Driving Need for ERM
Originally Published: March 31, 2001
Most executives would probably agree that risk management is a part of their job and that risks facing companies are on the rise; However, if you ask executives to define risk management or to elaborate on the levels of risk facing their company, you will certainly get varied responses. Some say, "It's about preventing disasters," while others say, "It's something the insurance or finance people handle."
Financial Executives Research Foundation recently published a book summarizing research on risk management gleaned from five companies in different industries. The book, Making Enterprise Risk Management Pay Off, details how the five (J.P. Morgan Chase & Co., E.I. du Pont de Nemours and Co., Microsoft Corp., United Grain Growers, Ltd., and Unocal Corp.) are implementing enterprise-wide risk management. A key finding in the study is that risk management is not just about disasters or insurance or finance, but rather how to effectively run a business and understand, at the core, the risks facing the business.
Today, successful risk management is not only about the downside-it is just as much about opportunities and the upside. Historically, companies have taken a "silo" approach to managing risk, i.e. they focused on how to manage the most obvious risks individually. This new approach, enterprise-wide risk management, seeks to maintain or improve shareholder value by managing uncertainties that may negatively or positively affect the achievement of company objectives. Further, it is an integrated approach utilized to manage all risks in the aggregate.
What has propelled companies to begin adopting an enterprise-wide approach to risk management? The study identified three major reasons. First, corporate scandals internally or at other companies have shed light on the need to manage strategically in an effort to avoid such catastrophes that often leave executives unemployed. Secondly, many executives believe that risks are higher than ever before. However, they are unsure about how to manage them - therefore, many executives are welcoming risk management plans and infrastructures. Finally, companies have learned that managing risk correctly can lead to increased shareholder value. Companies are hoping to shift from a simple control process to a value creation process using the enterprise-wide approach.
There is no "cookie-cutter" approach to risk management. Each company in the study developed different, yet overlapping methodologies. A three-step process, however, has led each company's management to believe that they have added value to their organization. The three steps are: identify risks, rank risks, and attempt to measure risks.
Risks can be identified in several different ways: using scenario analysis, brainstorming, performing risk self-assessments, and by looking across the enterprise to ensure all major business risks have been covered. However, it is important to realize that risk identification is not static. As risks change due to changes in business, industry, or the economy, the risk identification process must also change.
Once risks have been identified, they should then be ranked according to the effect of the risk on the business. A good start to assessing the effect on the business is to rank risks according to their likelihood. Regardless of the method used, the goal is to make decisions about the importance of all the identified risks facing the business.
Finally, companies should attempt to measure risks. As alluded to earlier, some companies implicitly or explicitly rank risks, while others may validate a risk's perceived importance. Again, regardless of the method, gathering additional evidence helps management effectively allocate capital and avoid over-managing less important risks and/or undermanaging more important ones.
While the impact of certain risks can be measured, others are not easily quantified. When measuring financial risk, the most sophisticated measurements are value at risk (VAR) and stress testing; VAR measures the effect of unlikely events in normal markets while stress testing measures the effect of plausible events in abnormal markets. Risk, however, has been evolving in such a way that it now includes elements of nonfinancial risk. These nonfinancial risks are more problematic for companies because they defy easy, reliable measurements. Nonetheless, you can see below that the companies studied have developed some diverse approaches to measuring these risks.
• United Grain Growers, Ltd. - Developed gain/loss curves to reveal the dollar effect and likelihood of a risk affecting earnings. By doing so, they were also able to negotiate insurance coverage incorporating its most significant risk, grain volume, at no incremental cost.
• DuPont - Developed earnings at risk (EAR) measurement tools to quantify the effect of a risk on reported earnings. As a result, they were able to manage risks to a specified earnings level based on their risk preference. Further, they can now begin to see how risks affect their chances of achieving earnings targets.
• Chase Manhattan - Developed shareholder value added (SVA) measurements to compel decision-makers to consider the cost of risk. While asset growth under SVA has slowed from 15 percent to two percent in three years, cash income is growing at 17 percent.
• Microsoft - Utilized an advanced version of scenario analysis to measure nonfinancial risk. Microsoft's risk management department used several scenarios to identify key business risks, including the possibility of an earthquake in the Seattle region and a major downturn in the stock market.
Measuring risk using an enterprise-wide approach is proving to be very beneficial to companies. In fact, after performing such an analysis, management has often learned that the real effect of a particular risk is significantly higher or lower than previously imagined. Therefore, it has become increasingly important that companies have reliable risk measurement techniques - when management knows the real level of risk they face, they are able to manage those risks more effectively.