Monday, August 25, 2008

Step-by-Step Enterprise Risk Management



Brown, Benton A


The purpose of this article is to explain to CEOs and other senior managers the scope, mechanics and potential benefits of enterprise risk management. In addition, risk managers with a more targeted purview (i.e., credit risk managers, interest rate risk managers, insurance risk managers, insurance program managers) may find the article useful for evaluating the context and contribution of their activities.


Identify, Measure, Monitor, Control


A corporate risk policy facilitates a four-step process: identify the major risks faced by the company, and then create an organized approach to measure, monitor and control those risks.


Measuring is the process of assigning a value to a given risk level, either quantitatively or qualitatively. Monitoring is the process of tracking changes in that risk measure over time, often reported against a limit or benchmark. Controlling is the process of modifying the risk level to comply with the risk-taking appetite and policies set by the shareholders and board of directors, including transferring, eliminating, financing or reducing losses or potential losses.


This framework is applied to each classification of risk. The table below examines eight significant risks that fall into four categories: financial risk, operational risk, strategic risk and hazard risk.


This taxonomy demonstrates one approach to identification. All risks can be categorized into four subject areas. Financial risks are those that relate to treasury and investment activities. Operational risks are those that relate to the ongoing business activities (people, processes, technologies) necessary to produce and sell an entity's products. Strategic risks relate to the entity's decision-making process at the senior management and board of directors level. Hazard risks are unforeseen events that arise outside of the normal operating environment (often thought of as insurable risks). Any particular entity will face a unique set of component risks under these four categories.


By dissecting each category of risk, and explaining these processes to senior management, we take the first step in introducing enterprise risk management. That is, by defining the parts, we can eventually show how they all work together. The first step is elaborating on the taxonomy.


Financial: Market Risk


-Identification: Adverse movements in prices (such as stocks or commodities) or rates (such as interest rates or foreign exchange rates).


-Measurement: Notional measures such as position values; sensitivity measures such as duration and beta relative to changes in benchmark risk factors; and optionality measures, such as delta, gamma, vega, theta and rho, which assess risk relative to small changes in a specific risk factor.


-Monitoring: Position reports, value-at-risk (VaR), scenario simulations and stress testing.


-Controls: Effective methods for controlling market risk involve establishing and closely monitoring a limit structure appropriate for the institution's level of risk. Such a limit structure would include limits on net positions, stop/loss limits, value-at-risk limits and other limits based on maturity or optionality. Such a limit structure should be closely related to credit and liquidity controls.


-Application: A bond trader uses a daily VaR report to monitor the market risk of his taxable bond positions. The VaR report shows the current potential losses embedded in his positions based upon historical volatility. When the potential losses exceed his limit, the trader will sell the more volatile assets and reduce his value-at-risk to acceptable levels.


Financial: Credit Risk


-Identification: Counterparty fails to perform as agreed under contract, due to either an unwillingness or inability to pay in a timely manner.


-Measurement: Credit risk is often measured with a relative value score such as a credit rating. Assessment factors include financial capacity such as current levels of earnings, cash flow and capital, as well as historical payment patterns and recent events.


-Monitoring: An annual review of the counterparty's credit file (with updated information), increased frequency of reviews for riskier counterparties, and spotting trends in economic and industry factors that may contribute to adverse credit migration (deterioration in the counterparty's credit score).


-Controls: Limits on exposure to individual counterparties, industry concentrations and product types, netting agreements across subsidiaries and products, third party guaranties, and credit swaps.


-Application: A loan portfolio manager reviews several counterparty credit files. As a result of deteriorating economic conditions, operating profits have dropped for several companies. As a result, the internally assigned credit scores have dropped. In order to reduce the risk of default or slow payment, several unused lines of credit are cancelled. Restrictions are imposed on new lending to customers.


Financial: Liquidity Risk


-Identification: Liquidity risk includes funding (relating to an organization's inability to meet its obligations due to inadequate cash flow or liquid assets) and market liquidity (when an asset cannot be converted to cash without significant loss of value).


-Measurement: Cash-on-hand, working capital, lines of credit, assessments of unrealized losses on capital and the impact of early termination of derivatives and other contracts.


-Monitoring: The most important goal of any liquidity monitoring process is to provide credible advance warning of a pending liquidity crisis. Components of liquidity monitoring can include daily position reports and cash flow forecasts. Daily net-open-position reports can be used to indicate overall liquidity. Cash flow forecasting can measure short-term liquidity positions.


-Controls: A critical control mechanism is the contingency liquidity plan. This plan can provide objective guidance during times of a liquidity crisis. A liquidity crisis can deteriorate rapidly, leaving management little time to analyze and implement a solution. Other components of liquidity risk control can include strict notional limits on illiquid financial instruments. In addition, minimum earnings and capital thresholds that trigger asset sales to raise cash can help maintain cash balances during periods of declining operating cash flows.


-Application: A property and casualty risk manager reviews cash flow forecasts. He observes that projected casualty losses in the next twelve months are increasing, and that the corporate cash position has remained stable but the value of the equity portfolio has declined. He instructs the investment manager to reduce real estate and venture capital holdings and to raise the level of short-term treasury securities.


Operational: Systems Risk


-Identification: The risk that an information technology system will fail to perform or be otherwise deficient such that the company is exposed to a significant avoidable loss.


-Measurement: Mean time between failures, average down time per period and processing error rates.


-Monitoring: Capacity utilization and other monitoring software should be installed to monitor system usage, load and capacity constraints.


-Controls: Well-developed business continuity and disaster recovery plans respond to major systems failures, addressing a range of possibilities including catastrophic loss of a critical location and major internal and external component failures.


-Application: The chief information officer reviews the monthly operating statistics and notices that the secure server has been knocked off-line more frequently due to system overloads. The system has been operating at 90 percent capacity for several months. He contracts with a service provider to handle peak operating loads and develops a contingency plan to move operations to another site in the event of catastrophic system failure lasting more than a few days.


Operational: Human Error Risk


-Identification: The risk that an employee, agent or contractor will fail to perform, or be otherwise deficient, such that the company is exposed to a significant avoidable loss.


-Measurement: Performance measures such as processing error rates measure mistakes that have occurred. Academic and professional qualifications assess the potential for human errors.


-Monitoring: Ongoing management testing of employee knowledge, specific audit programs, quality control programs.


-Controls: A well-written, comprehensive set of critical procedures covering all aspects of operations as well as an ongoing objective testing and training function represent effective controls for human error.


-Application: A project manager reviews the error rate of a document coding team. She notices that five weeks after initial training, error rates increase dramatically. She implements a mandatory refresher course at four-week intervals.


Strategic: Legal and Regulatory Risk


-Identification: Legal and regulatory risks include the risk of both civil and criminal lawsuits, regulatory sanction, costs of compliance and other restrictions imposed by political authority.


-Measurement: Settlement costs, penalties and fines paid, and the operating budgets of the legal and compliance departments.


-Monitoring: Compliance testing.


-Controls: Corporate policies, internal audits, new product reviews, legal reviews and company training programs can help promote a clean operating environment.


-Application: A compliance manager at a brokerage firm receives a memo from the legal department indicating that lawsuits and settlement amounts are increasing as a result of new regulation. A team from compliance, legal and human resources develops an employee testing and training program for all employees involved.


Strategic: Business Strategy Risk


-Identification: The risk of loss associated with bad decision making by senior management, including mergers and acquisitions, product pricing, market entry and exit and new product development.


-Measurement: Earnings, capital and stock price. More sophisticated measures include economic value added (EVA) and risk adjusted return on capital (RAROC).


-Monitoring: An annual or quarterly benchmarking analysis of performance against a peer group's results.


-Controls: An independent, informed and active board of directors exercising appropriate oversight of management decision making and corporate operations is the primary control of strategic risk.


-Application: The chairman of the board is concerned about the performance of her company's stock. She orders a consulting firm to compare the stock market performance of similarly sized companies competing in the same market. She instructs the CEO to explain the differences in operating results for the company's different market segments on a risk-adjusted basis.


Hazard: D&O Risk


-Identification: The exposure of corporate managers to claims from shareholders, government agencies, employees and others, alleging mismanagement.


-Measurement: Litigation settlements, claims paid and the cost of insurance.


-Monitoring: Monitoring of D&O liability is largely a matter of claims tracking and analysis. Additional monitoring can include tracking the time spent by directors on corporate matters and performance evaluations.


-Controls: Sophisticated corporate governance and related compliance programs can help control D&O losses. In addition, nominating committees should carefully evaluate the qualifications of new board members.


-Application: Concerned about rising shareholder litigation and settlement amounts, senior management conducts extensive quarterly briefings designed to educate the board of directors about the complex details of the company's operating strengths and weaknesses. New board members are evaluated on their knowledge of the industry and state-of-the-art management techniques.


All Risk Is Linked


All companies are in the business of taking risk. Any approach to risk management, therefore, must incorporate competitive advantages. Viewing all segments of risk in the same frame facilitates this. In this process, consider the following:


1. Risk as a variable cost element. If return is the benefit then risk is the cost. Risk, like other costs, can be fixed or variable. Analyzing the risk profile reveals how risk levels vary with different business activities. This way companies can determine what risks they manage better than others. With this understanding, they can increase the business activities in which they manage risk well, and lower commitments to business activities with little or no risk management advantage. This may mean a strategic exit or an outsourcing opportunity.


2. Efficient risk taking. Another way to look at risk taking is to plot the efficient frontier of business activities. One approach is targeting commitments to business activities that offer higher returns and lower risks. This approach allows a company to manage its risk profile in a way that reinforces its advantages in generating returns as well as in managing risks.


3. The portfolio of risk approach. Larger and more diversified organizations, such as holding companies or conglomerates, can be considered portfolios of subsidiary companies. Each company has its own unique risk profile, yet the risk profile of the parent company may be completely different given corporate support and other synergies. From a portfolio management perspective, these companies should ask: How do the subsidiaries relate to each other, both operationally and financially? What is the level of support available from the parent? Under what conditions would the parent sell a subsidiary? Any company with more than one product line can be analyzed this way.


4. Mergers and Acquisitions. The risk is unknown liabilities in the target company. Inadequate information about a target's risk profile can raise the cost of financing the transaction or depress the selling price. Specific risks of concern include: environmental issues, product liabilities and warranties, class action litigation, and tax treatment. A well-developed enterprise risk management program can provide adequate information to a suitor or serve as a reference for evaluating the "goodness of fit" of a target.


Board of Directors


Once senior executives comprehend the different divisions of risks that are linked within the company, the next step is to make them aware of their role in risk management.


Ultimately, the board of directors needs to approve of the overall approach to risk taking. The company's risk management policies and procedures should provide guidance and operating parameters that allow for the identification, monitoring, measurement and control of the risks involved with its business lines and other significant activities. Additionally, the lines of risk-taking authority and accountability should be clearly defined.


The board must:


1. Create an annual review of risk policies and critical procedures. This is the most fundamental practice by which the board of directors can express its appetite for risk and its attitude toward risk management.


2. Be involved in approving the risk limits. Limits are an essential method for controlling risks. Limits are an explicit statement of the company's appetite for risk.


3. Create a new product development process. This is a key process in controlling future exposures. The board should ensure that all new products are subject to a comprehensive review by such areas as audit, legal, compliance, operations and risk management.


4. Monitor policy exceptions. It is equally important for the board to ensure the proactive elements of risk management, as defined above, as it is to determine a reactive approach. Handling exceptions to risk policies should be well defined and strictly audited, and should be closely monitored by the board.


Testing ERM


Enterprise risk management has many drivers. In the banking industry the Federal Reserve and Office of the Comptroller of the Currency conduct "safety and soundness" examinations of the larger banks. For all practical purposes, these are enterprise risk exams. The National Association of Corporate Directors encourages audit committees to expand their scope of risk management reviews. A recent article on CFO.com noted that 41 percent currently have an ERM approach, 19 percent plan to implement an ERM in the next year and 13 percent plan to have an approach in place in the next two to five years. The spate of publicly traded corporate profit warnings over the last two quarters also suggests that there may be increased interest in exploring this opportunity.


The holistic movement is moving. Senior managers need to understand the costs and benefits of their risk-taking activities, and that unity of purpose is possible across completely different risk classes. They need to ask, at least annually, and preferably quarterly, "Are we getting the most out of our risk taking?" All companies may find that there is a hidden reserve of profit improvement and added shareholder value waiting to be tapped through improved risk management. An organized and methodical approach to enterprise risk management can exploit this wealth efficiently.




Copyright Risk Management Society Publishing, Inc. Sep 2001
Provided by ProQuest Information and Learning Company. All rights reserved.
