http://www.rmmagazine.com/2010/03/01/10-common-erm-challenges/
Companies with a more liberal approach typically manage data sensitivity issues using several techniques. For
example, companies can conduct all risk assessment activities under legal supervision, with the objective of
making the output privileged.
Where privilege is not available, or where the company does not wish to involve counsel, alternative ERM risk assessment approaches include producing multiple versions of the risk report and distributing each according to business need (e.g., a detailed version to the board and a small executive team, a broader report to a larger distribution) and relying on "confidential" and "for internal use only" markings to control onward sharing.
3. Defining Risk
The issue: One of the biggest challenges is establishing a consistent and commonly applied risk nomenclature.
Any inconsistency between risk definitions or methodologies is likely to jeopardize the program's success.
Potential solution: Establishing a formal risk management framework and common risk nomenclature can be
accomplished through working groups composed of at least one representative from each significant business unit
and shared service function. The most critical goal of the group is to establish the definition of risk itself. While
each risk category may be distinct, the definition of risk must be consistent and supported by clear guidance. The
group must also create a risk inventory and supporting risk taxonomy to further define and rank all the risks faced
by the organization.
4. Risk Assessment Method
The issue: Enterprise risk assessments are performed using a variety of approaches and tools, including
surveys, interviews and historical analysis. Each approach offers its own value and drawbacks that must be
closely reviewed to determine organization suitability.
Potential solution: The risk assessment method employed is largely driven by the number of respondents
surveyed, corporate culture and, perhaps most relevant, the organization's familiarity with risk management. Face-to-face assessments are helpful because they facilitate risk management education and guidance, encourage discussion
and allow for data collection. Conversely, automated tools suit organizations with broad risk
management knowledge or a predisposition for technology-based tools.
In addition, the risk assessment method is generally tailored to the audience. For example, many organizations
administer executive risk assessments using a group interview session and apply individual techniques to
management or technical personnel.
5. Qualitative Versus Quantitative
The issue: A key decision for many organizations is whether risks are assessed using qualitative or quantitative
metrics. The decision is generally driven by the organization's industry, commitment to ERM, its view regarding
privilege and overall cost.
The qualitative method provides management with general indicators rather than specific risk scores. Qualitative
results are commonly presented as red, yellow and green light, or high, medium and low risks. Qualitative
assessments may be open to interpretation, guided by descriptors (e.g., assess red light or high risk where the
exposure represents a catastrophic exposure) or framed using broad dollar ranges (e.g., a green light indicates
an exposure less than $10 million).
Qualitative risk assessments are frequently favored because they require less sophisticated risk aggregation
methods, mathematical support and user training, which means lower implementation costs. Conversely,
qualitative results are commonly criticized for their limited alignment with key financial statement and budgetary
indicators. Additionally, some critics suggest qualitative results are generally more difficult to interpret, which limits
management's ability to assign accountability and remediate.
Potential solution: While companies predominantly apply the qualitative risk assessment approach, the industry
appears to be shifting towards quantitative risk measurement. Companies that transition to the quantitative
method typically do so using a phased approach and will apply narrow risk ranges that expand the risk severity
scale from three categories (e.g., high, medium and low) to five or more (e.g., very high, high, moderate, low and
very low) and adjust narrative or dollar ranges accordingly. Frequently, they will also use a separate risk severity
scale for financial risks and nonfinancial risks such as strategic or reputational exposures.
6. Time Horizon
The issue: The time horizon of the ERM risk assessment is largely based on the organization's intent to use ERM
risk results and its willingness to invest in risk management.
Many companies use ERM results for quarterly or year-end planning, while more sophisticated companies
integrate ERM results into annual budgeting and longer-term strategic planning processes.
The shorter-term time horizon (less than 12 months) is generally preferred as it requires less user training,
provides increased risk estimation accuracy and is generally less expensive than the longer-term alternative. The
longer-term solution is applied where management values risk visibility beyond the annual financial reporting
period and additional time to remediate. Regardless of the approach, the risk assessment time horizon must be
consistent with intended ERM program objectives.
Potential solution: Despite its ease, companies appear to be shifting from the short-term risk assessment to a
longer-term or hybrid solution. Additionally, companies are increasingly utilizing a rolling time horizon (e.g., 12-18
months) to mitigate the limitations of an annual assessment, namely reduced risk visibility and less time to mitigate as the year
progresses (e.g., a fourth-quarter risk assessment covers only three months of remaining risk).
7. Multiple Potential Scenarios
The issue: Consider the following scenario: The ERM team asks a respondent to assess the likelihood of
counterparty default and its subsequent loss impact during the current fiscal year. The respondent determines
that there is a 100% probability of at least one counterparty default with a low financial impact over the defined
time horizon (high probability/low impact event). There is also a 5% probability of at least one counterparty default
with a significant financial impact (low probability/high impact event) and several default scenarios with varying
loss severity estimates (moderate probability/moderate impact).
This situation highlights an issue associated with basic risk assessment methods: most risks have multiple event
likelihoods and loss severities, not a single likelihood/impact pair.
Potential solution: There are two common approaches to the problem. Under the most basic approach,
respondents provide a loss severity based on their best estimates. For example, the organization recognizes a
significant investment loss four times per year. The respondent then estimates severity considering all four
potential loss events, portfolio sizes, historical loss records and the company's investment stress test results. If
the respondent estimates $100,000 in annual loss severity, that roughly equates to $25,000 per loss event.
The more advanced method requires the respondent to identify a distinct loss severity for each potential event and
calculate a probability-weighted average (an expected loss). To minimize computational requirements, companies often limit the number of
likelihood scenarios and potential outcomes (e.g., unlikely, moderately likely, likely, very likely, probable).
The decision to pursue a basic or more complex method is largely based on an organization's familiarity with
probability and loss concepts, the risk assessment method employed (e.g., in person or technology-based) and
the level of sophistication supporting the risk tolerance definition.
8. ERM Ownership
The issue: The question regarding who should own ERM is often unclear and commonly disputed at the board,
audit committee and management levels.
Potential solution: In most programs, risk is primarily owned by line management with oversight from
independent risk, compliance and management oversight functions. The broader question of ERM
program ownership is less settled and depends largely on board and audit committee accountability, the established
risk management function and infrastructure, and corporate risk philosophy.
While there is no single industry practice with respect to organization structure, ERM administration is most often
held by risk management, with internal audit, finance/treasury, legal and various supporting
departments (e.g., compliance, strategic planning) the next most common owners.
9. Risk Reporting
The issue: Organizations often struggle with two risk reporting issues: 1) what information should be shared with
various internal and external constituents, and 2) how should risk be communicated.
Potential solution: Most organizations have multiple risk owners with varying accountabilities and needs. As
such, leading companies establish risk packages commensurate with recipient responsibilities and specified
delegation of authorities. Common risk packages are created for the board/audit committee, management risk
oversight committee, business unit leaders and line management. Reports are typically generated from a
common risk database and taxonomy where information varies based on recipient accountability, risk type and
organizational impact.
Board reports, for example, typically present risks that exceed a defined threshold, describe high value strategic,
emerging and unquantified exposures, and exclude superfluous information. Business unit and line reports, on the
other hand, may illustrate mid-level exposures, tactical risks and transactional compliance data.
The external reporting issue is often less challenging. Public organizations are often required to share certain risk
information through financial statements, annual meetings, quarterly earnings announcements, public
presentations and various regulatory responses. While external reporting requirements are fairly prescriptive,
organizations attempt to use ERM results to formulate or support risk assertions.
Barring prescriptive external reporting requirements, organizations vary with respect to internal risk reporting
format. To the extent an organization applies dollar-based results, management generally selects among three
format options: expected loss (severity weighted by probability of occurrence), loss severity or a combination. Loss severity is typically
applied by companies that prefer to view maximum potential loss unadjusted for probability of occurrence.
Opponents suggest loss severity overstates required risk remediation activities and related capital. As a
compromise, many organizations report a combination of risk results and designate one primary metric to allocate
capital (usually expected loss).
10. Simulations and Stress Tests
The issue: Stress tests allow management to assess the degree to which business operations may be negatively
affected by prescribed events and gauge the organization's ability to respond. While the concept is intuitive,
organizations often struggle to balance the need for meaningful simulation and stress tests against a nearly
infinite number of potential scenarios. Similarly, organizations frequently struggle to identify and predict unknown
or unlikely risks (also known as black swans or game changers).
Potential solution: While there is no industry consensus regarding the number and type of simulations to
perform, bank regulatory guidance requires financial institutions to stress test "base case" forecasts under worst
case and other macroeconomic scenarios. While worst case is not specifically defined, the examples given suggest stress
tests represent extreme scenarios rather than catastrophic events. In fact, most banks calculate value-at-risk
and economic capital thresholds at roughly two (95% confidence) or three (99%) standard deviations rather than
against a doomsday scenario. Note that a value-at-risk figure says only how large a loss is exceeded with the stated
probability; it says nothing about how bad the loss is once that threshold is breached, which is why the black swan
review is a separate exercise.
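As an added worked example (not part of the RM Magazine article), the following Python takes a small counterparty-default scenario inventory of the kind described in challenge 7, computes the expected loss and loss severity figures contrasted in challenge 9, and runs a simple Monte Carlo simulation to read off the 95% and 99% value-at-risk discussed above. The scenario names, probabilities and dollar amounts are constructed for illustration, and the events are assumed to occur independently of one another; none of these numbers come from the article.

```python
"""Expected loss, loss severity and simulated value-at-risk for a scenario inventory.

Added example; the scenario inventory below is constructed, not the article's data.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss event within the assessment horizon."""
    name: str
    probability: float  # chance the event occurs at least once in the horizon
    loss: float         # dollar loss if it does occur


# Constructed inventory (assumption): one near-certain low-impact scenario,
# one moderate scenario and one low-probability/high-impact scenario.
COUNTERPARTY_SCENARIOS = [
    Scenario("routine small defaults", 1.00, 100_000),
    Scenario("mid-size default", 0.30, 500_000),
    Scenario("major default", 0.02, 5_000_000),
]


def expected_loss(scenarios):
    """Probability-weighted average loss: the 'advanced method' of challenge 7."""
    return sum(s.probability * s.loss for s in scenarios)


def loss_severity(scenarios):
    """Maximum potential loss with every scenario occurring, unadjusted for probability."""
    return sum(s.loss for s in scenarios)


def simulate_annual_losses(scenarios, trials=50_000, seed=1):
    """Draw one year many times; each scenario occurs independently with its probability."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    losses = []
    for _ in range(trials):
        year_loss = sum(s.loss for s in scenarios if rng.random() < s.probability)
        losses.append(year_loss)
    return losses


def value_at_risk(losses, confidence):
    """Empirical VaR: the loss not exceeded in `confidence` of simulated years."""
    ordered = sorted(losses)
    idx = math.ceil(confidence * len(ordered)) - 1
    return ordered[max(idx, 0)]


def risk_package(scenarios, trials=50_000, seed=1):
    """The metrics a dollar-based internal risk report might carry (challenge 9)."""
    losses = simulate_annual_losses(scenarios, trials, seed)
    return {
        "expected_loss": expected_loss(scenarios),
        "loss_severity": loss_severity(scenarios),
        "var_95": value_at_risk(losses, 0.95),
        "var_99": value_at_risk(losses, 0.99),
    }


if __name__ == "__main__":
    for metric, dollars in risk_package(COUNTERPARTY_SCENARIOS).items():
        print(f"{metric:>14}: ${dollars:,.0f}")
```

With the constructed inventory the expected loss comes out at $350,000, the 95% VaR at $600,000 (the major default falls outside that confidence level), the 99% VaR at $5,100,000 and the loss severity at $5,600,000; the spread between the last two and the first is exactly the gap that opponents of severity-based reporting point to, and the VaR figures show why a two- or three-standard-deviation test is not the same thing as a doomsday scenario.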
Organizations typically address black swan events through periodic and highly targeted brainstorming sessions
where these events are inventoried and reviewed to determine what management action will be required. The
brainstorming session is typically limited to executives and performed during an off-site retreat or during a
regularly scheduled leadership/risk oversight committee meeting.
Copyright 2003-2015 RIMS, Inc. All rights reserved.