CHAPTER 3

The Key Building Blocks

Enterprise risk management has a clear series of objectives attempting to ensure that the business both knows and can consider the risks that it is facing and those that it might face. Quantification is important to enable progress, in terms of reducing the level of risk faced, to be clearly monitored by and reported to senior management.

There are a series of key building blocks that are included in all risk program frameworks. These include the following:

  • Senior management support
  • Risk appetite
  • Risk identification
  • The risk register
  • Control and risk self-assessment
  • Key risk indicators
  • Risk consistency
  • Stress testing and scenario modelling

There will be other elements that could be included within a risk management framework, but these initial elements should be common to all programs (hopefully).

Senior Management Support

Senior management need to understand the purpose and benefits of the risk management framework. It is not easy being a director of a business in the current world; there are so many things to worry about. With continually changing regulation, employment rules, the changing markets and the global environment being harder to predict, management are so worried about the day-to-day that it can be hard to get them to focus on what might seem to be an arcane requirement. Remember that most senior managers are not actually qualified for the roles that they are fulfilling. Many have no qualifications at all. In a world where bankers, analysts, and other stakeholders are concerned about short-term issues, it is hard to get senior management to focus on what is really important.

Enterprise risk management is important, but it does cost money to implement a proper system. If senior management do not fully appreciate the value of implementing a risk management framework, then they will be unlikely to support it. For the program to be successful, it is necessary to have both their support and their input. If senior management cannot understand why this is being implemented, then they will not be providing the program with the impetus for success that it requires.

Obtaining senior management support is never easy. Boards and senior management teams are made up of individuals with a selection of backgrounds and experience. They bring their prejudices, interests and knowledge to everything that they do. I wish to make one thing crystal clear. As a risk professional without senior management support, you are bound to fail and I will explain this in more detail later.

Engaging with Senior Management

The challenge for the Enterprise Risk Management project leader is to find a way to engage with the senior management team that resonates with them.

There are a range of approaches that could be adopted, some of which may be appropriate to your firm. However, each comes with a level of associated risk. Taking the wrong approach in the wrong firm could easily become career-limiting!

First piece of advice: Avoid jargon when communicating with senior management.

One of the problems I have seen is that risk managers are keen to show senior management how clever they are and do so by using technical language that a mere mortal without a couple of maths degrees would never understand. The mistake being made by the risk manager is that management already know you are clever; that is why they have hired you. Showing management that you think they are stupid is not really a good way to progress.

Remember that there are no such things as stupid questions, only stupid answers. Whatever question is being posed is obviously a concern to the person who is asking it. You should answer it as carefully and in as controlled a manner as you can.

Second piece of advice: Never underestimate the stupidity of your senior management.

Senior management come in a variety of shapes and sizes and each has its own problems. From my experience, it is not necessarily appropriate to assume that they are either logical or numerate. As a risk manager, there is always a requirement to provide options to senior management so that they look like they are making the decision.

Normally, the choices provided by the Risk Management function will be nirvana, pestilence and plague. The risk team will expect the senior management team to select nirvana, whereas in practice they do tend to select plague or pestilence. You now have a problem. While they have selected what you consider to be the wrong answer, you cannot let them know that you biased the choices. You are stuck with plague or pestilence and when it all goes wrong it could be seen as your fault.

Their lack of numeracy skills is also a concern. Recently when trying to explain why expenses could not reduce by 350 percent, I ended up resorting to using the fruit bowl.

“OK – here is an apple. Let’s take away 100 percent of the apples. How many are left?”

“There aren’t any left.”

“So, where will the other two and a half apples come from?”

I am far from certain that they were either convinced or really understood the point.

But risk managers make this even worse. We talk about confidence levels and values as if we know things with a level of accuracy that we know is not viable. Why should your senior management team understand confidence levels? If you are discussing with them a loss of $10 million with a 95 percent confidence level, they will hear that you are saying they will lose $10 million, whereas you are trying to say something quite different. You are trying to say that most of the time they will not lose $10 million, but they could lose more than that amount. Is that so hard to say? At least they would understand you.

Third piece of advice: Do not rely upon regulations as the reason for doing something.

If you must fall back on regulation to justify something that you are recommending, then you will never win the argument. You need to find a way to communicate with them in a language they understand that has a resonance with them. As soon as you start to talk about rules and regulations, you can hear the snoring and the rumbling of tummies.

Regulation might be the driver for what you want to achieve. Your challenge is to come up with a reason for doing things that means something for your audience.

Recently, I was trying to explain stress testing to a Board, which included a retired general. I talked about the number of bullets you give a soldier and suggested that you would typically give them 40 percent more than you expected them to use, that being a stress test.

The Chairman of the Board called over and said I had done something that nobody else had achieved — I had managed to wake up the general! By talking about the bullets that you might need, rather than the ones you would definitely need, I had engaged usefully with the Board to enable them to understand why what they were doing was so important.

Final piece of advice: Make them believe they are fully engaged in the process.

The Board does need to give input into the process. They know the strategy of the firm and it is the strategy that drives the risk management program. However, they do not need to know everything that you are developing.

Risk Appetite or Tolerance

Often spoken about, but rarely understood, risk appetite is a key concept and will be discussed in more detail in the next section. As a basic definition, it is the level of divergence from goals and missions that is unacceptable to stakeholders. It is clearly an all-risk figure and indeed, that is where the complexity arises. It is a driver of behavior and a key building block.

Risk Identification and Register

Before any firm can introduce enterprise risk management, they need to first identify the risks that they are facing. To achieve this, they require some form of risk register with clear risk definitions, although creating such a document is no easy task.

This is a business-owned document consolidated and reported to senior management and driving behavior. It is not a regulatory construct; rather it is crucial to the development of a successful enterprise risk management framework. It needs to incorporate both the risks that the firm manages and those that are outside of its direct control. There are actions to be taken and these need to be considered.

Most of your team will not have any understanding of risk, so asking them to populate a database is essentially unrealistic. Accordingly, much work needs to be conducted to enable the exercise of developing the risk register to be successful. Again, we shall return to this subject later.

Control and Risk Self-Assessment

The logic of this part of the framework is that management have the best understanding of their control environment and how this could be improved. Whether or not this is actually the case, as we shall consider later, the goal of control and risk self-assessment is to obtain the views of management as to how they will improve their control environment, but it does more than this.

Enterprise risk management seeks to achieve an optimum balance of control against risk, which is consistent throughout the business.

Control and risk self-assessment achieves the necessary management buy-in as to the importance of the process. There are acknowledged problems, but at its most basic, through linking risk to control and subsequently monitoring, a well-managed program of enterprise risk management can add significant value.

Key Risk Indicators

This is another topic that is often referred to, but is poorly understood. In any business, there is a wide range of indicators, many of which are not risk indicators and certainly are not key risk indicators.

There are essentially three types of indicator to consider:

  • Key risk indicators
  • Key control indicators
  • Key performance indicators

These are all quite different. First, not all indicators are key. Key indicators are, of course, important, and that importance is attached to their impact on risk appetite. Many indicators are useful, but not key. What that means in practice is that they will not need to be reported to senior management.

Key control indicators tell you that a key control is operating as expected and identify when problems are being faced. A key control indicator is required where a control materially mitigates risk as measured against risk appetite.

Performance indicators are different since they tell you that an adequate level of performance is being provided. For example, the length of time that it takes to answer the phone is a performance issue. If the phone is not answered, the consequence could be a disgruntled or lost client, so there is a loss. However, whether the performance is adequate is judged against targets and objectives, rather than against risk.

Key risk indicators inform management as to the potential arrival of a material risk. They are always weighted metrics since it is unrealistic to expect a single metric to be effective in identifying future problems. You will know if you have an appropriate suite since the key risk indicator should flash if an event occurs that exceeds the unitary risk appetite.

Risk Consistency

A vision for enterprise risk management is crucial to the development of a successful risk management framework. Clearly, enterprise risk management considers all risks and the correlations between them. There is no point in being able to tell your Board that if an event happens, you will have credit losses at a certain level if you fail to explain the impact on other risk types. For this to be conducted effectively, there is a need for consistency in modelling approaches between risks. Unless the person building the framework has risk consolidation as a primary objective, the work that is conducted will be severely flawed.

Stress Testing and Scenario Modelling

The final key building block is stress testing and scenario modelling. Too many Boards focus on the day-to-day management of the business to the detriment of ensuring operational and future business resilience. Management should be able to protect the business operations as they work on a regular basis, so the Board should not spend their time editing such work. Rather they should focus on the things that might happen and their impact on the strategy and profitability of the firm.

Sensitivity analysis takes one of the key variables of the business and seeks to appreciate the impact of a unitary movement. This might be the impact of a 1 percent increase in raw material prices, for example. If such an event occurs, the firm may be able to increase its prices or improve efficiency such that the full cost of the increase in prices is not faced directly. Sensitivity analysis provides information on the profitability of the business and the importance of key variables.

Stress testing takes this to a plausible extreme. Clearly costs cannot become infinite since nobody has infinite funds; consequently, an infinite increase in prices is not plausible. Basically, it takes expectations to the level where the relationships between variables break down. It enables a trend to be identified and actions to be considered if the plausible event occurs. It is useful for management in trying to think of things that might happen before they actually happen.

Scenario modelling is a different technique. Scenarios do not arise as a consequence of a trend; rather they just occur like fires, earthquakes and terrorist events. Again, their value is in terms of considering the actions that would potentially be available were such an event to occur. Without some form of management action resulting, the process becomes purely a waste of time.
