Unit 3 - Introduction to Enterprise Risk Management (ERM)


Management and Board of Directors Discussions

- Address risks as determined by the organization's strategy and business objectives.
- Capture and align information at a level that is consistent with directors' risk oversight responsibilities and with the level of information the board determines necessary.
- Ensure reports present the organization's risk profile as aligned with its risk appetite statement, and link reported risk information to policies for exposure and tolerance.
- Provide a longitudinal perspective of risk exposures, including historical data, explanations of trends, and forward-looking trends explained in relation to current positions.
- Update at a frequency consistent with the pace of risk evolution and the severity of the risk.
- Use standardized templates to support consistent presentation and structure of risk information.

Enterprise Risk Management (ERM) Definitions

- The process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings.
- The process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
- A business strategy that identifies and prepares for hazards that may interfere with a company's operations and objectives.
- An organization's enterprise risk competence (the ability to understand, control, and articulate the nature and level of risks taken in pursuit of business strategies) coupled with accountability for risks taken and activities engaged in, which contributes to increased confidence shown by stakeholders.

Risk Quantification Process and Results

- Understand the Exposure/Opportunity
- Risk Response Design and Stress Testing
- Risk Appetite Determination

Results:
1. Reduce volatility and capitalize on opportunities
2. Efficient capital deployment

ERM Framework

1. Insights and Transparency:
   - Risk Taxonomy: Establish a common vocabulary for different risks.
   - Risk Register/Risk Heat Map: Characterize and prioritize risk based on probability, impact, and preparedness.
   - Risk Insight and Foresight: Use business-specific scenarios, stress tests, and early indicators to understand risks and opportunities (potentially also for key customers and peers).
   - Risk Models: Build a simple model as a support tool for business decisions.
   - Risk Reporting: Focus on key risks and provide clarity on these to allow actionable measures.
2. Natural Ownership, Risk Appetite, and Strategy:
   - Risk Ownership: Consider whether you are the natural owner of a given risk.
   - Risk Capacity: Understand how much risk you can take.
   - Risk Appetite: Decide how much risk you feel comfortable taking.
   - Risk Strategy: Decide on actions to transform your risk profile, including trade-offs with corresponding costs.
3. Risk-Related Decisions and Processes:
   - Risk-Related Decisions: Embed risk in business decision-making rather than treating it as a pure compliance-oriented activity.
   - Risk Optimization: Embed in each major strategic decision before launch/positive decision.
   - Risk Processes: Design and execute core business processes and operations on a risk-informed basis.
4. Risk Organization and Governance:
   - Risk Archetypes: Define the enterprise risk management (ERM) mandate of the risk function.
   - Risk Organization: Design risk structures across the entire organization and ensure buy-in of top management.
   - Risk-Function Profile: Establish a clear allocation of responsibilities between risk-taking and controlling units.
5. Risk Culture and Performance Transformation:
   - Risk Culture: Ensure soundness of risk culture across the entire organization (perform a culture diagnostic).
   - Risk Norms: Embed new risk norms through various corporate processes and governance.
   - Risk Skill Building: Implement a skill enhancement program for key roles.

Barriers to ERM

1. Organizational Culture: ERM may be incompatible with the organization's culture if the organization thinks mainly in terms of reaching the next quarter's numbers. If so, it requires an even greater shift in thinking to embrace the principles of ERM.
2. Leadership: Implementation of ERM requires committed leaders who clearly communicate that ERM is a priority.
3. Turf Battles: ERM requires combined knowledge and focus from functions across the organization. Yet some leaders may not be enthusiastic about participating. Not only is it necessary for every leader to devote the time to participate, but each leader must be forthright about risks within his or her area of responsibility. That can be uncomfortable if a leader must admit that there is a significant risk within his or her scope of responsibility that has not been addressed. A department head may also be concerned that ERM can lead to some loss of control if reducing risk requires passing on some potentially profitable opportunities, or if scarce resources must be redirected from potentially profitable ventures to risk reduction or mitigation.
4. Lack of a Formal Process: Management must establish and embrace a structured process to implement an effective ERM plan.
5. Lack of Uniform Metrics Across the Organization: The various disciplines within an organization develop and rely on their own unique metrics, resulting in several different metrics being used within the organization. This prevents top management from gaining a true perspective of risk across the enterprise.

External Environment Categories and Characteristics

1. Political: The nature and extent of government intervention and influence, including tax policies, labor laws, environmental laws, trade restrictions, tariffs, and political stability.
2. Economic: Interest rates, inflation, foreign exchange rates, availability of credit, etc.
3. Social: Customer needs or expectations, and population demographics such as age distribution, educational levels, and distribution of wealth.
4. Technological: Research and development activity, automation and technology incentives, and the rate of technological change or disruption.
5. Legal: Laws (employment, consumer, health, and safety), regulations, and industry standards.
6. Environmental: Natural or human-caused catastrophes, ongoing climate change, changes in energy consumption regulations, and attitudes toward the environment.

Risk Reporting

1. Portfolio view of risk: outlines the severity of the risks at the organization level that may impact the achievement of strategy and business objectives. The reporting of the portfolio view highlights the greatest threats to the organization, interdependencies between specific risks, and opportunities. The portfolio view of risk is typically found in management and board reporting.
2. Profile view of risk: similar to the portfolio view, outlines the severity of risks but focuses on different levels within the organization. For example, the risk profile of a division or operating unit may include designated risk reporting for management of those areas of the organization.
3. Analysis of root causes: enables users to understand the assumptions and changes underpinning the portfolio and profile views of risk.
4. Sensitivity analysis: measures the effects of changes in key assumptions embedded in strategy and the potential impact on strategy and business objectives. Analysis of new, emerging, and changing risks provides the forward-looking view needed to anticipate changes to the risk universe, effects on resource requirements and allocation, and the anticipated performance of the organization.
5. Key performance indicators and measures: outline the acceptable variation in performance of the organization and potential risk to a strategy or business objective. Trend analysis demonstrates movements and changes in the portfolio view of risk, the risk profile, and the performance of the organization.
6. Disclosure of incidents, breaches, and losses: provides insight into the effectiveness of risk responses. Tracking ERM plans and initiatives involves preparing a summary of the plan and initiatives for establishing or maintaining ERM practices. Investment in resources and the urgency with which initiatives are completed would be included. It may also reflect the commitment to ERM and culture by organizational leaders in responding to risks.

ERM Best Practices Process

1. Risk Governance:
   - Risk Strategy and Objectives
   - ERM Sustainability
2. Risk Awareness:
   - Risk Identification and Prioritization
   - Risk Assessment and Quantification
3. Risk Improvement:
   - Risk Response Strategy
   - Risk Response Implementation

* Growth
* Profitability
* Continuity

Discussion of ERM Determinants

1. Size: Survey evidence suggests that larger firms are more likely to engage in ERM because they are more complex, face a wider array of risks, and have the institutional size to support the administrative cost of an ERM program.
2. Leverage: Firms engaging in ERM may have lower financial leverage if they have decided to lower their probability of financial distress by decreasing financial risk. However, firms may decide that as a result of ERM they are able to assume greater financial risk. Accordingly, the relation between ERM adoption and leverage is posited to be unclear. Firms with greater financial leverage are found to be more likely to appoint a chief risk officer. Leverage is defined as the ratio of the book value of assets to the book value of liabilities.
3. Opacity: Firms that are relatively more opaque should derive greater benefit from ERM programs that communicate risk management objectives and strategies to outsiders. ERM adoption is hypothesized to be related to the opacity of a firm's assets, because assets that are relatively more opaque are more difficult to liquidate in order to avert financial distress.
4. Div_Int, Div_Ind, Div_Ins: Insurers that are relatively more complex are likely to benefit more from the adoption of ERM programs. Although firm size captures a good deal of complexity, other factors such as industrial and international diversification are also likely to affect whether a firm adopts an ERM program.
5. Institutions: Pressure from external stakeholders is regarded as an important driving force behind the adoption of ERM programs. Regulatory pressure is likely to have a similar impact on all competitors within a given industry, whereas shareholder pressure may differ depending on the relative influence of different shareholder groups for each firm. Institutions are relatively more influential than individual shareholders and may be able to exert greater pressure for the adoption of an ERM program. Therefore, firms with a higher percentage of institutional share ownership are expected to be more likely to engage in ERM.
6. Slack: It is argued that ERM users may have higher levels of financial slack due to the emphasis of risk management on reducing the probability of financial distress. However, ERM users may also be able to reduce the level of financial slack because of improved risk management. Slack is measured as the ratio of cash and marketable securities to total assets.
7. CV(EBIT): Firms that are relatively more volatile are likely to benefit from the effects of an ERM program. However, firms that have adopted ERM programs are likely to experience lower volatility of stock returns or earnings.
8. Value Change: It is argued that ERM adoption might be related to sharp declines in shareholder value if firms feel pressure to convey to shareholders that they are taking corrective steps to prevent continued value reduction.

Discussion of Q Determinants

1. Size: There is some evidence that large firms are more likely to have ERM programs in place.
2. Leverage: On the one hand, financial leverage enhances firm value to the extent that it reduces free cash flow that might otherwise have been invested by self-interested managers in suboptimal projects. On the other hand, excessive leverage can increase the probability of bankruptcy and cause the firm's owners to bear financial distress costs.
3. ROA: Profitable firms are likely to trade at a premium. We expect a positive relation between ROA and Tobin's Q.
4. Div_Ind: On the one hand, diversification may be performance enhancing due to benefits associated with scope economies, larger internal capital markets, and risk reduction. On the other hand, diversification may reduce performance if it exacerbates agency costs and leads to inefficient cross-subsidization of poorly performing businesses.
5. Div_Int: International diversification is associated with costs that stem from unresolved agency conflicts and benefits that result from scope economies and risk reduction.
6. Dividends: On the one hand, investors may view a disbursement of cash in the form of a dividend as a sign that the firm has exhausted its growth opportunities. If this holds, then the payment of dividends will negatively affect firm value. On the other hand, to the extent that dividends reduce free cash flow that could be used for managerial perquisite consumption, the payment of dividends is expected to positively affect firm value.
7. Insiders: There is a large body of research that links insider share ownership to firm value. The literature predicts that low levels of insider ownership are effective in aligning managerial and shareholder interests. However, high levels of ownership have the opposite effect on firm value.

When developing a Risk Appetite Statement an organization should consider the following:

1. Strategic Parameters: Considering matters such as new products to pursue or avoid, investment in capital expenditures, and merger and acquisition activity.
2. Financial Parameters: Considering matters such as the maximum acceptable variation in financial performance, return on assets or risk-adjusted return on capital, target debt rating, and target Debt to Equity Ratio.
3. Operating Parameters: Considering matters such as capacity management, environmental requirements, safety targets, quality targets, and customer concentrations.

Interview Core Questions

1. What are the goals for your department/division/area of responsibility, both short-term and long-term?
2. When you think about achieving your goals, what do you see as the greatest risks and obstacles?
3. What are the greatest risks and obstacles facing the organization, regardless of whether they are related to your department?

Portfolio View of Risks

A portfolio view allows management and the board to consider the type, severity, and interdependence of risks and how they may affect performance.

Risk Quantification, Risk Identification, and Risk Prioritization

Although Risk Quantification is the focus of this discussion, it is important to understand the role of Risk Identification and Risk Prioritization in a broader, functioning ERM program. In particular, Risk Identification and Risk Prioritization can provide focus regarding which enterprise risks may, or should, be assessed in greater depth. This focus is accomplished by surveying and interviewing employees and gaining consensus on the key risks from senior managers and risk owners.

4. Developing Action Plans

An ERM risk survey will almost certainly reveal more risks than an organization can tackle at one time. An organization may plan to address all risks eventually, but it will likely need to select the most urgent to act upon in the short run. Dimensions of risk other than the "Likelihood of Loss" and the "Potential Severity of Loss" should be considered when selecting the risks to address. They include the difficulty, the cost, and the length of time required to reduce the risk to an acceptable level. After taking all these factors into consideration, the ERM team must select those issues the company will begin to address. For each issue selected, a formal action plan should be developed.

Risks in Performance Management

Because risk emanates from a variety of sources and requires a range of responses, the process of identifying, assessing, and responding to risk is undertaken across all levels: corporate level, business unit level, and functional level. Organizations use their operating model to develop a process that does the following:
- Identifies new and emerging risks so that management can deploy risk responses in a timely manner.
- Assesses the severity of risk with an understanding of how the risk may change depending on the level of the organization.
- Prioritizes risk, allowing management to optimize the allocation of resources and capabilities in response to those risks.
- Identifies and selects responses to risk.
- Develops a portfolio view to enhance the ability of the organization to articulate the amount of risk assumed in the pursuit of strategy and business objectives.
- Monitors the organization's performance and identifies substantial changes in the performance or risk profile of the organization.

Business Context

Business context refers to the trends, relationships, and other factors that influence, clarify, or drive change to an organization's current and future strategy and business objectives. Business context may be the following:
1. Dynamic: New risks can emerge at any time, causing disruption and changing the status quo (a new competitor causes product sales to decrease or even makes the product obsolete).
2. Complex: There are many interconnections and interdependencies (an organization has many operational units around the world, each dealing with its own unique political regimes, regulatory policies, and taxation laws).
3. Unpredictable: Changes may happen quickly and in unanticipated ways (currency fluctuations and political forces).

- The effect that business context has on an entity's risk profile may be viewed in three stages: (1) past, (2) present, and (3) future performance. Looking back at past performance can provide an organization with valuable information to use in shaping its risk profile. Looking at current performance can show an organization how current trends, relationships, and other factors are influencing the risk profile. By thinking about what these factors will look like in the future, the organization can consider how its risk profile will evolve and change in relation to where it is heading or what lies ahead.
- An organization's internal environment is anything inside the organization that can affect its ability to achieve its strategy and business objectives. Internal stakeholders are those people working within the organization who directly influence the organization (board of directors, management, and other personnel). As organizations vary greatly in size and structure, internal stakeholders may affect the organization differently as a whole than at the level of a division, operating unit, or function.
- Once a risk profile has been defined for a chosen strategy, the management team is able to determine what resources and capabilities will be required and allocated to support executing the strategy while still operating within the defined risk appetite. Resources would include infrastructure, technical expertise, and working capital. The amount of effort needed to evaluate alternative strategies will depend on how significant the decision is and also on the resources and capabilities available.

Risk Identification

By identifying new and emerging risks, management is given the opportunity to look to the future, assess the potential severity of the risks, and respond with the proper risk treatment. What types of emerging risks should senior management be concerned with? Following are some examples:
1. Emerging Technology: Advances in technology that may impact the relevance and longevity of existing products and services.
2. Expanding Role of Big Data: How organizations can effectively and efficiently access and transform large volumes of structured and unstructured data.
3. Depleting Natural Resources: The diminishing availability and increasing cost of natural resources that impact the supply, demand, and location of products and services.
4. Risk of Virtual Entities: The growing prominence of virtual entities that influence the supply, demand, and distribution channels of traditional market structures.
5. Mobility of Workforce: Mobile and remote workforces that introduce new processes to the day-to-day operations of an entity.
6. Labor Shortages: The challenges of securing labor with the skills and levels of education required by entities to support performance.
7. Shifts in Lifestyle, Health Care, and Demographics: The changing habits and needs of current and future customers as populations change.

- There are a variety of ways of identifying risk. These range from simple questionnaires to sophisticated facilitated workshops and meetings. Online surveys, data tracking, and complex analytics can also be used for risk identification. Key risk indicators are qualitative and quantitative measures designed to identify changes to existing risks. Risk indicators should not be confused with performance measures, which are typically retrospective in nature.
- Sometimes opportunities emerge from risk, or from what an organization perceives as a threat.

Risk Tolerance

Closely linked to Risk Appetite is the acceptable variation in performance, which is also referred to as Risk Tolerance. Both of these terms refer to the boundaries of acceptable outcomes related to achieving a business objective, whether the boundary of exceeding the target or the boundary of trailing the target. Having an understanding of acceptable variation in performance enables management to enhance the value of the entity.
- Example: The acceptable level of risk tolerance should not exceed its risk profile or risk appetite.

Risk Communication

Communication is the continual, iterative process of providing, sharing, and obtaining information that flows throughout the organization. Senior management uses relevant information from both internal and external sources to support enterprise risk management.
- Communicating risks in an organization starts with defining risk responsibilities clearly and answering two questions: (1) who needs to know what, and (2) when do they need to act on it. Effective risk communication starts by examining the risk governance structure to ensure that risk responsibilities are clearly allocated and defined at the board and management levels and that the structure supports the desired risk dialogue. The board's responsibility is to provide oversight and ensure the appropriate measures are in place so that management can identify, assess, prioritize, and respond to risk.
- To be able to communicate effectively, the board of directors and management must have a shared understanding of risk and its relationship to strategy and business objectives. In addition, directors need to develop a deep understanding of the business, its value drivers, its strategy, and the associated risks. The board and senior management team need to continually discuss the risk appetite by holding formal quarterly board meetings to address specific events, such as cyber-terrorism, CEO succession, or mergers.

Culture

Culture is reflected in all levels of decision-making, and risk governance helps culture reach its strategic goals.

Culture and Risk Governance

ERM helps people understand and develop the skill sets to address risks in relationship to the organization's strategy and business objectives. This understanding supports decision-making at all levels and helps to reduce organizational bias. Risk governance and culture together form a basis for all other components of ERM.

How is ERM Different from Traditional Risk Management?

ERM is different only because it manages risks beyond the traditional insurable risks. Those risks include the following:
- Traditional Property and Casualty Risks
- Supply Chain Risks
- Pure Financial Loss Risks (securities suits, crime losses, fiduciary losses, cyber crime)
- Currency Risk
- Financial Risks such as Interest Rates
- Commodities Risks, Either Availability or Pricing
- Socioeconomic Risks, including changing consumer preferences
- Operational Risks
- Organizational Risks (Succession Planning)
- Political Risks
- Increased Competition Risks (new entrants into the market, more intense competition due to consolidation of competitors, overseas competitors)
- People Risks (shortages of skilled labor, benefit costs, regulations, employment class actions, union activity)
- Regulatory Risks (Sarbanes-Oxley compliance, Foreign Corrupt Practices Act (FCPA), Dodd-Frank, Health Insurance Portability and Accountability Act, Fair Credit Reporting Act)
- Reputational Risks

ERM - The Critical Steps

ERM is not a project with a completion date but rather an ongoing process, one that includes several key steps: risk identification and prioritization, risk assessment and quantification, risk response strategy evaluation and implementation, and program sustainability through governance, compliance, reporting, and culture.
- While it is stated that ERM is a process and not a project, the same techniques in this discussion can be used to evaluate project or capital expenditure risks. In these instances, the project does have a completion date, but the process can be used to evaluate risk before engaging in the project and be continually updated as the project progresses. The process can also be modified to monitor and quantify identified risks and additional risks that may arise after the project is complete.
- Within the ERM program framework, a powerful guidance tool can be created that is flexible enough to incorporate environmental changes such as changing risk profiles and mitigation strategies. This arms decision-makers with valuable information, enabling a decision-making process that presents information in a strategic manner, for example, critical financial and operational performance measures.
- Although the techniques of risk quantification within a decision-making framework can be quite complex, its critical elements are determining risk appetite, measuring risk impact (understanding the risk exposure or opportunity), and stress testing response strategies. The last point is key. If the measurement of appetite and the identification/quantification of key risks are not used in a decision-making framework, the results will not drive action, and everything will remain status quo.

ERM Summary

ERM is the process of applying the basic risk management model used for identifying and managing insurable risk to all the risks facing an organization. An ERM program must be supported by top management and works best when it is a board-level initiative. ERM will only work within a well-defined framework and if there is broad participation throughout the organization. ERM can help a company reduce risk and a well-developed ERM process can help it create value when used to evaluate opportunities to deploy capital.

Enterprise Risk Management "Spotlight"

Enterprise Risk Management (ERM) is an extremely advanced discipline in many organizations.
- A successful risk manager has already mastered the underlying skills needed to implement ERM. As with any new initiative, the risk manager is going to face barriers to implementing an ERM process. The risk manager who wants to overcome the barriers to ERM has three main selling points: (1) scorekeeping, (2) cultural change, and (3) value enhancement. Moving from traditional risk to an ERM approach can be very rewarding for a risk manager. To be successful, ERM must be more than a function within the risk management department.
- The ERM process is very similar to the traditional risk management process. The foundation of the ERM process is the process for defining risk. The core of the ERM process, and the key to success, is the risk survey that identifies the universe of risks facing the organization.
- Interviews will provide a great deal of information that is not very useful in its raw form. An ERM risk survey will almost certainly reveal more risks than an organization can tackle at one time. The model used to measure and identify risk should be modified over time, and risk interviews should be repeated at least annually.

Integration of ERM into the Organization

Integrating ERM improves decision-making in governance, strategy, objective-setting, and day-to-day operations by linking business objectives to both risk and opportunity. The diligence required to embed ERM into the daily operations of an organization will provide a clear path to creating, preserving, and realizing value.
- Those business decisions can create, preserve, realize, or erode the value of an organization. The resources and capabilities necessary to create this value are based on people, financial capital, technology, processes, and market presence. The proper deployment of resources and capabilities can create either monetary or nonmonetary benefits. Value can be eroded when the senior management team cannot yield expected outcomes or fails to execute day-to-day tasks. ERM does not create the entity's strategy, but it does influence the success of its execution. An organization's performance can be enhanced by embedding ERM into day-to-day operations and more closely linking business objectives to risk and opportunity.

3. Defining and Prioritizing

Interviews will provide a great deal of information that is not very useful in its raw form. The ERM committee will need to sift through and organize it. One way to organize risks is to develop a table with the identified risks and rank them using the definitions in "ERM Definitions."

ERM Definitions

Loss Probability Definitions:
- Ongoing: A loss that occurs during the normal course of business and is characterized as high-frequency but usually low-severity.
- High: A loss that is substantially likely to occur within the next year; usually a unique risk and not a normal consequence of ongoing operations.
- Medium: A loss that is likely to occur within the next year only if certain unusual circumstances develop; the likelihood of such circumstances developing is real but remote.
- Low: A loss that is more speculative and will only occur if there are major changes to the environment in which the company operates.

Loss Severity Definitions:
- P&L (Plan): A loss that can be planned for and reserved within the current year's operating plan.
- P&L (Disruption): A loss that will jeopardize the organization's ability to meet its current-year profit and loss goals.
- Balance Sheet: A loss that will have consequences beyond the current year's results and that will significantly impact the overall value of the company well beyond the current year's results.
- Existential: A loss of such severity that the organization could cease to exist in its current form if it occurs.

What ERM Means for the Risk Manager's Role

Moving from traditional risk to an ERM approach can be very rewarding for a risk manager. Developing an ERM program necessarily elevates the risk manager's stature in the organization because he needs to be involved in developing the overall strategy of the company and not just the strategy for managing insurable risk. When the ERM process gains traction, it gains top management's attention and often even the attention of the board of directors. Many companies that develop strong ERM programs have board ERM committees. The person responsible for ERM is often a vice president or even a chief risk officer.

Results

First, on average, insurers with ERM programs are valued approximately 4 percent higher than other insurers. Second, ERM users are systematically different from non-users. Specifically, in terms of financial characteristics, the average ERM user is larger, less leveraged, less opaque, has less financial slack, and has lower return volatility than the average non-user. Furthermore, in terms of ownership, ERM users tend to have higher levels of institutional ownership than non-users. Finally, the average ERM user relies less on reinsurance than the average non-user, and the median change in value is greater for ERM users than for non-users.

Risks in Strategic Planning

Popular approaches to evaluating alternative strategies include strengths, weaknesses, opportunities, and threats (SWOT) analysis, modeling, valuation, revenue forecasts, competitor analysis, and scenario analysis. These evaluations are typically performed internally with management personnel who have an organization-wide view of risk and understand how strategy impacts performance. The management team has better insight into how a chosen strategy will support performance across the corporate, business unit, and functional levels of the organization. -A change in strategy is warranted if the organization determines that the current strategy fails to create, realize, or preserve value; that a change in business context has brought the organization too close to the maximum amount of risk it is willing to accept; or that the resources and capabilities required to execute the strategy are not available.

Why ERM Should Add Value to the Firm

Profit-maximizing firms should consider implementing an ERM program only if it increases expected shareholder wealth. Although the individual advantages of different risk management activities are clear, there are disadvantages to the traditional "silo" approach to risk management. Managing each risk class in a separate silo creates inefficiencies due to lack of coordination between the various risk management departments. Proponents of ERM argue that by integrating decision making across all risk classes, firms are able to avoid duplication of risk management expenditure by exploiting natural hedges. Firms that engage in ERM should be able to better understand the aggregate risk inherent in different business activities. This should provide them with a more objective basis for resource allocation, thus improving capital efficiency and return on equity. Organizations with a wide range of investment opportunities are likely to benefit from being able to select investments based on a more accurate risk-adjusted rate than was available under the traditional risk management approach. -Although individual risk management activities may reduce earnings volatility by reducing the probability of catastrophic losses, there are potential interdependencies between risks across activities that might go unnoticed in the traditional risk management model. ERM provides a structure that combines all risk management activities into one integrated framework that facilitates the identification of such interdependencies. Thus, although individual risk management activities can reduce earnings volatility from a specific source (hazard risk, interest rate risk, etc.), an ERM strategy aims to reduce volatility by preventing the aggregation of risk across different sources. A further potential source of value from ERM programs arises from improved information about the firm's risk profile.
Outsiders are more likely to have difficulty in assessing the financial strength and risk profile of firms that are highly financially and operationally complex. ERM might enable these opaque firms to better inform outsiders of their risk profile and should serve as a signal of their commitment to risk management. By improving risk management disclosure, ERM is likely to reduce the expected costs of regulatory scrutiny and external capital. Additionally, for insurers, the major ratings agencies have put increasing focus on risk management and ERM specifically as part of their financial review. This is likely to provide additional incentives for insurers to consider ERM programs and also suggests a potential value implication to the existence of ERM programs in insurers.

Risk Profile

Provides a composite view of the risk at a particular level of the organization or aspect of the business model. The composite view allows management to consider the type, severity, and interdependencies of risks and how they may affect performance relative to strategy and business objectives.

Risk Appetite

Risk appetite is integral to ERM. It guides decisions on the types and amount of risk an organization is willing to accept in its pursuit of value. Risk appetite is not static and may change over time due to changes in the organization's resources and capabilities. There is no standard or "right" risk appetite that applies to all organizations. An organization's risk appetite is unique to its circumstances and should align with its strategic goals and its capacity to take on risk. -A variety of approaches are available to determine risk appetite, including facilitated discussions, reviewing past and current performance targets, and modeling.

Risk Assessment

Risk assessment approaches may be qualitative, quantitative, or both. The severity of a risk may influence how it will be approached. Types of approaches include scenario analysis, simulation, data analysis, and interviews with risk owners. Qualitative assessment approaches are often used where risks are not easy to quantify or where it is not cost-effective to obtain sufficient data for quantification; in these cases, management might use benchmarking information to evaluate a risk. Management considers inherent risk, target residual risk, and actual residual risk as part of the risk assessment. 1. Inherent Risk: Risk to an entity in the absence of any direct or focused actions by management to alter its potential severity. 2. Target Residual Risk: The amount of risk that an entity prefers to assume in the pursuit of its strategy and business objectives, knowing that management will implement, or has implemented, direct or focused actions to alter risk severity. 3. Actual Residual Risk: The risk remaining after management has taken action to alter its severity. Actual residual risk should be equal to or less than the target residual risk. Where actual residual risk exceeds target residual risk, additional actions should be identified that allow management to alter risk severity.
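The framework described here (uniform probability and severity definitions from the Loss Probability / Loss Severity card, plus the distinction between inherent, target residual, and actual residual risk) can be applied mechanically once a risk register exists. The Python script below is an added illustration and is not part of the study set: it encodes the page's probability and severity labels as ordinal scales, flags every register entry whose actual residual risk exceeds its target residual risk, exceeds its inherent risk (a data error), or falls outside an assumed risk appetite, and orders the findings by severity. The numeric ranks, the APPETITE table, the "severity dominates probability" ordering, and the four sample risks are assumptions made for this example.

```python
from dataclasses import dataclass

# Ordinal ranks for the page's loss-probability labels (assumed: higher = more likely).
PROBABILITY = {"Low": 1, "Medium": 2, "High": 3, "Ongoing": 4}
# Ordinal ranks for the page's loss-severity labels (assumed: higher = more damaging).
SEVERITY = {"P&L (Plan)": 1, "P&L (Disruption)": 2, "Balance Sheet": 3, "Existential": 4}


@dataclass(frozen=True)
class Rating:
    """One point on the probability/severity grid, using the framework's labels only."""
    probability: str
    severity: str

    def __post_init__(self):
        # Uniform definitions are the point of the framework: reject anything outside them.
        if self.probability not in PROBABILITY or self.severity not in SEVERITY:
            raise ValueError(f"unknown rating {self.probability!r}/{self.severity!r}")

    @property
    def key(self):
        # Assumed ordering for prioritization: severity dominates, probability breaks ties.
        return (SEVERITY[self.severity], PROBABILITY[self.probability])

    def within(self, other):
        """True if this rating is no worse than `other` on both axes."""
        return (SEVERITY[self.severity] <= SEVERITY[other.severity]
                and PROBABILITY[self.probability] <= PROBABILITY[other.probability])


@dataclass(frozen=True)
class Risk:
    name: str
    owner: str
    inherent: Rating
    target_residual: Rating
    actual_residual: Rating


# Assumed risk appetite: for each severity class, the highest probability the board accepts.
APPETITE = {
    "Existential": "Low",
    "Balance Sheet": "Medium",
    "P&L (Disruption)": "High",
    "P&L (Plan)": "Ongoing",
}


def within_appetite(rating, appetite=APPETITE):
    """True if the rating's probability does not exceed the ceiling for its severity class."""
    return PROBABILITY[rating.probability] <= PROBABILITY[appetite[rating.severity]]


def check_register(register, appetite=APPETITE):
    """Return (risk, issues) pairs for every risk that needs action, highest priority first."""
    findings = []
    for risk in register:
        issues = []
        if not risk.actual_residual.within(risk.inherent):
            # Responses cannot make a risk worse than it was untreated: the ratings are wrong.
            issues.append("actual residual exceeds inherent risk: re-assess the ratings")
        if not risk.actual_residual.within(risk.target_residual):
            issues.append("actual residual exceeds target residual: identify additional responses")
        if not within_appetite(risk.actual_residual, appetite):
            issues.append("actual residual is outside risk appetite: escalate to management")
        if issues:
            findings.append((risk, issues))
    # Prioritize by severity, then probability, of the actual residual risk.
    findings.sort(key=lambda f: f[0].actual_residual.key, reverse=True)
    return findings


# Constructed sample register (hypothetical risks and owners, not data from the page).
SAMPLE_REGISTER = [
    Risk("Ransomware on order-management platform", "CIO",
         Rating("High", "Balance Sheet"), Rating("Medium", "P&L (Disruption)"),
         Rating("High", "P&L (Disruption)")),
    Risk("Single-source supplier outage", "COO",
         Rating("Medium", "Balance Sheet"), Rating("Low", "Balance Sheet"),
         Rating("Low", "Balance Sheet")),
    Risk("Phishing-driven payroll fraud", "CFO",
         Rating("Ongoing", "P&L (Plan)"), Rating("Ongoing", "P&L (Plan)"),
         Rating("Ongoing", "P&L (Plan)")),
    Risk("Loss of key operating license", "General Counsel",
         Rating("Medium", "Existential"), Rating("Low", "Existential"),
         Rating("Medium", "Existential")),
]

if __name__ == "__main__":
    for risk, issues in check_register(SAMPLE_REGISTER):
        print(f"{risk.name} ({risk.owner}): "
              f"{risk.actual_residual.probability}/{risk.actual_residual.severity}")
        for issue in issues:
            print(f"  - {issue}")
```

Run as-is, the script reports two of the four sample risks: the license risk first (Existential severity, outside both target residual and appetite) and the ransomware risk second (target missed on probability only). The supplier and payroll entries are within target and appetite and are not reported.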

Risk Response

Risk responses fall within the following categories: Accept, Avoid, Pursue, Reduce, or Share. Management may need to consider another course of action by doing the following: 1. Review Business Objectives: The organization chooses to review and potentially revise the business objective given the severity of identified risk and acceptable variation in performance. This may occur when the other categories of risk response do not represent desired courses of action for the organization. 2. Review Strategy: The organization chooses to review and potentially revise the strategy given the severity of identified risks and risk appetite of the organization. As with a review of business objectives, this may occur when other categories of risk responses do not represent desired courses of action for the organization.

Risk Prioritization

Risks are prioritized to enable informed decision making and to optimize the allocation of resources. Risk prioritization considers the severity of a risk and informs the selection of the risk response. The priorities are determined by applying agreed-upon criteria that can include adaptability, complexity, velocity, persistence, and recovery.

Risk Governance

Sets the organizational tone, reinforcing the importance of ERM, and establishing oversight responsibilities for it. Culture pertains to ethical values, desired behaviors, and understanding of risk in the organization. -To be effective, risk governance needs an operating model and reporting lines to execute the strategy and business objectives. In designing reporting lines within the operating model, it is important for the organization to clearly define responsibilities. -Another very important part of risk governance is a commitment to developing the right human capital resources and capabilities to execute the strategy and business objectives.

The ERM Process

The ERM process is very similar to the traditional risk management process, but it focuses on much more than the traditional loss runs, safety surveys, and engineering reports used to develop basic programs for managing insurable risk. The steps to ERM are the following: 1. Developing the Framework: Success or failure of an ERM program depends largely on the framework for identifying, ranking, prioritizing, and addressing risk. 2. The Risk Survey: Once the framework is built, the second most important step is surveying the organization to determine the range of risks. 3. Defining and Prioritizing Risks: Once the risks are known, the organization must fit each into a definition within its framework so that actions can be prioritized. 4. Developing Action Plans: The ERM process should manage risk mitigation as well as risk identification. This is done by developing action plans for managing the risks that senior executives and the board feel are most urgent. 5. Refinement: Risks change over time as the enterprise changes and the environment in which it operates changes. Every aspect of the program must be re-evaluated at least yearly, and risk surveys should be updated continuously.

2. The Risk Survey

The core of the ERM process and the key to its success is the risk survey that identifies the universe of risks facing the organization. The heart of the risk survey is a series of interviews with the organization's management team. The organization's managers are usually very familiar with the risks that threaten the organization; ERM is merely the process for collecting, documenting, and analyzing those risks and developing appropriate strategies to manage them. -The more interviews the ERM team can perform, the better the result will be. Interviews must include senior management but should extend to the director level and even to managers of functional departments. Interviews are most effective when they are confidential, set up properly, and well structured but allow for open-ended answers. Interviews must be confidential because the persons interviewed may otherwise be reluctant to share their opinions: the goal of the interview is to identify risks that are not being properly addressed, and identifying such risks might seem like criticizing senior managers and the company's executives. Interviews should be set up by an announcement from senior management informing managers that the ERM initiative is being done at its direction. The announcement should explain that the goal is to identify all the risks facing the company and that it is not simply an exercise to deal with insurance-related risks like workers compensation and products liability. It should assure all participants that their interviews are confidential. It may be difficult to coax information from managers with a narrow focus, so the interviewer should have additional questions related to specific risks that are more likely to prompt a response. Examples: 1. What sort of "people risk" does your organization face (shortages of skilled labor, benefit costs, regulations, employment class actions, union activity)? Do you have plans to address these risks? Are they manageable? 2. Do you have key suppliers whose inability to deliver would cause a major disruption to your business? Do you have backups in place that can step in to avoid a major disruption? How long would it take?

External Environment

The external environment is part of the business context and is anything outside the organization that can influence the organization's ability to achieve its strategy and business objectives. External stakeholders are part of the external environment. Some examples of external stakeholders are regulatory bodies, investors, the community at large, suppliers, and customers.

1. Developing the ERM Framework

The foundation of the ERM process is the process for defining risk. In a basic ERM model this means defining probability and severity. Uniform definitions must be developed so that the ERM team will be able to compare risks from across the enterprise. Further, uniform definitions are essential to avoiding subjectivity.

Risk Capacity

The maximum amount of risk an organization is able to absorb in the pursuit of strategy and business objectives. Risk capacity must be considered when defining its risk profile and risk appetite.

5. Refinement

The model used to measure and identify risk should be modified over time and risk interviews should be repeated at least annually. A risk assessment can also be done on an ad hoc basis if the organization anticipates a major change such as an acquisition.

Assessing Risks in the Execution of Strategy

The organization's performance should be reviewed to determine how risk has manifested and impacted strategy and business objectives compared to its risk appetite. In monitoring performance, seek to answer the following questions: 1. Has the organization performed as expected and achieved its target? 2. What risks may be affecting performance? 3. Was the organization taking enough risk to attain its target? 4. Was the estimate of the amount of risk accurate? -If performance does not fall within its acceptable variation, or the target performance results in a different risk profile than was expected, it may be necessary to do the following: 1. Review the business objective and choose to change or abandon it if the organization's performance is not achieved within acceptable variation. 2. Review the strategy and possibly revise it if the organization's results deviate substantially from the expected risk profile. 3. Revise target performance to better reflect a reasonable performance outcome. 4. Re-evaluate the severity of a risk by repeating the risk assessment for the relevant risks; results may change because of changes in the business context, the availability of new data or information that enables a more accurate assessment, or a challenge to the assumptions underpinning the initial assessment. 5. Review how risks are prioritized and take the opportunity to raise or lower the priority of identified risks to support reallocating resources. 6. Revise risk responses by altering or adding to them to bring risk in line with target performance and the risk profile. For risks whose potential severity is reduced, an organization may redeploy resources to other risks or business objectives; for risks that increase in severity, enhance responses with additional processes, people, infrastructure, or other resources. 7. Revise risk appetite, as a corrective action taken to maintain or restore the alignment of the organization's risk profile with its risk appetite.

ERM Selling Points

The risk manager who wants to overcome the barriers to ERM has 3 main selling points: 1. The Scorekeeper: The greatest advantage of an ERM program is its function as the risk scorekeeper. ERM catalogs and ranks the full array of risks facing the organization so that executives and the board of directors can address them strategically. Without ERM, the board and the executives are relying on others in the organization to identify risk and prioritize solutions, which means risk is addressed in an ad hoc fashion. Decisions about retaining, avoiding, and managing risk are made by persons who are mainly concerned with short-term goals; in other words, risk management decisions may be made by persons with vastly different risk appetites from the board and senior management. 2. Cultural Change: Usually when something major goes wrong with a company, it is not because someone accepted a calculated risk that led to a disaster. Rather, it is usually because a risk was not fully considered and no decision to accept or avoid it was ever made: a case of "ignorance is bliss" until something goes wrong. With ERM there is no more "ignorance" of risk, so executives are forced to decide which risks to accept and which to avoid. Ultimately, risk management becomes part of the culture, and it is built into the decision-making process. 3. Value Enhancement: Viewed narrowly, ERM is simply a means of identifying the things that can go wrong. While it does serve that function, a robust ERM program is also a value enhancement because it helps companies prioritize opportunities.

Risk Universe

The risks captured by the risk identification process are commonly referred to as a risk universe, a qualitative listing of the risks the entity faces. Management may use the risk profile in its assessment to do the following: 1. Confirm that performance is within the acceptable variation in performance. 2. Confirm that risk is within risk appetite. 3. Compare the severity of a risk at various points. 4. Assess the disruption point in the curve at which the amount of risk greatly exceeds the appetite of the entity and impacts its performance or the achievement of its strategy and business objectives.

Risk Treatment

The senior management team should consider the following criteria when deciding on the correct treatment for risks: 1. Business Context: Risk responses are selected or tailored to the industry, geographic footprint, regulatory environment, operating model, or other factors. 2. Costs and Benefits: Anticipated costs and benefits are generally commensurate with severity and prioritization of the risk. 3. Obligations and Expectations: Risk responses address generally accepted industry standards, stakeholder expectations, and alignment with the mission and vision of the entity. 4. Risk Priority: The priority assigned to the risk informs the allocation of resources. Risk reduction responses that have large implementation costs (system upgrades or increases in personnel) for lower priority risks need to be carefully considered and may not be appropriate given the assessed severity. 5. Risk Severity: Risk response should reflect the size, scope, and nature of the risk and its impact on the entity. 6. Risk Appetite: Risk response either brings risk within risk appetite of the entity or maintains its current status. Management identifies the response that brings residual risk to within the appetite. This may be a combination of purchasing insurance and implementing internal responses to reduce the risk to an acceptable variation in performance. -In the consideration of the potential costs and benefits of a particular risk response, the management team should evaluate the severity and priority of a risk to the organization's capital allocation for risk responses. There are direct costs, indirect costs (where practicably measurable), and for some organizations, opportunity costs associated with the use of resources.

The ERM Team

To be successful, ERM must be more than a function within the risk management department. It must be embraced by the CEO, and better yet the board of directors, and implemented at their direction. The board and the CEO must be active participants so that every functional leader and every department manager knows that their enthusiastic participation is expected. -The risk management department should be the scorekeeper and should drive most of the effort, but it may help to develop a more cross-functional team. Members could include the heads of departments that tend to take a longer-term view, such as the general counsel and the head of internal audit. A broader team gives the process more credibility.

The Scope of ERM

Value maximization risk management has existed in financial institutions for many years and it is the method for determining how to deploy capital.

The Value of Enterprise Risk Management

We simultaneously model the determinants of ERM and the effect of ERM on firm value. We find a positive relation between firm value and the use of ERM. The ERM premium of roughly 20 percent is statistically and economically significant. Unlike traditional risk management where individual risk categories are separately managed in risk "silos," ERM enables firms to manage a wide array of risks in an integrated, enterprise-wide fashion. Academics and industry commentators argue that ERM benefits firms by decreasing earnings and stock price volatility, reducing external capital costs, increasing capital efficiency, and creating synergies between different risk management activities. ERM is said to promote increased risk awareness that facilitates better operational and strategic decision making. ERM is synonymous with integrated risk management (IRM), holistic risk management, enterprise-wide risk management, and strategic risk management. -However, when viewed as part of the firm's financing policy, corporate insurance may increase firm value through its effect on investment policy, contracting costs, and the firm's tax liabilities. Thus, the theory suggests that firms should purchase insurance because it potentially reduces: 1. The costs associated with conflicts of interest between owners and managers and between shareholders and bondholders. 2. Expected bankruptcy costs 3. The firm's tax burden 4. The costs of regulatory scrutiny -As with corporate insurance purchases, corporate hedging reduces expected bankruptcy costs by reducing the probability of financial distress. Furthermore, the hedging literature suggests that, much like corporate insurance, this form of risk management potentially mitigates incentive conflicts, reduces expected taxes, and improves the firm's ability to take advantage of attractive investment opportunities.
