unclear what risk information will
ultimately be required by U.S. regulators as a result of the Dodd-Frank bill,
which became effective July 21, 2010. The Dodd-Frank bill, intended to
prevent a recurrence of the global financial crisis that began in the United
States in 2007, may end up requiring some risk data primarily from the largest
banks. This regulation appears to have missed an opportunity to gather a
broader data set which could have provided a better picture of the risks to the
U.S. economy. A concentration of risk exposure that can threaten the U.S.
economy exists not just at banks, but at every large company, in all sectors,
particularly those that would be in the category of ‘‘too big to fail.’’
SUMMARY
The fourth and final step in the ERM process cycle, risk messaging, offers
numerous advantages. Internal risk messaging enhances performance mea-
surement and management. If the integration of ERM into strategic planning
and business decision making is the heart of risk culture, then internal risk
messaging is the electrical stimulus that makes it beat. The integration of
292 & Risk Messaging
C07 01/05/2011 18:15:59 Page 293
ERM into business performance analysis and incentive compensation sends a
clear signal internally that both risk and return must be managed together.
This is what drives risk culture. In addition, the integration of value-based
ERM into business performance analysis corrects the flaws in the balanced
scorecard approach, and provides an ability to capture management’s full
contribution to company value during the year. Finally, the value-based
approach better aligns management and shareholder interests by enhancing
incentive compensation.
External risk messaging offers significant benefits as well. The value-based
ERM approach supports complying with mandatory risk disclosures as well as
using voluntary risk disclosures to signal the market regarding the company’s
competitive advantage in ERM. With a more advanced version of a stock
analyst’s own valuation tools, and other advanced ERM techniques, the value-
based approach puts senior management in a stronger position when com-
municating with stock analysts, which can lead to better valuations. Finally,
the value-based ERM approach supports rating agency communications,
which can lead to strengthened ratings.
Now that we have completed our discussions of the basic ERM infra-
structure in Part I (Chapters 1–3), and the ERM process cycle in Part II
(Chapters 4–7), in the next chapter we move on to the final dimension of ERM
infrastructure: the hierarchical structure, which is risk governance.
NOTES
1. This refers to traditional economic capital models.
2. One argument in favor of using rating agency capital as a measure of the
investment is that, for many financial services companies, this is larger than
either regulatory capital or economic capital, and so, by default, the company
must hold that amount, regardless of the true underlying risk, or it will lose its
ratings. This has some merit. However, even in those situations, companies
often choose to measure business segments on the basis of a truer measure of
the actual risk, such as economic capital, and allocate the remainder to the
corporate segment.
3. Code of Federal Regulations, Title 17 (Commodity and Security Exchanges),
Chapter II (Security and Exchange Commission), Part 229 (Regulation S-K),
Item 503(c).
4. Code of Federal Regulations, Title 17 (Commodity and Security Exchanges),
Chapter II (Security and Exchange Commission), Part 229 (Regulation S-K),
Item 407(h), effective February 28, 2010.
Notes & 293
C07 01/05/2011 18:16:0 Page 294
5. Code of Federal Regulations, Title 17 (Commodity and Security Exchanges),
Chapter II (Security and Exchange Commission), Part 229 (Regulation S-K),
Item 402(s), effective February 28, 2010.
6. This must bemeasured in terms of the impact on value, because the perspective
of the disclosure is that of the shareholder.
7. Ibid.
294 & Risk Messaging
C08 01/05/2011 18:22:2 Page 295
IIIPART THREE Risk Governance and Other Topics
C08 01/05/2011 18:22:2 Page 296
C08 01/05/2011 18:22:3 Page 297
8CHAPTER EIGHT Risk Governance
Constitutions should consist only of general provi-
sions; the reason is that they must necessarily be
permanent, and that they cannot calculate for the
possible change of things.
Alexander Hamilton
R ISK GOVERNANCE AND the ERM framework constitute the twoelements of ERM infrastructure. The ERM framework provides thefunctional structure, which is part of the basic ERM infrastructure and must be in place before implementing the four ERM process cycle steps. Risk
governance provides the hierarchical structure, which includes the way in
which the ERM roles and responsibilities are divided up among individuals and
groups; the organizational structure, including reporting relationships and
authorities involved in ERM; and the policy and procedure documents that
instruct key elements of the ERM process. Until the company completes one full
ERM process cycle, only the most basic risk governance structure is warranted.
The way ERM evolves, is adopted, and becomes integrated into a company’s
key processes differs from company to company. Until it is clear what the ERM
297
C08 01/05/2011 18:22:3 Page 298
activities will actually look like, the comprehensive risk governance structure
required to support them cannot easily be determined. Now that we have
completed our discussions of the ERM framework and the ERM process cycle,
we are ready to discuss risk governance.
FOCUSING ON COMMON THEMES
The risk governance structure must be customized for each organization. There
are two reasons for this. First, the way ERM takes shape can be different at each
organization. Each organization adopts the ERM activities to a different extent,
expanding some aspects more than others, and the risk governance structure
must be defined around the ERM activities adopted. Second, risk governance
should be conducted, to the extent possible, through the normal governance
pathways already in place in the company. There are some components of ERM
that are new to the organization, are truly unique, and require distinct elements
in the governance process. However, ERM, to a great extent, should be
integrated into the company culture: integrated into key company processes
including decisionmaking and performance measurement andmanagement. As
a result, much of risk governance will be covered by the existing governance
structure over these existing company processes, which varies from company to
company. However, there are some risk governance themes that are common to
all companies, and these will be the focus of this chapter.
COMPONENTS OF RISK GOVERNANCE
In this chapter, we will discuss the three components of risk governance:
1. Roles and responsibilities
2. Organizational structure
3. Policies and procedures
ROLES AND RESPONSIBILITIES
We will discuss the ERM roles and responsibilities of each of the following
individuals or groups:
& Corporate ERM & ERM committee
298 & Risk Governance
C08 01/05/2011 18:22:3 Page 299
& Risk experts & Business segments & Board of directors & Internal audit
Corporate ERM
Corporate ERM, or the ERM team, includes the chief risk officer (CRO), or
equivalent head of the ERM program, and the supporting members of the
corporate ERM team. Corporate ERM has six major types of roles and
responsibilities:
1. Build, maintain, and enhance infrastructure
2. Build buy-in
3. Ensure consistency
4. Act as central clearing house
5. Monitor exposures
6. Inform the board
Build, Maintain, and Enhance Infrastructure
The ERM team is responsible to lead the development of new ERM capabilities,
to maintain existing ERM infrastructure, and to introduce enhancements over
time. Below is a list of fundamental ERM program infrastructure elements that
the ERM team builds, maintains, or enhances:
Build The ERM team must build the following ERM program elements:
& Setup & Construct the ERM framework, including details for major ERM process
steps & Develop an ERM program implementation plan & Outline an initial basic risk governance structure & Develop a comprehensive risk governance structure after at least one
pass through the ERM process cycle & Risk identification
& Develop the risk categorization and definition (RCD) tool & Design the process, tools, andmaterials for the qualitative risk assessment & Lead the development of the key risk list by conducting the qualitative
risk assessment
Roles and Responsibilities & 299
C08 01/05/2011 18:22:3 Page 300
& Develop the risk event database, which is developed during risk identi-
fication but used during risk quantification & Develop the emerging risk identification tools and processes
& Risk quantification & Build the value-based ERM model & Calculate baseline company value & Design the risk scenario development process and techniques & Facilitate development of the key risk scenarios by conducting the
risk scenario development process, such as FMEA interviews & Calculate the individual risk exposures & Facilitate the development of the key risk scenario correlation
assumptions & Calculate enterprise risk exposure in the graph form & Facilitate the development of initial pain points, and produce enterprise
risk exposure in the table form & Risk decision making
& Facilitate the definition of risk appetite and risk limits by conducting
the risk appetite consensus meeting & Develop the methodology for the top-down allocation of risk appetite
to risk limits & Develop the protocol for the integration of ERM information into
decision making & Monitor risk exposures to ensure they are maintained to within risk
tolerance limits & Facilitate the integration of ERM into strategic planning and business
decision making & Risk messaging
& Facilitate the integration of ERM into business performance analysis
and incentive compensation & Develop risk communications for shareholders, rating agencies, and
regulators
Maintain or Enhance Over time, the ERM team must maintain or enhance the following ERM program elements:
& Risk identification & Maintain the risk categorization and definition (RCD) tool, such as
occasionally adding risk subcategories
300 & Risk Governance
C08 01/05/2011 18:22:3 Page 301
& Conduct qualitative risk assessments periodically, sometimes annu-
ally, often at least every two years, or whenever warranted by signifi-
cant changes in the internal or external environment; periodically
identify or develop supplemental information to assist survey par-
ticipants, such as a comparative analysis of competitors’ disclosed risks & Update the key risk list after each qualitative risk assessment or for
significant changes in decisions or in the internal or external
environment & Update the risk event database for risk events occurring in the company & Coordinate continual emerging risk identification activities, including
monitoring known risks and environmental scanning for unknown
risks; periodically identify new techniques to supplement existing
activities & Risk quantification
& Maintain, update, and provide appropriate access to the value-based
ERMmodel; over time, modify and adapt the model for new applications & Recalculate baseline company value with at least the same frequency as
the strategic planning process & Update the key risk scenarios impacted by significant changes in
decisions or in the internal or external environment by re-conducting
the risk scenario development process, such as the FMEA interviews & Recalculate the individual risk exposures with the same frequency as
the strategic planning process, or whenever the key risk scenarios are
updated & Update the key risk scenario correlations when there are significant
changes in decisions or in the internal or external environment & Recalculate enterprise risk exposure with the same frequency as the
strategic planning process, or whenever the key risk scenarios or key
risk scenario correlations are updated & Risk decision making
& Update the definition of risk appetite, but only infrequently, with
significant changes in the strategy or the internal or external environ-
ment, by facilitating another risk appetite consensus meeting & Update the definition of risk limits, but only infrequently; for example,
with changes in risk appetite or a reorganization, by facilitating another
risk appetite consensus meeting & Monitor risk exposures against risk tolerance limits, and ensure appro-
priate risk-priority actions are taken by decision makers
Roles and Responsibilities & 301
C08 01/05/2011 18:22:3 Page 302
& Update ERM information supporting strategic planning and business
decision making for changes in the business & Over time, facilitate the expansion of applications for the integration of
ERM into business decision making & Risk messaging
& Over time, facilitate the expansion of applications for the integration
of ERM into business performance analysis & Over time, facilitate the evolution of the integration of ERM into
incentive compensation & Update communications to shareholders with the same frequency as
its venue, such as annually for 10-K risk disclosures; over time, modify
communications for changes in regulatory disclosures as well as changes
in industry sector conventions regarding disclosures & Lead the routine development of rating agency communications and
conduct the dedicated ERM presentations to rating agency analysts;
update communications for changes in rating agency ERM criteria & Update communications to regulators for changes in regulations
Build Buy-in
As the champion for the ERM program, the CRO has primary responsibility
to build sufficient buy-in for its adoption. With traditional ERM programs,
this is often the most challenging task. Any change in the way a company
does business involves some resistance and triggers the need for change
management efforts. However, the reason this is so difficult is that traditional
ERM programs use an approach that has many shortcomings, which are
discussed throughout this book. Traditional ERM programs typically generate
concern in the business segments that Corporate may impose another layer
of red tape and restrictions that may impinge on their freedom to pursue
business opportunities.
A value-based ERM approach is refreshingly different. One of its chief
advantages is the relative ease with which the CRO can gain buy-in. At the
heart of this is the fact that ERM is integrated into the business in a way that
makes a business case for ERM itself, and enhances the rigor in the business
case for all decision making by providing the ability to effectively manage risk
and return together. This is well received by the business segments.
There are several aspects of the value-based ERM approach that build buy-
in for the ERM program. We will discuss some examples of this by walking
302 & Risk Governance
C08 01/05/2011 18:22:3 Page 303
through the experience of implementing a value-based ERM program for the
first time.1
Setup The very first steps to setting up a value-based ERM program are all fairly low key. With a value-based ERM approach, the ERM team can be kept to
a small group, typically the CRO plus a handful of teammembers for support. In
addition, the ERM implementation plan can be largely drafted by the ERM team
themselves, requiring only minimal intrusion to gather input from key internal
stakeholders. Finally, very little risk governance structure is needed at the
outset; a more formal risk governance structure is developed later, after
completing the ERM process cycle at least once. The risk governance can
be mainly limited to defining the roles and responsibilities, as well as the
reporting relationship, of the CRO, and letting the rest evolve informally as the
ERM activities take place, until such time as a more formal risk governance
structure is needed. This lighter touch, particularly at the start, means that
very little political capital, as well as actual capital, has been spent.
Risk Identification The next step is the first step in the ERM process cycle: risk identification. The ERM team can produce the RCD tool mostly on their
own; they do leverage data on risks from internal audit, but this is readily
available and therefore not a burden. The ERM team identifies the qualitative
risk assessment survey participants, produces the advance communication,
and sends it to the participants.
Although survey participants are being asked to give of their time, what is
traditionally a negative first impression for the ERM program actually becomes
a positive experience and a good first step in building relationships, good will,
and buy-in for the ERM program. This is particularly important because this
first exercise involves interactions with powerful stakeholders from all key
areas of the enterprise. The qualitative risk assessment in a value-based ERM
program has four areas of advantage over that conducted in a traditional ERM
program, in terms of building buy-in:
1. Limited data request. The value-based ERM approach keeps the data
request limited to only what is needed at the time (see ‘‘Key #4: Gather
Data Appropriately’’ in Chapter 4). Traditional qualitative risk assessment
surveys include some data that is never needed, and other data that should
not be requested until the risk quantification stage, at which point it is only
needed for a much smaller number of risks. This is because traditional ERM
Roles and Responsibilities & 303
C08 01/05/2011 18:22:3 Page 304
approaches usually do not even have a risk quantification stage for most
risks. However, the value-based approach only needs to use the risk
identification stage to narrow down the larger list of risks to those key
risks which will then be quantified.
2. One-on-one interviews. Unlike the traditional approach of using tem-
plates, the one-on-one interviews used in the value-based ERM approach
have five key features that help build buy-in:
1. Personal. The interviews avoid the impersonal intrusion of an e-mail
bearing a task which participants feel they are left to figure out on their
own; instead, the participants will be individually guided through an
interview by one of the ERM team members. This is a highly personal
touch that builds goodwill and offers an excellent first impression of the
ERM effort. In addition, the face-to-face (or voice-to-voice) communi-
cations start to build key relationships between the ERM team and
internal stakeholders.
2. Collaborative. Rather than requiring survey participants to fill in a
complicated template, the ERM team member takes notes during the
interview, documents the minutes, and gives participants an opportu-
nity to correct them. This generates an atmosphere of collaboration.
3. Respectful. Although the survey participants are being asked to spend
their own time and energy, an ERM teammember is matching this level
of effort by being present and conducting the interview. This shows
respect for survey participants’ time.
4. Concise. Using interviews, rather than templates, further limits the
data request to only the need-to-have data, because any additional data
collected would require more work of the ERM team as well.
5. Confidential. The interviews may give survey participants more
confidence in the ability to maintain confidentiality, which makes
participants more comfortable and also builds trust.
3. Consensus meeting. A third area of advantage is the qualitative risk
assessment consensus meeting. Getting the survey participants together
as a group, whether in person or Web facilitated, and having conversa-
tions about the key risks and risk in general, starts to build a sense of
teamwork in connection with the ERM program. In addition, as a group,
participants have selected the key risks, which will be advanced to the
risk quantification ERM process step. This act gives survey participants a
sense of ownership over this key step in the ERM process, and people tend
to support efforts to which they attach a sense of ownership, and in
which they have had input in creating.
304 & Risk Governance
C08 01/05/2011 18:22:3 Page 305
4. Value added to internal audit. A fourth area of advantage is that the
first deliverable produced—a qualitative risk assessment that is based on
the potential impact to company value—offers significant value to the
internal audit team, which builds their level of buy-in. The internal audit
team can use this information to align their efforts to the ERM program.
In addition, the audit team can use this to better prioritize their audit plan
to focus on risks more impactful to the value of the enterprise. Finally, this
helps internal audit connect themselves to more of the strategic items
on the corporate agenda.
Risk Quantification We will discuss three items in the risk quantification ERM process step that help build buy-in:
1. Calculating baseline company value
2. Developing key risk scenarios
3. Quantifying individual risk exposures
Calculating Baseline Company Value The first step in the risk quantifi- cation ERM process step is constructing a baseline valuation model. The ERM
team can build the baseline valuation model mostly themselves, along with
key input from the person responsible for the strategic plan financial projection.
So, again, this involves a minimal footprint early on, which avoids stirring
up any negative sentiment that can inhibit buy-in.
In addition, once the baseline company value is calculated, the ERM teamhas
its second early deliverable: a more accurate, detailed, and dynamic valuation of
the enterprise. This offers several benefits, all of which serve as positive advertising
for theERMprogram, buildingmore buy-in. It helps identify opportunities for stock
issuance or buyback. It also enhances communications with stock analysts. In
addition, it provides an attribution of the company value by business segment,
which yields various insights.2 Finally, it offers a dynamic ‘‘what-if’’ model with
which to evaluate decisions or changes in the environment in terms of their
potential impact on the baseline company value.
Developing Key Risk Scenarios The development of key risk scenarios is one of the most significant sources of building buy-in. There are three main
aspects to this technique that generate such a high level of buy-in:
1. Respects expertise in business segments. Most traditional ERM pro-
grams rely too heavily on the ERM team to develop key risk scenarios, and
Roles and Responsibilities & 305
C08 01/05/2011 18:22:3 Page 306
then build an ERM model based on these assumptions which is then
unleashed on the business segments. This does not tend to gain credibility
with the business segments. Those closest to the risks— largely those in the
business segments—must be heavily involved.
The value-based ERM approach uses the FMEA process, which re-
spects the expertise of the subject matter experts, who mostly reside in the
business segments. The subject matter experts are being acknowledged for
their expertise, and are asked to provide virtually all of the inputs needed to
develop the key risk scenario. This produces a credible set of key risk
scenarios. In addition, because the business segments participated in the
development of the key risk scenarios, they tend to support the effort
behind it.
2. Addresses ‘‘black box’’ concerns. Whenever a financial projection
model is involved, there is some natural, unavoidable concern about it
being a ‘‘black box’’ calculation, which means that its inner workings are
somewhat opaque. However, the value-based ERM model is based on
fundamental valuation techniques, using a simple projection and discount-
ing of distributable cash flows. This is a bit more transparent due to its
simple structure. In addition, as part of the FMEA process, the subject
matter experts gain some additional comfort by providing inputs, seeing
the outputs from the calculation, verifying that results are reasonable, and
performing iterations if necessary.
3. Offers help. The FMEA interview provides a forum for the ERM team
member performing the interview to offer help to the subject matter
expert. At the end of the meeting, the expert from the business segment is
asked, ‘‘Is there any mitigation that you feel is needed, or is there any
project you had planned to do that is related to this risk scenario?’’ Often
the answer is, ‘‘Yeah, we know we need such and such, but we just
couldn’t make the business case for it and Corporate did not approve it.’’
The ERM team member is then able to respond, ‘‘Well, maybe we can
help you. The ERM model is written in the language of changes in
company value, which is the strongest business case possible. We can
help you model the proposed initiative and show you what revenues or
cost savings are needed to make it viable.’’ This shifts the level of buy-in
into high gear.
Quantifying Individual Risk Exposures The first quantification of risk comes fairly quickly, in the form of the individual risk quantification, and builds
buy-in in four ways:
306 & Risk Governance
C08 01/05/2011 18:22:3 Page 307
1. Transparent scenarios. The individual risk quantification results are
based on transparent risk scenarios. Most traditional ERM programs use
stochastic risk scenarios, which are inaccessible to management. Stochas-
tic scenarios involve formulae and mathematics that are not intuitive to
non-financial personnel. However, the value-based ERM approach uses
deterministic risk scenarios which are fully transparent. Each specific
individual risk scenario, along with its assumptions, is clearly laid out
in easy-to-read, concise documentation. The scenarios are tangible and
resonate with management. This engenders trust and a higher level of
comfort in using the information.
2. Stable results. Traditional risk quantification is based on stochastic risk
scenarios, which change every time the ERM model is run. This causes
unease on the part of management. However, the value-based approach
to individual risk quantification uses deterministic scenarios, which
have stability. They tend to remain unchanged, unless there is a change
to the risks, the business, or the external environment. This gives man-
agement the comfort they need to incorporate the information into
decision making.
3. Value-based results. The value-based ERM approach quantifies individ-
ual risks in terms of their potential impact on company value, which gains
buy-in from management. Rather than treating risk separately from
return, the two are integrated together. This makes sense to management.
They respond to this. They tend to act on information immediately when it
is expressed in their language, which is the language of all decision-
makers: the language of value.
4. Attribution by risk driver. The value-based ERM approach also gen-
erates support among businesspeople because it provides actionable
information that directs priorities for mitigation decisions. The individ-
ual risk quantification includes an attribution of the impact by compo-
nent risk driver. This helps management prioritize and focus mitigation
efforts on the most important components of the risks. Actionable
information, which includes clear decision-making priorities, is much
appreciated by management.
Risk Decision Making By the time the third step of the ERM process cycle, risk decision making, comes around, the ERM program has already achieved a
good level of buy-in from both Corporate and the business segments. However,
this brings us to the main attraction in terms of gaining acceptance of the
ERM program. It is the general ability of the value-based ERM approach to be
Roles and Responsibilities & 307
C08 01/05/2011 18:22:3 Page 308
integrated into the routine business decision-making processes that gains the
deepest level of buy-in. Rather than a separate risk management process,
value-based ERM becomes embedded in strategic planning as well as day-to-
day business decisions, including strategic decisions, tactical decisions, and
transactions such as mergers and acquisitions. This enhances the decision-
making process by providing information on both risk and return, in the same
venue, expressed in terms of changes in the baseline company value and the
likelihood of achieving it. Rather than hinder business, the value-based ERM
approach supports it.
Risk Messaging External risk messaging also helps build internal buy-in, particularly by helping senior management in one of their key responsibili-
ties.3 Part of senior management’s job is effectively managing the relation-
ship with stock analysts and rating agencies to obtain a favorable stock
valuation and to maintain the desired rating, respectively. External risk
messaging improves communications with both of these key external stake-
holders, supporting both of these key goals. The internal baseline enterprise
valuation, along with other aspects of the ERM program, significantly
enhances the quality of discussions with stock analysts. These discussions
demonstrate management’s superior ability to manage risk and return. In
addition, rating agencies tend to react quite favorably to the adoption of
value-based ERM programs. Rating agencies must project the future solvency
of the company, and the value-based ERM program provides a large amount
of credible prospective information on the company’s shock resistance.
Ensure Consistency
The ERM team must ensure consistency of the ERM program throughout the
enterprise. Consistency is one of the main advantages offered by an ERM
program. It takes the different risk management activities previously existing in
silo form and brings them together into a consistent program. The ERM team
must ensure a high level of consistency in various aspects of the ERM program.
Some examples include the following:
& Definitions, concepts, and terminology: & Create a common lexicon for ERM terms and concepts & Provide training on ERM to key stakeholders in the process & Ensure that risks are consistently defined by source and at the appro-
priate level
308 & Risk Governance
C08 01/05/2011 18:22:3 Page 309
& Align understanding of the baseline strategic plan in terms of its
financial projection (this is critical, because risk is defined as deviations
from the baseline strategic plan) & Tools and techniques, including their usage:
& Deploy a single ERM framework enterprise-wide & Use a single repository (such as the RCD tool) for risk identification,
emerging risk identification, and risk monitoring (risk event database) & Conduct qualitative risk assessment surveys in a uniform manner, in
part to ensure a common understanding of the risk scenarios among
survey participants & Use a consistent risk scenario development technique (such as FMEA
interviews), and conduct it in a uniform manner & Provide a single ERM model accessible to all stakeholders
& Assumptions: & Offer input on assumptions developed for risk scenarios, when neces-
sary, to ensure consistency & Review and approve risk scenario correlation assumptions, many of
which cross multiple business segments & Ensure that a consistent standard is used to decide when ERM assump-
tions may be changed & Metrics:
& Provide a single set of metrics that can be used to: & Quantify all types of risk—strategic, operational, or financial—for
individual risk quantification & Produce the aggregate metrics: enterprise risk exposure and risk
appetite & Decision making:
& Establish a consistent process to manage risk exposures to within risk
appetite and risk limits & Establish a consistent process for evaluating business decisions,
whether risk-priority or return-priority decisions & Risk messaging:
& Use a uniform set of reporting templates internally & Ensure a consistent message is provided to shareholders through both
mandatory and voluntary risk disclosures, and that this is consistent
with the internal ERM program & Ensure that a consistent ERM message is communicated to rating
agencies in dedicated and non-dedicated ERM presentations, as well
as in conversations with management
Roles and Responsibilities & 309
C08 01/05/2011 18:22:3 Page 310
Act as Central Clearing House
The ERM team serves as a central clearing house for ERM information and
actions. Information must be centrally gathered, maintained, aggregated,
and reported (internally and externally). It is critical to perform this centrally,
not only to aggregate metrics to the enterprise level, but also to determine
the net integrated impact of cross-department risks interacting to offset or
exacerbate each other. In addition, the ERM team coordinates and sorts out
disputes involving competing cross-department requests for increases in risk
budgeting. The ERM team also must coordinate risk-priority mitigation
decisions enterprise-wide. Finally, the ERM team helps coordinate responses
to risk events as well as inquiries by external stakeholders, facilitating
communications and actions among the board, senior management, exec-
utive risk owners, subject matter experts, and external stakeholders.
Monitor Exposures
One of the most important roles of the CRO is to effectively monitor
exposures. The ERM team must monitor exposures and ensure they are
maintained within risk appetite and risk limits.4 The ERM team may not be
the ones that, in isolation, make the decisions regarding what appropriate
actions to take, when exposures threaten to, or actually do, exceed risk
tolerance levels. In addition, the ERM team may not be the ones deciding on,
or executing, the specific mitigation plans. However, their responsibility is to
set up a general process by which the ERM committee can determine what
the exposures are and what the appropriate risk tolerance levels should be,
and provide reasonable notice to all relevant stakeholders in advance of
violations or an increase in the likelihood of violations, pursuant to a
predefined protocol.
Inform the Board
The CRO has a responsibility to keep the board of directors apprised of key ERM
information. Items that are suitable for inclusion in the CRO report to the board
include the following:
& Key risk exposures and their position relative to risk appetite and risk limits & Individual risk exposures & Enterprise risk exposure
310 & Risk Governance
C08 01/05/2011 18:22:3 Page 311
& Future changes in risk exposures, either expected, somewhat likely, or
representing significant threats (along with their corresponding contin-
gency response plans), particularly in the near term & Key decisions (recent and upcoming) relating to, or impacting, ERM
& Risk-priority decisions changing exposures & Return-priority decisions changing exposures
& Key ERM program activities, such as enhancements & Any recent significant risk event, and ERM lessons learned
ERM Committee
The ERM committee (which may be called by various names, including the
risk committee) has a primary role of defining risk appetite and risk limits,
and managing enterprise risk exposure to within these tolerance limits. The
ERM committee has the following major responsibilities:
& Setup: & Review and approve ERM framework (including details for major ERM
process steps) & Review and approve ERM program implementation plan & Review and approve initial basic risk governance structure & Review and approve comprehensive risk governance structure (after at
least one pass through the ERM process cycle) & Risk identification:
& Review risk categorization and definition (RCD) tool & Review emerging risk identification process
& Risk decision making: & Define risk appetite (during risk appetite consensus meeting) & Define risk limits, including method of top-down allocation of risk
appetite using an attribution & Review and approve method of integration of ERM information into
decision-making protocols & Management of enterprise risk exposure to within risk appetite (co-
responsibility with corporate ERM) & Review and approve integration of ERM into strategic planning and
business decision making & Risk messaging
& Review and approve integration of ERM into business performance
analysis and incentive compensation
Roles and Responsibilities & 311
C08 01/05/2011 18:22:3 Page 312
& Review and approve communications to shareholders, rating agencies,
and regulators
Risk Experts
There are many people throughout the enterprise that provide information in
support of one or more ERM process steps. One example is the qualitative risk
assessment survey participants. They help identify the key risks by providing
individual opinions on potential key risks, their likelihood, severity, and
credible worst-case scenarios. However, most of them are more experts in
managing the business than they are experts in risk, per se. What we will
refer to as risk experts are those who are designated as risk experts in a
particular source of risk and have a routine involvement with the ERM
program. These are the executive risk owners (EROs) and the subject matter
experts (SMEs).
Executive risk owners are executives formally designated as such by the
CRO. An ERO’s role is to be the point person for coordinating efforts across the
enterprise regarding one particular risk, and to help provide the required
information to the ERM team. Each ERO is responsible for putting together a
team of subject matter experts and managing them in support of a range of
ERM activities. Not all EROs have preexisting expertise in their designated risk,
at least not enterprise-wide; for example, an executive in the business segment
most vulnerable to regulatory risk may be chosen as the regulatory risk ERO. In
contrast, the SMEs are the leading recognized internal experts for their risk.
Most SMEs are middle management, although some are executives, depending
on the risk.
The risk experts—both EROs and SMEs—have the following major
responsibilities:
& Risk identification: & Provide risk event information to the ERM team for populating the risk
event database & Monitor known risks and scan the environment for unknown risks in
support of emerging risk identification & Risk quantification:
& Develop key risk scenarios by participating as subject matter experts in
the FMEA interview process & Provide input on key risk scenario correlations
312 & Risk Governance
C08 01/05/2011 18:22:3 Page 313
& For some risks (e.g., financial or insurance), conduct the detailed
modeling whose outputs are used as inputs into the ERM model, in
support of risk scenario development or decision making & Risk decision making:
& Support management of enterprise risk exposure to within risk appetite
by identifying mitigation options and helping to evaluate them by
providing modified key risk scenarios & Make risk-priority decisions either in isolation, or for decisions requiring
escalation, in concert with the ERM committee & Risk messaging
& Support communications to shareholders by providing information to
the ERM team & Support communications with rating agencies by providing informa-
tion to the ERM team, and attending a portion of the meetings with
rating agency analysts & Support communications with regulators by providing information to
the ERM team
Business Segments
The primary role of the business segments is to do the risk taking. This is just a
normal part of doing business, although ERM information is integrated into the
decision-making processes. In addition, the business segments provide most of
the EROs and SMEs, whose contribution was separately discussed earlier.
Finally, they provide many of the qualitative risk assessment survey
participants.
The major ERM roles played by the business segments are as follows:
& Risk identification: & Qualitative risk assessment (to the extent that business segments
provide survey participants) & Risk quantification:
& Support baseline company value calculation by providing business
segment projections used in support of strategic plan financial
projections & Risk decision making:
& Help define risk appetite and risk limits (to the extent that business
segments are represented on the ERM committee)
Roles and Responsibilities & 313
C08 01/05/2011 18:22:3 Page 314
& Manage business segment risk exposure to within risk limits (to the
extent that risk limits are established by business segment) & Support management of enterprise risk exposure to within risk appetite
by providing information to the ERM team regarding unexpected
business decisions or changes in the environment that change the
level of risk & Perform strategic planning using ERM information and protocols & Perform business decision making—including strategic decisions, tac-
tical decisions, and transactions (such as mergers and acquisitions)
using ERM information and protocols & Risk messaging
& Conduct business performance analysis and design incentive compen-
sation using ERM information and protocols5
& Support communications to shareholders by providing information to
the ERM team and reviewing risk disclosures & Support communications with rating agencies by providing informa-
tion to the ERM team, incorporating ERM information into routine
rating agency presentations, and possibly attending a portion of the
meetings with rating agency analysts & Support communications with regulators by providing information
to the ERM team
Board of Directors
A list of ERM information that is appropriate for the board to review was
provided earlier (see ‘‘Inform the Board’’). This information is used to perform
the board of directors’ four major roles in ERM:
1. Awareness of key risk exposures and risk decisions
2. Familiarity with ERM program
3. Evaluation of ERM program effectiveness
4. Involvement with defining risk appetite
Awareness of Key Risk Exposures and Risk Decisions
The board should be aware of the company’s major risk exposures. Being aware
of key threats to the company is not a new role for directors. In the United
States, federal regulations require boards to be aware of key risk exposures and
mitigating actions:
314 & Risk Governance
C08 01/05/2011 18:22:3 Page 315
The audit committee should discuss the company’s major financial risk exposures and the steps management has taken to monitor and control such exposures.
Code of Federal Regulations, Title 17 (Commodity and Security Exchanges),
Chapter II (Security and Exchange Commission),
Part 229 (Regulation S-K),Item 303A.07(c)(iii)(D)
However, the presence of an ERM program changes the format in which
the board sees the information, improving its quality and clarifying the
appropriate tolerance limits. The board must be up to date on current key risk
exposures, particularly in comparison to the risk appetite and risk limits. In
addition, the board should be informed, in a timely way, about significant
imminent or emerging threats and corresponding ERM mitigation activities.
Finally, the board should be aware of major ERM decisions impacting
exposures (such as risk-priority decisions to manage enterprise risk exposure
to within risk appetite).
Familiarity with ERM Program
The board should be generally aware of the ERM program design and
activities. They should understand the ERM framework, including the major
elements of each ERM process step. In the United States, federal regulations
require this:
. . . the audit committee must discuss guidelines and policies to govern the process by which [assessing and managing the company’s exposure to risk] is handled. (commentary in brackets)
Code of Federal Regulations, Title 17 (Commodity and Security Exchanges),
Chapter II (Security and Exchange Commission),
Part 229 (Regulation S-K), Item 303A.07(c)(iii)(D)
Evaluation of ERM Program Effectiveness
The board has a responsibility to judge the effectiveness of the ERM program.
In the United States, federal regulations require the audit committee to, at a
minimum, share responsibility for an effective ERM process and to perform a
general review of ERM:
Roles and Responsibilities & 315
C08 01/05/2011 18:22:3 Page 316
The audit committee is not required to be the sole body responsible for risk assessment and management . . . Many companies . . . manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee.
Code of Federal Regulations, Title 17 (Commodity and Security Exchanges),
Chapter II (Security and Exchange Commission),
Part 229 (Regulation S-K), Item 303A.07(c)(iii)(D).
The board should determine the effectiveness of the ERM program design
by comparing it to the 10 key ERM criteria defined in Chapter 2. In addition, the
board must evaluate the effectiveness of the ERM program execution, primarily
in terms of its most important goal: managing enterprise risk exposure to
within risk appetite.
Involvement with Defining Risk Appetite
Defining risk appetite is a difficult task with sweeping implications. In defining
risk appetite, the ERM committee is attempting to divine the wishes of the
collective shareholders—which are often a highly diverse group with different
perspectives, expectations, and investment needs—in terms of the optimal and
maximum levels of risk they expect the company to be taking. It is prudent to
get board input on such a decision. The level of board involvement varies,
though there has been a trend toward boards approving the company’s risk
appetite, as defined by the ERM committee.
Internal Audit
We will discuss four aspects of internal audit’s involvement with the ERM
program:
1. Independent verification
2. Broader roles
3. Information for the ERM team
4. Alignment of internal audit plan with ERM priorities
Independent Verification
Internal audit should remain largely independent of ERM program activities.
This is necessary for internal audit to perform their primary ERM function,
316 & Risk Governance
C08 01/05/2011 18:22:3 Page 317
which is independent verification that ERM program policies and procedures
are being carried out.
Some of the items that internal audit must verify include the following:
& Risk identification: & Qualitative risk assessment
& Performed with the required frequency & Data integrity is maintained from data collection through
documentation & Qualitative risk assessment consensus meeting results are
documented & Risk event database
& Updated for risk events occurring in the company & Used as input to risk scenario development
& Emerging risk identification process & Activities are taking place with the required frequency
& Risk quantification: & Value-based ERM model
& Data integrity is maintained from data collection through incorpo-
ration into the model & Calculations, including baseline company value, individual risk
exposures, and enterprise risk exposure are functioning as intended & Data integrity is maintained from calculated results through dissem-
ination of communications & Key risk scenarios and their correlations
& Updated properly & Risk decision making:
& Risk limits & Integrity of attribution calculation is maintained
& Management of enterprise risk exposure to within risk appetite and risk
limits & Exposures are kept within tolerance limits & Required protocols are followed (such as when soft limits are tempo-
rarily violated) & ERM information supporting strategic planning and business decision
making & Data integrity is maintained from calculated results through infor-
mation provided & Information is incorporated appropriately
Roles and Responsibilities & 317
C08 01/05/2011 18:22:3 Page 318
& Risk messaging & Communications to shareholders, rating agencies, and regulators
& Data integrity is maintained between internal ERM information and
external communications
Broader Roles
Some companies are asking internal audit to take the lead in implementing
their ERM program. In these cases, internal audit is serving as the ERM
team. This prevents internal audit from performing an independent verifica-
tion of ERM program policies and procedures. This might be temporarily
justifiable for companies with minimal resources who, without an ability
to leverage internal audit in this way, would not otherwise be able to
launch an ERM program at all. However, even in such situations, once
the ERM program matures, the ERM team should be made independent from
internal audit.
Information for the ERM Team
Internal audit can offer various risk insights that are helpful to the ERM
program. Internal audit provides the following information, all of which is
related to the risk identification ERM process step, to the ERM team:
& Risk assessments that support the development of the risk categorization
and definition (RCD) tool & Historical data on risk event occurrences in the company, which supports
the development of the risk event database & Various input in support of the emerging risk identification process
Alignment of Internal Audit Plan with ERM Priorities
The ERM program can offer valuable information on risk to internal audit. The
ERM team provides internal audit with the results of the qualitative risk
assessment and the individual risk scenario quantification. Internal audit
uses this information to prioritize the internal audit plan in alignment with
ERM program priorities. This is of great value to internal audit, because this
provides a venue for them to address more strategic items of concern to the
company. Aligning the audit plan with a value-based ERM program produces
a value-based audit plan focused on the items that present the greatest threats
to company value.
318 & Risk Governance
C08 01/05/2011 18:22:3 Page 319
ORGANIZATIONAL STRUCTURE
The second aspect of risk governance is the organizational structure. There are
not as many common themes to discuss here as compared to the roles and
responsibilities, nor should there be. A successful ERM program will have the
bulk of its inner workings subsumed into the normal pathways of doing
business, rather than being relegated to a separate, disconnected function.
For that reason, the risk governance organizational structure should leverage,
as much as possible, the existing governance organizational structure. How-
ever, there are some unique elements required, and this will be the focus of our
discussion here.
We will discuss four elements of the risk governance organizational
structure:
1. CRO
2. ERM committee
3. Key risk committees
4. Board of directors
CRO
We will discuss five criteria that represent best practices for the CRO position:
1. One leader. It is crucial to designate one person as the sole head of the
ERM program. Like any change in the way of doing business, introducing
an ERM program requires change management, and building buy-in is
critical. It is a lot easier to build buy-in through a dedicated champion who
advocates for the ERM program. In addition, the ERM program requires
communicating with the board and various levels of management, liaising
between constituencies across the enterprise and building consensus on
issues where multiple interpretations can exist. Again, it is much simpler
for one individual to manage these activities. Finally, a key ERM theme is
integration. ERM seeks to take disparate risk processes and integrate them
into a single coherent process. Splitting the CRO function among more
than one person sends an inconsistent message about integration. More
importantly, a split CRO function is unlikely to achieve a fully integrated
ERM program.
2. Dedicated function. The CRO role should be a full-time position. As
discussed earlier, there is much work to do, both upon initial ERM program
Organizational Structure & 319
C08 01/05/2011 18:22:4 Page 320
implementation, as well as on an ongoing basis. Some companies begin
their ERM program with a part-time CRO position, just as a temporary
measure, and later elevate the position to full time.
3. Executive position. It is advisable to appoint the CRO as a senior
executive (see ‘‘Top Eight Traits of an Executive CRO’’). The ERM
program is difficult to implement without indications of strong support
by company leadership. If the CRO position is not afforded a high level
of authority, this can send the wrong signal enterprise-wide, making it
far more difficult for the CRO to achieve success. In addition, the level
of responsibility is naturally commensurate with a senior executive
position.
TOP EIGHT TRAITS OF AN EXECUTIVE CRO
A CRO must have strong executive qualities in addition to the requisiteexpertise in ERM and knowledge of finance. The appropriate character- istics for a CRO depend on many factors that vary by organization. However, the following is a list of the top eight traits an executive CRO should have, in priority order:
1. ERM expertise. Ideally the CRO should have experience successfully implementing ERM. Realistically, there are not many who have this yet. The next best thing is for the CRO to have significant conceptual knowledge of ERM.
2. Leadership. The CRO must have strong leadership capabilities. Lead- ership is getting others to share, and follow, your vision for a better direction. The CRO must develop buy-in for the ERM program through- out the enterprise.
3. Imagination. The ERM process requires imagining, and getting others to imagine, a range of potential risk scenarios. This requires pragmatic creativity, an ability to imagine what is possible, for both upside and downside risk events.
4. Communication.A large part of the CRO’s role involves communicating with a disparate range of internal and external stakeholders. The CRO must effectively tailor both oral and written communications to each audience.
5. Executive presence. The CROmust be able to effectively interact at the highest levels, both internally and externally.
320 & Risk Governance
C08 01/05/2011 18:22:4 Page 321
4. Independence. The CRO position requires a high level of independence.
The CRO, as well as the rest of the ERM team, is responsible to lead
numerous efforts related to key risks that span the entire enterprise. An
appropriate level of independence will help minimize conflicts of interest
where the CRO is under the auspices of an individual who is the source of
one or more key risks. In addition, the CRO functions in several capaci-
ties—such as ensuring consistency enterprise-wide and acting as a
central clearing house—which would be well served by a proper level
of independence, which would ensure, as well as convey, that the CRO
is an unbiased actor.
It is best for the CRO, and the ERM team, to have a reporting line
directly to the board of directors, a board committee, or the chief executive
officer (CEO). This may reduce the number of potential conflicts of interest.
However, it is impossible to completely avoid such conflicts, because even
directors and the CEO are potential sources of risk. Many companies,
especially in financial services, have the CRO report to the chief financial
officer (CFO), which is the next best choice for some companies.6
In addition, the CRO’s level of independence should be underscored
by regular access to the board. This is important for fulfilling the CRO’s
routine role of informing the board as well as satisfying the board’s
requirements (receive ERM information, evaluate the ERM program,
etc.). In addition, the CRO should be able to contact the board of directors
directly, on an ad-hoc basis, to alert them of issues needing their urgent
attention.
5. Appropriate support. Companies using a value-based ERM approach
usually require only a small dedicated ERM team, such as three to five
6. Management. The ERM program is wide ranging and requires coordi- nation of contributors to, and stakeholders in, the ERM program, across all business segments and levels of the organization.
7. Diplomacy. The CRO role requires an ability to balance the need for independence—to ensure an objective and consistent ERMprocess and to enforce risk tolerance limits—with the need to partner effectively with ERM contributors throughout the organization. This requires a deft diplomatic touch.
8. Finance. The CRO should have a strong knowledge of finance to understand and convey the quantitative ERM information.
Organizational Structure & 321
C08 01/05/2011 18:22:5 Page 322
people, including the CRO, or head of the ERM program, and supporting
staff (see ‘‘The Supporting Cast’’). This is a reasonable level of resources,
given the roles and responsibilities that include an initial push to launch
the ERM program as well as ongoing efforts. This is also consistent with
the basic principle that ERM should be largely embedded in key company
processes, rather than a separate department unto itself.
However, companies using traditional ERM approaches have ERM
teams whose sizes vary widely. Some of these companies choose to
use the ERM team as a much broader umbrella, covering a wide range of
personnel involved in some ERM activities; this is usually based on their
historical approach to risk management which pre-dates ERM. Although
this can work, depending on the company culture, it is inadvisable,
because this makes it more difficult to embed ERM into key company
processes, particularly decision making, which largely resides in the
business segments.
THE SUPPORTING CAST
TheCRO only needs a few supporting staff on the ERM team to effectivelyimplement a value-based ERM program. However, they must have the appropriate balance of skills to perform the broad and diverse range of their ERM roles and responsibilities.
The staff person that takes the lead for the ERM model should have excellent quantitative skills:
1. A basic knowledge of financial statement accounting is needed to work with the strategic plan financial projection and convert it into a calcula- tion of the baseline company value.
2. Strong spreadsheet skills are helpful to construct the dynamic elements in the ERM model for calculating the individual risk exposures.
3. Knowledge of spreadsheet programming is required to run the simula- tions necessary for the enterprise risk exposure calculation.
4. Excellent model-building skills are critical to maintain the ERM model’s practicality—in the form of reliability, speed, transparency, and balance of significant digits—which is fundamental to the success of the value- based ERM approach (see the section titled ‘‘Practical Modeling’’ in Chapter 5).
322 & Risk Governance
C08 01/05/2011 18:22:6 Page 323
It is best practice for the CRO to be a single leader in a full-time ERM
role, with the authority of an executive position, ample independence, and
an appropriate level of dedicated support. However, these best practice
criteria are neither necessary nor sufficient conditions. Following these
best practices does not guarantee success. There are some companies where
the CRO enjoys the presence of all of these criteria, yet the ERM program
has still achieved very little. In addition, ignoring these best practices does
not guarantee failure, either. One of the most advanced ERM programs I
At least one staff person, who will support the qualitative risk assess- ment interviews and the risk scenario development FMEA interviews, should have superior ERM knowledge and experience, as well as excellent business savvy:
1. A mastery of ERM knowledge and experience is necessary to properly guide interviewees. These are challenging interviews. For example, during the qualitative risk assessment, survey participants will proffer potential risks that are not properly defined by source or are not material enough to be key risks. Only significant experience in ERM can enable the interviewer to quickly identify and correct these prob- lems on the fly. Another example is that during the FMEA interviews, subject matter experts will develop risk scenarios that are not properly defined by source or are not reflecting all of the financial impacts. Again, it takes years of ERM experience to immediately identify and correct these issues. For this reason, these interviews are usually led, at least the first time through the process, by ERM consultants.
2. Strong listening skills are critical to hear, understand, and properly record the information provided during these interviews.
3. Good interviewing skills are required to conduct the interviews on a consistent basis, and to effectively solicit the required information from the interviewees.
4. Excellent written communication skills are helpful in crafting the advance communication for the qualitative risk assessment interviews.
5. An ability to interact with the most senior executives, as well as board members, is necessary to conduct the qualitative risk assessment inter- views and consensus meeting.
It is also helpful if some ERM team members have long-standing relationships with a variety of associates in the firm. A strong network is helpful, especially initially, when building buy-in for the ERM program is paramount.
Organizational Structure & 323
C08 01/05/2011 18:22:7 Page 324
have seen was achieved by a part-time CRO who was non-executive manage-
ment, without significant independence, and with a bare minimum of part-
time support (although the CRO did have the sole responsibility to lead the
ERM program).
ERM Committee
The appropriate makeup of the ERM committee (which may be called by
various names, including the risk committee) varies by organization. It is
usually an executive-level committee comprised of the following individuals,
at a minimum:
& Chief executive officer (CEO) & Chief risk officer (CRO) & Chief financial officer (CFO) & Heads of major business segments or their lieutenants & Chief legal counsel & Head of compliance (nonvoting) & Head of internal audit (nonvoting)
Risk experts—executive risk owners (EROs) and subject matter experts
(SMEs)—and other business experts are occasionally invited to join commit-
tee meetings in support of discussions of key risks related to the expertise
required. The ERM committee is often chaired by either the CEO or the CRO.
Key Risk Committees
The executive risk owners (EROs) and their subject matter experts (SMEs) often
form key risk committees bearing the name of the key risk(s) under their
purview. Some of these committees pre-date ERM, representing a silo form of
risk management (such as a credit risk committee), and are appropriately
leveraged into service in the ERM risk governance organizational structure.
These committees are organized to help the risk experts (EROs and SMEs)
perform their ERM roles and responsibilities, and also to share information
(including the basic required ERM information, as well as tools and techniques,
issues of concern, best practices, etc.) more effectively within committees,
between committees, and upstream to the CRO and the ERM committee. The
EROs have ‘‘dotted-line’’ reporting relationships to the CRO or to the ERM
committee, indicating an informal, or less formal, organizational structure. The
324 & Risk Governance
C08 01/05/2011 18:22:7 Page 325
SMEs have dotted-line reporting relationships to their EROs, though many of
themmay already be direct reports of their ERO. The ERO and SME roles are not
usually full-time roles in and of themselves.
Board of Directors
The majority of companies do not set up a separate board-level committee to
take the lead in fulfilling the board’s ERM roles and responsibilities listed
earlier, but instead either assign the tasks to the entire board or to the audit
committee. If this is assigned to the audit committee, the full board should
receive complete reports from the audit committee to satisfy two of their roles:
awareness of key risk exposures and risk decisions, and familiarity with the
ERM program. In addition, the full board should receive summary reports on
the evaluation of the ERM program effectiveness. Finally, only the full board
should fulfill the role of involvement with defining risk appetite.
POLICIES AND PROCEDURES
The third aspect of risk governance is the codification and communication
of policies and procedures. This should evolve along with the ERM program.
Detailed policies and procedures should not be written far in advance of
completing the ERM process cycle at least once. It is impossible to draft effective
ERM policies and procedures until management can see, for example, the
enterprise risk exposure calculation, the risk appetite definition, and how the
ERM program will integrate into key company processes, particularly decision
making.
We will discuss two of the key ERM policy and procedure documents:
1. ERM program summary document
2. Risk appetite document
ERM Program Summary Document
The ERM program summary document contains a summary and description of
the following items:
& ERM program origins, historical development, current status, and
enhancement plans
Policies and Procedures & 325
C08 01/05/2011 18:22:7 Page 326
& ERM framework, including detail on each of the ERM process steps and
activities & Risk governance structure, including roles and responsibilities and orga-
nizational structure
The ERM program summary document is often accompanied by exhibits
such as the following:
& Risk categorization and definition (RCD) tool, in each of its various
incarnations, such as: & Results of qualitative risk assessment & Comparative analysis & Risk event database
& Individual risk scenario exposures & Enterprise risk exposure & Summary of risk appetite definition & Summary of major risk decisions, both risk-priority and return-priority & Description of integration of ERM into decision making, business perform-
ance analysis, and incentive compensation & Recent ERM communications to rating agencies
The ERM program summary document is used for the following
purposes:
& Documentation & Training & Repository for internal reporting and external risk messaging
Risk Appetite Document
The risk appetite document contains the following information:
& Definition of risk appetite, including hard and soft limits & Definition of risk limits, including hard and soft limits, as well as the
allocation methodology & Enterprise risk exposure compared to risk appetite (both current and
historical) & Risk exposures below enterprise level compared to their corresponding risk
limits (both current and historical)
326 & Risk Governance
C08 01/05/2011 18:22:7 Page 327
& Delegation of authority for increasing risk exposures, including escalat-
ing actions and authorities required when exposures cross soft-limit or
hard-limit thresholds
SUMMARY
There are three main aspects to effectively governing risks: having the key
ERM contributors knowing and performing their roles and responsibilities;
establishing the organizational structure that supports the execution of these
roles and responsibilities; and codifying policies and procedures. The CRO and
his or her ERM team play a large role in ERM: building, maintaining, and
enhancing the ERM program; building buy-in for the program; and many
other critical functions. However, there are several other key contributors
across the enterprise—executives on the ERM committee, risk experts,
business segment personnel, the board, and internal audit—that play critical
roles in a successful ERM program.
This chapter concludes our discussions on implementing a successful ERM
program using a value-based ERM approach. In the next chapter, we examine a
case study on the global financial crisis that began in the United States in 2007
as it relates to ERM and bank risk management practices.
NOTES
1. This discussion offers a brief summary of points made elsewhere, primarily in
Chapters 4 through 7, but from Chapter 3 as well. For a more thorough
explanation of each of these points, please revisit those chapters.
2. This offers valuable insights, although political care must be taken, because
this may indicate a change in the relative power of the business segments.
3. The first time through the ERM process cycle, risk messaging may be limited
only to external risk messaging. Going through the first three ERM process
steps a second time irons out all the wrinkles, which is prudent prior to
integrating ERM into business performance evaluation and, especially,
incentive compensation.
4. Internal audit is responsible for all assurance regarding compliance with
ERM policies and procedures. However, a primary role for the ERM team is to
sound the alarm and take action when exposures threaten to exceed
tolerance limits.
5. Business segments are defined here to include Corporate (not to be confused
here with corporate ERM). Corporate is primarily responsible for these tasks,
Notes & 327
C08 01/05/2011 18:22:7 Page 328
which are usually consistently applied enterprise-wide. However, to the
extent that the non-corporate business segments conduct their own
internal business performance reviews, or to the extent that there are
business segment–specific incentives, then these tasks are performed by
non-corporate business segments as well.
6. This is more common at insurance companies than at banks. Initially, the
majority of bank CROs reported to the CFO, but now the majority report
to the CEO, the board, or a board committee.
328 & Risk Governance
C09 01/05/2011 18:37:48 Page 329
9CHAPTER NINE Financial Crisis Case Study
I am a firm believer in the people. If given the truth,
they can be depended upon to meet any national
crisis. The great point is to bring them the real facts.
Abraham Lincoln
T HE GLOBAL FINANCIAL crisis that began in the United States in2007 is a complex and challenging case study. In the United States, thishas been described as the most damaging economic event since the Great Depression, which followed the stock market crash of 1929. Economists
still debate the facts of the 1929 crash—the relative importance of the events
that caused it, the interacting factors that deepened it, and the effectiveness of
the government actions tomitigate it. Certainly, the financial crisis, fromwhich
we still have not recovered at the time of the writing of this book, will be
similarly debated for decades.
We will not claim to present here a definitive, or even nearly complete,
discussion of this event. However, what we will do is analyze the financial crisis
from an ERM perspective. During 2008, the first full year of the financial crisis,
many in the ERM field were being asked the following question:
329
C09 01/05/2011 18:37:48 Page 330
Banks have been claiming primacy in risk management for a long time. ERM is the latest incarnation of risk management, so banks must have been doing ERM, right? Yet the banks just blew up the entire global economy. So, if ERM didn’t prevent this financial crisis, how can ERM be any good?
This chapter is in response to this question. We will examine whether the
bank1 risk management practices that contributed to the financial crisis were a
failure of ERM theory or a failure of banks to actually follow ERM practices. We
will begin with a brief summary of the financial crisis.
SUMMARY OF THE FINANCIAL CRISIS
We will only discuss here a high-level summary of the financial crisis, to
introduce our topic. Our focus in this chapter is on bank risk management
practices, for which we will provide more details throughout our discussion,
and therefore, this brief summary will be sufficient for our purposes.
The Causes
An increase in risky mortgages—those more likely to result in foreclosure—
was fueled by the unrealistic expectation by both mortgage issuers and
homeowners that housing prices would continue to rise and that interest
rates would continue to fall or remain low, even as housing prices peaked at an
unsustainable level, referred to as a ‘‘housing bubble,’’ and interest rates were
about to rise from unsustainably low levels. The unrealistic expectation of the
mortgage issuers were mainly fueled by an investment supply–demand im-
balance due to an excess of foreign capital seeking investments.2
Banks Made It Worse
The risks already inherent in this situation were exacerbated by banks in two
ways:
1. Soliciting more and riskier home buyers
2. Selling more and riskier investments
Soliciting More and Riskier Home Buyers
Banks solicited more home buyers by creating mortgages that were easier to
get into but harder to maintain, and that involved risks that most consumers
330 & Financial Crisis Case Study
C09 01/05/2011 18:37:48 Page 331
were not aware of, or did not fully understand. Some of these riskier mortgages
even had loan amounts that increased over time, because the early interest
payments were not covering the interest charges. In addition, banks further
increased the risks inherent in the mortgage investment supply chain by
growing the subprime mortgage market: home buyers with higher-than-usual
likelihoods of default.
Selling More and Riskier Investments
Banks solicited more mortgage investors through complex innovative mort-
gage investment products that made it easier to invest in the mortgage market,
and where the risks to investors were even less transparent than usual (due to
multifaceted packaging of mortgages and multiple handoffs) and magnified in
exposure (through leverage). Two such products were collateralized debt
obligations (CDOs) and credit default swaps (CDSs).
CDOs led to less transparency. A CDO is a bond with payments based on
cash flows from a package of mortgage products, such as mortgage-backed
securities (MBSs) and collateralized mortgage obligations (CMOs). Different
CDOs have different levels of risk, called tranches, based on how the CDO
defines the way in which cash flows will be divided up. Some tranches were
considered highly secure (triple-A credit rating). The multifaceted packaging of
mortgages made the risk behind the investment murkier. However, further
reducing transparency were CDOs of CDOs, called CDO-Squareds, which
involve reselling more detailed tranches of existing CDO tranches. These
multiple handoffs made investors yet another entity removed from under-
standing the risk.
CDSs magnified the risks. A CDS is essentially an insurance policy against
the failure of a given entity. The issuer of the CDS receives steady cash inflows
but suffers a large loss if the entity fails. CDSs issued on CDOs or other mortgage
instruments allowed the magnification of bets on the mortgage market,
through leverage, because the number of CDSs was not limited to the number
of mortgages, or CDOs, on which they were based.
The Crisis
When interest rates rose, and the investment supply–demand imbalance
ended, removing excess foreign capital, housing prices fell at the same time
as mortgage payments rose, and foreclosures dramatically increased as a re-
sult. Banks began to fail, a credit and liquidity crisis ensued, and a threat of
cascading failures leading to a vicious cycle—banks fail, companies needing
Summary of the Financial Crisis & 331
C09 01/05/2011 18:37:48 Page 332
credit from banks fail or cut employees, unemployed homeowners default on
more mortgages, and so on—prompted governments to bail out banks and
other ‘‘too-big-to-fail’’ entities in an attempt to stabilize the financial system.
EVALUATING BANK RISK MANAGEMENT PRACTICES
We will evaluate the extent to which banks were, or were not following
ERM practices, by benchmarking their risk management practices against the
10 key ERM criteria, primarily discussed in Chapters 2 and 3.
Benchmarking against 10 Key ERM Criteria
The 10 key ERM criteria are:
1. Enterprise-wide scope
2. All risk categories included
3. Key risk focus
4. Integrated across risk types
5. Aggregated metrics
6. Includes decision making
7. Balances risk and return management
8. Appropriate risk disclosures
9. Measures value impacts
10. Primary stakeholder focus
These criteria are the critical defining elements of a robust ERM program,
and are a good benchmark to use in evaluating ERM programs. In Chapter 3,
we discussed how a value-based ERM approach fully satisfies these 10 key ERM
criteria. Wewill now begin evaluating bank risk management practices against
this benchmark.
Criterion 1: Enterprise-Wide Scope
The ERM program must be equally applied across the enterprise. In Chapter 2,
we discussed five reasons why companies may fail to satisfy this condition. The
first of these was the presence of a ‘‘golden boy unit.’’ This is a business unit that
is exempt from certain activities, such as ERM, as a result of their generating
large revenue growth and/or profits. This leads to a lack of understanding, or
willful ignorance, of the risks involved in the business.
332 & Financial Crisis Case Study
C09 01/05/2011 18:37:48 Page 333
Many banks that contributed to the financial crisis fell into this
situation. The business units issuing mortgage products were experiencing
a high level of growth. Management did not want to miss out on the growth
opportunity in which many of their competitors were participating. The
pressure for growth, as well as the seduction of easy and rapid growth,
either influenced management to consciously avoid a full level of ERM
scrutiny, or unconsciously use a light touch that avoided fully looking at
the risks.
Criterion 2: All Risk Categories Included
All risk categories must be included in the ERM program. Risk categories
include the following:
& Financial risk, which includes market, credit, and liquidity risks. & Strategic risk, which includes risks related to strategy, execution of
strategy, governance, competitors, suppliers, external relations, regulatory
changes, and so on. & Operational risk, which includes risks related to human resources, tech-
nology, litigation, compliance, fraud, disasters, and so on. & Insurance risk, which involves risks that generally apply only to insurance
companies, and includes pricing risk, underwriting risk, and reserving risk;
this risk category also applies to non-insurance companies issuing con-
tracts that cover contingencies analogous to insurance contracts, such
as CDSs.
In Chapter 2, we discussed three reasons why companies may fail to satisfy
this condition. Two of these apply here:
1. Inability to quantify strategic and operational risks. The inability
of banks to quantify strategic and operational risks was explored in depth
in Chapter 3 (see ‘‘Risk Capital’’), where we explained that banks use one
of two alternative capital-based approaches to risk quantification. Both
alternative approaches ignore strategic risks altogether. The majority of
banks use Alternative 1, which poorly measures operational risks in that
it is not a risk-based approach and is sometimes not even directionally
correct. Those banks using Alternative 2 are unable to fully quantify
operational risks because they ignore impacts to future revenues and
expenses.
Evaluating Bank Risk Management Practices & 333
C09 01/05/2011 18:37:48 Page 334
This is the first of the three core challenges to ERM identified in
Chapter 3.
2. Financial analyst bias. In Chapter 2, we explained that financial analyst
bias (an excessive focus on financial risk) stems from the fact that the
financial modelers’ education, training, certification, experience, and
department are all focused solely on financial risk, and that their tech-
niques only work well for these risks. Bank financial modelers definitely
suffer from such bias.
This bias leads to management receiving information on enterprise
risk exposure that appears complete, but is not. In fact, as discussed,
research shows that financial risk only represents a fraction of the bank’s
overall exposure, once strategic and operational risks are properly factored
in. Deepening this false impression is the level of precision with which the
financial risk exposures are presented. The level of precision is implied by
the significant digits in the exposure data provided to management.
We will now discuss some examples of non-financial risks not addressed by
bank financial modelers, which contributed to the crisis. These examples
involve human resources risks, which are a type of operational risk.
Some claim that the financial crisis was a ‘‘perfect storm’’ where an
unforeseeable combination of rare events suddenly came together. Others
contend that many bank personnel were aware of the exposures or should
have been aware, but this information did not become available to their boards
of directors, executives, or management. If so, why not? What went wrong?
The answer to that question leads us to three non-financial sources of risk that
contributed to the financial crisis:
1. Agency risk
2. Process risk
3. Errors
Agency Risk Banks have agency risk, in terms of a misalignment of the interests of management with that of the shareholders, as well as with that of
the taxpayers.
The agency risk due to misalignment with shareholders comes in the form of
incentive compensation programs that reward management for generating
high revenues and profits without properly adjusting for the corresponding
334 & Financial Crisis Case Study
C09 01/05/2011 18:37:48 Page 335
increase in risk exposure. There are three features needed in an ERM program
to prevent this:
1. Measure risk exposures on the basis of impact on value
2. Integrate information on risk exposures into business performance eval-
uation, including an attribution at the individual level
3. Integrate information on risk exposures into incentive compensation
The first feature, measuring risk in terms of value impacts, is critical to
aligning management’s interests with that of the shareholders, because the
shareholders’ primary metric is company value. However, bank risk manage-
ment programs do not have this feature, because they measure risk in terms of
the balance sheet, as impacts on capital or required capital.
Bank risk management programs also do not have the second and third
features. Though banks do have risk exposure metrics in their business
performance analysis, they are flawed. Banks typically use the Value-at-Risk
(VaR) metric. VaR is often defined as the maximum amount of capital that
can be lost in a single day, within a given small predefined likelihood. A key
weakness of this metric is that bank associates can add large amounts of
risk without accountability, by creating it, or defining it, as just beyond
the likelihood threshold, so that it is not captured in the VaR metric. In
addition, banks generally do not produce attributions of the risk exposure
metrics at the individual level. Without knowing the level to which an
individual increased risk exposure, it is impossible to build this into in-
centive compensation.
The presence of the agency risk causing misalignment with shareholders
contributed to bank management’s taking on excessively high levels of risk.
Doing so increased the chances of massive bonuses. Indeed, bank manage-
ment did receive massive paydays during the mortgage boom. In fact, bank
management even received massive bonuses after it became clear that their
actions contributed to the financial crisis as well as to the failure of their own
firms, some of which had to be bailed out by the government.
The agency risk due to misalignment with taxpayers comes from the moral
hazard of bank management believing that the government will not allow
them to fail, but will instead bail them out, if large losses ensue from any of their
excessive risk taking. This has also been eloquently referred to as the problem of
‘‘privatizing profits and socializing losses.’’
Evaluating Bank Risk Management Practices & 335
C09 01/05/2011 18:37:48 Page 336
The presence of the agency risk causing misalignment with taxpayers
encouraged banks to take on excessively high levels of risk. Banks felt even
more emboldened by the fact that so many of their peers were taking the
same high-risk bets, which made it even more likely that the government
would need to step in, because if trouble ensued, it would cause major
systemwide problems. This kind of thinking was confirmed and reinforced by
government bailouts of many banks, particularly the largest ones. The Dodd-
Frank legislation was intended to address this moral hazard by making future
bailouts more difficult. However, many are skeptical, because the banking
system is still just as vulnerable, if not more so, to another financial crisis, and
when one occurs, the same political pressures for bailouts will reemerge, and
a temporary emergency measure could easily be passed to empower another
government bailout, notwithstanding the Dodd-Frank bill.
Process Risk Banks have process risk in that the risk management program is not designed properly and therefore not performing as expected. This is the
subject of much of this chapter, and will not be repeated here. However, there is
one additional failure in the process design of bank risk management programs
that is worth mentioning. See ‘‘Is It Gross or Net?’’
IS IT GROSS OR NET?
Asdiscussed in Chapter 3, during discussions of the ERM framework, itis important to measure, and internally report, risk exposures on both a gross (pre-mitigation) and net (post-mitigation) risk exposure basis. Most banks did not do this. Instead, they only calculated and reported these risks on a net risk exposure basis. They were issuing huge volumes of risky mortgage products that, even if some bank associates were aware of the excessive exposure, they didn’t feel as worried, because they had what they believed to be effective mitigation, and the post-mitigation, or net, risk exposures looked acceptable to them. One example of this mitigation was the ability to offload the bulk of this risk to ‘‘suppliers’’ in the form of other banks or investors buying the bank CDOs comprised of these mortgages or mortgage packages. Another example of this mitigation was having a monoline insurer wrap the bank CDOs with their Triple-A rating.3
336 & Financial Crisis Case Study
C09 01/05/2011 18:37:49 Page 337
Errors Banks have significant risk exposure to errors by financial analysts doing themodeling work to evaluate the risks inherent in bank products.4 Bank
management relies heavily on financial modelers. In fact, the banks did
experience such risk events, which contributed to the financial crisis. We
will discuss two examples. One was mispricing the default risk of CDOs.5
Another was mispricing the insurance risk of CDSs.
Financial modelers significantly mispriced the default risk of CDOs by
taking a disastrous shortcut. They did not do the hard work to develop
individual risk scenarios from historical data, understand the structure of
each CDO and how its underlying assets behave, quantify the CDO’s default
risk by the impacts on the future distributable cash flows of each CDO, and,
further, measure the correlation between CDOs using the exposure data
developed. Instead, they used a shortcut that involved a formula called a
copula, which inferred the default risk of a CDO, and correlations between
CDOs, from that implied by the historical market prices for the CDS on the
CDO. In other words, because the CDS is an insurance contract on the risk
that the CDO will default, the price changes reflect the level of default risk of a
CDO, and the relationship between price changes reveals the correlations
between CDOs. The market prices of CDSs on CDOs were available because
CDSs were tradable securities.
One of the reasons to calculate and internally report risk exposures on a pre-mitigation risk exposure basis is because mitigation does not always work as expected. In the context of our discussion, this is precisely what occurred in the financial crisis. Both examples of the mitigation disap- peared. The bank was suddenly no longer able to offload the bulk of the risk to its suppliers, as the market dried up and these suppliers suffered huge losses. In addition, some banks had their monoline insurance com- pany collapse, and the CDO rating immediately fell to the level of the monoline, which was downgraded.
Had these banks calculated, and internally reported, risk exposures on a pre-mitigation, or gross, risk exposure basis, the financial crisis might have been averted, or at least mitigated. Had the pre-mitigation risk exposures been reported up to executives and to the boards of directors, they would have seen a huge surge in exposures in this one area. Seeing the magnitude of the risk on the basis of ‘‘what if our mitigation disappears’’ might have triggered additional scrutiny and some caution that could have diminished, or even prevented, the financial crisis.
Evaluating Bank Risk Management Practices & 337
C09 01/05/2011 18:37:49 Page 338
This shortcut did not capture enough detail to make it appropriate for
use. It assumed that correlations are constant, when in fact they are
unstable. In addition, the historical data on CDSs, upon which the assump-
tions were based, was not appropriate for developing long-term assumptions.
The historical data period was less than 10 years (because CDSs had not
existed before that), which is too short. This only included a housing boom
period, and certainly did not include a national downturn in housing prices,
which occurs periodically. When the housing bubble burst and defaults
exploded, banks relying on this inappropriate shortcut for their pricing of
CDO default risk and correlation suffered huge losses.
Financial modelers also significantly mispriced the insurance risk of
CDSs. Most insurance products must, by law, only be issued by insurance
companies. There is a good reason for this. Insurance policies require a high
level of security. They provide great social value in the form of extremely
long-term guarantees upon which people rely for their future financial
security. Insurance companies provide this security.6 They are heavily
regulated. In addition, insurance companies use actuaries to understand
the complex insurance products, price the risks, set up appropriate reserves to
pay future obligations (where the reserves have additional margins of safety
for errors), set up appropriate levels of state-required capital (which provides
another layer of protection), and set aside additional capital (yet another
layer of protection).
However, CDSs are a type of insurance contract which can be issued by
non-insurance companies, such as banks. The banks generally did not use
actuaries as their financial modelers to understand and price the risks of
CDSs, nor did banks set aside appropriate reserves or capital. This is part
of what led to the excessive growth of CDSs and what made them appear so
profitable (before they suffered enormous losses). The banks did not under-
stand the risk exposures and they were essentially ignoring a large part of
the cost of being in the insurance business: setting up reserves and capital.
When these products suffered huge losses, the taxpayers picked up the tab
for these ignored costs and more, through the government bailouts of
these banks.
Criterion 3: Key Risk Focus
Most banks have risk management programs that are indeed properly focused
on prioritizing risks and focusing on the most significant threats. They rank
338 & Financial Crisis Case Study
C09 01/05/2011 18:37:49 Page 339
their risks and focus more efforts on the largest exposures for the enterprise
as a whole.
Criterion 4: Integrated across Risk Types
Most banks do not use an integrated approach to risk management. Each
department tends to manage risk separately from the other. In addition, they
also measure risks one at a time, in silo form, and then attempt to use cor-
relation adjustments to reflect risk interactions. As discussed in Chapter 5 (see
‘‘Capturing Interactions’’), this fails to capture the bulk of the interactivity. As
discussed in Chapter 2, silo risk management has several disadvantages,
including incompleteness, inefficiency, and internal inconsistency. One of
the disadvantages of incompleteness is most relevant for our topic: it omits
multiple simultaneous risk events, which can lead to the largest losses. The
financial crisis was such an event: There were multiple risk events occurring
together, including an increase in interest rates and an ending of the invest-
ment supply–demand imbalance which removed excess foreign capital, both of
which exacerbated the separate impacts of either event, in terms of their impact
on housing prices, due to the triggering of the financial crisis and its downward
spiraling events. In addition, as discussed earlier, there were non-financial risks
that also contributed to the financial crisis.
Criterion 5: Aggregated Metrics
Banks generally do not have either of the two aggregated ERM metrics. They
cannot calculate a proper enterprise risk exposure, because they do not have a
single metric that can fully quantify all risks. Most banks measure the impact of
risk only on the current balance sheet—in terms of change in capital or
required capital—rather than on company value. As a result, businesses within
the organization that do not have capital requirements cannot be so measured.
In addition, strategic and operational risks cannot be fully quantified using
capital-based metrics, because the majority of their impact comes from changes
to future revenues and expenses.
In addition, most banks cannot clearly define their risk appetite. This is the
second of the three core challenges to ERM identified in Chapter 3. This is
directly related to their inability to calculate enterprise risk exposure, because it
is the basis for defining risk appetite. In addition, the lack of a clear, quantitative
definition of risk appetite means that these banks also do not have a top-down
allocation of risk appetite to risk limits.
Evaluating Bank Risk Management Practices & 339
C09 01/05/2011 18:37:49 Page 340
Because most banks do not have an aggregated enterprise-level under-
standing of what their risk exposure is, or what it should be, it is easier to
understand why they fail so frequently, and how they were able to create such
a high level of exposure that led to the financial crisis.
Criterion 6: Includes Decision Making
Most banks do not effectively integrate their risk information into decision
making. This is the last of the three core challenges to ERM identified in Chapter
3. They do use risk information for mitigation decisions, but their approach is
lacking.We will discuss each of the three critical elements that must be in place
for effectively integrating ERM into decision making:
1. ERM metrics that support decision making
2. Practical ERM models
3. Consensus buy-in from business segments
First, the metrics most banks use do not support all decision making,
because they only have robust risk quantification methods for financial risks
(this was discussed earlier). In addition, the metrics that they use only provide
the risk (capital) side of the equation and not the return (value) side, both of
which are needed to support effective decision making.
Second, the risk models are not practical. Although the models generally
have reasonably fast run times, they tend to be lacking in reliability, they use an
inappropriately high number of significant digits, and they are particularly poor
in terms of transparency.
Most banks do have buy-in from the business segments, but they have the
reverse problem: Too much buy-in regarding the risk models. In the context of
our discussion, this is one of the factors that contributed to the financial crisis.
Most banks failed to scrutinize risk-modeling assumptions or question their
validity with enough skepticism.
Criterion 7: Balances Risk and Return Management
Most banks do use risk information for both upside and downside opportunities.
However, they do not do this optimally, because they only measure risk in
terms of its impact on the current balance sheet, rather than on company
340 & Financial Crisis Case Study
C09 01/05/2011 18:37:49 Page 341
value. Without fully integrating risk and return information, banks will
continue to make suboptimal business decisions.
Criterion 8: Appropriate Risk Disclosures
Most banks do not appear to have risk disclosures that adequately incorpo-
rate the appropriate information from their risk management programs.
Neither the voluntary nor the mandatory risk disclosures seem to include
the information recommended in Chapter 7. As one important example,
most banks do not appear to prioritize their key risks, in terms of their
potential impact on company value, which would match shareholder priori-
ties. In the context of our discussion, some banks were unable to properly
disclose the financial impact of the crisis until multiple quarters after it
took hold.
Criterion 9: Measures Value Impacts
Once again, most banks do not measure risk on the basis of its potential impact
on company value. Instead, they measure it in terms of impacts to the current
balance sheet capital or required capital.
Criterion 10: Primary Stakeholder Focus
Most bank risk management programs cannot support a primary focus on the
shareholders because they don’t use company value as the risk metric. In
addition, the use of the capital-based risk metric is indicative of their focus on
goals related to secondary stakeholders: maintenance of a satisfactory rating
(rating agency focus) and maintaining adequate mandatory capital levels
(bank regulators).
Conclusion: Bank ERM Scorecard
Table 9.1 summarizes the results of benchmarking bank risk management
practices against the 10 key ERM criteria. The results clearly indicate that most
banks were not actually employing ERM practices. As some of the examples
in our discussion point out, the failure to follow ERM practices contributed to
the financial crisis, and if banks had followed ERM practices it might have
prevented the financial crisis. (Caveats: The scorecard reflects the risk man-
agement practices at most banks. Only a Pass/Fail score is used.)
Evaluating Bank Risk Management Practices & 341
C09 01/05/2011 18:37:50 Page 342
SUMMARY
In this chapter, we responded to the aspersions cast on ERM by the fact that
banks were the primary cause of the global financial crisis and the fallacy that
banks were actually following ERM practices. We revealed that, contrary to
popular claims, banks generally did not follow ERM practices, in that they fail
to meet nine of the 10 key ERM criteria. In addition, we clear up another
popular misconception, which is that the financial crisis was caused exclu-
sively by financial sources of risks. We discussed three examples of non-
financial risks at banks that helped cause the financial crisis:
TABLE 9.1 Bank Scorecard on ERM: Results of Benchmarking against 10 Key ERM Criteria
Criterion Score Main Reason(s) for Failure
1. Enterprise-wide scope Fail & ‘‘Golden boy’’ units lacked sufficient scrutiny
2. All risk categories included Fail & Inability to quantify strategic and operational risks
& Financial analyst bias & Failing to address critical human resources
risks, such as agency risk, process risk, and errors
3. Key risk focus Pass
4. Integrated across risk types Fail & Only use correlation adjustments, which do not capture all interactions
5. Aggregated metrics Fail & Do not calculate enterprise risk exposure & Do not clearly define risk appetite
6. Includes decision making Fail & Risk metrics do not support decision making & Risk models are not practical, particularly in
their lack of transparency & Not enough scrutiny of risk modeling
assumptions 7. Balances risk and return
management Fail & Capital-based metrics do not provide both
risk and return information
8. Appropriate risk disclosures
Fail & Lack of robust ERM information embedded in mandatory and voluntary risk disclosures
9. Measures value impacts Fail & Lack of company value metric
10. Primary stakeholder focus Fail & Risk management program focus is on rating agencies and regulators
342 & Financial Crisis Case Study
C09 01/05/2011 18:37:50 Page 343
1. Agency risk: The interests of bank management are often misaligned with
the interests of shareholders and taxpayers.
2. Process risk: Most bank risk management practices are flawed, as evi-
denced by their failing to satisfy nine of the 10 key ERM criteria. In
addition, most banks were not calculating and reporting risk exposures on
a pre-mitigation, or gross, basis. Had this been done, the financial crisis
might have been averted, or at least mitigated.
3. Errors: Many bank financial modelers significantly mispriced the default
risk of CDOs and the insurance risk of CDSs.
Worrisome is the fact that society is still fully exposed to the first two of
these risks, as well as to the broader category of the third risk. As a result, the
global financial system remains vulnerable to the next financial crisis.
In the next and final chapter of this book, we move on to a more upbeat
topic: a look at how to apply ERM to non-corporate entities, such as non-
profit organizations, government bodies, and individuals.
NOTES
1. In this chapter, we will generically define banks as any financial entity which
is not an insurance company. This is imprecise, but sufficient for the context
of our discussion.
2. In addition to banks and homeowners, there are many others that have
received blame, including regulators, legislators, quasi-governmental agen-
cies, monoline insurers, rating agencies, and others. In our discussion, we
are only focusing on the prime culprits.
3. The monoline insurer is standing behind the CDO with their guarantee, based
on their own triple-A rating.
4. This is different from process risk, discussed earlier; a perfect process can
still be thwarted by individual errors.
5. This portion of the discussion references aWiredmagazine article titled ‘‘Recipe
for Disaster: The Formula That Killed Wall Street,’’ written by Felix Salmon,
dated February 23, 2009.
6. Historically, insurance companies are far less likely to fail than banks. The
notable failure of AIG during the financial crisis was caused by their Financial
Products division, which was not part of AIG’s insurance entities.
Notes & 343
C10 01/19/2011 11:9:36 Page 344
10CHAPTER TEN ERM for
Non-Corporate Entities
Only those who dare to fail greatly can ever
achieve greatly.
Robert F. Kennedy
U P TO THIS point, we have discussed ERM in the context of applyingit to corporate entities that operate for profit. In this chapter, wewill discuss how to apply ERM to other entities. For convenience, we will refer to for-profit companies as corporate entities and all other entities
as non-corporate entities, or NCEs. We will discuss how to apply ERM to such
NCEs as non-profit organizations, government bodies, and individuals. To
do this, we must first generalize the value-based ERM approach discussed
throughout this book.
GENERALIZING THE VALUE-BASED ERM APPROACH
The value-based ERM approach can be generalized and applied to any entity.
We will discuss five aspects of generalizing the value-based ERM approach:
344
C10 01/19/2011 11:9:36 Page 345
1. Terminology
2. Objectives
3. Key metrics
4. Risk categorization
5. Framework
Terminology
Wewill generalize the term value-based ERM in two ways. First, we will change
enterprise risk management to entity risk management.1 Second, we will
change value-based to objectives-based. Value-based implies a primary objective
of increasing company value, which is appropriate for corporate entities, but
non-corporate entities (NCEs) usually have other objectives. With this gener-
alized terminology, value-based enterprise risk management becomes a special
case of objectives-based entity risk management.
Objectives
With corporate entities, there is a single objective: increasing value. However,
NCEs often have multiple objectives. There are two steps to clearly defining
objectives for NCEs:
1. Identifying stakeholders
2. Defining objectives for each stakeholder
Identifying Stakeholders
Corporate entities have a single primary stakeholder: the shareholder. How-
ever, NCEs often have multiple stakeholders that must be equally served. For
example, a charitable organization may have a mission to provide assistance to
poor children and to poor elderly people.
Defining Objectives for Each Stakeholder
Corporate entities have a single objective for their primary stakeholder:
increase value. However, NCEs often have more than one objective for each
stakeholder. Each distinct objective must be separately defined for each stake-
holder. Continuing our earlier example, a charitable organization that serves
Generalizing the Value-Based ERM Approach & 345
C10 01/19/2011 11:9:37 Page 346
both poor children and poor elderly people may have two objectives for each of
these stakeholders:
& Poor children: & Improve education (objective #1) & Improve health (objective #2)
& Poor elderly people: & Improve access to medication (objective #3) & Provide visiting nurse services (objective #4)
Key Metrics
With corporate entities, there is a single primary stakeholder—the share-
holder—and a single objective for this primary stakeholder—increasing
value—which leads to a single dominant key metric: company value. There
are other key metrics, but company value is the primary metric. However, this
is generally not the case for NCEs. The tendency of NCEs to have multiple
stakeholders, and multiple objectives for each of these stakeholders, automati-
cally results in multiple key metrics of equal or similar importance—even if
there is only one key metric needed for each objective. However, there are three
factors that drive the need for even more key metrics:
1. Multiple key metrics per objective
2. Time
3. Money
Multiple Key Metrics per Objective
Corporate entities only need a single dominantmetric—company value—for their
single objective of increasing value. This is possible because money is easy to
measure. In contrast, NCEs—such as non-profit organizations, government
bodies, and individuals—often requiremultiplemetrics for each of their objectives.
Rather than generating distributable cash flows for shareholders, like corporate
entities, NCEs often have objectives related to serving other people. Measuring
these services is more complex, and often requires multiple metrics.
Consider our earlier charitable organization example, which has two
objectives related to services for poor children: improving education and
improving health. For each objective, they use multiple key metrics to gauge
their success. Each key metric, along with its projected result, is included in
the baseline strategic plan projection.
346 & ERM for Non-Corporate Entities
C10 01/19/2011 11:9:37 Page 347
The charitable organization in our example uses three such key metrics
for the education objective:
1. Standardized test scores
2. Graduation rates
3. Percentage of high school graduates entering college
For the objective of improving health, the charitable organization also
uses three key metrics:
1. Percentage of children with access to a pediatrician
2. Incidence rates of leading illnesses
3. Life expectancy
As with the value-based ERM approach, the objectives-based ERM ap-
proach quantifies risk in terms of its potential impact on baseline expectations.
Therefore, these key metrics, whose results are in the baseline strategic plan
projection, are also used as the ERM key metrics to measure the impact of risks.
Time
With the value-based ERM approach, time is not a complicating factor in mea-
suring the impact of risks. The value of a dollar lost next year, or 10 years fromnow,
is easily evaluated in terms of a dollar lost today, through the discounting of
distributable cash flows using the discount rate. However, with the objectives-based
ERM approach, time is a complicating factor that increases the number of required
key metrics. Most of the key metrics are not monetary items, and cannot be
discounted. NCEs often have strategic plans for expected improvements in a given
key metric over the coming years. Some risks may impact a key metric in the near
term, though other risksmay impact the keymetric further down the timeline. As a
result, some key metrics need to be tracked for more than one point in time.
Continuing our example of the charitable organization, they may have a
strategic goal to improve graduation rates by one percent next year and by five
percent by year three. Some risks may impact the coming year’s graduation
rates—for example, a teacher’s strike—though other risks may impact gradu-
ation rates in multiple future years—for example, a gradual erosion of the local
tax base resulting in less funding for education.
Money
Money is virtually always a factor and an additional key metric for NCEs.
However, NCEs tend to look at money from a different perspective than
corporate entities, particularly regarding cash inflows and cash outflows.
Generalizing the Value-Based ERM Approach & 347
C10 01/19/2011 11:9:37 Page 348
An increase in cash inflows is generally viewed favorably, because more
money translates into more services provided to stakeholders (i.e., more
objectives achieved). However, this is not always the case, and depends on
the source of the funds. Consider the federal government as the NCE. An
increase in government revenues would be favorable, for example, if the source
is an unexpected repayment of foreign debt. However, if the source is a tax
increase, then this would generally be viewed unfavorably by taxpayers, who
are a key stakeholder.
Similarly, the way in which an increase in cash outflows is viewed depends
on its use. If the use of the increase is to pay expenses, such as an increase in
vendor charges for services provided to the NCE, then this would be viewed
unfavorably. However, if the use is for an increase in services provided to
stakeholders, then this would be viewed favorably.
Rather than calculate company value, as do corporate entities, NCEs have
different key metrics related to cash flows. These metrics often focus on the
efficiencies of operating costs, the level of funding of initiatives, liquidity, and
other key metrics which recognize the different attitudes toward cash flows and
their sources and uses.
Risk Categorization
For NCEs, we will generalize the categorization of risks used in the risk
categorization and definition (RCD) tool. Rather than limit the risk categories
to strategic, operational, financial, and insurance, we will keep them open, like
a blank slate, to include any categories of risk that may be relevant to the entity.
It is not critical for risk nomenclature to conform to any standard, but it should
be clearly defined, consistently used throughout the entity, and should match
internal terminology. The value-based ERM risk categories (strategic, opera-
tional, financial, and insurance) may still wind up being the best choice for
many NCEs as well, but not for all.
Framework
The generalization of the value-based ERM approach into an objectives-based
ERM approach can be represented by changes to the value-based ERM
framework, shown in Figure 3.1, resulting in the objectives-based ERM
framework, shown in Figure 10.1, which depicts a more generic treatment
of terminology, key metrics, and risk categorization.
348 & ERM for Non-Corporate Entities
C 10
01/19/2011 11:9:37
Page 349
FIGURE 10.1 Objectives-Based ERM Framework
3 4 9
C10 01/19/2011 11:9:45 Page 350
COMPLEXITIES OF OBJECTIVES-BASED ERM
There are two main characteristics of NCEs that result in adding complexity to
the implementation of an objectives-based ERM program:
1. Multiple key metrics
2. Non-corporate culture
Multiple Key Metrics
In the value-based ERM approach for corporate entities, the presence of a
single dominant metric was a key to elegantly performing several ERM
activities. However, the objectives-based ERM approach for NCEs requires
multiple key metrics. This adds complexity to the ERM process. There are five
main ERM activities whose complexity is increased by the need for multiple
key metrics:
1. Selecting key risks. The selection of key risks is more complex in an
objectives-based ERM approach. It requires qualitative survey participants
to score severity for each potential key risk on multiple bases. In addition,
weights must be assigned, either implicitly or explicitly, to translate the
multiple severity scores, one for each key metric, into a single severity
ranking for each risk, to enable the selection of the key risks.
2. Quantifying key risk scenarios. Quantifying key risk scenarios is more
complex as well. The value-based ERM model only has to project distrib-
utable cash flow items. Cash flow items are used to measure both the net
costs of running the businesses and the results of the businesses. The
objectives-based ERM model projects cash flow items to measure net costs,
but to measure results, it instead must project values for several key
metrics. In addition, weights must be assigned, either implicitly or explic-
itly, to translate the multiple quantified impacts, one for each key metric,
into a single quantitative score for ranking each key risk scenario.
3. Focusing mitigation efforts. Focusing mitigation efforts also becomes
more complicated. Quantifying the component drivers for a particular
key risk scenario has the same complexity as quantifying key risk
scenarios, and for the same reasons. The objectives-based ERM model
is used to perform an attribution of the impact for each component
driver, for each key metric, and then weights must be assigned, either
implicitly or explicitly, to translate the multiple quantified impacts into a
single attribution, to focus prioritization of mitigation efforts.
350 & ERM for Non-Corporate Entities
C10 01/19/2011 11:9:45 Page 351
4. Determining risk appetite and risk limits. Aggregating metrics to
the enterprise level by calculating the enterprise risk exposure is more
complicated in an objectives-based ERM approach. Enterprise risk expo-
sure must be calculated on the basis of multiple metrics, just as with the
value-based approach. However, the number of key metrics is much
larger. In addition, because there is no dominant metric to serve as
arbiter for the competing multiple metrics, the definition of risk appetite
must also be expressed in terms of a much larger array of key metrics.
Analogously, this adds complexity to the risk limit setting process as well.
5. Decision making. Because risk and return are not both measured on the
basis of a single consistent metric such as company value, decisionmaking in
the objectives-based ERMapproach ismore complex. This is true for both risk-
priority and return-priority decisions. For example, if one risk-priority decision
reduces risk exposure in terms of one key metric by a given amount, and
another risk-priority decision reduces the risk exposure in terms of a different
key metric by the same amount, are they equivalent? Once again, weights
must be assigned, either implicitly or explicitly, to answer this question.
Non-Corporate Culture
An ERM program can be applied to any entity, as long as they can clearly define
their strategic objectives. Risk is defined as a deviation from expected results as
expressed in the baseline strategic plan projection. Most corporate entities have
some form of strategic plan projection, including supporting detail by business
segment, which is reproduced with each annual planning cycle. This is a
critical starting point for a value-based ERM program.
However, NCEs do not have shareholders. Their stakeholders do not look
at them as an investment. As a result, they do not have a corporate culture,
and therefore they often have a less rigorous strategic planning process and
resulting strategic plan projection. This complicates the objectives-based ERM
approach, because without a clear vision of expected results, risk cannot be
clearly defined. With NCEs, the development of a baseline strategic plan
projection is more involved, because it requires additional work.
EXAMPLES OF NCEs
The discussion in this chapter up to this point—generalizing the value-based
ERM approach into an objectives-based ERM approach, and discussion of the
added complexity this brings—along with Chapters 2 through 8, provide a
Examples of NCEs & 351
C10 01/19/2011 11:9:45 Page 352
foundation for understanding how to implement ERM for an NCE. In the
remainder of this chapter, we will discuss some examples of NCEs, and share
some additional thoughts on ERM as it relates to these entities. We will discuss
the following three examples of NCEs:
1. Non-profit organizations
2. Government bodies
3. Individuals
Non-Profit Organizations
We will discuss two examples of non-profit organizations: charitable organiza-
tions and professional associations.
Charitable Organizations
A charitable organization is a typical example of a non-profit organization.
Implementing an objectives-based ERM program for a charitable organization
is fairly straightforward, using the objectives-based ERM framework (see
Figure 10.1), which is largely analogous to the value-based ERM approach
discussed throughout this book. However, we will discuss some of the unique
aspects of setting up an objectives-based ERM approach, using a hypothetical
charitable organization called HelpKids as an illustration.
We will discuss four of these unique aspects:
1. Objectives
2. Key metrics
3. ERM modeling
4. Key risks
Objectives There are two steps to defining objectives for an NCE:
1. Identifying stakeholders. To simplify our example, HelpKids has only
one stakeholder: children living below the poverty level.
2. Defining objectives for each stakeholder. HelpKids has two major
strategic objectives:
1. Improve the education of children living below the poverty level
2. Improve the health of children living below the poverty level
Key Metrics HelpKids selects 15 key metrics for their ERM program which are a subset of the metrics used in their strategic planning process (as well as in
their business performance analysis) and which relate to their key objectives
and supporting initiatives.
352 & ERM for Non-Corporate Entities
C10 01/19/2011 11:9:45 Page 353
Seven key metrics are selected for their education program:
1. Number of children receiving HelpKids services
2. Truancy rates
3. Dropout rates
4. Standardized test scores
5. Graduation rates
6. Percentage of high school graduates entering college
7. Donations and grants received
Eight key metrics are selected for their health program:
1. Number of children receiving HelpKids services
2. Percentage of children with access to a pediatrician
3. Incidence rates of leading illnesses
4. Life expectancy
5. Mortality rates
6. Hours of weekly physical activity
7. Percentage of children with two or more daily nutritious meals
8. Donations and grants received
ERM Modeling The objectives-based ERMmodel must project values for each of these keymetrics into future years in a way that is consistent with the HelpKids
baseline strategic plan. The model must include the value drivers behind each of
these keymetrics to capture how risks, or decisions, will shock the baseline values.
The value drivers are those variables which HelpKids is likely working to improve.
For example, if truancy levels are related to three shortcomings in the child’s
environment, then HelpKids may have initiatives, supporting the strategic objec-
tive of decreasing truancy, that address each of these shortcomings.
Key Risks Once the key metrics are defined, as well as the ERM modeling methodology, the risks are identified as those events which will result in a
deviation from the baseline projection of the key metrics. A list of risks will be
populated into the risk categorization and definition (RCD) tool for use in the
risk identification process to identify the key risks.
Some examples of key risks for HelpKids are as follows:
& Various risks related to damaging HelpKids’ reputation, where the indi-
vidual sources of risk include the following: & Misappropriation of charitable funds & Any form of mistreatment of children
Examples of NCEs & 353
C10 01/19/2011 11:9:45 Page 354
& Perception of inefficient use of charitable funds (overpaid CEO, excessive
proportion of budget spent on fundraising, etc.) & Competition (for charitable donations and grants) & Economic downturn (reduces charitable donations and grants) & Inability to recruit and retain key employees & Economic upturn (makes it more difficult to recruit and retain key employ-
ees, as opportunities elsewhere increase) & Regulatory change & Compliance risk & Litigation
Professional Associations
Professional associations are a non-profit organization NCE, but they have two
qualities that make them similar to corporate entities in an ERM context. First,
they largely serve a single primary stakeholder—members—which indicates
the possibility of a single dominant key metric. Second, because the primary
stakeholders are similar to ‘‘owners’’ of the entity, a key metric can be
constructed that is a value-based metric similar to the company value metric,
based on distributable cash flows. We will introduce a hypothetical professional
association, and discuss these two qualities.
A hypothetical professional association called the American Association of
Advanced Financial Professionals, or AAAFP, has 100,000 members nation-
wide and one major strategic objective: to grow the value of the AAAFP
credential. Its members are those who:
& Pass the one-day AAAFP certification test annually & Attend 10 hours of AAAFP-provided continuing education annually & Abide by the AAAFP code of professional conduct & Pay AAAFP dues annually
Value-Based Metric The AAAFP, even though it is an NCE, has a quality that makes it similar to a corporate entity. The primary stakeholders, or the
primary beneficiaries of the entity’s activities, are the members themselves.2 A
corporate entity directly produces distributable cash flow for shareholders, in
return for their capital investment, by running a business. The AAAFP
indirectly generates additional compensation for its members, in return for their
dues and fees, by creating a valued credential recognized by employers.
As a result, we can construct a metric analogous to company value for
AAAFP: We will define credential value as the present value of projected
354 & ERM for Non-Corporate Entities
C10 01/19/2011 11:9:45 Page 355
credential cash flows. The credential cash flow measures the net cash flows
into a member’s pocket due to the credential: cash inflow from additional
compensation from their employer, less cash outflow for dues and fees to
AAAFP. The credential cash flows for a single member are calculated as
follows:
CCFmember ¼ Add0l Compmember " Duesmember " Feesmember Where:
& CCFmember ¼ credential cash flow, per member & Add0l Compmember ¼ the (estimated) additional compensation earned, per
member, by virtue of possessing the AAAFP credential & Duesmember ¼ annual membership dues, per member & Feesmember ¼ annual certification and continuing education fees, per
member
The credential cash flows for the entire entity AAAFP can be calculated as
follows:
CCFAAAFP ¼ XN
i¼1 CCFi
Where:
& CCFAAAFP ¼ credential cash flow for AAAFP & CCFi ¼ credential cash flow, per member i & N ¼ total number of AAAFP members
The credential value for AAAFP is calculated by projecting CCFAAAFP into future years, and taking the present value, using a discount rate:
Credential value ¼ XM
j¼1 ðCCFAAAFP:Year jÞ x 1ð1þ dÞj
Where:
& CCFAAAFP:Year j ¼ credential cash flow for AAAFP, in projection year j & j ¼ year of the projection & M ¼ total number of years in the projection & d ¼ the discount rate
Other key metrics can be developed as well. In addition to the total
credential value for the organization, AAAFP can estimate the average
Examples of NCEs & 355
C10 01/19/2011 11:9:45 Page 356
credential value per member, the average credential value per member by
subgroup, and other useful metrics.
Credential value is a value-based metric analogous to company value. It
can provide some of the facility afforded by the value-based ERM approach for a
corporate entity and avoid some of the additional complexities usually present
in an objectives-based ERM program for an NCE, as discussed earlier.
However, the credential value metric is not exactly the same as the
company value metric. The credential value metric has one major short-
coming. The credential value metric equates losses in growth of numbers of
members with losses in compensation, and these are not necessarily viewed
equally by members. Consider the following example of two key risk events,
along with their potential impacts on credential value:
1. Immediate and permanent 5 percent decrease in Add0l Compmember (the
additional compensation earned, per member, by virtue of possessing the
AAAFP credential), decreasing credential value by 5 percent
2. Recruiting produces fewer new members than expected over time, de-
creasing credential value by 5 percent
The impacts of these two key risk events on credential value are identical.
However, although shareholders are indifferent between two equivalent de-
creases in company value, the same is not true for member attitudes toward all
equivalent decreases in credential value. Members are likely to prefer the
second key risk event—the loss, versus expectations, of some future new
members—rather than the first key risk event—the immediate and permanent
loss of some of their own compensation.
Single Dominant Key Metric The AAAFP appears to be similar to a corporate entity in that it seems to have a single primary stakeholder, which
implies the possibility of a single dominant metric and all its corresponding
advantages, as with the company value metric. Unfortunately, this is often not
precisely the case. Professional associations often have sub-constituencies
which must be identified and served individually. For example, it may be
necessary to separate the AAAFP members into subgroups, because some key
risks may impact one subgroup more than others. Some examples of necessary
subgroups may include:
& Experience level (such as number of years in the industry) & Geographical differences (such as different regions of the country)
356 & ERM for Non-Corporate Entities
C10 01/19/2011 11:9:46 Page 357
& Industry sector (energy, manufacturing, banking, insurance, etc.) & Practice area (accounting, financial projections, ERM, etc.)
In other words, once again, not all impacts on credential value are equi-
valent. Consider the following example of two key risk events, along with their
potential impacts on credential value:
1. California passes a regulation resulting in the elimination of all 1,000
jobs in the state for AAAFP professionals, decreasing credential value by
1 percent
2. A federal regulation passes decreasing Add0l Compmember by 1 percent
The impacts of these two key risk events on credential value are identical.
However, members are likely to prefer the second key risk event—the relatively
palatable loss of 1 percent of the additional compensation earned from having
the credential—rather than the first key risk event—the total loss of compen-
sation (not just the loss of 100 percent of the additional portion attributable to
the credential) of 1,000 of their AAAFP brothers and sisters.
Government Bodies
Government bodies, particularly at the federal level, present special challenges
for ERM. They have a large number of stakeholders and strategic objectives,
both of which are not only difficult to clearly define, but which also shift in
relative importance, sometimes dramatically, based on fickle internal political
winds and highly dynamic external factors. In addition, politics will often
trump funding allocation recommendations based on need. The easiest gov-
ernmental bodies at which to implement an ERM program are sub-entities,
which often have clear, ongoing tasks with a fairly certain budget, and which
can benefit from ERM’s superior identification of risk–reward trade-offs to better
prioritize efforts within the given budget.
The Need for ERM at the Federal Level
Despite the difficulty involved, it is worthwhile to consider applying ERM at the
federal level. This is the level at which the largest opportunity for a positive
impact exists. The primary role of the federal government is to protect people.
Countries face a large number of threats from a wide variety of sources, yet the
risks are usually managed in silos, by department, without much integration.
Let’s take the United States as an example.
Examples of NCEs & 357
C10 01/19/2011 11:9:46 Page 358
After the September 11th attacks, the U.S. federal government recognized
the need for a better approach to manage terrorist threats, including broader
sharing of information for risk identification and better coordination of risk
assessment, prioritization, and response. There were two major changes that led
to improvement: consolidation of agencies and centralization of responsibility.
The first change was to consolidate some agencies under a new umbrella:
the Department of Homeland Security (DHS). DHS contains several agencies
related to securing the border (such as the Coast Guard, the Transportation
Security Administration [TSA], and immigration-related agencies), Federal
Emergency Management Agency (FEMA), and the Secret Service. This was
not a complete consolidation, because the Federal Bureau of Investigation
(FBI) and the Central Intelligence Agency (CIA) remained separate.
The second change was to centralize responsibility. The federal govern-
ment established a central point for coordination and integration of all activities
related to terrorist threats, creating the Office of the Director of National
Intelligence (ODNI). The Director of National Intelligence (DNI) is the single
point person responsible to coordinate and integrate the approach to defending
against terrorist threats. According to the ODNI Web site, the DNI is ‘‘over-
seeing and directing the implementation of the National Intelligence Program
and acting as the principal advisor to the President, the National Security
Council, and the Homeland Security Council for intelligence matters related
to the national security.’’ In addition, ‘‘ . . . the DNI’s goal is to effectively
integrate foreign, military, and domestic intelligence in defense of the home-
land and of United States interests abroad.’’3
However, the federal government did not integrate the approach for
managing risks from other sources. Table 10.1 shows a partial list of U.S. federal
agencies along with an example of the risks for which they are responsible. This
is a silo approach to risk management, whose disadvantages were enumerated
in Chapter 2.
What is needed is not so much a consolidation of these federal agencies;
rather, what is needed is leadership in coordinating and integrating these risk
management efforts. Without a leader to implement an ERM program at the
federal level, it is undoubtedly the case that resources are wasted on risks
that should be lower priority, but, far more worrisome, that some of the largest
threats are not receiving the priority they need. Whereas the DNI is intended to
be such a coordinating leader for terrorism-related threats, what is needed is an
equivalent leader for coverage over all sources of risk, such as a Director of
National Risk Management, or DNRM. The DNRM would lead the implementa-
tion of an ERM approach at the federal level.
358 & ERM for Non-Corporate Entities
C10 01/19/2011 11:9:46 Page 359
There is much to be gained, at the federal level, in using an ERM approach.
Some of the more important benefits include the following:
& Clear identification of overlaps and gaps in the responsibilities for key
threats, using a consistent approach to identifying risks by source & Uniform approach to identifying all types of emerging risks & Better prioritization: Identifying key risks through qualitative risk assess-
ments and ranking their key risk scenarios by quantifying their potential
impact on key metrics; see ‘‘Threats to the Financial Stability of the
Country’’ & More efficient allocation of limited resources by focusing mitigation on the
most impactful component drivers of key risk scenarios, through quanti-
tative attribution analysis & Better decision making based on quantifying the relative impact of
alternative options, using an objectives-based ERM model & Simpler method of sharing risk information across all federal agencies,
using a standardized terminology for risk
TABLE 10.1 Federal Agencies Responsible for Managing Risks (Partial List)
U.S. Federal Agency Examples of Risk Source Managed
Army Corps of Engineers Disasters
Board of Governors of the Federal Reserve System (the Fed)
Economic instability
Centers for Disease Control and Prevention (CDC) Disease
Central Intelligence Agency (CIA) Foreign threats
Department of Defense (DoD) Military attacks
Environmental Protection Agency (EPA) Damage to the environment
Federal Aviation Administration (FAA) Airplane crashes
Federal Bureau of Investigation (FBI) Organized crime
Terrorism on U.S. soil
Food and Drug Administration (FDA) Food poisoning
Department of Homeland Security (DHS) Terrorist attack
National Highway Traffic Safety Administration (NHTSA)
Automobile accidents
Securities and Exchange Commission (SEC) Defrauding investors
Examples of NCEs & 359
C10 01/19/2011 11:9:58 Page 360
Implementing ERM at the Federal Level
We will begin the discussion on how to implement ERM at the federal
government level to illustrate the different approach needed for government
entities; however, we will not complete it. A comprehensive discussion on this
topic would require its own book.
Imagine that the U.S. federal government establishes a new position of
Director of National Risk Management (DNRM). Unlike the DNI, the DNRM’s
purview is over all sources of risk for the country. Now, imagine that the DNRM
asks us to assist in establishing an ERM program at the federal level. Howwould
we begin? How would we set the priorities?
We will recommend an objectives-based ERM approach. The following
discussion is just a beginning on how to think through some of the unique
THREATS TO THE FINANCIAL STABILITY OF THE COUNTRY
One specific application of ERM that is worth highlighting further is theability to rank key risk scenarios by quantifying their potential impact on key metrics. This can be used for an issue of vital importance to the U.S. economy. The Financial Stability Oversight Council, established by the Dodd-Frank bill passed in response to the global financial crisis that began in the United States in 2007, is charged with taking three actions related to large and complex financial institutions:
1. Establish regulatory authority over non-bank financial companies that ‘‘pose a risk to the financial stability of the U.S.’’
2. Put restrictions on financial companies that ‘‘pose risks to the financial system’’
3. Break up financial companies that ‘‘pose a grave threat to the financial stability of the U.S.’’
The ability to rank key risk scenarios by quantifying their potential impact on keymetrics can be used to identify and rank the entities that present these threats to the economy if they were to fail. Scenarios can be developed for the failure of firms that potentially represent this level of risk to the economy, and the impacts can be evaluated on a consistent basis and compared to identify the largest threats. In addition, an objectives-based ERM approach can also provide an ability to evaluate mitigation options to reduce the level of riskiness (e.g., the level to which firms may need to be broken up).
360 & ERM for Non-Corporate Entities
C10 01/19/2011 11:10:10 Page 361
aspects of implementing an objectives-based ERM program for the federal
government. We will discuss three of these unique aspects:
1. Objectives
2. Key metrics
3. Decision making
Objectives There are two steps to defining objectives for an NCE:
1. Identifying stakeholders. The federal government is an NCE with a
single primary stakeholder: citizens. However, there are many other
stakeholders, or entities that receive government services. One example
is legal aliens residing in the country on their way to citizenship. Another
example is visitors to the country.
Two additional examples of noncitizen stakeholders relate to entities
outside the United States. Each of these examples serves to illustrate
the complex nature of government NCEs. One example is U.S. allies. The
United States, as do all countries, provides assistance to its allies. Some
of this assistance is provided in the indirect service of achieving objec-
tives for U.S. citizens; for example, providing intelligence services in
exchange for similar assistance in return, which protects U.S. citizens.
However, other assistance is provided altruistically, where the govern-
ment is acting more like a charitable organization, with little or no
expected benefit to its citizens in return; for example, gifts to poverty-
stricken nations.
A second, though rare, example of stakeholders outside the country, is
U.S. adversaries. When a major disaster strikes adversaries, the United
States tends to offer assistance in the form of relief efforts; for example, the
United States sent aid to Iran in response to a December 26, 2003,
earthquake measuring 6.6 on the Richter scale.4
2. Defining objectives for each stakeholder. To simplify our discussion,
we will only address the citizen stakeholder from here onward. Now we
must define all of the federal government objectives related to serving the
citizen stakeholder. The U.S. federal government has numerous such
objectives. We will simplify the discussion by selecting only one objective:
protecting the lives of citizens. This is the first of the three ‘‘unalienable
rights’’ listed in the U.S. Declaration of Independence, as ‘‘life, liberty, and
the pursuit of happiness.’’
Examples of NCEs & 361
C10 01/19/2011 11:10:10 Page 362
Key Metrics What should be the key metric, or metrics, for protecting the lives of citizens? Should it be the number of lives? For example, do we want to
quantify key risks in terms of their potential impact on the number of lives
lost? To see why this is not a sufficient metric, consider that two people are
about to fall off of a cliff, and you can only reach out and save one of them.
The number of lives lost in either case is one. However, one person is 90 years
old and the other is 10 years old. Which one do you save? Most people would
say the 10-year-old. Why? Because the child has many more future expected
life-years to live. Now we have just moved beyond the ‘‘number of lives lost’’
metric, and into the realm of the ‘‘life-years lost’’ metric, which is better.
But is it that simple? Does the life-years lost metric capture all of society’s
values toward protecting life? Not exactly. Society does sometimes send its
young women and men to fight and die to allow the rest of society to live in
freedom.5 Now, we have just moved beyond the life-years lost metric, and,
adding a multiplier representing the quality of life, into the realm of the
‘‘quality-life-years lost’’ metric. Life by itself is not enough, because our
societal values reveal that we put living in freedom above that, at times.
There are many other factors that can be included in a quality-of-life
multiplier.
But is it even that simple? Which of the following two threats would you
rank as a higher priority, in terms of the quality-life-years lost metric, assuming
that they are both equally likely to occur?
1. A terrorist attack that kills 10 people
2. A terrorist attack that makes 10,000 people ill, causing each of them to
lose one-tenth of one year (0.1 years) off of their life expectancy
Let’s assume there is no quality of life issue, and that our key metric is
reduced to a life-years lost metric. Further, let’s assume that each of the people
involved at the time of the attack has 50 more expected life-years. Each threat
has the following impact on the life-years lost metric:
1. 500 life-years lost (10 people & 50 years) 2. 1,000 life-years lost (10,000 people & 0.1 years)
By the numbers, the second threat is twice as large. But would this be a
higher priority to you?Wouldn’t 1,000 people each give up just a little over one
month of their life expectancy to collectively help save 10 people’s lives?
Different people may answer differently, but there is not a clear answer. As a
362 & ERM for Non-Corporate Entities
C10 01/19/2011 11:10:10 Page 363
result, a more sophisticated metric may be warranted. Refinements needed
may depend on the context in which the metric is used.
This illustrates the complexity involved in trying to measure something
even as simple as the goal of protecting life. This is not an academic discussion.
There are metrics in use by governments and other organizations that attempt
to capture life-years, including a quality of life adjustment. For example, the
World Health Organization (WHO) uses a years of life lost (YLL) metric
analogous to our life-years lost metric. The WHO also uses a disability-adjusted
life years (DALY) metric, which is a form of a quality-of-life adjustment to life
years, related to our quality-life-years lost metric.6 Another example is the
United Nations’ Human Development Index (HDI), which attempts to capture
the level of well-being of a country’s citizens. The HDI combines many factors,
such as life expectancy and standard of living.7
DecisionMaking Assume now that we have mapped out the major federal government stakeholders, the objectives related to each stakeholder, and
the key metrics for each of the objectives. Decision making at the federal
government level is complex, and any one decision may negatively impact
one or more key metrics while simultaneously positively impacting one
or more other key metrics. One example is highway speed limits. We
know with certainty that if we legislate and enforce lower speed limits
on highways, it will save a significant number of lives. However, our choice
to keep speed limits at their current level reflects our relative weights for
competing key metrics, where one is ‘‘protecting lives’’ and let’s say, for
simplicity sake, that the other may be represented as ‘‘economic prosperity,’’
because rapid transit by automobile is a contributor to economic growth.8
However, these weights are assigned implicitly, not explicitly, and a more
explicit treatment, which is facilitated by an ERM program, may lead to better
decision making.
An example of a related project that has some of the integrated character-
istics of an objectives-based ERM approach is a traffic model called the Balanced
Transportation Analyzer, designed by traffic expert Charles Komanoff. The
Komanoff traffic model is designed to help government entities make more-
informed trade-off decisions between traffic fees and tolls and the resulting
integrated economic impact on citizens. The model factors in the explicit
impacts of new fees and tolls, as well as the implicit impact of congestion
on productivity, and has a holistic scope, recognizing time of day, whether
citizens live in the city or the suburbs, and even delays caused by passengers
digging for change in their pockets before boarding a city bus.9
Examples of NCEs & 363
C10 01/19/2011 11:10:10 Page 364
Individuals
Not only can ERM be applied to corporate entities and non-profit organizations,
but, as we have just discussed, it can be applied at a higher level of abstrac-
tion—at the government (or country) level. However, ERM can also be applied
at a lower level of abstraction—at the individual level.
The Need for ERM at the Individual Level
We each, as individuals, are prime candidates for the application of an
objectives-based ERM approach. We face a variety of risks. We lack a holistic
approach to identifying, prioritizing, and mitigating the risks particular to our
individual situation. As a result, we make suboptimal decisions, based on a silo
risk management approach, to allocate mitigation funds. This leads to a higher
likelihood of failing to achieve our individual goals.
We face a variety of risks. A partial list of such risks includes the following:
& Dying too soon & Living too long (outliving our assets) & Accidental injury (such as an automobile accident) & Medical illness & Disability & Unemployment & Disaster (such as a fire or flood that causes property damage) & Investment risk & Divorce & Litigation & Theft
There is no one place where we can get an objective qualitative ranking
of all of the risks specific to our situation, to allow us to identify our key risks. It
is rare to find an unbiased advisor who is qualified to help us identify and
prioritize all the risks we personally face, for our particular situation. Some
people use fee-based financial planners for this, but their expertise is usually
limited to investment risk and they do not use ERM-like tools and techniques;
see ‘‘Risk Appetite in Five Questions?’’
Without a holistic view on the relative importance (or even existence)
of each of the key risks we should be mitigating, we typically go to a variety
of places for advice as well as mitigation, for one risk at a time. For example,
we may go to an insurance salesperson to figure out how much life insurance
364 & ERM for Non-Corporate Entities
C10 01/19/2011 11:10:10 Page 365
RISK APPETITE IN FIVE QUESTIONS?
An important part of an ERM process is the definition of risk appetite, orwhat some refer to as risk tolerance. For corporate entities, this involves inferring the will of the shareholders in terms of the level of risk they want the company to take. For individuals, this involves understanding their personal tolerance for failing to achieve their goals.
Financial planners typically attempt to capture an individual’s risk appetite by having them answer about five questions, sometimes more. The questions usually relate to the individual’s feelings about the de- sired investment time horizon, expected returns, and tolerance for vol- atility and losses. These answers are used to map the individual into one of usually five categories, sometimes more, ranging from conservative to aggressive, or something similar. The category is then mapped to a recommended allocation for investing assets among stocks, bonds, and cash investments.
This is a crude approach, for three main reasons:
1. Incomplete sources of risk. The financial planning approach only looks at sources of risk related to invested asset fluctuation. This ignores the vast majority of an individual’s key risks, such as illness, early death, unemployment, divorce, and so on.
2. Poor risk measure. The financial planning approach expresses risk in terms of the volatility of invested assets. Instead, risk must be expressed in terms of a failure to achieve the individual’s goals. For example, an individual is shown that a given portfolio allocation will result in only a 35 percent chance of meeting all of his or her goals.
3. Incomplete portfolio. The financial planning approach only addresses the individual’s portfolio in terms of stocks, bonds, and cash invest- ments. What is needed is a holistic look at the entire portfolio of holdings, including stocks, bonds, cash, life insurance, medical insur- ance, disability insurance, unemployment insurance, immediate annui- ties, deferred annuities, and so on. All of the financial instruments can be reduced to their basic cash flows, integrated into a single projection model, and evaluated in terms of how they mitigate key risk scenarios by dampening their cash flow impacts.
In contrast, an ERM approach resolves all of the shortcomings in the financial planning approach to determining risk appetite. The ERM approach includes all sources of risk, expresses risk in terms of the impact on the ability to achieve the individual’s goals, and examines a complete portfolio of financial products.
Examples of NCEs & 365
C10 01/19/2011 11:10:22 Page 366
to buy, we may get information from our employer on health insurance
coverage options, we may go to an investment broker for advice on invest-
ment portfolio allocations (e.g., mix of stocks, bonds, and cash), and so forth.
This is a silo approach, which is suboptimal. We lack an objective
recommendation on how to most effectively allocate our resources to mitigate
the entire portfolio of risks that we personally face. As a result, we are not
necessarily making the best risk–reward decisions regarding our lives. Even if
each advisor was completely unbiased, a silo approach can result in over-
mitigating risks that are relatively unimportant for our situation, while
ignoring, or under-mitigating, some of our biggest threats.
We need a holistic approach—one that includes all potential sources or
risk. We don’t care which source of risk causes us to go bankrupt . . . we just
don’t want to go bankrupt. A holistic approach to understanding our risks can
lead to a re-allocation of funds that makes us more likely to achieve our
individual goals.
Implementing ERM at the Individual Level
We will discuss three aspects of applying an objectives-based ERM approach to
individuals:
1. Objectives
2. Key metrics
3. ERM modeling
Objectives There are two steps to defining objectives for an NCE:
1. Identifying stakeholders
2. Defining objectives for each stakeholder
Individuals serve multiple objectives, such as providing cash flows—to
themselves, dependents, and charities—as well as intangible items. For our
discussion, we will focus only on the objective of providing cash flows.
1. Identifying stakeholders. For simplicity, we will use an example of an
individual with the following situation: & Married & Two children dependents & Two living parents, one from each spouse & Core value of donating money to charity each year
366 & ERM for Non-Corporate Entities
C10 01/19/2011 11:10:22 Page 367
The stakeholders for individuals typically change over their lifetimes.
Let’s assume we are interested in an objectives-based ERM program whose
time horizon is the length of the individual’s lifetime, or that of the spouse’s,
whichever is longer. In this case, we must consider current stakeholders
and likely future stakeholders. The current stakeholders include the
individual, the spouse, their two children, and the charity to which
they donate. Depending on the health and financial situation of the
two living parents, as well as other factors, the parents may become
stakeholders in the future. Each stakeholder has a different level of
importance, and this will factor into trade-off decisions; for example,
most individuals in this situation place the highest level of priority on
their two children.
2. Defining objectives for each stakeholder. Each individual has differ-
ent goals, and the objectives-based ERM approach must be customized to
each person. However, we will use a simplified objective by assuming that
this individual, jointly with his or her spouse, has only the following goals,
in priority order: & Maintain their current standard of living & Fund their children’s education costs through college & Fund long-term care costs for their parents & Fund their children’s wedding costs & Donate to charity each year & No specific goal for leaving an inheritance, but wishing to leave no debt
All of these goals can be summarized in a single objective of ‘‘having
sufficient funding for these goals, with no debt remaining after the death of
both the individual and his or her spouse.’’
Key Metrics In an objectives-based ERM approach for this individual, it may initially appear that we only need a yes/no indicator for whether or
not the single objective is met over the entire projection period. For example,
the impact of any individual risk scenario may be quantified in terms of
whether there was a failure to meet the objective at any time over the
projection period.
However, this is too simple for two reasons. The first reason is that not all
failures are equal. For example, if one risk scenario results in the individual
coming up one dollar short of funding the goals in the last year of the
projection (i.e., leaving one dollar of debt to their heirs), this is not the same
as massive debt resulting in bankruptcy in the 10th year of the projection.
Examples of NCEs & 367
C10 01/19/2011 11:10:22 Page 368
Both the severity and the timing of any shortfall are meaningful factors and
they must also be captured. The second reason a yes/no failure indicator is
too simple is that an ERMmetric should capture the upside as well. Those risk
scenarios that succeed in meeting the goals must be differentiated by the size
of their positive impacts.
There are a variety of ways to define key metrics to adequately quantify
the risks for this individual. One example involves two key metrics. The
first key metric measures the failures, capturing the severity of the short-
fall and its timing. This key metric is the present value of the largest shortfall
over the projection period. The second key metric measures the successes,
capturing the magnitude of the upside. This key metric is the amount of the
inheritance, or, the accumulated net worth, equal to assets less liabilities,
upon the death of the remaining spouse. Although this individual did not
have a specific goal for the size of an inheritance, more is assumed to be better,
and this is a good way to capture the accumulated positive impacts of any
risk scenario.
ERM Modeling The objectives-based ERM model must include a baseline cash flow projection, supported by an income statement and balance sheet.
The income must reflect all sources, such as salary, bonus, investment
income, and so on, expected from both spouses. The expenses must reflect
all expected expenses, such as mortgage payments, food, insurance for
current dependents, and so on, as well as the funds needed to meet each
of the individual goals in the objective, such as vacations, entertainment,
payments to the college fund, and so on. The balance sheet must reflect all
invested assets, such as stocks, bonds, cash, insurance policy cash surrender
values, home equity, and so on, as well as liabilities, such as mortgage and
other outstanding loans.
The ERM model must also reflect the entire current portfolio of
products—both investment (stocks, bonds, and cash) and insurance (life,
health, annuities, etc.)—in terms of how they act as mitigation, protect-
ing the baseline projected cash flows from a variety of risks. In addition, the
ERM model must be able to incorporate additional purchases (or sales) of
these products, in support of decision making. This provides a powerful ability
to the individual: to find the best allocation of limited funds, across all types of
financial products, that will best protect the individual against all of their
specific key risks, over a lifetime, giving the individual the best chance of
achieving his or her goals.
368 & ERM for Non-Corporate Entities
C10 01/19/2011 11:10:22 Page 369
SUMMARY
We can generalize the value-based enterprise risk management approach for
corporate entities into an objectives-based entity risk management approach for
all types of non-corporate entities (NCEs). NCEs present additional challenges for
ERM, mostly due to the absence of a single dominant metric, but the payoffs are
worthwhile. An objectives-based ERM program can help NCEs domore with less,
and increase the likelihood of achieving their multiple objectives. For professional
association non-profits supplying credentials to their members, an objectives-
based ERM approach has the added advantage of being able to calculate
credential value, the dollar value of the credential to each member and to the
association as a whole. There is much to gain by applying ERM to federal
governments, because they are large, silo-based, and impact the health, welfare,
and security of all their citizens. Finally, individuals like me and you need ERM as
well. We have a wide variety of risks facing us and no single place to go to for
advice, whether to identify our biggest threats, to measure them, or to mitigate
them. An objectives-based ERM approach can help individuals like us achieve an
integrated view for diversifying across investment, insurance, and other financial
products, in a manner tailored to our personal goals, the risks we face, and our
tolerance for risk.
CONCLUSION
This concludes our discussions of ERM . . . at least for now. I hope you found
this enjoyable as well as useful. Thank you for your time and attention.
I would be pleased to continue our discussion anytime. Please feel free to
do any or all of the following:
& E-mail me directly: [email protected] & Visit my Web page with additional resources related to this book:
www.simergy.com/ermbookresources & Visit my Web site with additional resources related to ERM:
www.simergy.com
NOTES
1. We will use ERM as an acronym for both enterprise risk management and
entity risk management.
Notes & 369
C10 01/19/2011 11:10:23 Page 370
2. Technically, future members are also stakeholders, because the goal is to
grow the value of the credential, and part of that is growth in membership;
however, they are secondary to current members. In addition, the general
public is also a stakeholder, but serving the general public is understood, and
is also secondary to, and subsumed in, the goals of the members, because
(a) the AAAFP entity would not exist without the members, and (b) if the
public interest is violated, this will damage the credential and thereby the
members.
3. Although national security is a much broader responsibility than terrorist
threats, it is the latter that was the primary reason for establishing a
DNI role.
4. ‘‘Assistance for Iranian Earthquake Victims.’’ Available at www.usaid.gov/iran/
5. This relates to the second of the unalienable rights mentioned earlier: liberty.
6. ‘‘Distribution of years of life lost by broader causes (percentage of total).’’
Available at www.who.int/whosis/indicators/compendium/2008/1llr/en/
index.html
7. UN Human Development Index - Definition. Available at www.wordiq.com/
definition/UN_Human_Development_Index
8. This relates to the third of the unalienable rights mentioned earlier: pursuit
of happiness.
9. Felix Salmon, ‘‘The Man Who Could Unsnarl Manhattan Traffic,’’ Wired,
May 24, 2010.
370 & ERM for Non-Corporate Entities
BGLOSS 01/05/2011 18:43:24 Page 371
Glossary
10 Key ERM Criteria Ten critical characteristics that define an ERM
program, and which can be used as a benchmark to evaluate the robust-
ness of any ERM program.
Agency risk A misalignment of interests between management and the
primary stakeholders.
Aggregated metrics Two ERM metrics at the enterprise level: enterprise
risk exposure and risk appetite.
Balanced scorecards A tool for performance measurement and manage-
ment that includes financial goals and non-financial goals.
Basel Accords Guidelines developed by a group of global banking regulators
in an attempt to improve risk management practices. Basel II, an interna-
tional guideline for risk management, influenced the advancement of ERM
practices in the financial services sector.
Baseline company value Management’s calculation of company value
based on distributable cash flow projections consistent with the strategic
plan baseline financial projection. This is management’s estimate of share-
holder value, contrasted with market capitalization, which is the market’s
estimate of shareholder value. The baseline company value is the value
investors would pay today, if they believed that management will be able to
perfectly execute the strategic plan and that everything will go the way the
company expects. This is the baseline fromwhich any deviation constitutes
a risk in the value-based ERM approach.
Baseline risk scenario The risk scenario which is neither upside nor
downside but where the risk event occurs precisely as expected in the
baseline strategic plan financial projection. Technically, this is not a risk,
but it is tracked as one for ERM modeling purposes.
Basis points An expression of percentages in unit terms, where 1.00 percent
is expressed as 100 basis points.
371
BGLOSS 01/05/2011 18:43:24 Page 372
C-Suite Chief executives, such as chief executive officer (CEO), chief financial
officer (CFO), and chief risk officer (CRO).
CAGR See Compound annual growth rate.
Capital requirements Requirements by external stakeholders, such as
regulators or rating agencies, to hold a certain amount of capital as a
buffer against existing liabilities.
Cash flow The cash generated by the business.
CDO See Collateralized debt obligation.
CDS See Credit default swap.
Chief risk officer (CRO) Head of the ERM team, an executive who champi-
ons the ERM program development, maintenance, and enhancement.
Collateralized debt obligation (CDO) A bond with payments based on
cash flows from a package of mortgage products, such as mortgage-backed
securities (MBSs) and collateralized mortgage obligations (CMOs), with
different levels of risk, called tranches, based on how the cash flows will be
divided up.
Company value An internal valuation, performed by management, which
calculates the value of the company from the perspective of the share-
holders as the present value of distributable cash flows. See Baseline
company value.
Technically, company value also includes distributable equity capital at
time zero, which is calculated differently for different types of companies.
For non-financial services companies, it is adjusted shareholder equity. For
financial services companies, it is available capital (adjusted shareholder
equity minus required capital). To simplify our discussions and illustrations
in this book, we omit this.
Competitor risk Unexpected change in competitive landscape, such as new
entrants, aggressive competitor actions against the company, and price
wars.
Compliance risk Level of compliance not matching expectations, such as
financial reports are not as accurate as expected.
Component risk driver One of the driving factors in the financial impact of
a risk scenario, and whose marginal impact is quantified with an attribu-
tion calculation, which is used to focus mitigation efforts.
Compound annual growth rate (CAGR) The growth over a period of
years reduced to an annualized rate.
372 & Glossary
BGLOSS 01/05/2011 18:43:24 Page 373
Concentration risk Definition 1: A misnomer, because this is not a source
of risk. Concentration risk refers to a high level of risk exposure from one
particular risk source or group of sources.
Definition 2: A concentration of power, such as in the form of a rainmaker,
a mastermind, a critical supplier, a large customer, or a large distributor.
Conduct risk Unexpected conduct by management, staff, board member, or
other person identified with the company. Some examples include un-
seemly public behavior, criminal conduct, and fraud.
Corporate ERM See ERM team.
Correlation See Risk correlation.
COSO An internal control framework, developed in the early 1990s, in-
tended as a process to help achieve effectiveness and efficiency of opera-
tions, reliability of financial reporting, and compliance.
Cost of capital The cost of company funds, including equity from share-
holders and debt from bondholders.
Cost of equity capital The required returns from shareholders for their
investment.
Credential cash flow (CCF) The net cash flows into a professional associa-
tion member’s pocket due to the credential, such as cash inflow from
additional compensation, less cash outflow for dues and fees.
Credential value The collective value of a professional association’s cre-
dential, calculated as the present value of projected credential cash flows
(CCFs) for all members.
Credible worst-case scenario A scenario whose likelihood of occurrence is
remote, but not out of the realm of possibility, and where the severity of
impact would be significant. This is used in the qualitative risk assessment
scoring and in the risk scenario development FMEA interviews.
Credit default swap (CDS) Insurance against the failure of a given entity,
with regular premium payments made to the issuer and a large payment
made by the issuer if the entity fails.
Credit risk Unexpected changes in credit markets (availability), prices
(credit spreads), or creditworthiness of issuers, related to (a) general credit
market movements (although the source for this is often economic risk) or
(b) a specific issuer of a fixed income security on the company’s balance
sheet or (c) a counterparty to whom the company has extended credit.
CRO See Chief risk officer.
Glossary & 373
BGLOSS 01/05/2011 18:43:24 Page 374
Deterministic risk scenarios Individual risk scenarios, selected using
human judgment, and which remain static with each run of the ERM
model.
Director of National Intelligence In the United States, the single point
person responsible to coordinate and integrate the approach to defending
against terrorist threats.
Disaster risk Unexpected natural or man-made disasters, such as weather-
related (for example, hurricane, flood, tornado, earthquake, and drought),
health-related (such as pandemic), accidental (such as fire), general acts of
destruction (such as war, terrorism, and rioting), and specific acts of
destruction against the company (such as product tampering, attack on
employees, and sabotage). This also includes unexpected man-made disas-
ters caused by company employees or agents, such as environment damage.
Discount rate The interest rate used to discount cash flows in a present
value calculation. The appropriate discount rate depends on the perspec-
tive of the entity valuing the cash flows. For example, a discount rate equal
to the cost of equity capital is used in a company value calculation
involving the present value of distributable cash flows to shareholders.
Dispersion analysis An analysis performed on both the likelihood and
severity scores in the qualitative risk assessment to identify any scores for
which there is not a clear initial consensus.
Distributable cash flow Cash flow available to be distributed to share-
holders, generally calculated as net income, plus depreciation and
amortization, minus increase in working capital, minus capital expen-
ditures. For financial services companies, it is calculated as net income,
plus depreciation and amortization, minus increase in working capital,
minus capital expenditures, minus increase in required capital. Techni-
cally, distributable cash flow also includes changes in the level of debt,
which includes repayment of principal to bondholders as well as issuance
of new debt; to simplify our discussions and illustrations in this book, we
omit this.
Distribution A range of potential outcomes and their likelihood. An exam-
ple is enterprise risk exposure in graph form, where the vertical axis is
likelihood of occurrence and the horizontal axis is severity of outcome.
DNI See Director of National Intelligence.
Dodd-Frank legislation U.S. legislation, effective July 2010, formally
named the Dodd-Frank Wall Street Reform and Consumer Protection
374 & Glossary
BGLOSS 01/05/2011 18:43:24 Page 375
Act, commonly named for its sponsors in the Senate and House of
Representatives, and intended as a response to the global financial crisis.
Downside risk event The occurrence of a risk scenario where results are
below expected, or baseline projections.
Downside risk scenario A risk scenario where results are below expected,
or baseline projections.
Downside standard deviation (DSD) A measure of dispersion below
baseline expectation, downside standard deviation, or sdownside, is calcu-
lated as
ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi 1
m
Xm
y¼1 y" !!xð Þ2
s , where m is the number of data points in the
distribution that correspond to a result below baseline expectations, y is a
single data point that corresponds to a result below baseline expectations,
and x ¼ is the baseline expectation.
Downside volatility A general reference to the level of downside risk,
or the range of likelihoods corresponding to results being below baseline
projections.
Economic capital (EC) A measurement, commonly used in the insurance
sector, of the amount of capital needed on hand today to limit the
probability of ruin, over a given time horizon, to within a given small
predefined likelihood.
Economic risk Unexpected changes in the economy. This is often the source
of risk that triggers multiple simultaneous unexpected changes in other
items, such as consumer disposable income (impacting demand for the
company’s products or services), employment markets (impacting the
company’s fixed expenses), inflation/deflation (impacting the company’s
variable costs), items related to market risk, and items related to credit risk.
Embedded value (EV) At an insurance company, embedded value is the
portion of the insurer’s value attributable solely to the ‘‘inforce’’ business,
which is a run-out of the insurance policies already on the books, and
excludes new business expected to be sold in the future.
Emerging risk identification The third component of the risk identifica-
tion ERM process step, this is a process to (a) monitor known non-key risks
for any changes that might increase their ranking enough to become key
risks; and (b) to scan the environment for unknown risks.
Enterprise risk exposure A calculation that reflects the current aggregate
enterprise-level risk exposure, in the form of a distribution representing
Glossary & 375
BGLOSS 01/05/2011 18:43:24 Page 376
the full range of possible combinations of individual risk scenarios. The
graph form depicts the entire distribution. The table form expresses select
‘‘pain points’’ in terms of their likelihood of occurrence and severity of
impact.
Enterprise risk management (ERM) Definition 1: The process by which
companies identify, measure, manage, and disclose all key risks to increase
value to stakeholders.
Definition 2: A business process that satisfies the 10 key ERM criteria.
See Value-based enterprise risk management and Entity risk
management.
Entity risk management (ERM) A generalized version of enterprise risk
management used for non-corporate entities (NCEs) such as non-profit
organizations, government bodies, and individuals. SeeObjectives-based
entity risk management and Enterprise risk management.
ERM See Enterprise risk management or Entity risk management.
ERM committee An executive-level committee, often chaired by either the
CEO or the CRO, which has a primary role of defining risk appetite and risk
limits and managing enterprise risk exposure to within these tolerance
limits.
ERM framework The functional structure of ERM, describing what activi-
ties take place, in what order they take place, and how they interact.
ERMmodel A financial model, which, in a value-based ERM approach, is in
the form of a spreadsheet-based tool that calculates the baseline company
value, as well as changes in the baseline company value resulting from one
or more individual key risk scenarios occurring at a time.
ERM process cycle The continuous, evolving, and integrated process cycle
involving four ERM process steps, including risk identification, risk quan-
tification, risk decision making, and risk messaging.
ERM program summary document A document that contains a sum-
mary and description of ERM program origins, the ERM framework, the
risk governance structure, and supporting exhibits, such as the RCD tool.
ERM team The chief risk officer (CRO), or equivalent head of the ERM
program, and supporting team members.
ERO See Executive risk owner.
Execution risk Strategy is not implemented as expected. This is highly
variable by company and must be customized.
376 & Glossary
BGLOSS 01/05/2011 18:43:24 Page 377
Executive risk owner (ERO) An executive formally designated by the CRO
to be the point person for coordinating efforts across the enterprise with
regard to one particular risk.
External fraud risk Unexpected change in the amount of fraud by external
parties.
External relations risk Unexpected changes in the company’s relationship
with external stakeholders with public voices, such as the media, consumer
advocates, equity analysts, rating agencies, regulators, and politicians.
Failure modes and effects analysis (FMEA) A technique adapted from
the manufacturing sector used to develop risk scenarios in the risk
quantification ERM process step by interviewing subject matter experts.
Financial analyst In this book, this is defined as those financial personnel
building, maintaining, and enhancing the risk models or ERMmodel. They
are also referred to herein as financial modelers or modelers.
Financial crisis The global financial crisis that began in the United States in
2007 when subprime mortgages began to default in large numbers.
Financial modeler See Financial analyst.
Financial risk A category of risks related to unexpected changes in external
markets, prices, rates, and liquidity supply and demand. Examples include
market risk, credit risk, and liquidity risk.
FMEA See Failure modes and effects analysis.
Golden boy unit A business unit that is able to avoid internal scrutiny, such
as risk governance, because they have been generating large revenue
growth and/or profits.
Governance, risk, and compliance (GRC) A repackaging by audit firms
of three service offerings: corporate governance; an expanded version of
SOX activities (erroneously relabeled as ERM); and compliance.
Governance risk Governance is not functioning as expected.
GRC See Governance, risk, and compliance.
Gross risk exposure The amount of exposure beforemitigation is taken into
account. This is also called inherent risk or pre-mitigation risk exposure.
Hard limits Part of the risk appetite and risk limit definition, hard limits are
the maximum limits which risk exposures should rarely, if ever, exceed.
Heat map A type of risk status report, often used for senior management or
the board of directors, which involves a simple chart listing key risks and
Glossary & 377
BGLOSS 01/05/2011 18:43:24 Page 378
scoring them at a high level, usually with color coding (such as red, yellow,
and green).
Hedge A position that offsets an existing risk exposure. This is a common
form of risk mitigation.
Human resources risk Human resources (i.e., people) are not performing
as expected, such as unexpected changes in talent management, perform-
ance, productivity, and conduct.
I/T risk See Technology risk.
Individual risk exposures The potential financial impacts on key metrics,
and the corresponding likelihood, related to individual risk scenarios
occurring one at a time.
Industry practices risk Widespread abusive practices unexpectedly dis-
covered in the company’s industry sector.
Inherent risk exposure See Gross risk exposure.
Insurance risk A category of risks involving poor performance of the
pricing, underwriting, reserving, or setting of required capital for insurance
products.
International risk Unexpected changes in the business environment of
foreign countries in which the company operates, such as unexpected
changes in the government’s stability, attitude towards foreign companies,
and tariffs.
Key metrics The metrics used to quantify the impact of risk events.
Key risk committee A committee formed by the key risk executive risk
owner (ERO) and his or her subject matter experts (SMEs) to help them
perform their ERM roles and responsibilities, and to share information
more effectively within committees, between committees, and upstream to
the CRO and the ERM committee.
Key risk indicator (KRI) A leading indicator which is highly correlated
with a risk’s exposure metric, and serves as an advance warning to
management about a likely impending change in the level of exposure.
Key risks The approximately 20 to 30 risks representing the most significant
threats to the organization, initially based on the qualitative risk assess-
ment, and later replaced by the quantification of key risk scenarios, in
terms of their potential impact on key metrics.
KRI See Key risk indicator.
378 & Glossary
BGLOSS 01/05/2011 18:43:24 Page 379
Legislative/regulatory risk Unexpected changes in laws or regulations.
Likelihood of occurrence The probability, or chances, that a risk event
involving one or more individual risk scenarios will occur.
Liquidity risk Unexpected changes in liquidity supply or demand, related to
three different levels of impact on the company: (a) untimely asset sales; (b)
inability to meet contractual demands; or (c) default. A change in liquidity
supply involves an unexpected change in the ability to sell assets as
expected in the market, in terms of price, volume, or timeliness. A change
in liquidity demand involves an unexpected change in demand for liquidity
by option-holders, such as bondholders exercising early put options or
‘‘run-on-the-bank’’ situations for financial services companies, where
account-holders suddenly request the withdrawal of funds from their
accounts, en masse.
Litigation risk Unexpected civil suits or judgments against the company.
Mandatory risk disclosures Public risk disclosures required by law or
regulation.
Market capitalization The market’s estimate of shareholder value, calcu-
lated as the stock price multiplied by the number of outstanding shares.
Market risk Unexpected changes in external markets (such as stock mar-
kets), prices (such as commodity prices), or rates (such as interest rates),
related to (a) general market movements (although the source for this is
often economic risk) or (b) a specific asset on the company’s balance sheet.
Some examples include equity market risk, interest rate risk, and currency
risk.
Mitigation See Risk mitigation.
Mitigation in place Mitigation already present in the organization, such as
the compliance department or insurance coverage.
Modeler See Financial analyst.
NCEs See Non-corporate entities.
Net risk exposure The amount of exposure after mitigation is taken into
account. This is also called residual risk or post-mitigation risk exposure.
Non-corporate entities (NCEs) Entities other than corporations, such as
non-profit organizations, government bodies, and individuals.
Objectives-based entity risk management A generalized version of
value-based enterprise risk management used for non-corporate entities
Glossary & 379
BGLOSS 01/05/2011 18:43:24 Page 380
(NCEs), such as non-profit organizations, government bodies, and indi-
viduals. See Value-based enterprise risk management.
Operational risk A category of risks related to unexpected changes in
elements related to operations, such as human resources, technology,
processes, and disasters.
Pain points Risk tolerance thresholds, for which management wants the
likelihood of crossing them to be quite small, used to convert the graph
form of enterprise risk exposure into the table form, and to define risk
appetite.
Performance risk Management or staff not performing their function as
expected, such as related to research and development or the finance
department activities (including accuracy of financial reporting).
Phantom stock An internal calculation of the company’s stock price based
on a calculation of company value.
Post-mitigation risk exposure See Net risk exposure.
Pre-mitigation risk exposure See Gross risk exposure.
Present value A calculation that reduces a series of future cash flows to
a single equivalent value at the present time, adjusting for the time value
of money.
Probability The chances, or odds, of something occurring. See Likelihood
of occurrence.
Process risk Company processes not functioning as expected.
Productivity risk Management, staff, or non-employees upon whom the
company depends, not performing at the level of productivity expected.
Qualitative risk assessment The second component of the risk identifica-
tion ERM process step, the qualitative risk assessment involves prioritizing
the list of potential risks and narrowing them down to the list of key risks.
This involves soliciting input from internal personnel regarding the orga-
nization’s key risks, and a high-level qualitative scoring of each potential
key risk’s likelihood of occurrence and severity of impact.
Qualitative risk assessment consensus meeting A meeting where
qualitative risk assessment survey participants arrive at a consensus
regarding the scoring of potential key risks, and finalize the selection of
the key risks.
Rating A creditworthiness score assigned by a rating agency, which largely
determines the company’s cost of debt capital.
380 & Glossary
BGLOSS 01/05/2011 18:43:24 Page 381
Rating agency capital See Required capital.
RCD tool See Risk categorization and definition tool.
Regulatory capital See Required capital.
Regulatory risk See Legislative/regulatory risk.
Required capital For financial services companies, this is the amount of
capital that is required to remain on the balance sheet in support of existing
business on the books, and cannot be used to support future growth. This
can refer to required capital defined bymanagement, by rating agencies, or
by regulators.
Reputational risk A misnomer, since this is not a source of risk, this refers
to the intermediate impact of reputation damage, which can be caused by
multiple sources of risk, and which may, or may not, trigger financial
impacts.
Residual risk exposure See Net risk exposure.
Return-priority decisions Decisions whose primary goal is related to
increasing enterprise value, such as strategic planning.
Risk Uncertainty which can cause a deviation, either upside or downside,
from expected results.
Risk appetite Amanagement-defined quantitative expression of the level of
enterprise risk exposure that is acceptable, at the limit. Also sometimes
referred to as risk tolerance. See Hard limits and Soft limits.
Risk appetite consensus meeting Meeting at which the ERM committee
comes to a consensus definition of risk appetite and risk limits.
Risk appetite document A document that contains the definitions of risk
appetite and risk limits, a comparison of current and historical risk
exposures to risk tolerance thresholds at the enterprise level (risk appetite)
as well as below enterprise level (risk limits), and the delegation of
authority for increasing risk exposures.
Risk capital See Required capital.
Risk categorization and definition The first component of the risk
identification ERM process step, which produces the risk categorization
and definition (RCD) tool.
Risk categorization and definition (RCD) tool A tool with several
applications in the ERM process, the RCD tool includes a risk categorization
hierarchy (such as risk categories, risk subcategories, and risk divisions),
the risks themselves, and a definition of the risk.
Glossary & 381
BGLOSS 01/05/2011 18:43:24 Page 382
Risk correlation The tendency of two risk scenarios to occur together.
Some risk scenario pairs are more likely to occur together (positively
correlated) than the multiplication of their probabilities would otherwise
indicate, some are less likely to occur together (negatively correlated), and
some are independent of each other.
Risk culture The extent to which ERM is integrated into decision making
(including strategic planning, strategic decisions, tactical decisions,
and transactions), business performance analysis, and incentive
compensation.
Risk decisionmaking The third step in the ERM process cycle, this involves
defining risk appetite and risk limits, managing risk exposure levels to
within these tolerance limits, and integrating ERM into strategic planning
and other business decision making.
Risk disclosures Communications with external stakeholders, such as
shareholders, rating agencies, and regulators, involving ERM information.
Risk event database A database about risk events that have occurred in
the company, capturing information such as the originating source of the
risk, how the event emerged and unfolded, management actions, and the
ultimate financial impacts. This information can be used to enhance
the development of risk scenarios, and enhance the entire ERM program
through what is often referred to as risk learnings.
Risk experts Those who are designated or recognized as risk experts in a
particular source of risk and have a routine involvement with the ERM
program. These are the executive risk owners (EROs) and the subject
matter experts (SMEs).
Risk exploitation Risk exploitation is no different from any routine business
decision that simply involves taking on more risk. However, in an ERM
context, risk exploitation refers to the conscious decision to take on
additional risk exposure, as part of a risk-priority decision either to increase
the overall enterprise risk exposure of the firm (closer to the soft limit of risk
appetite, for a better overall risk-return profile) or to increase the individual
risk exposure (closer to its risk limit) of a specific risk, where the company
has a competitive advantage in taking such exposure and expects a
profitable risk-return trade-off.
Risk exposure An expression of the amount of risk to which the company is
currently exposed, in terms of the likelihood of occurrence and severity of
impact.
382 & Glossary
BGLOSS 01/05/2011 18:43:24 Page 383
Risk governance The hierarchical structure of ERM, including the roles
and responsibilities, organizational procedures, and policies and proce-
dures that govern the ERM program.
Risk identification The first step in the ERM process cycle, this involves
determining the key risks, which represent the biggest potential threats to
the company. Risk identification includes risk categorization and defini-
tion; qualitative risk assessment; and emerging risk identification.
Risk interactivity The level to which two or more risks scenarios occur-
ring simultaneously impact each other. In the value-based ERM ap-
proach, this is captured in three ways: risk scenarios (such as including
within one risk scenario the triggering of a separate risk scenario);
impact calculations (directly calculating the extent to which the finan-
cial impacts exacerbate or offset each other); and correlation adjust-
ments to the likelihood of occurrence. See “Capturing Interactions” in
Chapter 5.
Risk learnings Lessons learned from past risk events occurring at the
company.
Risk limits A management-defined quantitative expression of the level of
risk exposure that is acceptable, at the limit, for exposure concentrations
below enterprise level.
Risk management See Silo risk management.
Risk management tactics See Risk mitigation.
Risk messaging The fourth step in the ERM process cycle, this involves
internal risk messaging, which is the integration of ERM into business
performance analysis and incentive compensation, and external risk
messaging, which is the integration of ERM into communications with
shareholders, rating agencies, and regulators.
Risk mitigation Implicit or explicit actions that reduce the likelihood and/
or severity of risk events.
Risk-priority decisions Decisions whose primary goal is related to manag-
ing the level of risk to an appropriate level (up or down), such as managing
enterprise risk exposure to within risk appetite.
Risk quantification The second step in the ERM process cycle, this involves
quantifying baseline company value, key risks on an individual basis
(producing individual risk exposures) and key risks on an integrated basis
(producing enterprise risk exposure).
Glossary & 383
BGLOSS 01/05/2011 18:43:24 Page 384
Risk-ranking criteria A rule or guideline for combining the qualitative
likelihood and severity scores into a single number that is used to rank all
the risks identified in the qualitative risk assessment.
Risk scenario A potential future outcome related to a risk source, such as
pessimistic (downside), optimistic (upside), or baseline (no risk occurs).
Rule of significant digits See Significant digits.
Risk tolerance See Risk appetite and Risk limits.
Sarbanes-Oxley Act (SOX) U.S. legislation passed in 2002 in response to a
wave of accounting scandals. SOX significantly increased requirements on
publicly-traded companies to ensure the accuracy of their financial reports
and to have executives attest to this.
Scoring criteria Guidance provided to qualitative risk assessment survey
participants for scoring the likelihood and severity metrics to ensure a
consistent form of input from participants.
Seasonal weather risk Unexpected changes in seasonal weather. This is a
strategic risk for companies with products or services for which consumer
demand is weather-sensitive. For example, a warm winter or cool summer
reduces energy usage, and a cold or rainy summer reduces soda
consumption.
SEC Securities and Exchange Commission.
Severity of impact The magnitude, or amount, of the deviation from
expected, or baseline projections, caused by the occurrence of a risk event.
Shareholder value A measure of the value of the company from the
perspective of shareholders. Management’s estimate of shareholder value
is company value. The market’s estimate of shareholder value is market
capitalization. See Company value and Market capitalization.
Shock scenario A risk scenario, or scenarios, which result in a deviation
from expected or baseline projections.
Significant digits The number of digits used to express a mathematical
result which appropriately reflects the level of accuracy in the number.
Silo risk management The traditional approach to risk management
whereby each source of risk is managed by separate ‘‘silo’’ departments,
and which involves a large volume of risks, the vast majority of which are
not significant threats to the company.
Simulation A single picture of future events, where one of the individual risk
scenarios (including baseline) is projected to occur for each key risk.
384 & Glossary
BGLOSS 01/05/2011 18:43:24 Page 385
Simulations are run with the ERM model to generate the enterprise risk
exposure, which represents the distribution of possible outcomes involving
one or more risk events occurring simultaneously.
SME See Subject matter expert.
Soft limits Part of the risk appetite and risk limit definitions, soft limits are set
as triggers for escalating levels of attention to carefully monitor the risk
exposures and ultimately lower them back to within their soft-limit
thresholds.
SOX See Sarbanes-Oxley Act.
Standard deviation A measure of dispersion away from the mean, or
average, value in a distribution, standard deviation, or s, is calculated
as
ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi 1
N
XN
i¼1 ðxi " !xÞ2
s
, where N is the number of data points in the
distribution, xi is a single data point, and !x is the mean value.
Stochastic risk scenarios Individual risk scenarios, selected using
automation—whose setup involves developing a formula to capture the
shape of the risk distribution and a random number generator—andwhich
are randomly changed with each run of the ERM model.
Strategic relationships risk Unexpected change in strategic relationships,
such as a parent company or joint venture partner.
Strategic risk A category of risks related to unexpected changes in key
elements of strategy formulation or execution. These are highly variable by
company and must be customized.
Strategy risk Viability of strategy—such as choice of products, distribution
channels, markets, or value proposition—does not match expectations.
This is highly variable by company and must be customized.
Strengths, weaknesses, opportunities and threats (SWOT) analysis
An analysis performed during strategic planning.
Stress test See Risk scenario.
Subject matter expert (SME) A recognized internal expert on subject
matter related to a particular risk.
Supplier risk Unexpected changes in supplier environment, such as sup-
plier capacity, supplier failure, or change in the cost of goods or services.
This also includes unexpected changes in rating agency ratings or regula-
tory licenses.
Glossary & 385
BGLOSS 01/05/2011 18:43:24 Page 386
SWOT See Strengths, weaknesses, opportunities and threats (SWOT)
analysis.
Systemic risk The risk that failures in one part of the economic system can
spread contagiously to others, resulting in a cascading set of failures
threatening to crash the entire system.
Tail scenario Extremely pessimistic scenarios, which are in the ‘‘tail’’
portion of the distribution.
Talentmanagement risk Unexpected change in the ability to maintain the
expected level of talent, involving aspects of human resources such as
recruiting and retaining employees, succession planning, maintaining
critical knowledge of key employees, and labor or producer relations.
Technology risk Technology not performing as expected. Some examples
include data security, data privacy, data integrity, capacity, and reliability.
Three core challenges to traditional ERM programs The three main
obstacles in traditional ERM programs, which are overcome by a value-
based ERM approach: (1) an inability to quantify strategic and operational
risks; (2) an unclear definition of risk appetite; and (3) a lack of integration
of ERM into decision making.
Uncertainty When there is less than a 100 percent chance that something
will occur.
Upside risk event The occurrence of a risk scenario where results are above
expected or baseline projections.
Upside risk scenario A risk scenario where results are above expected or
baseline projections.
Upside volatility A general reference to the level of upside risk or the range
of likelihoods corresponding to results being above baseline projections.
Value See Company value and Shareholder value.
Value-at-Risk (VaR) A measurement of risk exposure, used in the banking
sector, often defined as the maximum amount of capital that can be lost in
a single day, within a given small predefined likelihood.
Value-based enterprise risk management Definition 1. A synthesis of
ERM and value-based management, providing the missing link between
risk and return, transforming ERM into a strategic management approach
that enhances strategic planning and other business decision making.
Definition 2. A practical yet advanced approach to integrate both risk and
return information into strategic planning, business decision making,
386 & Glossary
BGLOSS 01/05/2011 18:43:24 Page 387
business performance analysis, incentive compensation, and external
communications.
See Objectives-based entity risk management.
VaR See Value-at-Risk.
Volatility The level to which results are likely to deviate from expected or
baseline projections.
Voluntary risk disclosures ERM communications that management
chooses to share publicly.
Glossary & 387
BGLOSS 01/05/2011 18:43:24 Page 388
BABOUT 12/29/2010 10:55:43 Page 389
About the Author
S IM SEGAL IS PRESIDENT and founder of SimErgy Consulting, aconsulting firm headquartered in Manhattan, providing ERM con-sulting services and executive education seminars on ERM. Segal has ERM experience with companies in a range of sectors, such as manu-
facturing, energy, entertainment, technology, services, telecommunications,
banking, and insurance, and also with non-corporate entities, such as non-
profit organizations and government agencies. Prior to SimErgy, he led
ERM consulting practices at Deloitte Consulting, Aon, and Towers Watson.
Segal also serves as an adjunct professor at Columbia Business School,
where he teaches an MBA/EMBA course on ERM. He has also led and co-
authored ERM research studies.
Segal is often quoted in industry media, such as Financial Week and
Treasury & Risk, as well as mainstream media, such as the Wall Street Journal.
He has written frequently on the topic of ERM and has had byline articles in
major publications, such as Forbes, Corporate Finance Review, and American
Banker. Segal is a professional speaker on ERM and has made over 100 speeches
on ERM and risk-related topics.
Segal is inaugural chair of the risk committee of the Society of Actuaries
(SOA), the largest global actuarial association, leading the design and imple-
mentation of their ERM program. He is vice president on the SOA board of
directors, and is also a member of the ERM Symposium program committee.
Segal has a B.A. in mathematics and holds two risk-related credentials: He
is a Fellow of Society of Actuaries (FSA) and a Chartered Enterprise Risk
Analyst (CERA). Segal is one of a select group of ERM experts globally to be
awarded the CERA credential based on his ‘‘thought leadership and significant
contributions to advance the practice of ERM.’’
389
BABOUT 12/29/2010 10:55:43 Page 390
BINDEX 01/12/2011 11:43:33 Page 391
Index
10 key ERM criteria. See Key criteria for ERM program
Accounting scandals, 7–9 Agency risk, 334–336, 343 Aggregated metrics (criterion 5). See also
Metrics banks and financial crisis, 332, 339, 340, 342
enterprise risk exposure, 33, 34, 40–42, 96–99, 235, 236. See also Enterprise risk exposure
as key criterion of ERM program, 25, 40–42, 63, 332
risk appetite, 64, 96–99, 235. See also Risk appetite
top-down allocation of risk appetite to risk limits, 95–99, 235. See also Top-down allocation of risk appetite to risk limits
and traditional ERM frameworks, 63 and value-based ERM framework, 96–99
AIG, 26, 161 All risk categories included (criterion 2).
See also Risk identification; Risk quantification
banks and financial crisis, 333–338, 342 financial risk, 27, 85, 116. See also Financial risk
as key criterion of ERM program, 25, 27–34, 84–94
operational risk, 64, 85–94 risk categorization and definition (RCD) tool, 115–129, 348, 353
strategic risk, 64, 85–94, 333 and traditional ERM frameworks, 63 and value-based ERM framework,
84–94 Apgar, Virginia, 170, 171 Appropriate risk disclosures (criterion 8).
See Risk disclosures Arrogance, 155–158 Attribution analysis, 236–239, 276,
359 Audit committee, 286, 315, 316, 325
Balanced scorecards, 272, 276–278, 280, 293
Balances risk and return management (criterion 7). See Risk and return management balance (criterion 7)
Banks. See Financial crisis (2007-) Basel Accords, 4, 5, 86 Baseline company value calculation, 176–181 and company value, 46, 48 data input and assumptions, 174–176,
186–193, 207–209 defined, 48 distributable cash flow, 48, 72, 88, 93,
97, 176–178, 180 enterprise risk exposure calculation,
209–215 example, 179–181 output of results, 181–185, 195–199,
215–219 and risk decision making, 79, 82,
241–245, 253–267 and risk identification, 65
391
BINDEX 01/12/2011 11:43:33 Page 392
Baseline company value (Continued ) and risk quantification, 67–73, 76, 88–90, 93, 174–186, 192–194, 199, 205–207, 211, 212, 219
shocks to, 193–199 stakeholder actions, 193–195
Baseline risk scenarios, 81, 82, 190–195, 208–212, 275
Benefits of ERM, 24, 52–59 The Black Swan: The Impact of the Highly
Improbable (Taleb), 26 Board of directors
benefits of ERM to, 52, 55 and organizational structure, 319, 325 reporting to, 310, 311 roles and responsibilities of, 314–316, 325
Business decision making, 44, 77, 80–83, 101, 102, 107, 203, 222, 245, 256, 262–269. See also Return-priority decision making; Strategic planning
Business performance analysis, 50, 52, 240, 271–278, 280, 281, 293, 335
Business segments buy-in from, 100, 103–105 and enterprise-wide scope of ERM, 26, 27, 83
hurdle rates, 273, 274 and integrated approach to ERM, 7, 50 risk and return balance, 43, 44 risk limits, 42, 233–239 risk offsets, 19, 20 and risk quantification, 172, 191, 194 roles and responsibilities of, 313, 314 and silo approach to ERM, 40. See also Silo approach to risk management
and strategic planning, 81, 82, 257–259, 262
valuation of, 183–185 Buy-in, 100, 103–105, 299, 302–308,
327
Capital requirements, 4, 5, 26, 48, 57, 84, 86, 87, 107, 108, 339. See also Financial services sector
CDO. See Collateralized debt obligations
CDS. See Credit default swaps Charitable donations, 109 Charitable organizations. See
Non-corporate entities, ERM for Chief executive officer (CEO), 53,
55–57, 324 Chief financial officer (CFO), 53, 55–57,
324 Chief risk officer (CRO) and ERM implementation, 15, 154 independence, 321, 323 as member of ERM committee, 228, 324
as member of ERM team, 299 reporting, 321 roles and responsibilities, 299–311, 319–324
support staff, 321–323 traits of, 320, 321
Collateralized debt obligations (CDOs), 331, 336–338, 343. See also Financial crisis (2007-)
Communications. See Risk messaging Company value baseline value. See Baseline company value
benefits of ERM, 55–57 calculation, 47, 48, 84, 176 defined, 46 distributable cash flow. See Distributable cash flow
enterprise risk exposure, 69, 75, 76 individual risk exposures, impact of, 73–75
as key ERM metric, 40, 41, 46, 94, 97–101, 105–107
measurement of by public companies, 72, 73
overview, 40 pain points. See Pain points reasonability check, 179 and risk quantification, 97, 100, 107 and secondary stakeholders, 108, 109 and shareholder value, 49, 53, 56, 72 terminal value formula, 177, 178 truncated formula, 177
392 & Index
BINDEX 01/12/2011 11:43:33 Page 393
Competitor risk, 74, 122, 190 Complexity, 101, 169–171 Compliance risk, 29, 131, 254, 354 Component risk driver. See Risk
quantification, component risk driver
Concentration risk, 5–6, 158–167, 234 Core challenges of ERM, 15, 16, 63, 64,
83, 85, 97, 99, 109, 110, 235, 334, 339, 340
Corporate accounting fraud, 7–9 Corporate citizenship, 109 Corporate ERM, roles and responsibilities,
299–311 Correlation. See Risk correlation COSO Internal Control framework, 8 Cost of capital, 21, 123, 125, 136, 267.
See also Discount rate Cost of equity capital, 47, 56, 108, 109,
124–126, 175, 176 Credential cash flows, 355 Credential value, 354–357, 369 Credible worst-case scenarios, 89, 90,
132, 135, 136, 138, 140, 153, 312
Credit default swaps (CDSs), 26, 161, 331, 333, 337, 338, 343. See also Financial crisis (2007-)
Credit risk, 27, 36, 116, 126, 128 Criteria for ERM program. See Key criteria
for ERM program Critical supplier concentration risk, 159,
160, 163–164, 165 CRO. See Chief risk officer C-Suite. See Executive officers
Data security and privacy, risk quantification case study, 199–201
Decision making included (criterion 6). See also Risk decision making
banks and financial crisis, 340, 342 and core challenges to ERM implementation, 64, 99
as key criterion of ERM program, 25, 42, 43
metrics supporting decision making, 100, 101, 222, 241, 243, 244
practicality of ERM models, 101–103, 222
and traditional ERM frameworks, 42, 43, 63, 100–103, 106, 222
and value-based ERM framework, 43, 99–106, 222
Department of Homeland Security (DHS), 7, 358, 359
Deterministic risk scenarios, 67, 68, 88–90, 127, 169, 185–187, 208, 209, 211, 214, 223, 307
Deviation from expected, 19, 23, 24, 38, 59, 72, 174, 186, 193, 216, 351
Director of National Intelligence (DNI), 358, 360
Disaster risk, 9, 10, 30, 69, 87, 88, 93, 116, 118, 230, 231, 237, 333, 364
Disclosures. See Risk disclosures Discount rate company value calculation, 47, 72,
175–180, 185, 194, 218, 219, 243, 244, 252, 254, 255, 262
cost of capital, 21, 123, 125, 136, 267 significant digits rule, 175
Dispersion analysis, 149, 150 Distributable cash flow and baseline company value, 48, 72,
88, 93, 97, 176–178, 180 and company value, 46–48, 84,
97, 109 projections, 48, 176, 178, 180, 181,
185, 190, 191, 193, 194, 216, 241, 243, 258, 259, 264
Dodd-Frank legislation (Dodd-Frank Wall Street Reform and Consumer Protection Act), 12, 13, 292, 336, 360
Downside risk events, 19–21, 23, 37–39, 48, 76
Downside risk scenarios, 190, 191, 259 Downside standard deviation (DSD), 215,
217–219, 234, 239, 243, 244, 255, 262, 275
Index & 393
BINDEX 01/12/2011 11:43:33 Page 394
Downside volatility, 19, 21, 22, 44, 48, 55, 218
Economic capital (EC), 32, 87, 88, 202, 219–224, 274, 275, 290
Economic risk, 116, 117, 128, 152, 230, 231, 241
Economic volatility, 125, 126, 128 Embedded value model, 220 Emerging risk identification, 14, 113,
121, 129, 138, 153–155, 166, 167 Employees, risk quantification case study
for loss of critical employees, 201, 202 Enterprise risk exposure
aggregated metrics, 33, 34, 40–42, 96–99, 235, 236
and benefits of ERM, 55, 58 downside standard deviation. See Downside standard deviation (DSD)
economic capital calculation, 219–223 graph form, 75, 98–99, 207, 215–217, 219, 300
likelihood of failure, 219, 220 risk and return balance, 44 and risk appetite, 41–43, 79, 80, 216–218, 228, 229, 231
and risk decision making, 79, 80, 227–229, 231–240, 243–248, 252, 253, 261, 262, 264, 266, 267, 269
risk limits, 234 and risk quantification, 52, 69, 71, 75–79, 174, 207–223
and silo approach to risk, 95 table form, 76, 98–99, 215, 217, 219, 228–229, 300
and traditional ERM models, 102, 103 Enterprise risk management. See ERM Enterprise-wide scope (criterion 1)
banks and financial crisis, 332, 333, 342
as key criterion of ERM program, 25–27
and traditional ERM frameworks, 25–27, 63, 83, 84
and value-based ERM framework, 83, 84
Entity risk management. See Non-corporate entities, ERM for
Environmental scanning for unknown risks, 153–155
ERM (enterprise risk management), overview
benefits of, 24, 52–59 defined, 3, 24–58, 82, 83 factors impacting, 4–15 financial crisis, impact of, 11–13, 329. See also Financial crisis (2007-)
framework for. See Framework for ERM generic models, 171, 172 key criteria, 24–49, 59, 83, 332. See also Key criteria for ERM program
long-term trends, 14, 15 process cycle, 24, 49–52, 59 program effectiveness, responsibility for, 315, 316
program summary document, 325, 326
ERM committee (risk committee), 311, 312, 319, 324
ERM defined, 3, 24–58, 82, 83 ERM framework. See Framework for ERM ERM model, 52, 55–56, 57, 65, 69, 72,
75, 88, 90, 95–96, 98, 101–103, 105–106, 169–173, 189, 193–195, 220–223, 252–254, 261–262, 306, 322, 340, 353, 368
ERM process cycle. See Process cycle ERM products and services, 15, 16 ERM team, 299–311 Execution risk, 74, 192, 196–198, 230,
231 Executive officers benefits of ERM to, 53, 55–57 chief executive officer (CEO), 53, 55–57, 324
chief financial officer (CFO), 53, 55–57, 324
chief risk officer (CRO). See Chief risk officer (CRO)
incentive compensation. See Incentive compensation
394 & Index
BINDEX 01/12/2011 11:43:33 Page 395
Executive risk owners (EROs), 88, 310, 312, 313, 324, 325
External risk messaging. See Risk messaging
Factors impacting ERM, 4–15 Failure Modes and Effects Analysis
(FMEA) risk identification, 140, 141 risk quantification, 68, 192, 193, 195, 196, 200, 201, 204, 205, 208, 212, 214
risk scenarios for strategic and operational risks, 88–92, 104
Federal Emergency Management Agency (FEMA), 358
Federal government, ERM for, 344, 357–363
Financial analyst, 31–34, 334, 337–338, 342. See alsoModeler
Financial crisis (2007-) banks, risk management practices, 332–343
and benefits of ERM to regulatory agencies, 58
causes of, 330 Dodd-Frank legislation. See Dodd-Frank legislation (Dodd-Frank Wall Street Reform and Consumer Protection Act)
impact of on ERM, 11–13, 329 overview, 330–332
Financial risk banks, 333, 334, 340 defined, 27, 116 focus on, 28–31 and key risk exposure, 33, 34 metrics, 100, 102, 103 and risk identification, 65, 116, 117 and risk quantification, 192, 209 risk scenarios, 68 and traditional ERM programs, 64, 85
Financial services sector. See also Financial crisis (2007-)
capital-based ERM, 83, 84, 219–223, 273, 274, 339
impact of financial crisis on ERM, 11–13 threats to financial stability of U.S., 360 and value-based ERM framework, 83,
84 Financial Stability Oversight Council, 13,
360 FMEA. See Failure modes and effects
analysis Framework for ERM and ERM infrastructure, 62, 63, 297,
298 non-corporate entities, 348, 349 overview, 61–63, 109, 110 practicality of models for ERM,
101–103, 169–173, 222, 340 traditional frameworks, challenges of,
63, 64, 83, 109. See also Core challenges of ERM
value-based, 63, 65–110 Fraud, 7–9, 123, 124
Generic models for ERM, 171, 172 Global financial crisis. See Financial crisis ‘‘Golden boy’’ units, 25, 26, 159, 165, 332 Governance, risk, and compliance (GRC)
programs, 36 Government, ERM for, 344, 357–363.
See also Non-corporate entities, ERM for
Gross risk exposure, 69, 286, 337
H1N1 flu pandemic, 13 Hard limits, 232–233, 245–246, 327 Heat maps, 43 Hedges, 39, 40, 250, 254, 255 Housing bubble. See Financial crisis (2007-) Human resources risk. See Operational
risk Hurdle rates, 88, 175, 176, 273 Hurricane Katrina, 4, 9, 10
Incentive compensation ERM integration, 271, 272, 278–280 and internal risk messaging, 52, 240 and risk decision making, 268, 269 SEC regulations, 13, 55, 286
Index & 395
BINDEX 01/12/2011 11:43:33 Page 396
Individual risk exposures and decision making, 228–231, 233, 246, 247, 250–254
impact of on company value, 73–75 quantifying, 68, 69, 73–78, 174, 185–207
and risk appetite, 229, 230 Individuals, ERM for, 344, 364–369.
See also Non-corporate entities, ERM for
Industry data, 68, 85, 86, 93, 94 Infrastructure for ERM
framework. See Framework for ERM process cycle. See Process cycle risk governance. See Risk governance
Inherent risk, 69, 286, 337 Insurance companies
case study, risk of loss of critical employees, 201, 202
economic capital metric, 32, 87, 88, 220 embedded value, 220 ERM as rating category, 10, 11 insurance risk, 28, 116, 333 regulation of, 338 risk capital, 86 Solvency II standards, 5 terrorism risk, 191
Insurance coverage, 69, 86, 87, 122, 128, 187, 250, 254, 255
Insurance risk, 28, 116, 333, 338 Integrated across risk types (criterion 4)
banks and financial crisis, 339, 342 as key criterion of ERM program, 25, 36–40
and silo approach to risk management, 36–41, 94–96, 357, 358, 364, 366, 369
and traditional ERM frameworks, 63, 95, 96
and value-based ERM framework, 94–96, 221
Integrated approach to risk management, 5, 7, 16
Internal audit, 161, 249, 256, 269, 316–318
Internal risk messaging. See Risk messaging
Key criteria for ERM program aggregated metrics (criterion 5). See Aggregated metrics (criterion 5)
all risk categories included (criterion 2). See All risk categories included (criterion 2)
appropriate risk disclosures (criterion 8). See Appropriate risk disclosures (criterion 8)
decision making included (criterion 6). See Decision making included (criterion 6)
enterprise-wide scope (criterion 1). See Enterprise-wide scope (criterion 1)
and financial crisis, 332–343 integrated across risk types (criterion 4). See Integrated across risk types (criterion 4)
key risk focus (criterion 3). See Key risk focus (criterion 3)
overview, 24–49, 59, 83, 109, 332 primary stakeholder focus (criterion 10). See Primary stakeholder focus (criterion 10)
risk and return management balance (criterion 7). See Risk and return management balance (criterion 7)
and traditional ERM frameworks, 63, 64, 83, 109, 110
value impacts, measurement of (criterion 9). See Value impacts, measurement of (criterion 9)
Key metrics, commonly used, 216 Key risk committees, 319, 324, 325 Key risk focus (criterion 3) banks and financial crisis, 338, 339, 342
as key criterion of ERM program, 25, 34–36
and traditional ERM frameworks, 63, 94
and value-based ERM framework, 94 Key risk indicators (KRIs), 85, 97, 247,
248 Killer risks, 155–167
396 & Index
BINDEX 01/12/2011 11:43:33 Page 397
Known risks, monitoring, 153 Komanoff, Charles, 363 KRI. See Key risk indicators (KRIs)
Large customer concentration risk, 159, 160, 164, 166,
Large distributor concentration risk, 159, 160, 164, 166
LifeLock, 124 Likelihood and severity scoring criteria,
133–138 Likelihood of occurrence, 137, 138,
249–251, 260 Likelihood-severity scores, 67, 120, 121,
138, 151, 153, 261 Liquidity risk, 27, 116, 333. See also
Financial risk Litigation risk, 23, 88, 152, 248 Long-term trends, impact of on ERM,
14, 15 Loss, possibility of, 23
Madoff, Bernie, 163, 164 Management, benefits of ERM to, 53, 57 Mandatory risk disclosures. See Risk
disclosures, mandatory disclosures Market capitalization, 29, 46, 48, 72,
137, 179–185, 206, 258, 265–266 Market risk, 68, 125, 126, 128 Mastermind concentration risk, 159,
160, 162, 165 Measurement of value impacts. See
Value impacts, measurement of (criterion 9)
Mergers and acquisitions, 262, 267–269, 308, 314
Metrics. See also Aggregated metrics (criterion 5)
company value as key ERM metric, 40, 41, 46, 94, 97–101, 105–107
decision making, metrics supporting, 100, 101, 222, 241, 243, 244
economic capital, 32, 87, 88, 220 enterprise risk exposure, 33, 34, 40–42, 96–99, 235, 236
financial risk, 100, 102, 103
non-corporate entities, 346–348, 350–357, 362, 363, 367, 368
operational risk, 100, 103 risk and return metrics, 241, 243,
244 risk appetite, 64, 96–99, 235, 236 strategic risk, 100, 103 traditional ERM frameworks, 97 Value-at-Risk (VaR), 32, 87, 335
Mitigation arrogance, 157, 158 concentration risk, 164–166 and ERM framework, 43, 44, 50,
94 hedges, 39, 40, 250, 254, 255 insurance coverage, 69, 86, 87, 122,
128, 187, 250, 254, 255 non-corporate entities, 350 in place, 56, 70, 71, 122, 140, 249,
254–256, 269 pre-mitigation risk exposure, 69, 286,
337 and risk appetite, 231, 232 and risk culture, 70 and risk decision making, 231–233,
241, 243–245, 249–256, 269 and risk quantification, 71, 73,
86 under- and over-mitigation, 42, 70,
73, 97 Modeler, 31–34, 101, 170, 206, 212,
334, 337–338, 343. See also Financial analyst
Money laundering, risk quantification case study, 202, 203
Monitoring of known risks, 153
Natural disasters, 9–10, 30, 237 NCEs. See Non-corporate entities Net risk exposure, 69, 336–337 Non-corporate entities (NCEs), ERM for government bodies, 344, 357–363 individuals, 344, 364–369 non-corporate culture, 351 non-profit organizations, 344,
352–354
Index & 397
BINDEX 01/12/2011 11:43:33 Page 398
Non-corporate entities (Continued ) objectives-based ERM, 345, 347–353, 356, 359–361, 363, 364, 366–369
overview, 344–349 professional associations, 354, 356, 357
Non-profit organizations, ERM for, 344, 352–354. See also Non-corporate entities, ERM for
Objectives-based ERM. See Non-corporate entities, ERM for
Office of the Department of National Intelligence (ODNI), 7, 358
Operational risk and Basel II, 5, 86 case study, 199–203 defined, 27, 116 importance of, 28–31, 86 inclusion of in all risk categories, 64, 85–94, 333
metrics, 100, 103 and risk identification, 65, 116, 118 and risk scenarios, 68, 190, 192, 193 values-based approach to quantifying, 88–92, 221
Organizational structure board of directors, 319, 325 chief risk officer (CRO), 319–324 ERM committee, 319, 324 key risk committees, 319, 324, 325 as part of risk governance, 297, 298, 319
Pain points, 76, 77, 80, 96, 98, 217, 219, 220, 228, 229, 232, 233, 236, 238, 300
Pandemic risk, 13 Performance analysis, 271–277 Phelps, Michael, 20 Pirates, impact of on ERM, 14 Policies and procedures
ERM program summary document, 325, 326
internal audit, responsibilities of, 318
overview, 297, 298, 325 risk appetite document, 326, 327
Post-mitigation risk exposure. See Net risk exposure
Practicality of ERM model, 101–103, 169–173, 222, 340
Pre-mitigation risk exposure, 69, 286, 337
Present value, 21, 22, 72, 84, 274, 277, 354, 355
Primary stakeholder focus (criterion 10). See also Stakeholders
banks and financial crisis, 341, 342 as key criterion of ERM program, 25, 48, 49
and traditional ERM frameworks, 48, 64, 107, 108
and value-based ERM framework, 48, 49, 107–109
Probability, 32, 89–90, 212–213, 220, 245. See also Likelihood of occurrence
Process cycle continuous, 49 and ERM framework, 62, 63 evolving, 49, 50 integrated, 50, 51 process defined, 49 steps, 51, 52, 59. See also Risk decision making; Risk identification; Risk messaging; Risk quantification
Process maps, 8, 9 Process risk, 336–337, 343 Professional associations, ERM for, 354,
356, 357. See also Non-corporate entities, ERM for
Program effectiveness, responsibility for, 315, 316
Program summary document, 325–326
Qualitative data, 85 Qualitative risk assessment and external risk messaging, 291 consensus meeting, 121, 147–151, 304
interviews, 116, 119, 120
398 & Index
BINDEX 01/12/2011 11:43:33 Page 399
number of key risks, 35, 51, 67 periodic use of, 301 process, 129–153 purpose of, 129 and risk decision making, 42 and risk governance, 299, 301, 303–305, 309, 312, 313, 317, 318, 323, 326
and risk identification, 51, 67, 73, 113, 114, 119–121, 127–153, 166–167, 299, 303
and risk messaging, 284, 291 and risk quantification, 199 survey, 119–120, 139–146
Quantitative data, 31, 85, 91
Rainmaker concentration risk, 159–162, 164, 165
Rating agencies benefits of ERM to, 53, 57, 58 capital requirements, 57, 274 and company value, 108, 109 downgrade risk, 123, 125 increased scrutiny by, 10, 11 and prioritizing stakeholders, 266, 267
ratings, 10, 11, 48–49, 56–57, 220, 331, 336–337, 341
risk messaging, 280, 288–293 RCD tool. See Risk categorization and
definition (RCD) tool Regulatory agencies benefits of ERM to, 53, 58 board of directors, accountability of, 314–316
capital requirements, 48, 274 compliance risk, 29, 123, 131, 254, 354
and prioritizing stakeholders, 266, 267 risk messaging, 280, 292
Reputational risk, 109, 123, 124, 127 Required capital, 5, 28, 47, 57, 83–84,
86–88, 101, 107, 116, 175, 216, 273–274, 290, 335, 338, 339, 341
Return-priority decision making. See Risk decision making
Risk correlation, 69, 78, 98, 187, 208–209, 212–215, 221, 237, 275, 300, 301, 309, 312, 317, 337–338, 339, 342
Risk, defined, 18–24 Risk and return management balance
(criterion 7) banks and financial crisis, 340–342 as key criterion of ERM program, 25,
43, 44 risk and return metrics, 241, 243,
244 and risk limits, 234 and traditional ERM frameworks, 43,
44, 63, 106, 222, 223 and value-based ERM framework, 44,
106, 107, 222, 223 Risk appetite aggregated metrics, 64, 96–99, 235,
236 board of directors, responsibilities of,
55, 315, 316, 325 consensus meeting, 78–80, 228–232 core challenges, 64, 109 defining, 227–233 described, 41 document, 326, 327 and enterprise risk exposure, 41–43,
79, 80, 216–218, 228, 229, 231, 235, 236
and individual risk exposures, 229, 230
individuals, 365 and mitigation options, 231, 232 non-corporate entities, 350, 351, 365 and risk decision making, 42, 52, 57,
77–80, 227–235, 237, 240, 244–247, 253, 269
and risk governance, 55, 301, 309, 310, 313–317, 325–327
and risk messaging, 281, 291 and risk quantification, 216, 217, 227,
231 top-down allocation of to risk limits,
42, 95–99, 233–239, 252, 300, 311, 339
Index & 399
BINDEX 01/12/2011 11:43:33 Page 400
Risk capital, 86–88 Risk categories, inclusion of all categories
in ERM. See All risk categories included (criterion 2)
Risk categorization and definition, 31, 114–129, 348
Risk categorization and definition (RCD) tool, 115–129, 348, 353
Risk committee (ERM committee), 311, 312, 319, 324
Risk complexity, 5–7 Risk correlation, 69, 78, 98, 187, 208–209,
212–215, 221, 237, 275, 300, 301, 309, 312, 317, 337–338, 339, 342
Risk culture and business performance, 272 and decision making, 239, 240, 272, 292
and ERM framework, 42, 70, 86 and internal risk messaging, 272, 281, 292, 293
and mitigation, 70 and risk categorization and definition (RCD) tool, 119, 121
and risk disclosures, 281 and risk governance, 298, 322 and risk identification, 141, 143, 151 and risk quantification, 186, 188, 189
Risk decision making and baseline company value, 79, 82, 241, 243–245, 253–259, 261, 262, 264–267
and benefits of ERM to management, 57 board of directors, responsibilities of, 315
business segments, role of, 313, 314 and enterprise risk exposure, 79, 80, 227–229, 231–240, 243–248, 252, 253, 261, 262, 264, 266, 267, 269
ERM committee responsibilities, 311 ERM team responsibilities, 300–302 failure to define all risks by source, 128 individual risk exposures, 228–231, 233, 246, 247, 250–254
integration of ERM into, 25, 42, 43, 64, 227, 239–269
internal audit, responsibilities of, 317 metrics supporting, 100, 101, 241, 243, 244
mitigation decisions, 231–233, 241, 243–245, 249–256, 269
non-corporate entities, 351, 363 as part of ERM process cycle, 51, 52, 226
return-priority, 240, 241, 256–269 and risk appetite, 42, 52, 57, 77–80, 227–235, 237, 240, 244–247, 253, 269
and risk culture, 239, 240, 272 risk experts, responsibilities of, 312, 313 risk limits. See Risk limits risk-priority, 240, 241, 245–256 soft assumptions, 262, 264, 265, 269 and strategic planning, 256–269 and value-based ERM framework, 61, 65, 66, 77–83, 241, 242
Risk disclosures banks and financial crisis, 341, 342 and benefits of ERM to shareholders, 53 as key criterion of ERM program, 25, 44, 45
mandatory disclosures, 280, 282–287 and risk culture, 281 and risk governance, 286, 302 and traditional ERM frameworks, 63, 107
and value-based ERM frameworks, 107
voluntary disclosures, 280–282 Risk event database, 122, 193, 300, 301,
309, 312, 317, 318, 326 Risk experts, roles and responsibilities of,
312, 313, 324. See also Executive risk owners (EROs); Subject matter experts (SMEs)
Risk exploitation, 44, 244, 246 Risk governance components of, 298 customization required, 298 disclosures, 286, 302 and ERM infrastructure, 62, 63, 297, 298
400 & Index
BINDEX 01/12/2011 11:43:33 Page 401
organizational structure, 297, 298, 319–325
overview, 297, 298, 327 policies and procedures, 297, 298, 325–327
and qualitative risk assessment, 299, 301, 303–305, 309, 312, 313, 317, 318, 323, 326
and risk culture, 239 roles and responsibilities, 297–318
Risk identification and baseline company value, 65 business segments, role of, 313 emerging risk identification, 113, 153–155, 167
ERM committee responsibilities, 311 ERM team responsibilities, 299–301, 303–305
internal audit, responsibilities of, 317 keys to success, 114, 122–129, 167 killer risks, 155–167 known risks, monitoring, 153 non-corporate entities, 350, 353, 354, 364
overview, 113, 114, 166, 167 as part of ERM process cycle, 51 qualitative risk assessment, 113, 129–153, 167
risk categorization and definition, 113–129, 167
risk experts, responsibilities of, 312 risk scenarios, 65 unknown risks, environmental scanning for, 153–155
and value-based ERM framework, 61, 65–67
Risk interactivity, 69, 213, 214–215, 221, 253
Risk learnings, 122 Risk limits allocation of risk appetite, 95, 96, 98, 99, 235–239, 252, 300, 311, 339
board of directors, responsibilities of, 315
business segments, 233–239 defining, 227, 233–239
non-corporate entities, 351 soft and hard limits, 232, 233, 236,
244–246 use of, reasons for, 234, 235
Risk management. See Silo approach to risk management
Risk messaging business segments, role of, 313, 314 ERM committee responsibilities, 311,
312 ERM team responsibilities, 300, 302,
308, 309 external, 280–293 internal, 271–280, 292, 293 internal audit, responsibilities of, 318 overview, 292, 293 as part of ERM process cycle, 51, 52,
271 risk experts, responsibilities of, 312,
313 and value-based ERM framework, 61,
65, 66 Risk mitigation. SeeMitigation Risk-priority decision making. See Risk
decision making Risk quantification baseline company value, 67–69,
71–73, 76, 88–90, 93, 174–186, 192–194, 199, 205–207, 211, 212, 219
business segments, role of, 313 case studies, 199–207 component risk drivers, 196–198, 200,
202, 207, 215, 282, 285, 307, 350, 359
and economic capital, 219–223 enterprise risk exposure, 52, 69, 71,
75–79, 174, 207–223 ERM team responsibilities, 300, 301,
305–308 failure, likelihood of, 219, 220 failure to define all risks by source,
impact of, 127, 128 individual risk exposures, 68, 69,
73–78, 174, 185–207 internal audit, responsibilities of, 317
Index & 401
BINDEX 01/12/2011 11:43:33 Page 402
Risk quantification (Continued ) and mitigation, 71, 73, 86 non-corporate entities, 350 operational risk, 88–92, 192–193, 199–203, 221
overview, 168, 223, 224 as part of ERM process cycle, 51, 52 and practical modeling, 169–173, 223
process, 174–223 and risk appetite, 227, 231 and risk correlation, 69 risk experts, responsibilities of, 312, 313
risk scenarios, 28, 52, 55, 56, 67–69, 73–75
strategic risk, 88–92, 192–193, 203–207, 221
and value-based ERM framework, 61, 65–77, 168
Risk-ranking criteria, 147–149 Risk-return adjustment, 236, 259 Risk scenarios
baseline risk scenarios, 81, 82, 190, 191, 194, 195, 208, 210, 212, 275
credible worst-case scenarios, 89, 90, 132, 135, 136, 138, 140, 153, 312
deterministic risk scenarios, 67, 68, 88–90, 127, 169, 185–187, 208, 209, 211, 214, 223, 307
downside risk scenarios, 190, 191, 259
Failure Modes and Effects Analysis (FMEA). See Failure Modes and Effects Analysis (FMEA)
non-corporate entities, 350 and risk identification, 65, 127, 128 and risk quantification, 28, 52, 55, 56, 67–69, 73–75
shock scenarios, 73, 193–196 and silo risk management, 36–40 stochastic risk scenarios, 74, 75, 102, 169, 171, 186–189, 206, 211, 307
tail scenarios, 12, 187, 188, 208, 209, 221
upside risk scenarios, 89, 190, 191
and value-based ERM framework, 81, 82, 88–93, 95, 96, 98, 102–105
Risk-taking options, 244. See also Risk exploitation
Risk tolerance, 41, 76–77, 269, 300–301, 310, 321, 365. See also Risk appetite
Sarbanes-Oxley Act (SOX), 8, 9, 35, 36, 92, 94
Scoring criteria. See Likelihood and severity scoring criteria
Securities and Exchange Commission (SEC)
incentive compensation, disclosure requirements, 13, 55, 286
risk disclosures, 282, 286 September 11, 2001, terrorist attacks,
4–7, 358 Severity of impact, 122, 130, 237,
249–251 Shareholder value, 45, 46, 48, 49, 268,
282, 283, 346. See alsoMarket capitalization
Shareholders benefits of ERM to, 52–54 and prioritizing stakeholders, 266, 267 risk messaging, 280–287, 293
Shock resistance, 42, 53–55, 58, 290 Shock scenarios, 73, 193–196 Significant digits rule described, 32–34 and discount rate, 175 and practicality of ERM model, 102, 103, 169, 173, 222, 340
and risk correlation, 212 traditional ERM models, 102, 103
Silo approach to risk management, 36–41, 94–96, 357, 358, 364, 366, 369
Simulation, 68–69, 73–75, 98, 191, 194, 210–213, 215, 223, 237, 243, 261, 322
Soft limits, 232–233, 244–246, 317, 326, 327
SOX. See Sarbanes-Oxley Act (SOX)
402 & Index
BINDEX 01/12/2011 11:43:33 Page 403
Stakeholders. See also Primary stakeholder focus (criterion 10)
external stakeholders, risk messaging, 280–293
non-corporate entities, 345, 346, 348, 351, 352, 354, 356–357, 361–363, 366, 367
prioritizing, 266, 267 Standard & Poor’s (S&P), 10–12, 41, 53,
56, 57, 289, 291 Stochastic risk scenarios, 74, 75, 102,
169, 171, 186–189, 206, 211, 307 Stock buyback decisions, 265, 266 issuance decisions, 265, 266 prices, 53–56
Stock analysts, 280, 287, 288, 293 Stock options. See Incentive
compensation Strategic planning. See also Business
decision making and risk decision making, 80–83, 256–269
risk quantification case study, 204–207
Strategic risk and Basel II, 5, 86 case study, 203–207, 251 defined, 27, 116 importance of, 28–31, 86 inclusion of in all risk categories, 64, 85–94, 333
metrics, 100, 103 and risk identification, 65, 116–118 and risk scenarios, 68, 190, 192, 193
values-based approach to quantifying, 88–92, 221
Strengths, weaknesses, opportunities, and threats (SWOT) analysis. See SWOT analysis
Stress test, 259, 260. See also Risk scenarios
Subject matter experts (SMEs) and risk governance, 312, 313, 324, 325
and risk identification, 127, 128, 140
and risk quantification, 186–189, 192, 193, 201, 204
use of in FMEA, 68, 140, 204, 214, 243, 259, 260, 287, 288, 306
Subprime mortgages. See Financial crisis (2007-)
Supplier risk, 122, 159, 160, 163–166, 203, 204, 241
SWOT analysis (Strengths, Weaknesses, Opportunities, and Threats), 81, 156, 260
Systemic risk, 58
Tail scenarios, 12, 187, 188, 208, 209, 221
Taleb, Nassim, 26 Talent management risk, 115, 118, 129,
152, 165 Technology advances as driver of ERM
adoption, 14 Technology risk, 123, 131, 136 Templates qualitative risk assessment survey,
141–144, 304 RCD tool. See Risk categorization and
definition (RCD) tool Terrorism risk, 5, 6, 123, 190, 191, 358,
359, 362, 363 Terrorist attacks of September 11, 2001,
4–7, 358 Time horizon, 32, 137–138, 220, 365,
367 Top-down allocation of risk appetite to
risk limits, 42, 95–99, 233–239, 252, 300, 311, 339
Traditional ERM programs buy-in, lack of, 103 capital-based framework, 83, 84,
220–223, 274, 275 company value, measurement of,
107 complexity of, 101–103 core challenges, 63, 64, 83, 109.
See also Core challenges of ERM
Index & 403
BINDEX 01/12/2011 11:43:33 Page 404
Traditional ERM programs (Continued ) decision making, 42, 43, 63, 100–103, 106, 222
ERM teams, 322 financial risk, 64, 85 and key ERM criteria, failure to meet, 63, 64, 83, 109, 110
metrics, 97 risk and return management, 43, 44, 63, 106, 222, 223
risk disclosures, 63, 107 risk metrics, 97 and Sarbanes-Oxley focus, 94 scope of, 25–27, 63, 83, 84 silo approach to risk management, 94–96
stakeholder focus, 48, 64, 107, 108 strategic and operational risks, approaches to quantifying, 85–88, 92, 93
value impacts, measurement of, 64, 107
Transportation Security Administration (TSA), 358
Uncertainty, 18, 19, 22, 144, 264 Unknown risks, scanning for, 153–155 Upside risk events, 19–21, 37, 76 Upside risk scenarios, 89, 190, 191 Upside volatility, 19, 21, 23, 44, 48,
106, 218
Value impacts, measurement of (criterion 9). See also Company value
banks and financial crisis, 341, 342 as key criterion of ERM program, 25, 46–48
and traditional ERM frameworks, 64, 107
and value-based ERM framework, 107
Value-at-Risk (VaR), 32, 87, 335 Value-based ERM framework and non-corporate entities, 344, 345 operational risks, quantifying, 88–94 process flows, 65, 66 risk decision making. See Risk decision
making risk identification. See Risk identification
risk messaging. See Risk messaging risk quantification. See Risk quantification
strategic risks, quantifying, 88–94 Volatility cost of, 19, 21–23 downside, 19, 21, 22, 44, 48, 55, 218 economic, 125, 126, 128 economic volatility, 126 as element of risk, 18–23 upside, 19, 21, 23, 44, 48, 106, 218
Voluntary risk disclosures. See Risk disclosures, voluntary disclosures
404 & Index
- Contents
- Foreword
- Preface
- Acknowledgments
- PART I: Basic ERM Infrastructure
- 1: Introduction
- EVOLUTION OF ERM
- BASEL ACCORDS
- SEPTEMBER 11TH
- CORPORATE ACCOUNTING FRAUD
- HURRICANE KATRINA
- RATING AGENCY SCRUTINY
- FINANCIAL CRISIS
- RARE EVENTS
- LONG-TERM TRENDS
- CHALLENGES TO ERM
- SUMMARY
- NOTES
- 2: Defining ERM
- DEFINITION OF RISK
- DEFINITION OF ERM
- SUMMARY
- NOTES
- 3: ERM Framework
- VALUE-BASED ERM FRAMEWORK
- CHALLENGES OF TRADITIONAL ERM FRAMEWORKS
- VALUE-BASED ERM FRAMEWORK
- OVERCOMING THE CHALLENGES BY USING A VALUE-BASED ERM FRAMEWORK
- SUMMARY
- NOTES
- PART II: ERM Process Cycle
- 4: Risk Identification
- COMPONENTS OF RISK IDENTIFICATION
- FIVE KEYS TO SUCCESSFUL RISK IDENTIFICATION
- RISK CATEGORIZATION AND DEFINITION
- QUALITATIVE RISK ASSESSMENT
- EMERGING RISK IDENTIFICATION
- KILLER RISKS
- SUMMARY
- NOTES
- 5: Risk Quantification
- PRACTICAL MODELING
- COMPONENTS OF RISK QUANTIFICATION
- CALCULATE BASELINE COMPANY VALUE
- QUANTIFY INDIVIDUAL RISK EXPOSURES
- QUANTIFY ENTERPRISE RISK EXPOSURE
- SUMMARY
- NOTES
- 6: Risk Decision
- DEFINING RISK APPETITE AND RISK LIMITS
- INTEGRATING ERM INTO DECISION MAKING
- SUMMARY
- NOTES
- 7: Risk Messaging
- INTERNAL RISK MESSAGING
- EXTERNAL RISK MESSAGING
- SUMMARY
- NOTES
- PART III: Risk Governance and Other Topics
- 8: Risk Governance
- FOCUSING ON COMMON THEMES
- COMPONENTS OF RISK GOVERNANCE
- ROLES AND RESPONSIBILITIES
- ORGANIZATIONAL STRUCTURE
- POLICIES AND PROCEDURES
- SUMMARY
- NOTES
- 9: Financial Crisis Case
- SUMMARY OF THE FINANCIAL CRISIS
- EVALUATING BANK RISK MANAGEMENT PRACTICES
- SUMMARY
- NOTES
- 10: ERM for Non-Corporate Entities
- GENERALIZING THE VALUE-BASED ERM APPROACH
- COMPLEXITIES OF OBJECTIVES-BASED ERM
- EXAMPLES OF NCEs
- SUMMARY
- CONCLUSION
- NOTES
- Glossary
- About the Author
- Index