Risk Management: The ERM Guide from AFP
Written by James Lam
2011 Association for Financial Professionals, Inc. All Rights Reserved
...ing counterparty risk and model risk, and minimum liquidity ratio.

The consequences of these and other regulatory requirements go beyond publicly-traded companies and financial institutions. As seen in the global impact of Sarbanes-Oxley, these requirements will have far-reaching influence on regulatory standards and risk management practices.

Industry initiatives. Beyond regulatory requirements, a number of industry initiatives have established clear governance and risk standards around the world. The Treadway Report (United States, 1993) produced the COSO framework of internal control, while the Turnbull Report (United Kingdom, 1999) and the Dey Report (Canada, 1994) developed similar guidelines. It is noteworthy that the Turnbull and Dey reports were supported by the stock exchanges in London and Toronto, respectively. Moreover, the Toronto Stock Exchange requires listed companies to report on their enterprise risk management programs annually. More recently, COSO published Enterprise Risk Management: Integrated Framework (2004). The International Organization for Standardization published ISO 31000:2009 Risk Management (2009). The National Association of Corporate Directors published Risk Governance: Balancing Risk and Reward (2009). These industry initiatives have gained significant attention from corporate directors and executives. Collectively, they provide a significant body of work on the key principles, standards, and guidelines for ERM.

Rating agencies and investors. Other key stakeholders have espoused the merits of ERM. In 2008, Standard and Poor's (S&P) started to incorporate ERM assessments into its corporate rating processes. While less formalized than S&P, the other rating agencies (Moody's, Fitch, A.M. Best) are also increasing their focus on risk management capabilities as part of their rating processes. Equity analysts and institutional investors are paying more attention to ERM. Debt and stock analysts recognize the important role that ERM plays in a firm's creditworthiness and valuation. Given the lack of risk transparency during the global financial crisis, it is likely that rating agencies, stock analysts, and institutional investors will demand more timely and detailed disclosures on a firm's major risk exposures and ERM practices.

Corporate programs. Ultimately, firms will not continue to invest in ERM unless they see potential value. In this regard, corporations have reported significant benefits from their risk management programs, including stock price improvement, debt rating upgrades, early warning of risks, loss reduction, and regulatory capital relief. In addition to anecdotal evidence and published reports, there is a growing body of empirical studies that have associated superior financial performance and stock valuation with better corporate governance and ERM practices (see the next section on Creating Value through Governance and ERM Practices). Advanced ERM organizations see their programs as a competitive advantage that helps them mitigate complex risks and achieve business objectives.

Creating Value through Governance and ERM Practices

In terms of value creation, there is a large body of empirical research and survey data indicating that companies with effective governance, risk, and compliance programs are associated with higher levels of profitability and market valuation. In recent years, governance and risk topics have received significant attention not only from the media, but also from researchers. As a result, numerous research projects and surveys have been completed to evaluate the impact of sound governance and risk practices on company performance. While using different research methodologies, sample sizes, and time periods, the key research studies and surveys have indicated that companies that have adopted better governance and ERM practices are associated with higher levels of profitability and market valuation. The following provides a synopsis of several key studies:

- McKinsey and Company (2002) surveyed over 200 institutional investors in 31 different countries with a combined $9 trillion of assets under management. They found that the large majority of investors were willing to pay a premium for companies with effective corporate governance practices. In North America, 76% of investors were willing to pay an average premium of 12-14% of market value.
- Cremers and Nair (2003) investigated how internal governance mechanisms interacted with external governance mechanisms. Based on equity prices from 1990 to 2001, they found that a portfolio with strong internal and external governance produced excess annualized returns of 8%. The same companies achieved 5.5% higher ROA (return on assets).
- Gompers, Ishii, and Metrick (2003) constructed a Governance Index based on 24 governance rules to measure the level of shareholder rights at about 1,500 large firms. They found that during the 1990s, an investment strategy that bought firms with the strongest rights and shorted firms with the weakest rights would have earned excess annualized returns of 8.5% during that period.
- Brown and Caylor (2004) analyzed the relationship between corporate governance and company performance. They found that firms with better governance achieve better financial performance, including higher return on equity (9.2% above industry average), higher profit margin (46% above industry average), and higher dividend payout (0.4% above industry average).
- Cheng and Wu (2005) and their research team at Institutional Shareholder Services examined the correlation between the ISS Corporate Governance Quotient ratings and 16 financial performance metrics for more than 5,200 U.S. companies in the 2002-2004 period. They found that companies with better corporate governance have lower risk, better profitability, and higher valuation. They also found that the top-decile companies performed significantly better than the bottom-decile companies, including 3-to-10% versus negative return on assets; 8-to-15% versus 0.3% return on equity; and 16-to-20% vs. 10-to-15% stock price to earnings ratio.
- Hoyt and Liebenberg (2009) analyzed the relationship between the use of enterprise risk management (ERM) processes and firm value. To control for regulatory and market differences across industries, the researchers focused on publicly-traded U.S. insurance companies. They quantified a 16.5% ERM premium, or a positive and statistically significant relationship between firm value and the use of ERM.
- Deloitte (2011) surveyed 131 global financial institutions with more than $17 trillion in total assets. When asked about the cost-benefit of their ERM efforts, 85% indicated that the value of their ERM program was greater than its cost.

Based on the empirical and survey data provided above, it is clear that the implementation of effective governance and ERM processes can add measurable value to firms. In the next section, we will examine the fundamental requirements for an ERM framework.

Key Components of an ERM Framework

Any organization implementing ERM should develop an overall framework to ensure that the fundamental requirements are addressed. The decision is generally to either adopt a published framework (e.g., COSO ERM, ISO 31000) or develop a customized framework based on the unique requirements of an organization. Regardless, any ERM framework must address four fundamental issues, as shown in Figure 1. Each of the four components addresses a key question:

- Governance structure and policies. Who is responsible to provide risk oversight and make critical risk management decisions?
- Risk assessment and quantification. How (ex-ante) will they make these risk management decisions in terms of analytical input?
- Risk management. What specific decisions will they make to optimize the risk/return profile of the company?
- Reporting and monitoring. How (ex-post) will the company monitor the performance of risk management decisions (i.e., a feedback loop)?

The above questions may sound simple, but addressing them effectively can be very challenging for most firms. However, an effective ERM framework must address all four of these issues.
...provide independent oversight? Can the risk function balance these two potentially conflicting roles? A related question is whether the chief risk officer (CRO) should report to the CEO or to the board.

One organizational solution may be to establish a solid-line reporting relationship between the CRO and the CEO, and a dotted-line reporting relationship between the CRO and the board. On a day-to-day basis, the risk function serves as a business partner advising the board and management on risk management issues. However, under extreme circumstances (e.g., CEO/CFO fraud, major reputational or regulatory issues, and excessive risk taking) the dotted line to the board becomes a solid line, such that the CRO can go directly to the board without concern about his or her job security. Ultimately, to be effective the risk function must have an independent voice. A direct communication channel to the board is one way to ensure that this voice is heard.

Reporting and Monitoring

The risk reporting and monitoring process addresses the question of how critical risk information is reported to the board and senior management, and how risk management performance is evaluated. It has been wisely said that what gets measured gets managed. However, there is a general sense of dissatisfaction among board members and senior executives with respect to the timeliness, quality, and usefulness of risk reports. Currently, companies often analyze and report on individual risks separately. These reports tend to be either too qualitative (risk assessments) or too quantitative (VaR metrics). Risk reports also focus too much on past trends. In order to establish more effective reporting, companies should develop forward-looking, role-based dashboard reports. These reports should be customized to support the decisions of the individual or group, whether that is the board, executive management, or line and operations management. ERM dashboard reports should integrate qualitative and quantitative data, internal risk exposures and external drivers, and key performance and risk indicators.

How do we know if risk management is working effectively? This is perhaps one of the most important questions facing boards, executives, regulators, and risk managers today. The common practice is to evaluate the effectiveness of risk management based on the achievement of key milestones, or the lack of policy violations, losses, or surprises. However, qualitative milestones or negative proofs should no longer be sufficient. Organizations need to establish performance metrics and feedback loops for risk management. Other corporate and business functions have such measures and feedback loops. For example, business development has sales metrics, customer service has customer satisfaction scores, HR has turnover rates, etc. In order to establish a feedback loop for risk management, its objective must first be defined in measurable terms. For example, the objective of risk management can be defined as minimizing unexpected earnings volatility. In other words, the objective of risk management is not to minimize absolute levels of risks or earnings volatility, but to minimize unknown sources of risks or earnings volatility. Based on this definition, Figure 2 provides an illustrative example of using earnings volatility analysis as the basis of a feedback loop. At the beginning of the reporting period, the company performs earnings-at-risk analysis and identifies several key factors (business targets, interest rates, oil price, etc.) that may result in a $1 loss per share, compared to an expected $3 earnings per share. At the end of the reporting period, the company performs earnings attribution analysis and determines the actual earnings drivers. The combination of these analyses provides an objective feedback loop on risk management performance. Over time, the organization strives to minimize the earnings impact of unforeseen factors. While this may not be the right feedback loop for every individual organization (e.g., a non-profit), every company should establish some feedback loop(s) for risk management.
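As an added worked example (not the Guide's own material), the following Python models the earnings-volatility feedback loop described above: an ex-ante earnings-at-risk list of factors with the adverse EPS impact each could have, an ex-post attribution of the actual result by driver, and a metric for the portion of the adverse movement that came from drivers the ex-ante analysis never listed. Only the $3 expected EPS and the $1 earnings at risk come from the text; the data classes, factor names, realized impacts and the reconciliation check are assumptions constructed for this example.

```python
"""Earnings-volatility feedback loop, as an added worked example.

Constructed illustration of the two-step loop: an ex-ante earnings-at-risk
analysis lists the factors expected to drive earnings and the adverse EPS
impact each could have; an ex-post attribution explains the actual EPS by
driver. The feedback metric is how much of the adverse movement came from
sources the ex-ante analysis did not list (the "unknown" volatility the
text says risk management should minimize).
All figures are constructed for this example; they are not the Guide's data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class EarningsAtRisk:
    """Ex-ante view: expected EPS and adverse EPS impact per identified factor (negative numbers)."""
    expected_eps: float
    factor_impacts: Dict[str, float]

    def eps_at_risk(self) -> float:
        """Combined downside if every identified factor moves adversely."""
        return sum(self.factor_impacts.values())


@dataclass
class Attribution:
    """Ex-post view: actual EPS and the realized EPS impact of each driver."""
    actual_eps: float
    driver_impacts: Dict[str, float]


def feedback_metrics(ear: EarningsAtRisk, attr: Attribution) -> Dict[str, object]:
    """Compare the ex-post attribution with the ex-ante risk list."""
    variance = attr.actual_eps - ear.expected_eps
    explained = sum(attr.driver_impacts.values())
    # The attribution must reconcile to the actual result; otherwise the loop is not closed.
    if abs(explained - variance) > 1e-9:
        raise ValueError("attribution does not reconcile: explained %.4f vs variance %.4f"
                         % (explained, variance))

    known = {k: v for k, v in attr.driver_impacts.items() if k in ear.factor_impacts}
    unknown = {k: v for k, v in attr.driver_impacts.items() if k not in ear.factor_impacts}

    adverse_total = sum(v for v in attr.driver_impacts.values() if v < 0)
    unknown_adverse = sum(v for v in unknown.values() if v < 0)
    # Share of the adverse EPS movement that came from drivers not on the ex-ante list.
    unknown_share = unknown_adverse / adverse_total if adverse_total else 0.0
    # Identified factors whose realized impact was worse than the ex-ante estimate.
    exceeded: List[str] = sorted(k for k, v in known.items() if v < ear.factor_impacts[k])

    return {
        "expected_eps": ear.expected_eps,
        "actual_eps": attr.actual_eps,
        "eps_at_risk": ear.eps_at_risk(),
        "variance": variance,
        "known_impact": sum(known.values()),
        "unknown_impact": sum(unknown.values()),
        "unknown_share": unknown_share,
        "unknown_drivers": sorted(unknown),
        "exceeded": exceeded,
    }


def run_example() -> Dict[str, object]:
    """Constructed reporting period: $3 expected EPS, $1 at risk, $2.30 actual EPS."""
    ear = EarningsAtRisk(
        expected_eps=3.00,
        factor_impacts={"business targets": -0.40, "interest rates": -0.35, "oil price": -0.25},
    )
    attr = Attribution(
        actual_eps=2.30,
        driver_impacts={
            "business targets": -0.30,       # identified, within the ex-ante estimate
            "interest rates": 0.10,          # identified, moved favourably
            "oil price": -0.20,              # identified, within the ex-ante estimate
            "litigation settlement": -0.30,  # not on the ex-ante list: the "unknown" source
        },
    )
    return feedback_metrics(ear, attr)


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key:>16}: {value}")
```

In the constructed period the identified factors all stayed within their ex-ante estimates, yet 37.5% of the adverse movement came from a driver nobody had listed; that share, tracked period over period, is the number the board can watch to see whether risk identification is improving.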
Role of the Board in ERM

How should boards ensure that they play a constructive and effective role in ERM? Board members are not involved in day-to-day operations, and they have limited time to review materials and meet with management. What can they do to effectively oversee ERM and the key risks facing the organization? The role of the board in ERM encompasses three key levers: (1) establish an effective governance structure to oversee risk, (2) approve and monitor an ERM policy that provides explicit risk tolerance levels, and (3) establish assurance processes to ensure that an effective ERM program is in place. In academia, the acronym G.P.A. means grade point average. In the context of board risk oversight, the same acronym can be used to remember these three key levers: governance, policy, and assurance.

Governance

A fundamental step in providing ERM oversight is to establish an effective risk governance structure at the board level. Beyond an organizational chart, risk governance establishes the oversight roles and decision points for the board and board committees, as well as the relationships with management and management committees. In order to strengthen risk governance at the board level, organizations should consider adopting the following ERM practices:

- Establish a risk committee. While the full board generally retains overall responsibility for risk oversight, a growing number of organizations are establishing risk committees. According to a December 2010 report commissioned by COSO (the COSO Report), based on a survey of over 200 board members, 47% of board members at financial services organizations indicated that they had a risk committee, versus 24% at non-financial firms. Given the Dodd-Frank Act and other regulatory reform, it is likely that these percentages will increase in the next few years. Regardless of the committee structure, the risk oversight roles of the full board and subcommittees (e.g., audit, governance, HR) should be clearly defined. Boards should also ensure that they can effectively challenge management on risk management issues, by appointing board members and/or board advisors with deep risk management expertise and providing general risk education to all board members.
- Align board and management structures. The risk governance structures at the board and management levels should be fully aligned. This alignment includes committee charters, roles and responsibilities, reporting relationships, approval and decision requirements, and information flows. As boards become more active in establishing risk policies and risk appetite, the role of the board versus the role of management should be clearly differentiated. Figure 3 provides an example of the separation between management and board responsibilities for ERM. Alignment and clarification of roles would prevent unnecessary tensions and encroachments between management and the board.
- Integrate strategy and risk. Monitoring an organization's strategy and execution has long been the purview of boards. However, according to the COSO Report, less than 15% of board members indicated that they were fully satisfied with the board's processes for understanding and challenging the assumptions and risks associated with the business strategy. Yet a number of studies (James Lam & Associates (2004), Deloitte Research (2005), and The Corporate Executive Board (2005)) have found that strategic risks represented approximately 60% of the root causes when publicly-traded companies suffered significant market value declines, followed by operational risks (approximately 30%) and financial risks (approximately 10%). As boards become more active in ERM, the integration of strategy and risk is a logical and desirable outcome.
...Lam & Associates worked with a large financial institution to improve its board communication and reporting. In addition to adopting these standards, the financial institution developed an ERM dashboard, distributed through an iPad, that provides high-level charts as well as drill-down capability to the underlying data.

As boards retain independent auditors to review and assure the financial statements, they should retain an independent party to review and assure the ERM program. The final product of this review may be an assessment of the organization's ERM program relative to industry best practices and/or its development against plan.

Finally, the board should establish effective feedback loops to gauge the effectiveness of its ERM program. In the previous section, the use of earnings volatility analysis as a feedback loop on ERM was discussed. Regardless of the metric, the board should decide on the appropriate feedback loop(s) for risk management.

Key Success Factors in ERM

In this Guide we have discussed (1) basic definitions and concepts for ERM, (2) major trends and drivers for adoption, (3) evidence that ERM can create value, (4) the key components of an ERM framework, and (5) the role of the board in ERM. To review the key points discussed as well as look ahead with respect to the challenges in ERM implementation, let's examine seven key success factors:

1. Board risk governance and reporting. Perhaps the most powerful but underleveraged component in ERM is the role of the board. Boards wield significant influence over policy decisions and management actions. Executive teams go to great lengths to address issues raised by directors. As such, directors can have a significant impact simply by asking tough questions or requesting key risk reports.
2. ERM policy with explicit risk tolerance levels. The ERM policy is an important tool for both the board and executive management. The articulation of explicit risk tolerance levels for critical risks represents an essential element of the ERM policy. Given their importance in controlling the overall risk appetite of the organization, there should be sufficient discussion (and even debate) between the board and management before risk tolerance levels are established.
3. ERM integration. In order to optimize the organization's risk/return profile, ERM must be integrated into key business processes (e.g., product development and pricing, risk transfer, capital allocation). Another challenge is the integration of ERM and strategy. We discussed studies that have shown both the importance and the lack of understanding of strategic risks. While the integration of ERM and strategy is critical, this process is still in its early stages of development.
4. Risk analytics and dashboards. The consequences of the global financial crisis revealed some key shortcomings of existing risk analytical models. Commonly used risk models (e.g., value-at-risk, economic capital) only measure risks within a defined probability level, say 95% or 99%. However, organizations have learned that they must also prepare for black swans, or highly improbable but consequential events. Going forward, risk analytics must be expanded to include stress testing and scenario analysis to capture tail risk events. Additionally, risk dashboards should be developed to provide forward-looking risk analysis as well as early-warning indicators.
5. Assurance and feedback loops. How do we know if risk management is working effectively? This is one of the most important questions facing boards, executives, regulators, and risk managers today. In the past, the common practice was to evaluate the effectiveness of risk management based on the achievement of key milestones, or the lack of policy violations, losses, or surprises.
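To make the point in success factor 4 concrete, here is an added Python example (not from the Guide) that computes historical-simulation value-at-risk at 95% and 99%, the expected shortfall beyond VaR, and a deterministic stress-scenario loss on a constructed daily P&L history seeded with a few very large losing days. It goes slightly beyond the text in that the VaR function works at any confidence level; the P&L series, exposures, scenario shocks and function names are assumptions constructed for this example.

```python
"""VaR, expected shortfall, and a stress scenario, as an added worked example.

Historical-simulation VaR at a confidence level reports the loss exceeded
only (1 - level) of the time and is silent about how large the exceedances
are. This constructed example computes 95% and 99% VaR, the expected
shortfall beyond VaR, and a deterministic stress-scenario loss on a
synthetic P&L series that hides a handful of very large losing days.
Data, exposures and shocks are constructed for illustration only.
"""
import math
import random
from typing import Dict, List


def synthetic_pnl(days: int = 1000, tail_days: int = 5, seed: int = 7) -> List[float]:
    """Daily P&L in $M: unit-normal noise plus a few -15 'black swan' days (constructed)."""
    rng = random.Random(seed)
    pnl = [rng.gauss(0.0, 1.0) for _ in range(days)]
    for i in rng.sample(range(days), tail_days):
        pnl[i] -= 15.0
    return pnl


def historical_var(pnl: List[float], level: float) -> float:
    """Loss (positive number) exceeded with probability 1 - level, by historical simulation."""
    losses = sorted(-x for x in pnl)                  # ascending losses
    n = len(losses)
    k = min(n, math.ceil(level * n - 1e-9))            # rank of the level-quantile loss
    return losses[k - 1]


def expected_shortfall(pnl: List[float], level: float) -> float:
    """Average loss on the days at or beyond the VaR threshold: the part VaR does not report."""
    var = historical_var(pnl, level)
    tail = [-x for x in pnl if -x >= var]
    return sum(tail) / len(tail)


def scenario_loss(exposures: Dict[str, float], shocks: Dict[str, float]) -> float:
    """Deterministic stress test: P&L change = sum(exposure * shock), a linear approximation.

    exposures: $M of P&L per +1 unit move in each factor; shocks: scenario move per factor.
    Returns the loss as a positive number (0.0 if the scenario is profitable).
    """
    change = sum(exposures[f] * shocks.get(f, 0.0) for f in exposures)
    return max(0.0, -change)


def risk_summary(pnl: List[float]) -> Dict[str, float]:
    """VaR, ES, worst observed day and a named scenario, side by side."""
    # Constructed exposures ($M per unit factor move) and a severe-but-plausible scenario:
    # rates +200bp, oil -30%, equities -25%.
    exposures = {"rates_bp": -0.02, "oil_pct": 0.15, "equity_pct": 0.4}
    scenario = {"rates_bp": 200.0, "oil_pct": -30.0, "equity_pct": -25.0}
    return {
        "var_95": historical_var(pnl, 0.95),
        "var_99": historical_var(pnl, 0.99),
        "es_99": expected_shortfall(pnl, 0.99),
        "worst_day": max(-x for x in pnl),
        "scenario_loss": scenario_loss(exposures, scenario),
    }


if __name__ == "__main__":
    for name, value in risk_summary(synthetic_pnl()).items():
        print(f"{name:>14}: {value:8.2f} $M")
```

With five tail days in a thousand, the 99% VaR sits on an ordinary day (the eleventh-worst loss) and looks modest, while the expected shortfall beyond it is several times larger and the worst observed day larger still; a dashboard that shows VaR alone would not reveal that gap, which is why the text calls for stress testing and scenario analysis alongside it.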
Stage 1: Definition and Planning (White Belt)

In Stage 1 the organization is organizing resources to define the scope and objectives for its ERM program. Key objectives during this phase include identifying an organization's ERM requirements, obtaining board-level and executive support, and developing an overall framework and plan for ERM. Some organizations find it useful to establish a cross-functional task force in order to accomplish these objectives. Stage 1 may take 6-12 months to complete and activities typically include:

- Researching regulatory requirements and industry practices
- Providing risk briefings for board members and corporate executives
- Appointing a chief risk officer and/or ERM project leader
- Organizing an ERM task force and/or ERM committee
- Conducting a benchmarking exercise with other companies
- Assessing the current state of risk management capabilities
- Defining the scope, vision, and overall plan for ERM
- Establishing an ERM framework, including a risk taxonomy
Stage 2: Early Development (Yellow Belt)

In Stage 2 the ERM program is in the early stages of development. Key objectives during this stage include formalizing roles and responsibilities in an ERM policy, identifying key risks through risk assessments, and providing risk education to enhance risk knowledge and awareness. Stage 2 may take 1-2 years and typical activities include:

- Establishing an ERM policy, including roles and responsibilities
- Performing annual risk assessments across business units
- Coordinating risk identification and control processes across risk, audit, and compliance functions
- Providing risk education for the board of directors, as well as risk training for a wider group of employees
- Establishing risk functions across the business units

Stage 3: Standard Practice (Green Belt)

In Stage 3 the organization is establishing more frequent and granular risk analyses. Key objectives during this stage include performing more frequent risk assessments, and developing risk quantification processes. This stage may take 1-3 years and activities may include:

- Updating risk assessments on a quarterly or monthly basis
- Developing risk databases, including loss-event information
- Developing KRIs and reporting on enterprise-wide risks on a monthly basis
- Integrating credit risk and market risk models, and building operational risk models
- Developing risk-adjusted performance measurement methodologies

Stage 4: Business Integration (Brown Belt)

In Stage 4 the focus is to integrate ERM into business management and operational processes. ERM tools and practices become more distributed throughout the organization. It is during this stage that risk and return tradeoffs in business decisions are evaluated more explicitly. Key objectives include quantifying the cost of risk to support pricing and risk transfer decisions, assessing business risks upfront as part of business and product development, developing automated risk reporting and escalation technologies, and linking risk and compensation. Stage 4 may take 2-4 years and include the following:

- Expanding the scope of ERM to include business risk
- Allocating economic capital to underlying market, credit, operational, and business risks
- Incorporating the cost of risk into product and relationship pricing, as well as portfolio management and risk transfer strategies
- Integrating risk reviews into new business and product approval processes
- Automating ERM reporting through the use of electronic dashboards, including customized queries and real-time escalations
- Establishing trigger points to make timely business decisions, including risk mitigation and exit strategies
- Developing feedback loops on risk management performance
- Linking risk management performance and executive compensation