Read the book: Implementing Enterprise Risk Management - Lam James - Page 11
Part One
ERM in Context
CHAPTER 1
Fundamental Concepts and Current State
THE CASE FOR ERM
Despite the high-profile losses, the 1990s saw important steps forward in ERM. Risk quantification became more sophisticated with the advent of value-at-risk models (VaR). Before VaR, the primary risk measure was probable maximum loss, which is similar to the potential loss and can be expressed in the question, “What's the worst that could (reasonably) happen?” By contrast, a VaR metric predicts, to a specific level of confidence, potential losses over various time intervals. Early versions of modern ERM appeared around this time as companies developed more sophisticated risk quantification methods for market risk and credit risk, as well as initial operational risk management programs. In the mid-1990s, companies began appointing chief risk officers (CROs) to establish a C-suite executive who could integrate the various risk management functions under a single organization. Steady progress continued until the 2008 financial crisis, which revealed numerous shortcomings in risk management models and reminded businesses of the need for improvement.
Organizations continue to discover the value of ERM and work to implement their own customized programs. Let us look at three perspectives:
• The current demand for ERM
• The current state of ERM
• What ERM can look like and what it can do
The Current Demand for ERM
We work in a business climate rife with volatility and risk. A recent survey by the Association for Financial Professionals (AFP) found that 59 percent of financial professionals consider their firms to be subject to more earnings uncertainty now than five years previously. Only 12 percent believe they are operating with more certainty today.[4] A similar majority said it is more difficult to forecast risk than it was five years ago and foresaw it getting even more difficult three years hence. Risks considered to have the greatest impact on earnings were (in order of decreasing frequency): customer satisfaction and retention, regulatory risk, GDP growth, political risk, energy price volatility, labor and HR issues, and natural disasters.
So what are firms doing to prepare for these risks? By their own admission, less than they would like. Only 43 percent of respondents to the AFP study felt their ability to forecast crucial variables was relatively strong while the rest needed improvement; 10 percent even considered their capabilities weak to nonexistent. Companies recognize a growing need for changes in risk management processes. Organizations are hiring risk professionals, investing in IT systems, automating financial processes, and placing a greater focus on risk awareness and culture. Many have beefed up executive review of business strategy and assumptions (63 percent) while others have increased risk analysis and forecasting as well as reports to management.
The individual ultimately responsible for managing this growing risk is frequently the CFO, named by 38 percent of the firms surveyed. Another 28 percent named the CEO or COO; 14 percent operated under a risk committee, 11 percent named the treasurer, and only 9 percent had a chief risk officer (CRO) as the primary overseer of risk management. It is important to note that these results were based on a cross-industry survey.
Old Methods Won't Work
Today, companies recognize the need for better risk management, but amplifying old methods or tweaking existing structures to deal with increased risk carries dangers. Just one example: the highly interdependent risks that organizations frequently face. Figure 1.2 provides an illustration of risk interdependency in the form of a Venn diagram.
FIGURE 1.2 Risk Interdependencies
Key interdependencies exist between financial and business risk, business and operational risk, and operational and financial risk. Furthermore, each major risk category comprises subcategories. For example, financial risk, as demonstrated in the figure, can be broken down into market risk, credit risk, and liquidity risk. These financial risks in turn have their own interdependencies.
Let's examine loan documentation as a practical example of a key interdependency between operational risk and financial risk (in particular credit risk). As a business process, loan documentation quality is considered an operational risk. If a loan is performing (i.e., the borrower is making timely interest and loan payments), the quality of that specific loan document has no real economic impact. But if the loan is in default, the documentation quality can have a significant impact on loss severity because it affects collateral and bankruptcy rights. Loss analyses conducted by James Lam & Associates at lending institutions revealed that up to one-third of “credit losses” were associated with operational risks.
According to the AFP survey above, about 12 percent of firms still use a siloed, decentralized structure. But in a complex, interlocking system of company-wide risks, this strategy is clearly insufficient. Some risks may remain poorly understood or even ignored. Gaps and redundancies may go unnoticed and unaddressed. And aggregate risk exposures across the organization could pose hidden threats. For example, if business units use different methodologies and systems to track counterparty risk, then it is difficult to quantify the aggregate exposure for a single counterparty. While the individual exposures at each business unit might be acceptable, the total counterparty exposure for the organization may exceed tolerance levels.
On the other hand, an overly centralized system of risk management can fail to integrate the relevant risk information into the decision-making processes of an organization. A full 28 percent of organizations have a centralized risk management system, which can lead to ineffectual top-down management of risk-related decisions. Most organizations (60 percent) operate under a structure with centralized processes but decentralized implementation. In this arrangement, the risk monitoring, reporting, and systems are centralized, but the implementation of risk management strategies is in the hands of each business unit.[5]
In a volatile economic climate, the most successful companies establish comprehensive, fully integrated risk management processes at each level of decision-making. ERM provides integrated analyses, strategies, and reporting with respect to an organization's key risks, which address their interdependencies and aggregate exposures. In addition, an integrated ERM framework supports the alignment of oversight functions such as risk, audit, and compliance, which rationalizes risk assessment, risk mitigation, and reporting activities. It also considers how macroeconomic factors, such as interest rates, energy prices, economic growth, inflation, and unemployment rate, can impact the organization's risk/return profile. This interweaving of ERM into an organization adds strength throughout, whereas merely applying a superstructure from the top down may leave weaknesses unaddressed.
Integration Adds Value
The value that integration adds is visible in many areas of business and life, including fitness and sports. Over the past few decades, many disciplines have experienced greater effectiveness through integration. Take the example of cross-training in fitness. By integrating cardiovascular workouts with strength training, flexibility, and endurance, athletes can prevent and rehabilitate injuries as well as enhance strength and power. Similarly, the integration of various fighting styles into mixed martial arts (MMA) has added value to centuries-old practices and beliefs. Whereas martial artists once argued about which style was superior, the emergence of MMA has changed their attitude. Mixed martial artists combine karate, kung fu, jujitsu, tae kwon do, wrestling, and multiple other fighting styles, allowing them to adapt to any situation. This gives them a significant advantage over a fighter trained in a single style.
So too, integration of ERM into business strategy leads to more informed and effective decisions. In fact, I believe the integration of strategy and risk is the next frontier in ERM, as it allows a company's board and management to understand and challenge the underlying assumptions and risks associated with their business strategy. Expanding technological capabilities have put this within the grasp of most companies. System integration allows for enterprise-level data management, robust business and data analytics, straight-through transaction processing, and more effective reporting and information sharing.
According to a 2013 Deloitte study, 81 percent of the executives surveyed now have an explicit focus on managing strategic risks, in contrast to the traditional focus on financial, operational, and regulatory ones.[6] The study suggests a reason, too: Strategic risks represented approximately 36 percent of the root causes when publicly traded companies suffered significant market value declines over the past 10 years. This was followed by external risks (36 percent), financial risks (17 percent), and operational risk (approximately 10 percent).[7]
4. Wittenberg, Alex. 2013 AFP Risk Survey, Association for Financial Professionals, 2013.
5. Wittenberg, Alex. 2013 AFP Risk Survey.
6. Global Risk Management Survey, Eighth Edition: “Setting a Higher Bar,” Deloitte Touche Tohmatsu Limited, 2013.
7. Kambil, Ajit. “The Value Killers Revisited: A Risk Management Study,” Deloitte LLP, 2014.