7/28/2019 erm imp material.docx
1/13
Enterprise risk management is difficult to define, but generally it's a relatively new (less than a decade
old) management discipline that calls for corporations to identify all the risks they face, to decide which
risks to manage actively, and then to make that plan of action available to all stakeholders (not simply
shareholders) as part of their annual reports. (To read more about risk, check out Determining Risk And
The Risk Pyramid and Measuring And Managing Investment Risk.)
In putting together ERM initiatives, companies are supposed to focus not only on the downside of risk
but the upside as well. The traditional approach was to focus on the downside - the losses from currency
or interest rate trades in financial markets, for instance, or financial losses that might be caused by a
disruption in a supply chain or cyber or terrorism attack that impairs a company's information
technology.
In thinking about the upside, companies are supposed to consider competitive opportunities andstrategic advantages that might arise out of deft management of risk. Some of these "better decisions"
involve items like where to locate a plant or office abroad based on a risk analysis that would look at the
political environment in a country.
Evolving Risk Management
Studying how corporations manage the incredibly diverse number of risks they face - everything from
movements in currencies, interest rates to public perceptions of their reputations is playing an
extremely important role in the investment process. Knowledge of individual corporate "risk profiles"might have led you to invest in companies with the confidence that they could meet corporate
objectives and investor expectations (not only in good times, but also in bad). Knowledge of these
profiles might have also helped you identify up-and-coming organizations for investment - or helped you
better understand which companies to let into your community through a new plant or office, believing
that they would do everything possible to avoid environmental damage and to treat employees well.
Until now, particularly in the U.S., the vast majority of corporations have made very little information
about their overall risk profiles available to stakeholders. Companies in many other industrialized
countries, like Canada, the U.K. and Australia, are much more forthcoming about their risk and ERM
activities.
7/28/2019 erm imp material.docx
2/13
The situation's poised to change as rating companies start to factor in a company's ability to manage
ERM. Stakeholders will start to gain a plethora of new risk-related data and information available to
them. This story of risk management is likely to expand greatly over the next decade.
ERM: A Constantly Changing Management Discipline
Of course, companies have been managing risk for years. Historically, they've done this by buying
insurance. More recently, companies have managed risk through the capital markets with "derivative
instruments" that help them manage the ups and downs of moment-to-moment movements in
currencies, interest rates, commodity prices and equities. From a mathematical point of view, all of
these risks or "exposures" have been reasonably easy to measure, with resulting profits and losses going
straight to the bottom line.
Where ERM comes in is where companies manage the risks that defy easy measurements or a
framework for management. These include crucial risks such as reputation, day-to-day operational
procedure, supply chain, legal and human resources management, financial and other controls related
to the Sarbanes-Oxley Act of 2002 (SOX), and overall governance. All of these and other exposures fall
under the ERM umbrella.
Back to the Upside
The "upside" that we discussed earlier also includes focusing on preventive measures that help a
company avoid potential disasters down the road. For example, some of these actions may include
determining when and how the physical assets they own need to be maintained and replaced. This way,
the company can avoid unexpected and costly plant and equipment failure that might result in
shutdowns, explosions or other events that put a company's employees, communities and reputations
at risk.
Understanding that their most important and valuable asset is their reputation, some companies work
proactively to protect the company when dealing with man-made or natural disasters. In one of themost storied reputation risk management stories in recent history, Tylenol found itself in need of a
burnished reputation in the face of product tampering. It reacted by being honest with the media and
quickly and aggressively removing and replacing its products at retail outlets. From 2006 to 2008, the
recent push for companies is to prove they are "going green", hoping that aggressive environmental risk
management will position their products, plants, supply chain and other operations positively with
7/28/2019 erm imp material.docx
3/13
current and future customers. (Read more about this in For Companies, Green Is The New Black and The
Green Marketing Machine.)
How to Find ERM-Friendly Companies
It is a difficult task for investors to discover which companies are working to manage risk from an
enterprise-wide perspective - and an even more difficult job discovering who is doing so effectively.
Many board members don't understand ERM, believing it to be simply another potentially costly, hard-
to-measure regulatory fiat from Washington. Many others believe that effective ERM can be achieved
simply by expanding their SOX-related reporting and controls efforts, which is not the case.
Because it's a new management discipline, what constitutes "best practices" in ERM has yet to be
defined; currently it's being defined industry by industry, but few if any companies promote themselves
as being "best of the best" in ERM or risk management.
So, how do you know who's working hard at effective ERM? A growing number of companies,
particularly outside the U.S., devote a significant portion of their annual reports discussing risk
management, regardless of whether they specifically call it ERM. Generally, investors interested in
discovering who's doing a comprehensive job at risk management - and reporting it publicly in their
annuals - need to look abroad. Just north of the border, Canadian-based companies discuss risk
extensively in their annuals and they are a good place to start looking into this area further.
One way to quickly see if the company you are researching does have ERM is to check for a Chief Risk
Officer (CRO). While CROs are most often found in the energy, banking and insurance industries, more
aggressive manufacturing companies are moving in that direction as well. Another clue is found in a tiny
nut of companies that have managers specifically in charge of coordinating their ERM efforts. These
managers will have the words "enterprise risk" in their titles.
Intensive additional sleuthing from investors may offer worthwhile dividends. Simply searching"enterprise risk management" online will give investors access to numerous recent conference agendas
on the topic. Investors should then take note of which companies have executives lecturing on ERM.
Also check out the websites of the few associations dedicated to promoting ERM, such as the Risk &
Insurance Management Society in New York or the Committee of Chief Risk Officers. The Conference
Board in New York also has a dedicated practice examining corporations and their ERM endeavors, and
7/28/2019 erm imp material.docx
4/13
the National Association of Corporate Directors has done a somewhat dated but invaluable Blue Ribbon
report on how corporate board members think about risk - and how that needs to change.
Risk Management Doesn't Mean Risk Free
As a word of caution, just because a company has a CRO - or brags about what it's doing in ERM -
doesn't mean you should take it at its word; you'll need to look deeper and ask investor relations
executives detailed questions. For years, the banking industry has boasted of having the best risk
management and ERM programs of any industry. None of that, however, prevented the 2007 credit
crunch and mortgage meltdown. (Keep reading about this subject in The Fuel That Fed The Subprime
Meltdown.)
Conclusion
The investment landscape is constantly changing and it is important to get a handle on which companies
are doing a good job at managing enterprise risk. This is a relatively young field of study, but it is worth
considering because it will continue to play a significant role in the investment community for many
years to come.
http://www.investopedia.com/articles/fundamental-analysis/08/enterprise-risk-management.asp
The Evolution of Enterprise Risk Management
The philosophy of enterprise risk management addresses issues that we, as a profession, have always
dealt with. Its evolution prescribes a new organizing concept in creating value for an entity.
By Robert Wolf
About a decade ago, the now popular study performed by Mercer Management Consulting firm cited
the primary causes of significant stock price failures amongst the Fortune 1000 Companies in the
booming '90s as events more descriptive under strategic and operational failures than events
traditionally categorized as hazardous and financial. Ninety percent of the cases were categorized undercauses that represented strategic and operational failures as the primary reasons for the stock drops. In
almost every instance, the study cited multiple reasons for each of the individual stock collapses. In
addition, in virtually every instance, the reason for the stock decline was categorized as a market
reaction to a series of unanticipated and correlated events that generated non-fortuitous domino
effectsbringing down the value of the firm.
http://www.investopedia.com/articles/fundamental-analysis/08/enterprise-risk-management.asphttp://www.investopedia.com/articles/fundamental-analysis/08/enterprise-risk-management.asphttp://www.investopedia.com/articles/fundamental-analysis/08/enterprise-risk-management.asp7/28/2019 erm imp material.docx
5/13
Traditional risk management has viewed risk as a series of single elements, or silos. Each risk stood alone
and was not related to the others. Optimizing risk management individually in each of the business units
of a company meant optimizing risk management in the company overall.
Traditional hazard/casualty risk management strategies were essentially comprised of buying insurance
that was inexpensive enough so that retained risk could be managed for as little cost as possible
internally. In other words, the typical marching orders for a risk manager at a company were, in essence,
"Here is your budget. Buy the cheapest insurance possible. Keep what you save. Use it to manage what
risk you retain. And, by the way, don't let anything bad happen." Optimizing traditional risk
management, in essence, meant keeping within risk management's expense budget.
Figure 1
Commodity price and interest rate fluctuation risks were hedged with trading instruments that were
deemed, until recently, the holy grail of hedging strategies for financial risks.
Other risks facing a company, which stem from strategic and operational failures, that made up the
aforementioned 90 percent of the stock failures in the '90s, and reflect the risks that could not be
traditionally transferred or traded away, were delegated to those managing the operations of the firm.
The Mercer study, in addition to discussions and papers written in various industry forums, prompted
discussion of whether stock price risk within a firm could be managed within a typical risk management
strategy. Can the traditional risk management toolkit address unanticipated/correlated events that have
the potential to destroy shareholder value at individual companies?
By implication of the study, one can suggest that since virtually all such failures result from multiple
correlated causes, only an integrated approach to risk management could recognize and mitigate
against such events. Herein lies the impetus of the current wave of interest in enterprise risk
management (ERM).
It is worth noting that none of the failures in the Mercer study were caused by such hazard risks as
lawsuits or natural or man-made disasters. The use of insurance to hedge such risks has worked in the
past for many years and continues to work today as an effective risk management tool. Insurance has
7/28/2019 erm imp material.docx
6/13
naturally been a venue that the actuarial profession has served well in the past, and is expected to
continue to do so today and in the future.
It is also worth noting that a handful of the individual stock failures from the Mercer study were due to
risks typically financial in nature (6 percent), such as foreign macroeconomic issues, high input
commodity prices and interest rate fluctuations. These types of risks, at least in the 1990s, were deemed
to be appropriately managed by tools that have been generally accepted as effective instruments (e.g.,
derivatives, futures, etc.).
Financial risk management continues today as it was thena growing venue and opportunity for our
profession as actuaries continue to manage risk through the use of financial hedging instruments. It is
also a ripe opportunity for our profession to address the increasing fallout in credibility of traditional
financial models and instruments in use today. At the same time, we also need to address the increasingneed for improved tools and strategies to gauge the correlation of financial events that have dominoed
into a series of correlated outcomes and recently crippled the financial and credit markets.
The Evolving View of Risk Management truly represents the motivational evolution within business
communities. This motivational evolution has transcended the traditional goals of reducing costs and
reducing/avoiding/transferring risk to the more contemporary vision of maximizing revenue at
reasonable risk to add value, the essence statement of an ERM framework. From the realization that
silo-based risk management has its flaws, the emergence of new and larger risks (e-commerce, man-
made and natural catastrophes, Enron-esque risk), the steady consolidation of insurance and financial
institutions and the increased pressures on management accountability and corporate governance, the
ERM evolution continues to affect us today with opportunities for our profession to make a difference.
More comprehensive than the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) framework, the ERM definition developed by the Casualty Actuarial Society and adopted by the
Society of Actuaries"the discipline by which an organization in any industry assesses, controls, exploits,
finances and monitors risk from all sources for the purpose of increasing the organization's short- and
long-term value to its stakeholders"suggests a dual role of managing both the risk and the returns of acompany. In essence, true ERM could really be coined enterprise risk and return management. Several
insurance companies, such as Allstate, are already using this terminology in their ERM framework.
At the end of the day, ERM does not encompass any new concepts. The philosophy of ERM addresses
issues that we, as a profession, have always dealt with. Its evolution prescribes a new organizing
7/28/2019 erm imp material.docx
7/13
concept in creating value for an entity. How ERM adds value is in its conceptual framework of optimizing
strategies based on the characteristics and tools involving the laws of probability and statistics with
regards to diversification and correlation.
Traditional risk management, arguably, has long been based on diversification benefits. Even today,
some financial theorists argue that a company employing an ERM strategy does not add value to the
firm as risk management strategies are more efficiently carried out by investors outside the firm in
diversifying their respective investment portfolios. In addition to the argument that other stakeholders
also matter, I follow the counter-argument that unique risk (unique to the operations of the firm) is best
handled within a firm's operations and that optimizing risk and return strategies and business plans have
always been (and always should be) the foundation of a firm's strategies to maximize enterprise value.
Implementation of enterprise risk management has its challenges, some unique within various industryvenues. ERM is truly in different stages by industry and even in our profession's respective specialties.
These will be addressed in upcoming issues in this series where we discuss the evolution of enterprise
risk management and the various stages in our profession's specialty sectors: namely life insurance,
general insurance (property/casualty), health insurance, other financial institutions and non-financial
corporations.
However, in my experience with companies delving into an ERM-based culture, there are three general
challenges that pervade all industries and sectors. I consider these challenges our profession's
opportunity to make a difference in the sectors we currently serve and the ones we will serve in the
future. They are as follows:
Out of Sight, Out of Mind
In general, individuals, let alone companies, are extremely negligent in dealing with things that have
either just happened or have not happened recently.
We tend to optimize our strategies on risks after things (we tried to avoid) have just occurred. As a
baseball coach for my son's 12-year-old travel team, many times I have caught myself positioning my
outfielders in positions precisely where the last ball was hitwith the brilliant foresight that on the first
pitch to the next batter the ball will be hit to that same precise location.
7/28/2019 erm imp material.docx
8/13
Most of us thought of 9/11 a lot on 9/12, 9/13 and for the subsequent years thereafter. But how many
of us thought of it today? How many of us think about possible and unimaginable risk events for
tomorrow? On 9/10, how many of us contemplated the possibility of 9/11?
Extreme event and catastrophe models have evolved in recent decades to provide a sense of loss
magnitude when extreme events, such as pandemics and natural or man-made catastrophes, occur.
Instead of focusing on whether these events are one in 100, one in 50 or one in five years (we just don't
know), our focus as a profession is to devise strategies of how to recover, whenever they may occur.
How much can we afford to lose? How can we split the damage? How much time do we have to
recover? What hedging and risk management strategies do we need in place to recover? In other words,
the opportunity for our profession to make a difference is to focus on recovery, rather than catastrophe.
Models that Do Assume Deviation and then Reversion to Normality
As practitioners, we tend to place full reliance on models that perform well under normal conditions.
But in reality, are situations ever normal? Our opportunity as a profession is to look beyond the models
that assume conditions revert back to the mean, that abnormal events are abnormal, that markets are
continuously efficient, and that human behavior follows precise mathematical and well-defined
distributional formulas, even as dominoes fall. This aspect is evident in today's financial times.
Budgets and Incentive Compensation
The greatest challenge I have seen in developing an ERM culture within a firm is in typical budget
mentality and incentive compensation. Budgets drive corporate behavior. Incentive compensation
drives goals and targets.
The opportunity for our profession in the ERM discipline is to devise effective means to promote the
ERM culture in firms via incentives. James Lam, in his book Enterprise Risk Management: From
Incentives to Controls, states that a great portion of the ERM discipline is in managing the behavior and
results of its people.
Incentive compensation plans that are earnings- and growth-based, solely due to targets within a
manager's strategic business unit, focus the manager on just his or her business unit's results with less
consideration to other business units and the company as a whole. Depending on the specifics of the
7/28/2019 erm imp material.docx
9/13
incentive compensation plan, the manager may be motivated to take on more risk than is rewarded by
the returns.
On the other hand, incentive compensation plans should not be entire company goal-based, because, in
general, companies benefit from innovation and ingenuity within the strategic business units. Such
incentives should be in place to encourage originality and creativity within the units.
Where is the balance between rewarding/punishing an integrated result and promoting an
entrepreneurial innovation? Maintaining a true holistic view of risk across silos requires taking a true
holistic view of management behavior incentives in achieving the goals of the firm. Once again, the
ongoing theme of managing returns with the risks and managing the risks with the returns is prevalent.
It is this very essence that defines the evolution from traditional risk management to enterprise risk
management.
As risk management has evolved, so too has the very nature of our profession. The actuarial profession
has evolved, and continues to evolve, from traditional risk management to enterprise risk management.
The actuarial profession has outgrown the traditional risk management concept of being risk "costers"
or "provisioners." The actuarial profession used to primarily address how many people will die, get sick,
get in accidents, get sued, have property damage, etc. The days of solely communicating, "We need to
charge this amount to cover the expected costs (costing)," and/or "We need to set aside so many dollars
so that we have enough in the bank later to pay claims/benefits (reserving)," are gone.
In the ERM evolution, we address the profession's tagline, Actuaries: Risk is Opportunity. We are
speaking about risk/return strategies. We are recommending how much capital to hold to support the
risks underwritten at insurance companies. We are advising on competitive prices (pricing, not costing).
We are hedging long-term inflation risk with the investing of stock portfolios. We are hedging life
insurance products with variable annuity products.
On a macro basis, we are at the table discussing new ways to retire. We are discussing the health care
crises. We are discussing the availability and affordability issues in property insurance. We are discussing
strategic and operational risks.
7/28/2019 erm imp material.docx
10/13
In subsequent issues, we will begin exploring opportunities to make a difference, starting with, but not
limited to, the individual backyards that we serve today and have the opportunity to do so in the future
in specific specialties.
http://www.soa.org/Library/Newsletters/The-Actuary-Magazine/2008/June/act-2008-vol5-iss3-
wolf.aspx
Enterprise Risk Management (ERM) versus Traditional Risk Management
All organizations are faced with risks that challenge the business. Successful firms are employing best
practice and a cohesive team and infrastructure to address the strategic, financial, operational, and
hazard risks that they face.
Recent Findings
In a traditional risk management service structure, the effort is departmentalized and focused primarily
on hazard risks. Using this approach, an organization rarely makes relative comparisons among its risks
to determine how they interact with one another or to evaluate their cumulative effect on the
organization. Conversely, in an ERM environment, there is a senior executive or Chief Risk Officer (CRO)
who compares and evaluates all of the risks the organization faces in a more holistic way.
Key Differences and Solutions
Enterprise risk management is an extension of traditional risk management, and differs in the following
ways.
Strategic application. An ERM approach is integrated into an organizations business decisions. Because
the effort is enterprise-wide, it supersedes any departmental or functional autonomy to encourage
continuous review and support of the organizations most value-based objectives.
Risks considered. ERM involves managing all of the risks affecting an organizations ability to meet its
goals, regardless of the types of risks being considered. This carefully reviewed and benchmarked
approach allows organizations the ability to stay focused on key areas of prosperity and survival.
http://www.soa.org/Library/Newsletters/The-Actuary-Magazine/2008/June/act-2008-vol5-iss3-wolf.aspxhttp://www.soa.org/Library/Newsletters/The-Actuary-Magazine/2008/June/act-2008-vol5-iss3-wolf.aspxhttp://www.soa.org/Library/Newsletters/The-Actuary-Magazine/2008/June/act-2008-vol5-iss3-wolf.aspxhttp://www.soa.org/Library/Newsletters/The-Actuary-Magazine/2008/June/act-2008-vol5-iss3-wolf.aspxhttp://www.soa.org/Library/Newsletters/The-Actuary-Magazine/2008/June/act-2008-vol5-iss3-wolf.aspx7/28/2019 erm imp material.docx
11/13
Performance metrics. ERM emphasizes results-based performance measurement throughout the
organization. Results indicate whether a risk management technique helped to achieve a business goal,
such as return on investment or return on assets. All forms of risk management, including ERM, are
intended to help minimize the adverse effects of missed opportunities and losses. The specific benefits
of ERM include maximizing the possible opportunities for growth, minimizing the expected
organizational losses and therefore increasing the expected income and asset value, and reducing the
residual uncertainty in all areas of the enterprise.
While many organizations have qualified representatives who are capable of managing their individual
functional risks, it is the unique and highly profitable organization that manages risk across the entire
enterprise.
http://www.blackburngroup.com/newsroom/124
Five Key Benefits
The most impact and recognition of value is often perceived more at the executive and director levels,
than other layers of management. Five key benefits and values from ERM include:
Increased consistency and communication of risks within the organization
Enhanced reporting and analysis of corporate risks (risk data)
Improved focus, attention and perspective to risk data
More efficient and effective activities related to regulatory, compliance and audit matters
More cost-effective management and monitoring of risks
Increased Consistency and Communication ERM provides a standard terminology and conceptual
framework for all members and departments in the organization. This consistency and commonality
provides improved opportunities for communication and coordination among various layers and
departments.
In addition, communication regarding risk is often lacking within organizations due to concerns of
confidentiality, propriety and job security. As a result, data and information relative to strategic risks,
and risks to achievement of corporate objectives and plans, are not shared across department lines.
http://www.blackburngroup.com/newsroom/124http://www.blackburngroup.com/newsroom/124http://www.blackburngroup.com/newsroom/1247/28/2019 erm imp material.docx
12/13
Enhanced Reporting Implementing ERM supports better structure, reporting and analysis of risks. Risk
dashboards, consolidating risks across the entire enterprise, increase the focus of directors and
executives, enabling better decisions relative to risk thresholds, risk appetite and risk tolerance. The
reporting, therefore, has better categorization and classification of risk data, allowing various types of
reporting (department vs. entity-wide, financial vs. compliance, high vs. low risk, quantitative vs.
qualitative factors, etc.).
Ultimately, the greatest overall value from ERM and related reporting is the timeliness, conciseness, and
flexibility, which facilitate improved decision making capabilities within the executive and director levels,
and in other layers of management.
ERM helps unlock synergies and potential for increased analysis and assessment of risks by
aggregating and sharing all corporate risk data and factors, and evaluating them on a consolidated basis.
Improved Focus and Perspective of Risk Data Utilizing ERM methodologies and techniques provides a
means to further identify and assess key performance indicators regarding risks. This allows a method to
measure and better quantify risk factors and tolerances. The use of key metrics and measurements of
risk further improve the value of reporting and analysis.
ERM models also permit more effective and complete viewpoints of risk. Traditional risk practices focus
on risk from a perspective of mitigation, acceptance or avoidance. However, effective ERM processes
will give management a framework in which to evaluate risk as an opportunity to increase competitive
positions and exploit certain market, operational and related conditions.
More Efficient Coordination of Regulatory and Compliance Matters Bond rating agencies, financial
statement auditors, regulatory examiners and other audit activities (including internal audit) have begun
to inquire, test, and often leverage and utilize monitoring and reporting data from ERM programs. Since
ERM data involves identifying and monitoring controls and mitigations relevant to various risks across
the organization, this information can provide an effective means for leveraging and reducing the effortand cost of such audits and reviews.
Cost Effective Management of Risk Through all of the benefits noted above, ERM enables better cost
management and cost effectiveness related to audit activities; better management of market,
7/28/2019 erm imp material.docx
13/13
competitive and economic conditions; and increased leverage and consolidation of disparate risk
management functions.
Organizations can use ERM data and reporting to more effectively coordinate with investment
custodians, better manage capital/investment decisions and make more timely decisions regarding
hedging instruments. By potentially reducing the overall cost of risk management processes, reducing
audit costs or minimizing resources needed for regulatory responses, and streamlining monitoring and
reporting functions, ERM has the capability to reduce the cost of the existing processes and functions for
these respective components within the organization.
http://www.insideindianabusiness.com/contributors.asp?id=2148
http://www.insideindianabusiness.com/contributors.asp?id=2148http://www.insideindianabusiness.com/contributors.asp?id=2148http://www.insideindianabusiness.com/contributors.asp?id=2148Top Related