With a global financial crisis gripping the world economy, it's no wonder that more executives than ever are focusing on how well they control risk in their organization. After all, if disaster can happen to the largest of players, it's only natural for everyone to be asking, "What about me?"
It's no secret that many publicly listed, closely-held, and even not-for-profit organizations have begun to embrace enterprise risk management (ERM) as a corporate imperative. Corporate boards have reassessed their role in today's legal and economic environment and are beginning to exert pressure on the C-suite (the CFO in particular) to understand and analyze enterprise risk as a necessity to help achieve corporate objectives. Further, analysts are beginning to question CFOs and CEOs during earnings calls about how the company is addressing risk from an enterprise basis. And, with Standard & Poor's and Moody's coming under fire for less-than-rigorous evaluations of risk to corporate ratings, ERM will likely stay at the forefront of leadership attention.
The confluence of the various external pressures on organizations to manage risk, coupled with regulation on both the federal and local levels, has resulted in the marriage of good corporate governance and risk management. As boards and executive management teams identify governance issues to be managed, a spotlight has been cast on the risks and underlying business processes and the relevant controls in place.
When it comes to publicly traded companies, few would argue that the primary goal is to create value for the shareholders. Shareholder value is created, preserved, or eroded by management decisions throughout the organization. Individual decisions -- each with its own value and purpose -- may result in the unintended consequence of heightened risk when taken in the aggregate. An effective enterprise risk program provides the foundation for the organization to deal effectively with potential future events that create uncertainty. As a result, organizations are better enabled to respond in a manner that reduces the likelihood of downside outcomes and increases the ability of the organization to seize additional opportunities. The definition of enterprise risk management may be summed as an approach to aligning strategy, processes, and knowledge to minimize surprises and losses while capitalizing on business opportunities.
A mature, effective, risk management program is designed to enhance governance that supports decision-making throughout the organization by:
- Achieving strategic objectives and improving financial performance by managing risks that have the largest potential impact;
- Assessing risk in the aggregate to minimize surprises and reduce earnings fluctuations;
- Fostering better decision-making by establishing a common understanding of accepted risk levels and consistent monitoring of risks across business units; and
- Improving corporate governance with better risk management and reporting processes, thus fulfilling stakeholder responsibilities and compliance with regulatory requirements.
Putting an ERM Program in Gear
Regardless of whether a company has an existing risk management program in place or is currently exploring how a risk management framework and culture could be implemented to help drive shareholder value, when it comes to managing risk on the enterprise level, the following steps can be followed to achieve program success:
1. Perform a risk readiness assessment. The objective for a risk readiness assessment is to develop the risk "game plan" -- that is, the road map to achieve a fully implemented, integrated program. The key element in the initial risk assessment is to begin the cultural acclimation to tie corporate objectives to overarching, enterprise risks that could hinder the achievement of corporate goals. During this phase, management across the corporation identifies goals, objectives, and related risks to assemble the risk inventory. The risk inventory is then evaluated, often using risk weighting or ranking algorithms, to separate the identified risks into those that are of an enterprise nature and those that are business unit--specific or function-specific. The risk ranking elements include factors considering the probability or likelihood that the event will materialize and an analysis of the severity of the impact on the organization. The estimate of the severity should include not only the period or one-time costs associated with an event, but also any loss in market capitalization that may occur as a result -- the complete estimate of "value at risk."
This high-level view of risk materialization and its impact is then used to identify the operational factors or areas where risk tracking and monitoring may take place, resulting in a game plan to move forward.
2. Lay an ERM foundation. The ERM foundation addresses the key components of change as the organization moves to a risk management culture. When successfully implemented, the risk management culture becomes the way in which the organization does business on a day-to-day basis as opposed to an overlaid control mechanism destined to fail over time -- it becomes a permanent change in orientation.
As the road to risk management is tread, leadership from the senior level is demonstrated by the appointment of a senior manager with the authority and responsibility to manage risk. In some organizations, this responsibility is delegated to a newly anointed "chief risk officer," the CFO or another senior executive. The key is that the risk champion is at a sufficiently senior level to develop and effectively implement the risk management framework.
For each of the enterprise risks identified during the assessment, risk appetites and tolerances must be developed to allow mitigation activities or enhanced opportunity activities to be taken in a timely fashion. This new focus is intended to result in the adoption of a new "risk" language into the corporate lexicon. Risk is viewed as a "portfolio" to be managed to help achieve corporate goals and objectives. However, as part of foundation development, the risk champion is faced with developing the definition of the risk management framework. Some have adopted COSO's ERM framework, while others have adopted AS/NZ 4360, while others have developed their own proprietary framework.
Regardless of the framework approach selected, the key to success is to ensure that all of the key elements are properly integrated -- risk environment, risk appetite, risk management techniques, and the framework analysis. A representation of this integration of function is presented in the chart "An Integrated Risk Management Framework."
3. Gain an understanding of historic risk. As future risks are identified and impacts estimated, historical risk events are also identified and analyzed to provide a perspective for risk reporting going forward. As risk monitoring and tracking matures, historical risk reports are updated to reflect changes in the environment and further the understanding of the impact on shareholder value.
4. Integrate risk measurement and financial reporting. While implementing the risk framework, those risks that have an enterprise impact are disaggregated into their elemental operational components. From this, a series of key risk indicators can be selected and built into existing management reporting systems or business intelligence systems to facilitate monitoring and analysis and reporting -- key elements of a successful risk management program. A number of software vendors have developed and are marketing products designed to be integrated with existing software platforms to manage risk. Many of the commercially available software products were originally developed to support Sarbanes-Oxley compliance but have been expanded to include enterprise risk management capability. (See the case study sidebar.)
5. Establish procedures for ongoing optimization. As the risk management program reaches a mature level and risk measures are reported periodically to serve as management's "early warning system," enterprise risks are revisited along with evolving corporate goals. Risk appetites and tolerances are reviewed, and mitigation actions are updated to correspond to changes in the accepted risk profile -- thus a fully implemented program has been achieved.
Management clearly owns and is responsible for enterprise risk, but there is a key player not yet addressed -- internal audit. Internal audit can play a key role in the ongoing management of an effective risk management program. As business unit audits are conducted, the chief internal auditor may adopt an approach in which business unit effectiveness in managing risk is assessed as part of the regular financial audit plan. This independent assessment provides both line management and executive management with an assessment and identification of areas where the risk management program may be strengthened.
The cost and time investment of implementing a fully integrated risk management program can be substantial, but on the flipside -- the cost of not having a robust risk management program -- can be far greater, with long-term effect.
High-Value Practices to Ensure Success
What are the characteristics that are displayed by corporations that have successfully implemented enterprise risk management programs? What can we learn from the successes and failures of others?
Just as successful corporations have followed similar paths to implementing fully integrated risk management programs, those that have done so -- as well as those that have struggled -- provide insight into the critical characteristics needed for success:
- Leadership from the top of the organization must be strong -- the risk management mentality must be embraced by the organization. Risks are managed as portfolios with clear lines of responsibility and authority.
- Risk measurement and monitoring are built into existing operations. Metrics within business units are identified to link risk with measurement and reporting, providing visibility and insight into existing operations to plan and mitigate the downside and identify upside opportunities to be seized for the creation of incremental value.
- The above notwithstanding, staff should be educated and trained on risk management and how the data obtained may be translated into information having value for management decision-making.
- Internal audit must possess a "business risk mind-set" when auditing operations, to help strengthen and enhance the ongoing risk management program.
At the Intersection of ERM and Financial Planning: Forecasting the Impact of Market Risk on Earnings Volatility
Objective
As a part of its expanding enterprise risk management program, a $25+ billion life insurer and investment company, wanted to improve its ability to understand its enterprise-wide exposure to adverse movements in equity markets. Internally, senior management wanted to factor this downside market risk (equity volatility) into its financial planning and pricing considerations. Externally, company leaders were seeking a better way to articulate and communicate the equity sensitivity of its GAAP and statutory results to Wall Street analysts, rating agencies, state insurance regulators, and others.
The Solution
Risk consultants developed a deterministic model to enable the company to forecast and assess risk while evaluating the impact of price swings in equity-sensitive products and holdings. This model was based on a simpler version that the company had created internally. This deterministic model (a set of differential equations that gives a gives a fixed and precisely reproducible result) was designed to provide a "live" prototype that would be the foundation for the future development of a more complex, stochastic model.
The final deliverable was a multilevel forecasting model that projected both GAAP and statutory financials to derive GAAP EPS and statutory surplus (equivalent to shareholder equity). The planning horizon was one year broken down into full quarterly P&Ls. The risk model enabled the company to input percentage decreases in the equity market, from which it calculated changes in EPS and surplus.
This solution incorporated several key characteristics that actually work together to build capability within the company, with features that are:
- Capable of easy modification by the company's risk and finance professionals to accommodate future products.
- Sufficiently flexible to accommodate a wide range and a changing landscape of potential market and policyholder behavioral scenarios.
- Adaptable to take into account GAAP and statutory components to reflect the company's evolving tax position.
Methodology
To complete this enterprise-wide risk project, consultants addressed several critical issues. First, they defined the input process as follows:
- Identify key assumptions and equity sensitivity drivers.
- Develop risk profiles by equity-sensitive product.
- Determine betas (volatility) applicable to each product or source, if available.
- Model deferred acquisition cost (DAC) assets and reserves.
- Convert raw actuarial data into model inputs.
The second major issue was coordination of the required input from key company functions, including risk management, financial planning, investments, accounting, tax, and actuarial. Through collaboration with these various functions, the consultants uncovered all material aspects of the company that were sensitive to equity market volatility (e.g., investment management fees, DAC, pension funding, etc.).
The consultants then integrated these market risk data into the financial planning process. GAAP and statutory financial projections were developed that incorporated the enterprise-wide market sensitivity elements.
Benefits
This easy-to-use equity risk model for assessing the impact of movements in the equity markets on the company's financial results delivered the following benefits:
- Informed the forecasting process and strengthened decision-making capabilities in such areas as capital management, asset allocation, product pricing, and hedging strategies.
- Provided data that could be used with the stock analyst community, reducing their concerns over the impact of equity price swings on the company's stock price.
- Enabled the company to keep ahead of the evolving demands of the rating agencies (e.g., S&P) and state regulators.
- Provided a better tool to the company's enterprise risk management committee for tracking the changing sensitivity of earnings to equity risk.