Saturday, August 23, 2008

Enterprise risk management: a definition


Although the components that make up the discipline of enterprise risk management (ERM) are familiar enough, the concept itself is quite new. It is therefore important to come up with a good definition sooner rather than later. At this stage in the evolution of a discipline, a definition can be quite influential, especially if it becomes commonly accepted and widely understood, as we hope the RMA definition will be.


A good definition is one that is easy to communicate and remember. At the same time, it should be flexible enough to accommodate legitimate differences in approach among institutions, as well as any shifting nuances as the discipline develops in the years ahead.


So with those criteria in mind, our definition of ERM is: "The methodical management of all material risks."


Understanding the Definition: "All Material Risks"


To start with, what are "all material risks"? These are any risks large enough to threaten the success of the enterprise in any material way.


Some institutions reserve the term "ERM" for the management of those risks that have to be managed at the enterprise level. They would, for example, view market risk management in a trading operation not as a part of ERM, but rather as a complementary, lower-level activity. They are likely to set the bar quite high for what counts as a "material" risk.


Other institutions use the term to go more deeply--to include the management of specific risks in particular activities. We prefer to interpret the definition this way, so it embraces all levels of risk management. By implication, we set the bar of "materiality" quite low and consider any risk "material" if it threatens the success of any significant part of the enterprise. But we do acknowledge that reasonable people can differ in what they consider material, and we have no objection to the definition being used in different ways by different institutions.


What kinds of risks are we including? In any financial institution we should include not only market, credit, and operational risks, but also ALM and liquidity risks. When it comes to reputational, business, and strategic risks, many institutions would include them, but some would not. Once again, RMA prefers the broader definition, including these three types of risk as covered by ERM, but we do acknowledge that reasonable people could have different, equally valid opinions.


Understanding the Definition: "Methodical Management"


To be truly "methodical," risk management has to be based on some foundation concepts, incorporate some basic practices and processes, include creation of a risk culture, be supported by appropriate tools, and be driven and overseen by committed enterprise leadership.


Concepts. The five planks of the conceptual framework are 1) a risk language, 2) a risk culture, 3) a portfolio approach, 4) capital, and 5) a risk-return trade-off. How important these are depends on the institution. For smaller institutions, risk language and culture are the important ones. For larger institutions, they all matter.


A common language is an important part of any risk management discipline, especially ERM. Everyone who needs to know should be aware of the basic risk types, what is meant by risk appetite and profile, what a risk threshold is and its implications, the difference between "intrinsic risk" and "residual risk," what "loss given default" and "probability of default" mean, and so on.


A common language is a prerequisite for a common risk culture, a set of shared values and beliefs that governs attitudes toward risk-taking, care, and integrity, and which determines how openly risks and losses are reported and discussed.


A portfolio approach means treating an institution as though it is a portfolio of interconnected risks. It means an approach to risk management in which the impact of any one risk is managed with knowledge of how changes in the likelihood or severity of one risk will affect others. It is often expressed in statistical or mathematical terms as co-variance or correlation among risks, but it does not have to be, and indeed sometimes such precision is impossible. Still, thinking about risks in relation to one another is a hallmark of ERM.


Economic capital, the common denominator of all residual risks, is the capital sufficient to absorb loss with a certain level of confidence. Usually, it is set at a 99.9% or a 99.7% level of confidence over a one-year holding period for a particular portfolio or activity. Economic capital can be estimated for credit and market risk with reasonable accuracy in most institutions. In larger institutions, it often can be estimated for operational and liquidity risk, too, but this is difficult and, for the moment at least, the resulting estimates are a good deal less precise and reliable. Although capital cannot be estimated for most other kinds of risk in practice, it is, in principle, a universal measure of risk and consequently it has a place near the center of ERM as a common conceptual link between all kinds of businesses, activities, and risks.


Finally, the idea of a risk-return trade-off is central to the implementation of ERM. When risks are well managed, they nonetheless increase as returns increase, and pursuit of higher returns almost always involves taking on more inherent risks. Institutions may be willing to tolerate higher-than-average levels of risk, provided they are associated with higher-than-average returns. When this is the case, one can think of a large part of ERM as the management of this trade-off between risk and return along the risk-return frontier. For this purpose, many institutions use tools and processes, such as risk-adjusted return on capital (RAROC), where they have sufficient data and the investment in sophistication is worthwhile.


Practices and processes. As for all kinds of risk management, ERM processes start with the familiar steps of identifying, assessing, managing, and mitigating risks. In the ERM context, identification has to be very broad, and assessment has to use a common yardstick for the same kind of risk wherever it arises, be it economic capital or some other measure of probability and severity.


Management involves avoiding unacceptable risks and, where the costs of those strategies are too great, managing down the impact of risks, either by reducing the likelihood or severity in advance of an event, or by reducing the impact if an event occurs by proactively managing the consequences.


Where risks are accepted, common practices for managing risk impacts down include setting limits and thresholds, escalating risks or losses from one level of management to another when thresholds are breached, hedging so that the adverse market impact in one part of the portfolio is offset by a favorable impact in another, and preparing for mishaps through contingency and business resumption planning.


Risk mitigation consists of buying insurance or setting aside capital so that residual risks can be absorbed without threatening the ongoing viability of the enterprise.


Creating a risk culture. Methodical risk management also includes the creation and maintenance of the risk culture. Techniques for creating a culture include the clear assignment of risk ownership, strong controls, and the creation of incentives--both monetary and non-monetary--for prudent risk-taking. The allocation of economic capital can be a major incentive for middle management since it affects performance measures based on rates of return, and that in turn can often affect compensation and recognition.


Finally, methodical management requires the attention of management at all levels regularly, when risks change, and in a crisis. It also requires the allocation of sufficient resources--people, technology, and capital--to risk management. These may seem like elementary points to make, but they are where ERM can fail most quickly.


Tools. To support this integrated management of risk across an institution, most use a variety of analytical frameworks, guides, libraries, surveys, and databases. Today, many of these are automated to some degree and available as software tools. The wise use of tools is an integral part of methodical risk management.


Making Sure It Happens


The previous two sections define "material risks" and "methodical management." But something is still missing from the ERM definition: The full meaning is greater than the sum of the parts.


The missing component is leadership. Effective ERM requires a senior management and a board that are committed to every aspect of ERM. This leadership has to set an example first by giving risk management sufficient attention and resources. ERM requires attention regularly, as well as when circumstances change significantly and during a crisis. It also requires resources and the implementation of sound risk management practices. These may seem like elementary points; however, when they are neglected, ERM becomes nothing more than an empty slogan.


Leadership then must set an example of openness, clarity, care, and integrity, and must recognize and reward risk-taking that reflects the institution's risk appetite and is in accord with the institution's risk culture.


Of course, leadership is also about anticipating threats and opportunities, and an intrinsic characteristic of ERM is that it should be forward looking. It should influence and facilitate business strategy and shape the development and execution of business plans. And in larger institutions it should contribute to, and be evaluated against, definite targets for earnings volatility and bond ratings.


Finally, to make ERM work requires appropriate governance and oversight. Senior management has to create the right environment for risk management throughout the institution, as well as define and implement the risk management framework--the descriptions of risk and the practices and processes we have just described--using policies, procedures, incentives, and supervision. The board of directors has to understand the risks the enterprise takes on, approve the framework, agree on the policies and procedures, and verify through independent audit that what management says is happening is, in fact, really happening. All these elements of good governance are part and parcel of ERM, just as they are of any kind of risk management.


Conclusion


Our definition of ERM--the methodical management of all material risks--is a deceptively simple one. The fact that it refers to "all" material risks makes it comprehensive, and the built-in requirement that an institution adopting ERM should manage its risks "methodically" means it must meet high standards in defining, implementing, and governing a comprehensive risk management framework.


There remains plenty of legitimate scope for different interpretations of ERM in different institutions. And ERM is a young discipline, so, undoubtedly, new challenges will emerge, new approaches will be developed, and our notions of what constitutes ERM will evolve over time. Still, our hope is that the RMA definition will prove helpful to financial institutions of all kinds and sizes for some time to come.


Enterprise Risk Management


Definition:

The methodical management of all material risks.


Supporting Definitions:

Material Risks

A potentially significant threat to the success of the enterprise.

Include credit, market, operational, ALM, liquidity, reputational, business, and strategic risks.


Methodical Management

Based on five concepts: risk language, risk culture, portfolio approach, capital, and risk-return trade-off.

Includes four basic processes: identifying, assessing, managing, and mitigating risks.

Involves creating a risk culture through assigning risk ownership, leadership by example, and incentives.

Supported by appropriate tools.


Senior management provides leadership through:

* sufficient attention to risk management--routinely, in change situations, and during crises.

* sufficient allocation of resources to risk management.

* creating the right environment.

* defining the risk management framework and managing its implementation.

* ensuring that the board understands the risks, approves the framework, and corroborates what management tells it through independent audit.


COPYRIGHT 2006 The Risk Management Association
COPYRIGHT 2008 Gale, Cengage Learning

13 comments:

Matt Barney, Ph.D. said...

I'm fascinated with better deployments of leadership assessments (e.g. using Rasch, Computer-Adaptive Measurement), to address material human risks. Leadership, customer loyalty, culture and climate have all been historically poorly quantified and mitigated in traditional Audit practices, and modern psychometrics has a great deal to offer. More here http://www.scientificleader.com or http://scientificleader.wordpress.com

Anonymous said...

Wow, excellent post. I'd like to draft like this too - taking time and extremely hard work to make a great article. This post has inspired me to write some posts that I am going to write soon on business risk and financial risk.

Rita Dev said...

Risk management is something very important for any business and I found this blog very informative for my online MBA course I am doing from the distance learning center.

Sid Kapoor said...

Great Blog

Sid Kapoor said...

Great blog. The information you shared regarding enterprise risk management is really helpful. ERM is very important for every company as it helps to manage risk efficiently.

rfirjg said...

Risk management is essential for making informed decisions and ensuring stability in the face of uncertainty. It involves identifying, assessing, and proactively addressing potential risks to achieve long-term success.