Implementing Enterprise Risk Management. Lam James


any unexpected loss. The more creditworthy it wants to be, the more capital it will have to hold against a given level of risk. The allocation of economic capital to business units has two important business benefits: It links risk and return and it allows the profitability of all business units to be compared on a consistent risk-adjusted basis. As a result, business activities that contribute to, or detract from, shareholder value can be identified easily so management has a powerful and objective tool to allocate economic capital to its most efficient uses.

      In addition to economic capital, risk managers should consider human capital (management talent, experience, and track record) and liquidity reserves relative to a company's risk profile. The combination of economic capital, human capital, and liquidity reserves represents the “risk capacity” of the company.

      WHAT DOES RISK LOOK LIKE?

      The above concepts interact to determine the specific risk levels and enterprise risk profile of an organization. For individual risks – such as credit, market, and operational – the risk levels are greater the higher the exposures, probabilities, severities, and time horizons of the specific positions. At the portfolio level, the risk profile will be greater the higher the concentrations and correlations within that portfolio of risks. At the overall level, the correlations across risk portfolios (e.g., credit risk, market risk, operational risk, etc.), and the organization's risk capacity, will determine the enterprise risk profile.

      Risk Is a Bell Curve

A simple visualization effectively synthesizes these ideas: a bell curve. The notion that risk is a bell curve is a key idea that I will discuss throughout the book. When using bell curves to represent risk in a given context, each point on the curve represents a different possible outcome. The horizontal axis provides the range of outcomes, and the vertical axis provides the probabilities associated with those outcomes. As such, the bell curve is a vector of probabilities and outcomes, and collectively these probabilities and outcomes represent the aggregate risk profile. Figure 1.1 provides an illustration of a bell curve.

FIGURE 1.1 Risk as a Bell Curve

      It is important to consider the following points when conceptualizing and quantifying risk as a bell curve:

      • Risk comes in different shapes and sizes. Some risks – such as interest rate risk or market risk – tend to be symmetrical.2 These risks are normally distributed where there is equal probability of gains or losses of similar sizes. Other risks – such as credit risk or operational risk – are asymmetrical with more downside than upside. If a loan pays off, the lender gains a few percentage points of interest income, but if it defaults, the lender can lose the entire principal. If a core IT operation is running smoothly, it is business as usual, but a failure can cause significant business disruption. Risks can also be asymmetrical with more upside than downside, such as an investment in a new drug or a disruptive technology. Such investments can produce unlimited upside but the downside is limited to the amount of the investment.

      • Risk should be measured relative to business objectives. The risk metric used should be based on the context of the specific business objective and desired performance. For example, at the enterprise level the risk metrics can be earnings, value, and cash flows to quantify earnings-at-risk (EaR), capital-at-risk (economic capital or CaR), and cash flow-at-risk (CFaR), respectively. Such performance-based models can support the organization in managing corporate-wide objectives related to earnings performance, capital adequacy, and liquidity risk. At the individual business or risk level, the risk metric used should be linked to the specific business objective, such as sales performance, IT resilience, and talent management.

      • The bell curve provides the downside, but also the mean and upside. Risk managers tend to focus mainly on downside risk. For example, EaR, economic capital, and CFaR models usually quantify the downside outcome at a 95–99% confidence level. However, a proper definition of risk must include all eventualities. The bell curve provides the full spectrum of risk, including the mean (i.e., expected outcome) as well as the downside and upside scenarios. By adopting a more expansive consideration of potential outcomes, risk managers can make more informed risk-based business decisions. The same variables that can produce unexpected loss can also produce unexpected gain. Downside risk analysis can inform capital management, hedging, insurance, and contingency planning decisions. Analyses of expected value can support financial planning, pricing, and budgeting decisions while upside risk analysis can shape strategic planning and investment decisions.

      • The objective of management is to optimize the shape of the bell curve. It has often been said that value maximization is the objective of management. To accomplish this objective, management must maximize the risk-adjusted return of the company. In other words, it must optimize the shape of the bell curve. For example, management should establish risk appetite statements and risk transfer strategies to control downside tail risks. Pricing strategies should fully incorporate the cost of production and delivery, as well as expected loss and economic capital cost. Strategic planning and implementation should increase expected earnings and intrinsic value (moving the mean of the bell curve to the right). This objective extends to a non-profit organization, but return is driven by its organizational mandate.
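An added example, not from the book: it builds two of the bell curves described above as vectors of outcomes and probabilities, a symmetric market position and a loan book with more downside than upside, and reads off the mean, downside and upside at a 99% confidence level. The portfolio sizes, default probability, interest rate, function names and the `unexpected_loss` / `unexpected_gain` labels are constructed for illustration.

```python
from math import comb

def loan_book(n=100, pd=0.02, rate=0.05, principal=1.0):
    """P&L distribution for n independent loans (constructed parameters).

    Each loan earns rate*principal if repaid and loses the principal on default.
    Returns the bell curve as a list of (outcome, probability) pairs.
    """
    return [((n - k) * rate * principal - k * principal,
             comb(n, k) * pd**k * (1 - pd)**(n - k)) for k in range(n + 1)]

def market_position(n=100, step=0.5):
    """P&L distribution for n equally likely up/down moves of size step."""
    return [((2 * k - n) * step, comb(n, k) * 0.5**n) for k in range(n + 1)]

def quantile(dist, q):
    """Smallest outcome whose cumulative probability reaches q."""
    cum = 0.0
    for outcome, prob in sorted(dist):
        cum += prob
        if cum >= q:
            return outcome
    # Floating-point rounding kept the running total just below q.
    return max(o for o, _ in dist)

def risk_profile(dist, confidence=0.99):
    """Mean, downside and upside outcomes at the given confidence level."""
    mean = sum(o * p for o, p in dist)
    down = quantile(dist, 1 - confidence)
    up = quantile(dist, confidence)
    return {"mean": mean, "downside": down, "upside": up,
            "unexpected_loss": mean - down, "unexpected_gain": up - mean}

if __name__ == "__main__":
    for name, dist in (("market", market_position()), ("credit", loan_book())):
        print(name, {k: round(v, 2) for k, v in risk_profile(dist).items()})
```

The market curve is symmetric around its mean, while the loan book's distance from mean to downside is twice its distance from mean to upside, even though its expected outcome is positive.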

      By conceptualizing – and ideally, quantifying – any risk as a bell curve, companies can manage it most effectively. This applies even to intangible risks that are difficult to quantify. Let's use reputational risk as an example. The mean of the bell curve represents the current reputational value of the organization. Reputational risks would include the key variables and drivers for the organization in meeting the expectations of its main stakeholders: customers, employees, regulators, equity holders, debt holders, business partners, and the general public. As with other risks, these variables and drivers can be measured and managed to enhance the organization's reputation, including downside and upside risk management.

      ENTERPRISE RISK MANAGEMENT (ERM)

      The concepts I've described so far form the foundation for risk analysis, but understanding risk is just a preliminary step toward managing it. We are now ready to lay the groundwork for implementing enterprise risk management (ERM). Specifically, we will discuss:

      • A definition of ERM

      • Early development of risk management

      • The development of ERM in the 1990s

      This brief overview of ERM will show how the events of the past half-century have shaped ERM's current critical role in business strategy.

      What Is Enterprise Risk Management?

      A proper definition of ERM should describe what it is, how it works, its main objective, and its main components. With these criteria in mind, I will define ERM as follows:

      ERM is an integrated and continuous process for managing enterprise-wide risks – including strategic, financial, operational, compliance, and reputational risks – in order to minimize unexpected performance variance and maximize intrinsic firm value. This process empowers the board and management to make more informed risk/return decisions by addressing fundamental requirements with respect to governance and policy (including risk appetite), risk analytics, risk management, and monitoring and reporting.

      Let's briefly expand on this definition. First, ERM is a management process based on an integrated and continuous approach, including understanding the interdependencies across risks and implementing integrated strategies. Second, the goal of ERM is to minimize unexpected performance variance (defensive applications) and to maximize intrinsic firm value (offensive applications).
