Enterprise Risk Management

This is Part 5 of my blog series: The Art & Science of Risk Management

Photo courtesy of Google

In my previous post, I discussed the invaluable lessons to be learned from the many mistakes made by companies over the years due to ineffective risk management. Having learnt these lessons, risk practitioners encourage the implementation of enterprise risk management in all companies, which, by definition, is a comprehensive and integrated framework for managing key risks in order to achieve business objectives, minimize unexpected earnings volatility and maximize shareholder value. Evidence suggests that those with a good enterprise risk management (ERM) framework embedded in the business outperform those that don’t.

Essentially, ERM is all about integration of risks across different business units and functions. Traditionally, businesses operate in silos (e.g. treasury handles FX risk, human resources handle people risk, senior management handle strategy risks, etc). However, it is apparent that such a fragmented approach does not work in managing organizational risk properly. This is because risks are dynamic and interdependent i.e. risks interact with one another across the different facets of the business and the strength of the interaction is never fixed. This means that each business unit must understand and manage the risks with consideration of the risks faced in other business units to prevent the usually undetected risks from slipping through the cracks. It is also important for the business units to see how risks in combination can net off each other or compound the problem. One might argue that it is the senior managers job to have the overall picture of the business and it is hence their responsibility to manage the inter-dependencies and portfolio effects. However, this method is usually not sufficient and leads to sub-optimal performance.

An ERM function would be responsible for establishing enterprise-wide policies and standards, coordinate and centralize risk management activities across business units and functions, and provide overall risk monitoring for senior management and the board. The integrated approach therefore ensures the following benefits:

• It enables us to capture the “portfolio” effects of risks across business units and functions.
• It solidifies the relationship between risk and performance, partly assisted by defining the organization’s risk appetite.
• It ensures consistency in the management of risks.
• It enables us to standardize the way we measure and report on risks which in turn serves as a better risk communication tool.
• Having an independent view of what’s happening on the ground as well as a dotted line to the Board enables better corporate oversight.
• With the assistance of internal audit, ensures continuous review of the risks facing the enterprise.

As a side note, some people find it difficult to visualize risk inter-dependencies and the need to address portfolio effects. Here are some examples in the context of business (negative effects):

• Ensuring that legal contracts are of good quality may be a low risk for the legal department. For the credit department, credit default may also be a low risk. However, if someone defaults on a loan and it so happens that the legal contract pertaining to that loan is of low quality, we will never be able to recoup the loan amount from the borrower. In this case, both business units may not have considered each other’s risks. It is important for the legal team to consult with the credit team to ensure that loan documents, especially those of large amounts, are in order.
• The sales team’s objective is to maximize sales, whether it be cash or credit. The credit department’s objective is to minimize credit default. The sales team may not like it when the credit department denies a sale because it goes against their objective. The credit department may not like it when the sales team goes for clients with bad credit scores. Both departments have conflicting objectives, and the situation could be worse if the credit department is conservative while the sales department is aggressive. Department objectives must be in line.
• Where the finance team has taken out insurance against operational risks, but the operations team already have controls in place to manage their risks. The insurance cost in this scenario may be unnecessary and unfortunately, without understanding the risks across the business, both teams would be none the wiser.
• Traditionally, there is a siloed approach to measuring and reporting. risks. For example, the treasury team reports on FX losses, the finance team reports on the number of accounting errors, the HR department reports on employee turnover rates. This makes it difficult for senior management to prioritise on what’s important. For example, how does senior management know whether a 5% employee turnover is riskier than 100 accounting errors. Something as simple as an ERM risk assessment can put all measures on a level playing field.

Example of portfolio effects (positive):

• The simplest case of positive portfolio effects can be summed up in one expression: ‘don’t put all your eggs in one basket’. If you’re an investor, this means that you should not put all your money in one company. If you manage your own company, this means that you should diversify your product base, diversify your talent base (e.g. gender, race), etc.
• A typical business may have high risk of human error across many departments. Under a silo approach, each department manager may budget the purchase of an IT application to resolve this risk. This will be costlier and less efficient than implementing a company-wide integrated IT system, managed by an IT specialist.
• Most departments traditionally operate in silos. This means that usually departments are not aware of the risks facing all other departments in the organization. But what if they were? This would mean that each department would take into consideration its risks as well as the risks of other departments with every decision made. This would of course lead to more informed decision making and therefore more value add. This can be achieved by establishing risk committees. These committees provide the forum for individuals from different departments to share information.
• Adding to the previous point, the company I work for holds several hotels in its portfolio, which you could argue compete with one another. To mitigate the risks associated with this siloed thinking, we have formed a risk committee with the general managers of every hotel. The idea is to create synergy between them, to work together as a team and to share their ideas with regard to risk and controls.
• Read up a bit on hedge accounting.
• Read up a bit on regulatory capital. In the banking world, there is much work be done to reduce exposures through diversification and correlation measure.
• Insurance contracts that consider net exposures as opposed to gross exposures i.e. taking out insurance on exposures with diversification benefits considered will reduce the premium. A centralized or combined insurance contract may be worthwhile.

Now that we understand what ERM is and the benefits that come with it, the question remains on how to go about implementation. We will get more into this as this blog series progresses. For now, lets just summarize it. There are two sides to implementing a fully effective ERM framework, the hard side and the soft side:

• The hard side is concerned with developing an integrated data management system containing data on losses, incidences, risk indicators, exposures, etc. It is from this system that we analyse the risks and report on the conclusions, guided by the limits, policies and standards set by the organization.
• The soft side is concerned with building the risk culture and values. This involves setting the tone from the top i.e. through senior management’s commitment, ensuring that the overall vision, leadership and direction for ERM is sustainable in the long run. Building the risk culture and values also involves honest and transparent risk communication to all stakeholders on a continuous basis.

Next up – The Risk Assessment
Your Risk Connoisseur
J-MLN