CHAPTER 4

Setting ERM Objectives

The importance of properly setting the objectives for ERM cannot be overstated. It sounds trivial to do, but in fact the setting of the objectives for the risk management function can be quite difficult and quite contentious to accomplish within the confines of an organization. Different stakeholders have very different views of what risk management is, and thus accordingly different expectations for the risk management function.

In risk workshops that we have conducted, simply getting a common definition of risk can be very tricky. Moving beyond that to the objective of the risk management function often produces sour expressions among workshop participants, who are frequently under the impression that the sole function of the risk department is to say no to projects: not the culture and spirit that one needs to have for risk to be a value-added function within an organization.

One of the main factors that sets the risk management function off on a negative footing is the definition of risk used throughout the organization. The definition of risk is the starting point for setting the objectives of the risk management function. In this chapter, we start with discussing several possible definitions of risk and from this move to discussing several different objectives for the risk management function.

What Is Risk?

This seems to be such a basic question. The answer appears to be obvious. Equally obvious is the fact that the answer forms the basis for the entire risk management function. We briefly covered this question in the Introduction and again in Chapter 1, but it is such a critical question for the development of a healthy and effective ERM program that it is worth exploring in more detail here.

In corporate risk workshops that we have conducted, the question “what is risk?” is the one question that brings the most varied responses, and is actually the toughest for the participants to answer. Often workshop participants develop an intense interest in their shoes as they try to avoid responding to the question out of an embarrassment that they do not have what they believe to be an acceptable answer. However, without a consistent answer for an organization, an ERM program will be much more difficult to successfully employ as everyone will have their own inconsistent, and perhaps even counterproductive, definition of risk.

If you casually ask the typical person for their definition of risk, you will get something like “risk is the possibility that something bad will happen.” This definition is common, and it is implicit behind the notion that risk is something to be avoided, or at least minimized or mitigated. However, this is not the only definition of risk that exists.

Another common organizational definition of risk is that of volatility and uncertainty. Technically speaking, volatility and uncertainty are not the same thing. Furthermore, in the technical literature about risk, it is important to note that risk and uncertainty are not synonyms for each other. It is instructive to take a few minutes to examine these academic differences as they are helpful for our later discussion about setting the objectives for risk management.

Volatility is how much a value moves around. For instance, the price of short-term treasury bills tends to have little variance in price. Conversely, the price of the cryptocurrency Bitcoin tends to vary dramatically from one day to the next (or at least at the time of the writing of this chapter). From this we claim that the volatility of treasury bills is relatively low, while the volatility of Bitcoin is high. Volatility is generally measured by the variance (or, somewhat equivalently, by the standard deviation, which is the square root of the variance) of the changes (or returns, for a financial variable). Of course, using the statistical variance as a measure for volatility is only valid for quantitative variables.

It is important to note that volatility does not imply that the value of a variable is trending upwards, or conversely trending downwards. It simply means that the price moves up and down, and the more volatile, the greater and more rapid the up and down movements are.

Uncertainty is where you do not know what will happen. For instance, if you are under the age of forty, the job that you will have in 20 years is highly uncertain for the simple fact that the job you will have in 20 years likely does not even exist today. We can speculate on the type of jobs that may exist in 20 years, but for our parents the jobs of web designer or app developer did not exist when they were beginning their careers.

The technical definition of risk is where you do not know exactly what will happen, but you have a range of possibilities and furthermore you have an estimate for the mathematical distribution of the probabilities. For instance, I do not know what the return of Apple stock will be over the next year, but I suspect it will be somewhere between a negative 100 and 5,000 percent. I also suspect that it will have a mathematical distribution that looks a lot like the normal distribution, with an average near its long-term average return and a standard deviation near its long-term standard deviation.

Strictly speaking, we do not always have enough knowledge to apply the technical definition of risk to all of the aspects of an organization’s operations that we would like to. In fact, with the exception of financial-style data, we almost never have the details necessary to apply the technical definition of risk. This is one of the reasons why financial risk at times seems to be so much more advanced and “scientific” when compared to operational risk. For financial risks, such as stock prices, commodity prices or interest rates, we have a significant amount of historical data from which we can get good estimates (not perfect estimates) of the factors we need to calculate risk. Thus, there is a plethora of technical risk analyses that can be compiled for financial risks but that do not apply to qualitative risks.

There is another bias that comes out of these technical definitions of risk that one needs to be cognizant of when developing enterprise risk management. A lot of the theory, and the base for the models of enterprise risk, has as its basis the models developed for financial risk. That does not mean that the models are always appropriate. For instance, one consulting client which ran a series of nursing homes was tasked by a member of their Board, who was also on the Board of a financial services company, to come up with a value at risk model for someone dying of natural causes in a nursing home. Value at risk is a well-known technique for measuring the possible economic loss of a financial firm for undertaking risky investments. However, it makes little sense in the context of a nursing home. The Board member had just learned that value at risk was a state-of-the-art risk measurement and they thought they were doing a brilliant thing by demanding that of the nursing home operator and making it a cornerstone measurement of the ERM system. (Asking for the value at risk, or more appropriately the earnings at risk, of the financial results of the company would have been a valid request.)

Before leaving the definition of risk, it is interesting to quickly revisit the usual definition of risk as “the possibility that something bad will happen.” As will be discussed in Chapter 6, the common way to measure this for risks for which quantitative data is available is through calculating the standard deviation. The equations for calculating standard deviation are presented in Chapter 6, but at this moment it is sufficient to know that standard deviation measures risk symmetrically around the average value of the data. That is, a good risk event happening counts the same as a bad risk event happening. To put that in concrete terms, unexpectedly finding $2 will contribute more to the risk measure of the firm than unexpectedly losing $1 will. If the objective is to reduce risk, then this traditional measure of risk would advocate adopting strategies that favor the losing of $1 over those strategies that increase the probability of earning an extra $2. A silly example, but one that many companies are following due to an incomplete understanding of the nature of risk, and not being careful about the meaning of both the definition of risk and the measures used to calculate it.[1]
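As an added illustration of the symmetry point above (this code is not from the book), the following Python compares the ordinary standard deviation with a downside-only semi-standard deviation on constructed surprise data for two strategies: one that occasionally finds an unexpected $2, one that occasionally loses an unexpected $1. The semi-standard deviation used here measures only shortfalls below a target of zero surprise and divides by the full count, which is one common form and not necessarily the exact formula given in Chapter 6.

```python
from math import sqrt
from typing import Sequence


def mean(xs: Sequence[float]) -> float:
    return sum(xs) / len(xs)


def std_dev(xs: Sequence[float]) -> float:
    """Ordinary (population) standard deviation.

    Every deviation from the mean is squared, so an outcome $1.60 above
    the mean counts exactly as much as one $1.60 below it.
    """
    m = mean(xs)
    return sqrt(sum((x - m) ** 2 for x in xs) / len(xs))


def semi_std_dev(xs: Sequence[float], target: float = 0.0) -> float:
    """Downside semi-standard deviation (assumed form, see lead-in).

    Only shortfalls below `target` are squared; outcomes at or above the
    target contribute zero. Dividing by the full count n keeps the result
    comparable with std_dev on the same data.
    """
    return sqrt(sum(min(x - target, 0.0) ** 2 for x in xs) / len(xs))


# Constructed data: ten periods of "surprise" versus plan, in dollars.
# Strategy A sometimes finds an unexpected $2; Strategy B sometimes loses
# an unexpected $1; every other period comes in exactly on plan.
STRATEGY_A = [0, 0, 0, 0, 0, 0, 0, 0, 2, 2]
STRATEGY_B = [0, 0, 0, 0, 0, 0, 0, 0, -1, -1]


def riskier(measure) -> str:
    """Name the strategy that `measure` ranks as riskier ("A", "B" or "tie")."""
    a, b = measure(STRATEGY_A), measure(STRATEGY_B)
    if a > b:
        return "A"
    return "B" if b > a else "tie"


if __name__ == "__main__":
    # The symmetric measure calls the strategy with only upside surprises (A)
    # the riskier one; the downside-only measure reverses that ranking.
    for name, m in (("standard deviation", std_dev),
                    ("downside semi-standard deviation", semi_std_dev)):
        print(f"{name:33s} A={m(STRATEGY_A):.3f} B={m(STRATEGY_B):.3f} "
              f"riskier={riskier(m)}")
```

Run as a script, the symmetric measure reports A as riskier than B even though A never falls below plan, which is exactly the incentive to prefer small certain losses over larger uncertain gains that the paragraph warns about.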

Why Is the Definition of Risk So Important?

The definition of risk is important because it sets not only the tone, but also the direction and focus of risk management, and by extension ERM. At this stage our definition of risk could be: (a) the possibility that something bad may happen, (b) the volatility of results, (c) uncertainty, or (d) a mathematical distribution of possible future outcomes. This may seem to be a bit of nit-picking, but the definition of risk matters as it will dramatically change the objectives of, the design of, as well as the outcomes of the ERM program for the organization.

We believe the most useful, and the most straightforward, definition of risk for use in developing an ERM program is “risk is the possibility that bad or good things may happen.” There are three elements to this definition. The first is that risk has an element of the future. ERM is a forward-looking activity, trying to maximize future outcomes rather than fretting about the past, about which nothing can be done except learn from experience. The second element is that risk is about uncertainty; we do not know what will happen in the future, but we can come up with some possibilities and perhaps even some mathematical probabilities. The third element is that risk has both an upside and a downside. Risk is two-sided.

This definition of risk best allows for ERM to be a value-added function that encompasses the full range of operations of an organization. It is a definition that allows risk to be a positive catalyst for the achievement of objectives rather than an element with a negative connotation. It means that risk management covers the full range of risks, not just those that can be mathematically quantified. It means that the risk function changes from the area that prevents things from happening to a mindset that comes up with solutions for how to do things in a more risk-efficient way.

The definition of risk is ultimately important as it sets the tone for the risk culture of the organization. A positive risk culture means that people understand risk and thus will be more likely to think about risk, better attuned to looking for risks, and more willing to manage risk. If risk is seen as a negative, or as a mathematical or calculation exercise, then the natural reaction for most managers is to avoid risk, avoid talking about risk or even avoid managing risk in the hope that the risk will simply somehow dissipate or go away. However, hope is a very poor risk strategy, just as it is a poor operating strategy.

In the rest of the book we will use this less technical, but more operational, definition of risk: that “risk is the possibility that bad or good things may happen.” However, it is important to remember that in some contexts volatility, uncertainty and risk may have quite different technical meanings.

What Is Risk Management?

If risk is the possibility that bad or good things may happen, then it follows quite naturally that risk management must be managing so as to increase the probability and magnitude of good risk events happening, while also managing so as to decrease the probability and severity of bad risk events happening.

It is important to note that not all organizations will agree with this definition of risk management, and again, it depends on the choice for the definition of risk. Some organizations decide that risk management is managing so as to avoid loss. Other organizations decide that risk management is managing so as to reduce uncertainty or to reduce volatility. At first blush, these alternative definitions of risk management appear to be more or less similar, but our experience shows quite clearly that such limited, as well as limiting, definitions of risk management lead to negative connotations for the risk management function and to less effective risk management. Perhaps most importantly, the risk management function does not become a value-added function for the organization. If risk management, and in particular ERM, is to align with the strategic goals of the organization, then the definition of risk management must also align. I suspect the goal of your organization, whether it be a for-profit or even a not-for-profit, is not to limit bad things happening, but instead to allow for good things to happen, such as more profits or more people served. In other words, the main strategic objective of the organization is not a limiting one, and thus neither should the goal of risk management be.

Having said that, it is useful to take a step back and briefly discuss a sociological phenomenon known as “utility theory.” Utility theory, developed by the Nobel Prize winning economist Daniel Kahneman and his research partner Amos Tversky, says that we regret a loss more than we favor an equivalent gain. In other words, the pain we feel from losing a dollar is more than the joy we feel from gaining a dollar. It appears that, as social animals, we are programmed by instinct to focus more on downside risk than on upside risk.

Combining utility theory with the impetus for the early development of ERM, which grew out of the corporate debacles of the 1990s, it is easy to see why so many organizations unconsciously slip into the belief that risk management is all about managing the downside. There is nothing wrong with solely managing downside risk, other than the fact that it ignores all of the positive benefits that can accrue to an organization that also uses the powerful techniques of ERM for optimizing upside risk.

The ERM Objective

Simply stated, the ERM objective should be to advance the strategic objectives of the organization, which inherently would include optimizing the upside of risk. Ancillary benefits may include (and arguably should include) enhanced compliance, enhanced safety, better insurance and credit ratings, more predictability in operations, better planning reliability, and a variety of other benefits.

The trick is designing an evaluation process that will demonstrate and measure how ERM activities enhance the strategic objectives. Having a measure of whether or not ERM is adding value is itself a value-adding exercise. Admittedly, measuring the value of ERM is not easy, straightforward, or a scientific process. It can be a messy and subjective exercise. However, a regular review of the value-added by ERM allows management and the Board to assess the effectiveness of the ERM program and to make changes to the program to increase its effectiveness.

Recall the Hydro One case study from Chapter 1, which discussed the implementation of ERM at Hydro One, an electrical distribution utility in the Province of Ontario, Canada. At Hydro One, ERM was completely integrated with the strategy as well as the operations of the firm. Capital was allocated to the various divisions based on the risk levels of the various divisions. If there was no risk, then there was no allocation of capital to that division. This strict tying of capital allocation to risk led to the concept of “risk bang for the buck,” where the capital allocated on a yearly basis was evaluated based on the change in the risk level.[2]

While perhaps too literal and too severe a process for many organizations to emulate, the concept of risk bang for the buck is a very valid one. If risk management is evaluated each year as a ratio between the value it added to the strategic objectives and the cost of the risk implementation, then one has a measure of the value-added of ERM. This way of evaluating ERM is particularly useful when applied on a forward-looking pro forma basis. For example, two different ERM methodologies could be examined and their risk bang for the buck ratios could be compared. It becomes a very helpful way to assess alternative risk management strategies.

Making a conscious effort to measure the effectiveness of ERM has a further benefit in that it demonstrates that the risk management function is actively trying to advance the objectives of the firm, rather than acting as an entity within the firm that is answerable only to itself.

It is important to note that when we suggest that ERM should be a value-added function we do not mean that ERM should be a profit center on its own. In the 1990s, several well-publicized risk management debacles occurred in which firms tried to manage their financial risk management functions as profit centers, the most well-known being Procter and Gamble.

Case Study: Procter and Gamble

Procter and Gamble (P&G) had long said that their policy was to use “plain vanilla swaps” to hedge the company’s floating rate debt obligations as part of their financial risk management strategy. However, P&G veered away from this policy and started to use some highly exotic leveraged swaps in order to profit from some potential currency and interest rate moves. It was imprudently using risk management not as part of managing the business but as a way to profit directly and solely from risk management. The two interest rate contracts that they entered into resulted in a loss of $157 million. If American and German interest rates had continued to fall, P&G stood to make massive profits on their exotic swaps. However, months prior it was widely speculated that the Federal Reserve Bank would be increasing U.S. rates; it was not a question of if they would, but only a question of when. That is the main reason the swaps offered such a large potential if things went right for P&G. To an outsider, it appears that perhaps a greed and gambling mindset took over in pursuit of the possible big windfall, but where was the ERM system that would have questioned why P&G, a consumer goods company, was getting into leveraged swaps? Where was the alignment of risk management with the operating objectives of the firm? A proper ERM framework would have exposed and evaluated the relative benefit of the risks. It would have exposed the downside of the leveraged swaps or at the very least led to discussions on what the relative upside and downside risks were. It also should have revealed that there was not a proper understanding of the swap product and the risks associated with it. This should have provoked further discussions on whether or not to implement these swaps.[3]

In other words, P&G, which did not have appropriate expertise in financial trading, tried to make risk management in their treasury function a profit center by aggressively trading financial products. Basically, the false thinking behind this is that if a little bit of a financial hedge is good, then even more of a financial hedge must be better. Just as with taking medicine, more than the prescribed dose is not always better, and in fact is generally much worse.

ERM and Compliance

As previously noted, ERM gained in popularity as a way to respond to the increased demands for regulatory reforms given some of the corporate debacles of the 1990s. In particular, the roots of the popular ERM framework produced by the Committee of Sponsoring Organizations of the Treadway Commission (COSO)[4] can in part be traced to the introduction of the Sarbanes-Oxley Act (commonly known as SOX).[5] As a consequence, ERM frameworks were developed in part for risk management, but arguably in larger part to provide a regulatory compliance framework. Thus ERM and compliance have become closely linked for many organizations.

While there are some synergies to be gained by linking ERM to compliance, we strongly believe that organizations should be careful to ensure that the main objective of the ERM program is to advance the achievement of the strategic goals of the organization. Compliance is obviously necessary, but compliance is not sufficient to capture the full benefits that a properly designed and implemented ERM program can provide.

Compliance management is generally not good risk management. The objectives of regulators are very different from those of organizations. Generally speaking, compliance is in place mainly to protect others in the case of adverse events. Compliance is not in place for the betterment of the organization, compliance is not in place to help the organization advance its goals, and finally, compliance generally does not concern itself with positive risk or positive opportunities. Compliance also tends to be backward-looking and frequently, in part, politically motivated.

The ERM program should be designed to achieve the objectives of the organization. Only if appropriate, and only if it can be done without affecting the integrity of the ERM framework, can elements be added to the ERM platform to deal with the compliance issues. If the compliance issues cannot be suitably incorporated into the ERM framework, then a separate framework and process should be developed for managing compliance issues.

In a similar vein, auditing is not risk management. Auditing is to ensure that controls and processes are being maintained. While auditing the processes for ERM is necessary, the ERM function is to be much more active and forward looking. Simplifying, auditing checks that the processes are being followed correctly. ERM asks if the right processes are in place. Auditing is more or less a passive activity while ERM is a dynamic activity.

Concluding Thoughts

It sounds so basic, but getting the proper definition of risk, and also of risk management, is essential for the development of a successful ERM program. Setting the objective of ERM to be the advancement of the organization’s goals sounds so intuitive, yet many organizations choose to focus on minimization of downside risk, or minimization of volatility. It takes very little more effort to design an ERM program to focus on both upside as well as downside risk, but the difference in value it makes for the organization is very significant.

[1] Chapter 6 will also discuss an alternative form of calculating standard deviation, called semi-standard deviation, that overcomes this obvious flaw.

[2] For details see Aabo, T., J.R.S. Fraser, and B.J. Simkins. 2005. “The Rise and Evolution of the Chief Risk Officer: Enterprise Risk Management at Hydro One.” Journal of Applied Corporate Finance 17, no. 3, pp. 62–75.

[3] http://nytimes.com/1994/04/14/business/worldbusiness/14iht-procter.html

[4] www.coso.org

[5] The COSO framework was discussed in Chapter 3.
