From its beginnings in the early 1990s to its current incarnation, enterprise risk management (ERM) has undergone a dramatic transformation. Over time, ERM has evolved in response to a number of large-scale macroeconomic events as well as the business and regulatory changes those events precipitated. In so doing, ERM has adjusted its core focus and expanded the scope of risks it covers.
This continuing evolution can be organized into three major phases to reflect the changing landscape of enterprise risks in the past, present, and foreseeable future. Figure 3.1 provides a summary of the two major phases between the early 1990s and the present, as well as the next phase looking forward to the next 5–10 years.
Financial institutions began developing ERM programs in the early 1990s to address financial concerns such as aggregate market risk and credit risk. In 1993, the Group of 30's (G30) “Derivatives: Practice and Principles” addressed risk areas such as credit, market, operations and systems, accounting, and disclosures for derivatives dealers and end users.1 Financial risks continue to be focal points of ERM functions, especially within the banking and financial-services industry.
Unfortunately for a number of derivatives end users—including Orange County, Procter & Gamble, and Gibson Greetings—the risk management practices recommended by the G30 Report did not arrive in time to prevent significant losses in 1994. Around that time, risk professionals began addressing operational risk, which grew to prominence after the trading scandals (e.g., Barings, Kidder, and Daiwa) that rocked the marketplace in the mid-1990s. These incidents highlighted the importance of applying risk management techniques to ongoing operational processes and of ensuring that protocols, policies, and procedures align with the organization's risk appetite. During this period, the role of chief risk officer (CRO) began to take shape as the executive leader for ERM. A rash of accounting fraud cases in the early 2000s, headlined by the dramatic failures of Enron and WorldCom, led many companies to adopt operational controls specifically aimed at fraud prevention and detection.
Regulators, too, entered the picture. The Sarbanes-Oxley (SOX) Act of 2002 mandated increased oversight through a set of detective and preventive controls to ensure the integrity of financial reporting processes at publicly listed companies.2 A few years later, Basel II sought to provide a framework within which financial institutions could manage their financial and operational risks.3 The framework established minimum capital requirements, supervisory and regulatory review standards, and marketplace transparency guidelines. Although these regulations addressed unexpected losses resulting from certain financial and operational risks, their limitations would become all too clear.
The global financial crisis of 2008 fundamentally changed the world of risk management. The bankruptcy or near-death experience of large banks and the freefall in asset prices around the world left many to ponder the effectiveness of risk management at even the most sophisticated companies.
Regulators demanded that banking institutions take further strides to protect themselves against excessive risk. In the United States, the adoption of Dodd-Frank required banks to conduct stress testing on an annual basis.4 These stress-testing requirements were designed to quantify and address vulnerability to various risk scenarios. The Federal Reserve established stress-testing rules, known as CCAR, for banks with assets of at least $50 billion while the OCC established similar rules for banks holding $10–$50 billion in assets known as DFAST. Such laws and regulations resulted in massive investments in risk, compliance, and audit functions. They also shaped risk governance and oversight at the board level.
Beyond the banking industry, companies have learned critical lessons about systemic risks and the shortcomings of their own risk management programs. As a result, the scope and responsibility of risk-oversight functions have increased significantly in all industry sectors. That positive outcome has been tempered, in my view, by two unfortunate if entirely understandable trends: a primary focus on regulatory compliance, and risk aversion. As a result, forward-looking, strategic risk management initiatives have not been given sufficient attention.
Today, the global economy may have climbed out of the depths of recession, but companies face increasing uncertainty in a wide array of new and emerging risks. Recent headlines have focused our attention on Federal Reserve interest-rate policy; an economic slowdown in China; declining oil prices; Middle East instability; “Brexit”; international and domestic terrorism; and cybersecurity. The ever-evolving globalization of competitive markets exposes many organizations to a new breed of risks, many of which they neither had planned for nor could have even anticipated.
In its Global Risks Report 2016,5 the World Economic Forum identified five global risks with the greatest potential impact:
Globalization is the common driver among these five risks. No industry, geography, or business model is immune to them. These global risks are also similar in a way that underlies their significance: They are all systemic in nature. If any of these risks—much less a confluence of them—comes to fruition, the downstream impact on business would be catastrophic. In order to respond to these risks tomorrow, institutions must understand their interrelationships and potential impacts today.
Addressing these major risks reactively is not a viable solution. Their potential scope and severity are so great that doing so could mean economic destruction. Instead, risk management should become proactive, not simply minimizing negative risk but also maximizing opportunity. To do so, ERM must be a continuous process, constantly monitoring and assessing risk in a forward-looking way that provides companies with a path toward opportunity.
For these reasons, ERM is entering a third phase in its development focused on continuous monitoring, business-decision support, and maximization of shareholder value. Let's examine in greater detail what the future of ERM may hold.
We now live and work in a new world that is more volatile and uncertain than ever. The speed of change and the velocity of risk have increased significantly. In addition to the uncertain business environment caused by globalization, companies must also deal with shifting consumer preferences, emerging technologies, demographic and workforce changes, climate-change impacts, and natural-resource constraints.
ERM programs must adapt: A monthly or quarterly process is no longer sufficient. Just as risks and opportunities are changing constantly, ERM programs should monitor and respond on a continuous basis. This is no pipe dream; it has a precedent in market risk management. During the 1990s, trading firms operating in global financial and commodity markets successfully transitioned from daily to real-time risk management.
In addition to becoming a continuous process, ERM must support key business decisions and add shareholder value. In addition, companies must measure the effectiveness of their ERM programs with objective performance metrics and closed feedback loops.
There are seven key attributes of evidence-based continuous ERM:
Let's look at each of these in greater detail.
ERM is moving from a periodic monthly or quarterly process to a continuous one. This is essential to align the cadence of ERM with the velocity of risk. As a continuous process, ERM can provide business leaders with timely information and predictive analytics on their sensitivity to key business drivers, including:
Strategy and risk are two sides of the same coin. Strategic planning and ERM should be integrated to support the development, implementation, and performance monitoring of corporate and business-unit strategies. Companies ignore strategic risks at their peril. Independent studies of the largest public companies have shown time and again that strategic risks account for approximately 60 percent of major declines in market capitalization, followed by operational risks (about 30 percent) and financial risks (about 10 percent).7 Yet, in practice, many ERM programs downplay strategic risks or ignore them entirely.
Strategic risk can arise throughout the strategy development and implementation processes. The integration of strategy and ERM, or strategic risk management, can add long-term shareholder value in a number of important ways. Strategic risk management helps companies make more informed decisions when they:
To support strategic risk management decisions, the company's performance management system must integrate key performance indicators (KPIs) and key risk indicators (KRIs). An integrated performance and risk monitoring process would include the following steps:
Unfortunately, many companies perform these actions in two distinct silos. As part of strategic planning they perform steps 1 and 2 and report the results to the executive committee and full board. Separately, as part of risk management they perform steps 3 and 4 and report the results to the risk and audit committees. In order to effectively manage strategic risks, these steps must be fully integrated.
An integral part of continuous ERM is the development of key risk metrics, exposure limits, and governance and oversight processes to ensure enterprise-wide risks are within acceptable and manageable levels. A best-practice approach to addressing these requirements is to implement a formal risk appetite statement (RAS). Yet corporate directors, who are ultimately responsible for overseeing their companies' risk management, report that this practice is not yet fully developed. According to a National Association of Corporate Directors (NACD) survey, only 26 percent of companies have a defined risk appetite statement.10
An RAS is a board-approved policy that defines the types and aggregate levels of risk that an organization is willing to accept in pursuit of business objectives. In determining the appropriate risk appetite, an organization should also consider its risk capacity (also known as risk-bearing capacity), which represents a company's overall ability to manage the risk and absorb potential losses. Companies can measure risk capacity in terms of liquidity and capital reserves, as well as management capabilities and track record in managing the specific risks.
A dynamic RAS would include the following components:
The following example breaks down a strategic RAS into its three primary components:
The risk bell curve is a graphical depiction of risk with respect to probabilities and outcomes, including expected value (the mean of the bell curve) as well as the potential upside and potential downside (the tails). The objective of ERM is to assess, quantify, and optimize the shape of the bell curve for all of the key risks on an ongoing basis.
Although all key risks take the form of a bell curve, not all bell curves are alike. Figure 3.2 shows how the bell curve can be used to capture various risks.
For example, credit risk carries more downside (potential loss of principal) than upside (interest income). Market risk (including interest rate risk) follows an essentially symmetrical curve, as market prices (and interest rates) have an equal chance of moving favorably or unfavorably. At the other end of the spectrum, operational risk has a limited upside but a lot of potential downside. After all, not having any IT, compliance, or legal issues simply means business as usual. But a major negative event, such as a cybersecurity breach, IT downtime, or regulatory issue, can have tremendous consequences.
If managed well, strategic risk (not shown) is unique in that its downside can be limited while its upside can be unlimited. For example, the maximum loss of a new investment is 100 percent of the investment, but a new business venture can produce multiples of the investment. An asymmetrical bell curve with significant upside risk can describe any new product or business opportunity, whether that opportunity is part of a corporation's growth strategy or a venture capital firm's new investment.
Consider a decision tree that maps the probabilities and consequences of different decision paths.11 This map not only provides a better picture of the risks and rewards involved, but also helps identify trigger points for action if the initiative lags behind expectations. Viewed this way, the optimum strategic risk profile resembles a call option: limited downside exposure with unlimited upside potential. A company can also limit downside risk by “failing faster.” The sooner a company recognizes an initiative is in trouble, the sooner it can take corrective action—such as getting the initiative back on track, deploying risk mitigation strategies, or shutting it down.
Minimizing downside risk and increasing the upside is the objective of “real option theory.” A real option is the right, but not the obligation, to undertake a business investment or change any aspect of that investment at various points in time, given updated information. The beneficial asymmetry between the right and the obligation to invest under these conditions is what generates the option's value.
Venture capital (VC) firms take advantage of this asymmetry as part of their business model. According to research by Shikhar Ghosh, a senior lecturer at Harvard Business School, about 75 percent of venture-backed investments in the United States do not return investors' capital, 20 percent achieve subpar returns, and only 5 percent achieve or exceed the projected return on investment.12 To maintain an ideal risk profile, VCs carefully stagger funding rounds in order to reap outsized returns on the 5 percent of firms that are successful while exiting or minimizing their investments in the other 95 percent. This risk/return profile is why VC firms are always concerned about the size of the market. They don't hit often, but when they do, they need to hit it big!
Pharmaceutical companies take a similar portfolio approach. They invest in drug development internally or acquire promising patents or entire drug companies. They can then continue to make limited, iterative investments in successful ventures and bow out of those that fail to achieve expected performance levels.
However, the enterprise-wide risk profile shown in Figure 3.2 is more indicative of a bank, for which the upside is limited to net interest income (about 2–3% of average assets) plus fee income while the downside can include large loan losses. This is also known as “fat-tail” risk. The ideal risk profile would be skewed to the right, which is more indicative of venture capital and pharmaceutical firms, which have more upside than downside. Regardless of the industry, companies must make the appropriate business decisions to optimize the shape of their risk bell curves.
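The call-option profile, staged funding, and "failing faster" described above can be made concrete with a small model. This is an added illustration, not code from the book: the 75/20/5 outcome mix is the page's venture figure, while the payoff multiples, round sizes, and the quality of the progress signal are constructed assumptions.

```python
"""Staged (real-option) funding versus committed funding.

Compares the profit distribution of investing everything up front with that
of investing a seed round, observing a progress signal, and exercising the
right (not the obligation) to follow on. Outcome probabilities follow the
page's VC figures; every other number is a constructed assumption.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    name: str
    prob: float        # share of ventures that end this way (from the page)
    multiple: float    # exit value per unit invested (assumed)
    p_progress: float  # chance the venture looks healthy after the seed round (assumed)


# Constructed assumptions: only the probabilities come from the page.
OUTCOMES = (
    Outcome("fails", 0.75, 0.0, 0.2),    # capital is not returned
    Outcome("subpar", 0.20, 0.8, 0.8),   # returns less than planned
    Outcome("hit", 0.05, 30.0, 1.0),     # meets or beats the projected return
)
SEED = 1.0       # committed before anything is known about the venture
FOLLOW_ON = 4.0  # later rounds; the staged investor releases them only on a healthy signal


def committed_scenarios():
    """Invest the full amount up front: every outcome hits the whole cheque."""
    total = SEED + FOLLOW_ON
    return [(o.prob, total * o.multiple - total) for o in OUTCOMES]


def staged_scenarios():
    """Invest the seed, read the signal, then follow on or fail fast."""
    total = SEED + FOLLOW_ON
    scenarios = []
    for o in OUTCOMES:
        # Signal looks bad: abandon and write off only the seed round.
        scenarios.append((o.prob * (1 - o.p_progress), -SEED))
        # Signal looks good: exercise the option and ride the venture to exit.
        scenarios.append((o.prob * o.p_progress, total * o.multiple - total))
    return [(p, v) for p, v in scenarios if p > 0]


def summarize(scenarios):
    """Mean of the curve plus both tails, the quantities the risk bell curve describes."""
    full_loss = -(SEED + FOLLOW_ON)
    return {
        "expected": sum(p * v for p, v in scenarios),
        "worst": min(v for _, v in scenarios),
        "best": max(v for _, v in scenarios),
        "p_total_loss": sum(p for p, v in scenarios if v <= full_loss),
    }


def option_value():
    """Value created by the right, but not the obligation, to follow on."""
    return (summarize(staged_scenarios())["expected"]
            - summarize(committed_scenarios())["expected"])


if __name__ == "__main__":
    for label, fn in (("committed", committed_scenarios), ("staged", staged_scenarios)):
        print(label, summarize(fn()))
    print("option value:", option_value())
```

Both strategies share the same best and worst case, but staging moves most of the probability mass from a total loss to a seed-only loss, which is what skews the curve to the right.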
In order to add value, companies must integrate the continuous ERM process into their strategic, financial, and operational decisions. Generally speaking, organizations have the following options available to them in response to risk:
While it is important to understand the general categories of choice an organization can make as discussed above, in practice, each business or risk decision falls to a specific committee, function, or individual. These decision makers can be members of the board, corporate management, or business and functional units. Here is a summary of key risk management decisions based on the “three lines of defense” model:
One of the key objectives of continuous ERM is to promote risk transparency with enhanced reporting. The old adage “what gets measured gets managed” certainly holds true in risk management, and business leaders appear to be getting the message. In a 2011 Deloitte study of approximately 1,500 executives across various industries, 86 percent identified “risk information reporting” as a high or moderate priority, making it the most highly prioritized of 13 risk initiative options.13 What's more, this priority was followed closely by “risk data quality and management” (76 percent) and “operational risk measurement system” (69 percent). Clearly, management understands that establishing a robust risk measurement and reporting system is critical to ERM success.
The ideal way to achieve this objective is with a real-time collaborative dashboard reporting system. This system would produce role-based reports designed to support the decision-making requirements of each recipient. When designing a role-based dashboard report, it is useful to determine the key questions each recipient needs to address. For example, the ERM dashboard for the board and senior management may address the following five basic questions:
In addition to the above components of dashboard reporting, new features are surfacing that are becoming part of the emerging reporting standards. An established dashboard system should incorporate the following elements for streamlined reporting:
Performance feedback loops support self-correction and continuous improvement by adjusting a process according to the variances between actual and desired performance. As a foundational component of the scientific method, the feedback loop has long been an essential tool used to support advances in many fields, including economics, engineering, and medicine. More recently, the innovative use of feedback loops has been reported in the hedge fund industry14 and the effective altruism movement.15 It would be difficult to evaluate and improve any process efficiently without a performance feedback loop. Risk management is no exception.
In order to establish a performance feedback loop for ERM, companies must first define its objective in measurable terms. I believe that the primary objective of ERM is to minimize unexpected earnings variance. See Chapter 19 for a full discussion on feedback loops and an example that illustrates the use of earnings volatility analysis as the basis of a performance feedback loop to do exactly that.
Perhaps the best way to illustrate how these seven attributes work together in a corporate environment is with a story. The following account is fictional, but the situations I describe are ones that real-life companies are likely to face.
Elizabeth Heath is the CRO of Legacy Technology, a large, well-established tech company. Recently, Legacy determined that the best way to extend its reach into emerging cloud technologies would be to acquire a company with the capabilities and markets it sought. Legacy found such a company in Galactic Cloud Magic, whose product line and expertise made it well positioned to meet Legacy's strategic needs. Thanks to the backing of her CEO and board, Elizabeth was an integral member of the team that vetted acquisition candidates and ultimately negotiated a deal with Galactic. As we'll see, the process ran into some unexpected issues that might well have torpedoed the deal, but Elizabeth and her team were able to apply all seven attributes of evidence-based continuous ERM to find a solution. Here's how:
As part of an integrated strategic-planning and ERM process, Elizabeth and her team were fully engaged in the M&A analysis and due-diligence process. After thoroughly reviewing Galactic's risk profile, they calculated a cost of risk of $10 per share based on the severity and likelihood of numerous risks. They also determined the level of economic capital Legacy would have to maintain in order to safely absorb these risks post-merger. As a result, the risk team concluded that a properly priced acquisition of Galactic would optimize Legacy's risk profile and add value for its shareholders. The acquisition team, seeking a RAROC of about 12%, agreed on an offer of $100 per share, which Galactic accepted.
The deal was set to close in a couple of weeks when Elizabeth received an early morning call from Legacy's CEO. He had just learned that Galactic had suffered a massive cyberattack overnight that may have exposed private customer data. The CEO called together the acquisition team to review their options.
The COO and CIO both argued that Legacy should call off the deal: Galactic's reputation was likely to be irreparably damaged by the breach, and the company was facing multiple potential lawsuits from its customers. Elizabeth argued, however, that it was premature to pull the plug, and urged the group to wait for more information.
As it turned out, Galactic was well prepared for a potential breach. As soon as the attack was detected, the system went into automatic lockdown and customers were informed and required to change their login credentials and enable two-factor authentication. A previously created “SWAT team” of technicians, attorneys, security experts, and communications experts was called into action to determine root causes and solutions, assess the damage, minimize impact, and report progress to all stakeholders. Elizabeth's team was equally prepared. They tapped into Galactic's team to receive continuous updates on the situation. They then used this information, as well as governmental data and analyses of similar attacks, to analyze the event's potential strategic, financial, and reputational impact on the acquisition.
As information became available, the risk team updated its assessment and models based on the new risks related to the cyberattack. They also updated their original heat map to indicate a higher level of risk due to the dramatically increased likelihood of consequences such as lawsuits and reputation damage. Finally, they revised their calculation of the cost of risk in the acquisition, which increased from $10 to $25. As a result of this analysis, Elizabeth and her team proposed incorporating this increased cost into a reduced acquisition offer, from $100 to $85.
Executives at Galactic balked at the lower acquisition price, and it looked as though the deal was all but dead. But Elizabeth had an idea. She reached out to Legacy's corporate insurance provider to obtain a quote on a risk-transfer strategy that would cover losses resulting from the cyberattack above a certain level. It was a buyer's market in cyberinsurance, so the premium was economical. In other words, the cost of risk transfer was lower than the cost of risk retention. The overall reduction in risk cost allowed Legacy to raise its offer to $90. At the same time, it lowered projected earnings from the acquisition somewhat. This transaction optimized the risk profile for the company given the new risks, risk-transfer costs, and business requirements. Overall, it meant that Legacy was able to offer a price acceptable to Galactic while still achieving its desired return on investment.
Throughout the process, Elizabeth and her team took care to inform and engage the three lines of defense: operating units, management, and the board.
The first line of defense, which consists of the company's business and operating units, as well as its support functions, gathered ongoing data. In particular, the IT function kept the board and management apprised of the situation as it unfolded. IT provided the risk and deal teams with expert interpretation of the information coming in from Galactic, analyzing it against known scenarios to project likely outcomes.
The CRO and ERM function, along with corporate management, provided the second line of defense. This group was tasked with reevaluating the risk level of the situation as it developed. Elizabeth's team updated its assessment and quantification models to recalculate the cost of risk, and formulated the risk-transfer strategy. Other members of the management team evaluated these results and offered additional input to fine-tune the ERM team's conclusions. The CEO maintained communication with Galactic, worked with the deal team to build consensus around a revised proposal, and obtained approvals from the board.
Finally, the third line of defense—the board—conducted calls and meetings on an as-needed basis to monitor the situation, challenge management's risk assessment, and approve the risk transfer strategy and new acquisition price.
Although it was a coordinated effort, Elizabeth and her risk team were instrumental in saving the day. The deal, once thought to be dead in the water, was consummated just a month behind schedule.
After a short celebration, the CRO and risk team went back to work to tackle the post-merger integration risks. These risks included continued fallout from the cyberattack (lawsuits, technology updates), performance of the risk-transfer strategy, and integration of management teams, customers, and technology platforms. They also added new metrics and risk-tolerance levels to Legacy's risk appetite statement to reflect these changes.
The successful acquisition paid Elizabeth an additional benefit. Her contribution won over a number of her peers in the C-suite and beyond who had questioned the value of Legacy's continuous ERM program. These former doubters were impressed that the program could escalate and address a new threat on a timely basis. And they were swayed by Elizabeth's ability to quantify and illustrate pre- and post-merger risk profiles, which led to informed decisions about the cost of risk, risk-transfer strategy, and updated acquisition price and expected return.
What's more, they, along with other internal stakeholders, were engaged in the process as it unfolded on the customized risk dashboards that the ERM team had created for them. Even after the deal was signed, these dashboards continued to assist the integration team, senior management, and the board in monitoring and oversight.
For Legacy, ERM was a game-changer. What's more, Elizabeth put to rest the common misperception that ERM's role is to put the brakes on a company's ambitions. Far from impeding a strategically important deal, risk management actually provided a path forward.
The global economy and business world have evolved significantly over the past three decades, and so has the practice of ERM. As companies have faced great financial and reputational damage from derivatives losses, unauthorized trading, accounting fraud, global recession, and cybersecurity threats, the scope and focus of ERM have expanded to include strategic risk, financial risk, operational risk, regulatory-compliance risk, reputational risk, and cybersecurity risk.
Given the increase in macroeconomic and business uncertainties, regulatory standards, and risk velocity, ERM must continue to evolve. In the following chapters, we'll turn our attention to ERM at the organizational level, starting with the many stakeholders whose requirements must be addressed.