Читать книгу Implementing Enterprise Risk Management - Lam James - Страница 9

The above concepts interact to determine the specific risk levels and enterprise risk profile of an organization. For individual risks – such as credit, market, and operational – the risk levels are greater the higher the exposures, probabilities, severities, and time horizons of the specific positions. At the portfolio level, the risk profile will be greater the higher the concentrations and correlations within that portfolio of risks. At the overall level, the correlations across risk portfolios (e.g., credit risk, market risk, operational risk, etc.), and the organization's risk capacity, will determine the enterprise risk profile.

Risk Is a Bell Curve

A simple visualization effectively synthesizes these ideas: a bell curve. The notion that risk is a bell curve is a key idea that I will discuss throughout the book. When using bell curves to represent risk in a given context, each point on the curve represents a different possible outcome. The horizontal axis provides the range of outcomes, and the vertical axis provides the probabilities associated with those outcomes. As such, the bell curve is a vector of probabilities and outcomes, and collectively these probabilities and outcomes represent the aggregate risk profile. Figure 1.1 provides an illustration of a bell curve.

FIGURE 1.1 Risk as a Bell Curve

It is important to consider the following points when conceptualizing and quantifying risk as a bell curve:

• Risk comes in different shapes and sizes. Some risks – such as interest rate risk or market risk – tend to be symmetrical.2 These risks are normally distributed where there is equal probability of gains or losses of similar sizes. Other risks – such as credit risk or operational risk – are asymmetrical with more downside than upside. If a loan pays off, the lender gains a few percentage of interest income, but if it defaults, the lender can lose the entire principal. If a core IT operation is running smoothly, it is business as usual, but a failure can cause significant business disruption. Risks can also be asymmetrical with more upside than downside, such as an investment in a new drug or a disruptive technology. Such investments can produce unlimited upside but the downside is limited to the amount of the investment.

• Risk should be measured relative to business objectives. The risk metric used should be based on the context of the specific business objective and desired performance. For example, at the enterprise level the risk metrics can be earnings, value, and cash flows to quantify earnings-at-risk (EaR), capital-at-risk (economic capital or CaR), and cash flow-at-risk (CFaR), respectively. Such performance-based models can support the organization in managing corporate-wide objectives related to earnings performance, capital adequacy, and liquidity risk. At the individual business or risk level, the risk metric used should be linked to the specific business objective, such as sales performance, IT resilience, and talent management.

• The bell curve provides the downside, but also the mean and upside. Risk managers tend to focus mainly on downside risk. For example, EaR, economic capital, and CFaR models usually quantify the downside outcome at a 95–99 % confidence level. However, a proper definition of risk must include all eventualities. The bell curve provides the full spectrum of risk, including the mean (i.e., expected outcome) as well as the downside and upside scenarios. By adopting a more expansive consideration of potential outcomes, risk managers can make more informed risk-based business decisions. The same variables that can produce unexpected loss can also produce unexpected gain. Downside risk analysis can inform capital management, hedging, insurance, and contingency planning decisions. Analyses of expected value can support financial planning, pricing, and budgeting decisions while upside risk analysis can shape strategic planning and investment decisions.

• The objective of management is to optimize the shape of the bell curve. It has often been said that value maximization is the objective of management. To accomplish this objective, management must maximize the risk-adjusted return of the company. In other words, it must optimize the shape of the bell curve. For example, management should establish risk appetite statements and risk transfer strategies to control downside tail risks. Pricing strategies should fully incorporate the cost of production and delivery, as well expected loss and economic capital cost. Strategic planning and implementation should increase expected earnings and intrinsic value (moving the mean of the bell curve to the right). This objective extends to a non-profit organization, but return is driven by its organizational mandate.

By conceptualizing – and ideally, quantifying – any risk as a bell curve, companies can manage them most effectively. This applies even to intangible risks that are difficult to quantify. Let's use reputational risk as an example. The mean of the bell curve represents the current reputational value of the organization. Reputational risks would include the key variables and drivers for the organization in meeting the expectations of its main stakeholders: customers, employees, regulators, equity holders, debt holders, business partners, and the general public. As with other risks, these variables and drivers can be measured and managed to enhance the organization's reputation, including downside and upside risk management.