Implementing Enterprise Risk Management - Lam James
Part One
ERM in Context
CHAPTER 1
Fundamental Concepts and Current State
ENTERPRISE RISK MANAGEMENT (ERM)
The concepts I've described so far form the foundation for risk analysis, but understanding risk is just a preliminary step toward managing it. We are now ready to lay the groundwork for implementing enterprise risk management (ERM). Specifically, we will discuss:
• A definition of ERM
• Early development of risk management
• The development of ERM in the 1990s
This brief overview of ERM will show how the events of the past half-century have shaped ERM's current critical role in business strategy.
What Is Enterprise Risk Management?
A proper definition of ERM should describe what it is, how it works, its main objective, and its main components. With these criteria in mind, I will define ERM as follows:
ERM is an integrated and continuous process for managing enterprise-wide risks – including strategic, financial, operational, compliance, and reputational risks – in order to minimize unexpected performance variance and maximize intrinsic firm value. This process empowers the board and management to make more informed risk/return decisions by addressing fundamental requirements with respect to governance and policy (including risk appetite), risk analytics, risk management, and monitoring and reporting.
Let's briefly expand on this definition. First, ERM is a management process based on an integrated and continuous approach, including understanding the interdependencies across risks and implementing integrated strategies. Second, the goal of ERM is to minimize unexpected performance variance (defensive applications) and to maximize intrinsic firm value (offensive applications). As discussed, risk management is not about minimizing or avoiding risks, but optimizing risk/return trade-offs (the bell curve). Third, an ERM program supports better decisions at the board and management levels. Board decisions may include establishing risk appetite, capital and dividend policy, as well as making strategic investments. Management decisions may include capital and resource allocation, customer and product management, pricing, and risk transfer. Finally, the key components of ERM include governance and policy (including risk appetite), risk analytics, risk management, and monitoring and reporting. These four components provide a balanced and integrated framework for ERM.
Early Development of Risk Management
Protecting ourselves against risk is a natural practice that goes back well before Magellan. In fact, one could argue that risk management has existed as long as human history. As long as attacks from animals, people, or businesses have been a threat, we have constructed safeguards and defenses. As long as buildings have faced floods and fires, risk management has included structural design and materials used, or, in modern times, transferring that risk to an insurer. As long as money has been lent, lenders have diversified among borrowers and discriminated between high- and low-risk loans. Despite the intuitive nature of risk management – or perhaps because of it – it did not become part of formal business practice until the second half of the last century.
It wasn't until 1963 that the first discussion on risk appeared in an attempt to codify and improve such practices. In their Risk Management and the Business Enterprise, authors Robert Mehr and Bob Hedges posited a more inclusive risk-management practice that went beyond the status quo of merely insuring against risk. They proposed a five-step process reminiscent of the scientific method: Identify loss exposures, measure those exposures, evaluate possible responses, choose one, and monitor the results. They also described three general approaches to handling risks: risk assumption, risk transfer, and risk reduction. At this early stage, risk management emphasized hazard risk management. Financial risk entered the scene later. These traditional theories focused on what are called “pure” risks, such as natural disasters, which result either in a loss or no change at all, but never an improvement. Modern ERM practice now encompasses speculative risk, which involves either loss or gain. Stock market investment is a classic example of speculative risk.
The lack of attention to financial risk in early risk management programs reflected the comparative stability of global markets at the time. This began to change in the following decade. In 1971, the United States abandoned the gold standard, and in 1972, many developed countries withdrew from the 1944 Bretton Woods agreement, which had kept most foreign exchange rates within narrow bands since World War II. This brought an unprecedented volatility to global exchange rates. The Seventies also brought soaring oil prices due to the decision by the Organization of Petroleum Exporting Countries (OPEC) to decrease global supply after the 1973 Yom Kippur War. Like the proverbial butterfly's wings, this had multiple effects around the globe. Rising oil prices drove up inflation, which caused the U.S. Federal Reserve to raise interest rates to historical levels, a response that fueled volatility not only in the United States but worldwide as well. These economic changes created a need for financial risk management that companies had not experienced before.
The Seventies and early Eighties saw the introduction of new financial risk-management tools, particularly derivatives such as financial futures, options, and swaps. These new tools allowed companies to manage volatile interest rates and foreign exchange rates and were effective when used properly. But some firms suffered severe losses from ill-conceived derivatives trades. In 1993, the German corporation Metallgesellschaft barely avoided bankruptcy after a $1.3 billion loss due to oil futures contracts. The next year, Procter & Gamble lost $157 million due to an injudicious swap. In the Nineties, devastating losses due to operational risk were all too common, often for lack of standard controls such as management supervision, segregation of duties, or basic checks and balances. In 1995, Barings Bank was driven into bankruptcy after a loss of $1.3 billion due to unauthorized derivatives trades. Only months later, Daiwa Bank was forced to end all U.S. operations in the aftermath of a $1.1 billion scandal surrounding unauthorized derivatives trading. Early risk managers operating under traditional practices simply overlooked operational risk, leaving it to the relevant business units.3
3. D'Arcy, Stephen P. and Brogan, John C. “Enterprise risk management,” Journal of Risk Management of Korea, 12, 2001. http://www.casact.org/.