http://www.rmmagazine.com/2010/03/01/10-common-erm-challenges/

10 Common ERM Challenges


Very few organizations find enterprise risk management implementation easy; it requires a rare combination of
organizational consensus, strong executive management and an appreciation for various program sensitivities.
Despite the effort required, however, ERM is worth it because it forces most organizations to step back and
identify their risks, which is one of the first steps to protecting capital and driving shareholder value. As boards and
executive management evaluate ERM, however, they usually come away with more questions than answers.
While each company faces specific concerns, the more challenging ERM issues are generally consistent across
companies and are largely unrelated to industry, geography, regulation or competitive landscapes. By examining
some of these common ERM challenges, as well as the creative solutions that have been applied by other
organizations, management will be better equipped to develop and revamp their own enterprise risk management
programs.
1. Assessing ERM's Value
The issue: In an economy driven by positive return on investment, organizations often struggle to demonstrate
sufficient ERM value to justify implementation costs. While traditional investment decisions are evaluated using
common risk and reward metrics such as return on equity (ROE), return on assets (ROA) and risk adjusted return
on capital (RAROC), ERM value drivers are less prescriptive. Despite growing guidance, ERM remains largely
voluntary, resulting in a value proposition void of compliance language and regulatory encouragement.
Potential solution: Many organizations establish ERM value, risks and costs using a traditional business case.
The typical business case looks at ERM value in four categories.
The first is shareholder value added, such as equity premium driven by positive public perception, an improved
credit rating or risk score, and the integration of risk results with operations. Next is avoided risk, such as reduced
volatility through hedging or insurance products and reduced risk through incremental controls. Another category
is hard dollar savings such as risk infrastructure and process consolidation, reduced insurance and costs, and
reduced regulatory capital requirements. Finally, other qualitative benefits can include improved risk transparency
and awareness, improved risk management coordination and accountability, improved risk and financial statement
metrics, and the elimination of siloed risk management activities.
After evaluating a program's potential value, many companies then look at ERM implementation costs and risks.
While most companies manage risk as a matter of standard business practice, ERM programs typically involve
enhanced risk assessment processes, risk and business integration, and governance concerns. These activities
may require new resources, technologies, policies and process enhancements, all of which assume varying
degrees of capital expenditures.
As an alternative to the business case, management may implement ERM on a pilot basis or as an "ERM lite"
program. This program typically involves a prominent business unit with large financial risk and a business unit
with higher nonfinancial exposures such as strategic, reputation or operational risk.
2. Privilege
The issue: An ERM program allows management to quantify the company's risks. As risk information becomes
increasingly event-driven and dollar-based, company lawyers may raise issues regarding risk distribution to
external regulators, auditors and constituents. Organizations must balance risk visibility and legal exposure.
Potential solution: The easiest way to provide risk insight while protecting sensitive information is to gather and
report risk data according to broad categories without providing specifics regarding contracts, legal cases,
projects, events, counterparties and products. Alternatively, risk information (e.g., severity) may be documented in
qualitative terms with no link to specific dollars or dollar ranges. While the more conservative approach is more
commonly applied by companies, the industry appears to be moving towards greater risk transparency.
Companies with a more liberal approach typically manage data sensitivity issues using several techniques. For
example, companies can conduct all risk assessment activities under legal supervision, with the objective of
making the output privileged.
Alternative ERM risk assessment approaches where privilege is not available or where the company does not
wish to involve counsel include producing multiple risk reports and distributing them according to business need
(e.g., provide a detailed version to the board and small executive team and a broader report to a larger
distribution) and relying on "confidential" and "for internal use only" protections.
3. Defining Risk
The issue: One of the biggest challenges is establishing a consistent and commonly applied risk nomenclature.
Any inconsistencies between risk definitions or methodologies are likely to jeopardize the program's success.
Potential solution: Establishing a formal risk management framework and common risk nomenclature can be
accomplished through working groups comprised of at least one representative from each significant business unit
and shared service function. The most critical goal of the group is to establish the definition of risk itself. While
each risk category may be distinct, the definition of risk must be consistent and supported by clear guidance. The
group must also create a risk inventory and supporting risk taxonomy to further define and rank all the risks faced
by the organization.
4. Risk Assessment Method
The issue: Enterprise risk assessments are performed using a variety of approaches and tools, including
surveys, interviews and historical analysis. Each approach offers its own value and drawbacks that must be
closely reviewed to determine organization suitability.
Potential solution: The risk assessment method employed is largely based on the number of respondents
surveyed, corporate culture and, perhaps most relevant, organizational familiarity with risk management.
Face-to-face assessments are helpful as they facilitate risk management education and guidance, encourage
discussion and allow for data collection. Conversely, automated tools can be applied by organizations with broad
risk management knowledge or a predisposition for technology-based tools.
In addition, the risk assessment method is generally tailored to the audience. For example, many organizations
administer executive risk assessments using a group interview session and apply individual techniques to
management or technical personnel.
5. Qualitative Versus Quantitative
The issue: A key decision for many organizations is whether risks are assessed using qualitative or quantitative
metrics. The decision is generally driven by the organization's industry, commitment to ERM, its view regarding
privilege and overall cost.
The qualitative method provides management with general indicators rather than specific risk scores. Qualitative
results are commonly presented as red, yellow and green light, or high, medium and low risks. Qualitative
assessments may be open to interpretation, guided by descriptors (e.g., assess a risk as "red light" or "high" where
the exposure would be catastrophic) or framed using broad dollar ranges (e.g., a green light indicates
an exposure of less than $10 million).
Qualitative risk assessments are frequently favored because they require less sophisticated risk aggregation
methods, mathematical support and user training, which means lower implementation costs. Conversely,
qualitative results are commonly criticized for their limited alignment with key financial statement and budgetary
indicators. Additionally, some critics suggest qualitative results are generally more difficult to interpret, which limits
management's ability to assign accountability and remediate.
Potential solution: While companies predominately apply the qualitative risk assessment approach, the industry
appears to be shifting towards quantitative risk measurement. Companies that transition to the quantitative
method typically do so using a phased approach and will apply narrow risk ranges that expand the risk severity
scale from three categories (e.g., high, medium and low) to five or more (e.g., very high, high, moderate, low and
very low) and adjust narrative or dollar ranges accordingly. Frequently, they will also use a separate risk severity
scale for financial risks and nonfinancial risks such as strategic or reputational exposures.
6. Time Horizon
The issue: The time horizon of ERM risk assessment is largely based on the organization's intent to use ERM
risk results and its willingness to invest in risk management.
Many companies use ERM results for quarterly or year-end planning, while more sophisticated companies
integrate ERM results into annual budgeting and longer-term strategic planning processes.
The shorter-term time horizon (less than 12 months) is generally preferred as it requires less user training,
provides increased risk estimation accuracy and is generally less expensive than the longer-term alternative. The
longer-term solution is applied where management values risk visibility beyond the annual financial reporting
period and additional time to remediate. Regardless of the approach, the risk assessment time horizon must be
consistent with intended ERM program objectives.
Potential solution: Despite its ease, companies appear to be shifting from the short-term risk assessment to a
longer-term or hybrid solution. Additionally, companies are increasingly utilizing a rolling time horizon (e.g., 12-18
months) to mitigate annual assessment limitations, namely reduced risk visibility and time to mitigate as the year
progresses (e.g., the fourth quarter risk assessment covers three months of remaining risk).
7. Multiple Potential Scenarios
The issue: Consider the following scenario: The ERM team asks a respondent to assess the likelihood of
counterparty default and its subsequent loss impact during the current fiscal year. The respondent determines
that there is a 100% probability of at least one counterparty default with a low financial impact over the defined
time horizon (high probability/low impact event). There is also a 5% probability of at least one counterparty default
with a significant financial impact (low probability/high impact event) and several default scenarios with varying
loss severity estimates (moderate probability/moderate impact).
This situation highlights an issue associated with basic risk assessment methods: most risks have multiple event
likelihoods and risk severities.
Potential solution: There are two common approaches to the problem. Under the most basic approach,
respondents provide a loss severity based on their best estimates. For example, the organization recognizes a
significant investment loss four times per year. The respondent then estimates severity considering all four
potential loss events, portfolio sizes, historical loss records and the company's investment stress test results. If
the respondent estimates $100,000 in loss severity, it roughly equates to $25,000 per loss event.
The more advanced method requires the respondent to identify a distinct loss severity for all potential events and
calculate a mathematical average. To minimize computational requirements, companies often limit the number of
likelihood scenarios and potential outcomes (e.g., unlikely, moderately likely, likely, very likely, probable).
The decision to pursue a basic or more complex method is largely based on an organization's familiarity with
probability and loss concepts, the risk assessment method employed (e.g., in person or technology-based) and
the level of sophistication supporting risk tolerance definition.
8. ERM Ownership
The issue: The question regarding who should own ERM is often unclear and commonly disputed at the board,
audit committee and management levels.
Potential solution: In most programs, risk is primarily owned by line management with oversight from
independent risk, compliance and management oversight functions. The broader question regarding ERM
program ownership is less decisive and largely based on board and audit committee accountability, established
risk management function and infrastructure, and corporate risk philosophy.
While there is no one single industry practice with respect to organization structure, ERM administration should
generally be held by risk management followed by internal audit, finance/treasury, legal and various supporting
departments (e.g., compliance, strategic planning).
9. Risk Reporting
The issue: Organizations often struggle with two risk reporting issues: 1) what information should be shared with
various internal and external constituents, and 2) how should risk be communicated.
Potential solution: Most organizations have multiple risk owners with varying accountabilities and needs. As
such, leading companies establish risk packages commensurate with recipient responsibilities and specified
delegation of authorities. Common risk packages are created for the board/audit committee, management risk
oversight committee, business unit leaders and line management. Reports are typically generated from a
common risk database and taxonomy where information varies based on recipient accountability, risk type and
organizational impact.
Board reports, for example, typically present risks that exceed a defined threshold, describe high value strategic,
emerging and unquantified exposures, and exclude superfluous information. Business unit and line reports, on the
other hand, may illustrate mid-level exposures, tactical risks and transactional compliance data.
The external reporting issue is usually less challenging. Public organizations are often required to share certain risk
information through financial statements, annual meetings, quarterly earnings announcements, public
presentations and various regulatory responses. While external reporting requirements are fairly prescriptive,
organizations attempt to use ERM results to formulate or support risk assertions.
Barring prescriptive external reporting requirements, organizations vary with respect to internal risk reporting
format. To the extent an organization applies dollar-based results, management generally selects between one
and three format options: specifically, expected loss, loss severity or a combination. Loss severity is typically
applied by companies that prefer to view maximum potential loss unadjusted for probability of occurrence.
Opponents suggest loss severity overstates required risk remediation activities and related capital. As a
compromise, many organizations report a combination of risk results and designate one primary metric to allocate
capital (usually expected loss).
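As an added illustration that is not part of the article or RIMS's own material, the Python below puts the two estimation approaches from section 7 (a single best-estimate total spread over the expected number of events, versus a probability-weighted average over distinct scenarios) and the expected-loss versus loss-severity reporting formats from section 9 into code. The scenario names, probabilities, dollar figures and the board-reporting threshold are constructed for the example; "mathematical average" is read as the probability-weighted average.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class LossScenario:
    """One likelihood/severity pair for a single risk (section 7's advanced method)."""
    name: str
    probability: float  # likelihood of the scenario within the assessment time horizon (0..1)
    severity: float     # dollar loss if the scenario occurs, unadjusted for probability

    def __post_init__(self) -> None:
        if not 0.0 <= self.probability <= 1.0:
            raise ValueError(f"{self.name}: probability must be between 0 and 1")
        if self.severity < 0:
            raise ValueError(f"{self.name}: severity cannot be negative")


def basic_per_event_severity(total_severity: float, events_per_year: int) -> float:
    """Basic approach: one best-estimate total severity across the events expected in the
    year, spread evenly per event (the article's $100,000 over 4 events = $25,000)."""
    if events_per_year <= 0:
        raise ValueError("events_per_year must be positive")
    return total_severity / events_per_year


def expected_loss(scenarios: Iterable[LossScenario]) -> float:
    """Advanced approach: probability-weighted average of the distinct scenario severities."""
    return sum(s.probability * s.severity for s in scenarios)


def loss_severity(scenarios: Iterable[LossScenario]) -> float:
    """Maximum potential loss with no probability adjustment (the loss-severity format)."""
    return max(s.severity for s in scenarios)


def risk_package(scenarios: List[LossScenario], threshold: float) -> Dict[str, object]:
    """Combination format: report both metrics and flag the risk for the board when the
    primary metric (expected loss, the usual choice per the article) exceeds the threshold."""
    el = expected_loss(scenarios)
    return {"expected_loss": el, "loss_severity": loss_severity(scenarios),
            "primary_metric": "expected_loss", "board_reportable": el > threshold}


# Constructed sample input mirroring section 7's counterparty-default example; the dollar
# figures and the moderate-case probability are invented for illustration only.
COUNTERPARTY_DEFAULT = [
    LossScenario("at least one default, low impact", probability=1.00, severity=50_000),
    LossScenario("several defaults, moderate impact", probability=0.25, severity=400_000),
    LossScenario("significant default", probability=0.05, severity=2_000_000),
]

if __name__ == "__main__":
    print(basic_per_event_severity(100_000, 4))  # 25000.0
    print(risk_package(COUNTERPARTY_DEFAULT, threshold=200_000))
```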
10. Simulations and Stress Tests
The issue: Stress tests allow management to assess the degree that business operations may be negatively
affected by prescribed events and gauge the organization's ability to respond. While the concept is intuitive,
organizations often struggle to balance the need for meaningful simulation and stress tests against a nearly
infinite number of potential scenarios. Similarly, organizations frequently struggle to identify and predict unknown
or unlikely risks (also known as "black swans" or "game changers").
Potential solution: While there is no industry consensus regarding the number and type of simulations to
perform, bank regulatory guidance requires financial institutions to stress test "base case" forecasts under worst
case and other macroeconomic scenarios. While worst case is not specifically defined, examples suggest stress
tests represent extreme scenarios rather than catastrophic events. In fact, most banks calculate value-at-risk
and economic capital thresholds using a two (95% confidence) or three (99%) standard deviation test rather than
a doomsday scenario.
Organizations typically address black swan events through periodic and highly targeted brainstorming sessions
where these events are inventoried and reviewed to determine what management action will be required. The
brainstorming session is typically limited to executives and performed during an off-site retreat or during a
regularly scheduled leadership/risk oversight committee meeting.
Copyright 2003-2015 RIMS, Inc. All rights reserved.