management is not about minimizing or avoiding risks, but optimizing risk/return trade-offs (the bell curve). Third, an ERM program supports better decisions at the board and management levels. Board decisions may include establishing risk appetite, capital and dividend policy, as well as making strategic investments. Management decisions may include capital and resource allocation, customer and product management, pricing, and risk transfer. Finally, the key components of ERM include governance and policy (including risk appetite), risk analytics, risk management, and monitoring and reporting. These four components provide a balanced and integrated framework for ERM.
Early Development of Risk Management
Protecting ourselves against risk is a natural practice that goes back well before Magellan. In fact, one could argue that risk management has existed as long as human history. As long as attacks from animals, people, or businesses have been a threat, we have constructed safeguards and defenses. As long as buildings have faced floods and fires, risk management has included structural design and materials used, or, in modern times, transferring that risk to an insurer. As long as money has been lent, lenders have diversified among borrowers and discriminated between high- and low-risk loans. Despite the intuitive nature of risk management – or perhaps because of it – it did not become part of formal business practice until the second half of the last century.
It wasn't until 1963 that the first discussion on risk appeared in an attempt to codify and improve such practices. In their Risk Management and the Business Enterprise, authors Robert Mehr and Bob Hedges posited a more inclusive risk-management practice that went beyond the status quo of merely insuring against risk. They proposed a five-step process reminiscent of the scientific method: Identify loss exposures, measure those exposures, evaluate possible responses, choose one, and monitor the results. They also described three general approaches to handling risks: risk assumption, risk transfer, and risk reduction. At this early stage, risk management emphasized hazard risk management. Financial risk entered the scene later. These traditional theories focused on what are called “pure” risks, such as natural disasters, which result either in a loss or no change at all, but never an improvement. Modern ERM practice now encompasses speculative risk, which involves either loss or gain. Stock market investment is a classic example of speculative risk.
The lack of attention to financial risk in early risk management programs reflected the comparative stability of global markets at the time. This began to change in the following decade. In 1971, the United States abandoned the gold standard, and in 1972, many developed countries withdrew from the 1944 Bretton Woods agreement, which had kept most foreign exchange rates within narrow bands since World War II. This brought an unprecedented volatility to global exchange rates. The Seventies also brought soaring oil prices due to the decision by the Organization of Petroleum Exporting Countries (OPEC) to decrease global supply after the 1973 Yom Kippur War. Like the proverbial butterfly's wings, this had multiple effects around the globe. Rising oil prices drove up inflation, which caused the U.S. Federal Reserve to raise interest rates to historical levels, a response that fueled volatility not only in the United States but worldwide as well. These economic changes created a need for financial risk management that companies had not experienced before.
The Seventies and early Eighties saw the introduction of new financial risk-management tools, particularly derivatives such financial futures, options, and swaps. These new tools allowed companies to manage volatile interest rates and foreign exchange rates and were effective when used properly. But some firms suffered severe losses from ill-conceived derivatives trades. In 1993, the German corporation Metallgesellschaft barely avoided bankruptcy after a $1.3 billion loss due to oil futures contracts. The next year, Procter & Gamble lost $157 million due to an injudicious swap. In the Nineties, devastating losses due to operational risk were all too common, often for lack of standard controls such as management supervision, segregation of duties, or basic checks and balances. In 1995 Barings Bank was driven bankrupt after a loss of $1.3 billion due to unauthorized derivatives trades. Only months later, Daiwa Bank was forced to end all U.S. operations in the aftermath of a $1.1 billion scandal surrounding unauthorized derivatives trading. Early risk managers operating under traditional practices simply overlooked operational risk, leaving it to the relevant business units.3
THE CASE FOR ERM
Despite the high-profile losses, the 1990s saw important steps forward in ERM. Risk quantification became more sophisticated with the advent of value-at-risk models (VaR). Before VaR, the primary risk measure was probable maximum loss, which is similar to the potential loss and can be expressed in the question, “What's the worst that could (reasonably) happen?” By contrast, a VaR metric predicts, to a specific level of confidence, potential losses over various time intervals. Early versions of modern ERM appeared around this time as companies developed more sophisticated risk quantification methods for market risk and credit risk, as well as initial operational risk management programs. In the mid-1990s, companies began appointing chief risk officers (CROs) to establish a C-suite executive who could integrate the various risk management functions under a single organization. Steady progress continued until the 2008 financial crisis, which revealed numerous shortcomings in risk management models and reminded businesses of the need for improvement.
Organizations continue to discover the value of ERM and work to implement their own customized programs. Let us look at three perspectives:
• The current demand for ERM
• The current state of ERM
• What ERM can look like and what it can do
The Current Demand for ERM
We work in a business climate rife with volatility and risk. A recent survey by the Association for Financial Professionals (AFP) found that 59 percent of financial professionals consider their firms to be subject to more earnings uncertainty now than five years previously. Only 12 percent believe they are operating with more certainty today.4 A similar majority said it is more difficult to forecast risk than it was five years ago and foresaw it getting even more difficult three years hence. Risks considered to have the greatest impact on earnings were (in order of decreasing frequency): customer satisfaction and retention, regulatory risk, GDP growth, political risk, energy price volatility, labor and HR issues, and natural disasters.
So what are firms doing to prepare for these risks? By their own admission, less than they would like. Only 43 percent of respondents to the AFP study felt their ability to forecast crucial variables was relatively strong while the rest needed improvement; 10 percent even considered their capabilities weak to nonexistent. Companies recognize a growing need for changes in risk management processes. Organizations are hiring risk professionals, investing in IT systems, automating financial processes, and placing a greater focus on risk awareness and culture. Many have beefed up executive review of business strategy and assumptions (63 percent) while others have increased risk analysis and forecasting as well as reports to management.
The individual ultimately responsible for managing this growing risk is frequently the CFO, named by 38 percent of the firms surveyed. Another 28 percent named the CEO or COO; 14 percent operated under a risk committee, 11 percent named the treasurer, and only 9 percent had a chief risk officer (CRO) as the primary overseer of risk management. It is important to note that these results were based on a cross-industry survey.
Old Methods Won't Work
Today, companies recognize the need for better risk management, but amplifying old methods or tweaking existing structures to deal with increased risk carries dangers. Just one example: the highly interdependent risks that organizations frequently face. Figure 1.2 provides an illustration of risk interdependency in the form of a Venn diagram.
D'Arcy, Stephen P. and Brogan, John C. “Enterprise risk management,”
Wittenberg, Alex.
