Implementing Enterprise Risk Management. Lam James

Interdependencies

      Key interdependencies exist between financial and business risk, business and operational risk, and operational and financial risk. Furthermore, each major risk category comprises subcategories. For example, financial risk, as demonstrated in the figure, can be broken down into market risk, credit risk, and liquidity risk. These financial risks in turn have their own interdependencies.

      Let's examine loan documentation as a practical example of a key interdependency between operational risk and financial risk (in particular credit risk). As a business process, loan documentation quality is considered an operational risk. If a loan is performing (i.e., the borrower is making timely interest and loan payments), the quality of that specific loan document has no real economic impact. But if the loan is in default, the documentation quality can have a significant impact on loss severity because it affects collateral and bankruptcy rights. Loss analyses conducted by James Lam & Associates at lending institutions revealed that up to one-third of “credit losses” were associated with operational risks.

      According to the AFP survey above, about 12 percent of firms still use a siloed, decentralized structure. But in a complex, interlocking system of company-wide risks, this strategy is clearly insufficient. Some risks may remain poorly understood or even ignored. Gaps and redundancies may go unnoticed and unaddressed. And aggregate risk exposures across the organization could pose hidden threats. For example, if business units use different methodologies and systems to track counterparty risk, then it is difficult to quantify the aggregate exposure for a single counterparty. While the individual exposures at each business unit might be acceptable, the total counterparty exposure for the organization may exceed tolerance levels.

      On the other hand, an overly centralized system of risk management can fail to integrate the relevant risk information into the decision-making processes of an organization. A full 28 percent of organizations have a centralized risk management system, which can lead to ineffectual top-down management of risk-related decisions. Most organizations (60 percent) operate under a structure with centralized processes but decentralized implementation. In this arrangement, the risk monitoring, reporting, and systems are centralized, but the implementation of risk management strategies is in the hands of each business unit.[5]

      In a volatile economic climate, the most successful companies establish comprehensive, fully integrated risk management processes at each level of decision-making. ERM provides integrated analyses, strategies, and reporting with respect to an organization's key risks, which address their interdependencies and aggregate exposures. In addition, an integrated ERM framework supports the alignment of oversight functions such as risk, audit, and compliance, which rationalizes risk assessment, risk mitigation, and reporting activities. It also considers how macroeconomic factors, such as interest rates, energy prices, economic growth, inflation, and unemployment rate, can impact the organization's risk/return profile. This interweaving of ERM into an organization adds strength throughout, whereas merely applying a superstructure from the top down may leave weaknesses unaddressed.

      Integration Adds Value

      The value that integration adds is visible in many areas of business and life, including fitness and sports. Over the past few decades, many disciplines have experienced greater effectiveness through integration. Take the example of cross-training in fitness. By integrating cardiovascular workouts with strength training, flexibility, and endurance, athletes can prevent and rehabilitate injuries as well as enhance strength and power. Similarly, the integration of various fighting styles into mixed martial arts (MMA) has added value to centuries-old practices and beliefs. Whereas martial artists once argued about which style was superior, the emergence of MMA has changed their attitude. Mixed martial artists combine karate, kung fu, jujitsu, tae kwon do, wrestling, and multiple other fighting styles, allowing them to adapt to any situation. This gives them a significant advantage over a fighter trained in a single style.

      So too, integration of ERM into business strategy leads to more informed and effective decisions. In fact, I believe the integration of strategy and risk is the next frontier in ERM, as it allows a company's board and management to understand and challenge the underlying assumptions and risks associated with their business strategy. Expanding technological capabilities have put this within the grasp of most companies. System integration allows for enterprise-level data management, robust business and data analytics, straight-through transaction processing, and more effective reporting and information sharing.

      According to a 2013 Deloitte study, 81 percent of the executives surveyed now have an explicit focus on managing strategic risks, in contrast to the traditional focus on financial, operational, and regulatory ones.[6] The study suggests a reason, too: Strategic risks represented approximately 36 percent of the root causes when publicly traded companies suffered significant market value declines over the past 10 years. This was followed by external risks (36 percent), financial risks (17 percent), and operational risk (approximately 10 percent).[7]

      WHERE ERM IS NOW

      The numbers show that corporations around the world are recognizing risk management as a priority and moving toward integrated ERM. The 2013 Deloitte Global Risk Management survey indicated that 83 percent of all global financial institutions have an ERM program or are in the process of implementing one, up from 59 percent in 2010.

      As a management framework, ERM has been more widely adopted than other management frameworks (e.g., reengineering, balanced scorecard, total quality management). Organizations with established ERM programs have realized and reported significant benefits. For example, 85 percent of financial institutions that had ERM programs in place reported that the total value derived from their programs exceeded costs.[8] Three quarters of today's executives feel that their ERM programs provide significant value compared with merely half in 2008.

      As ERM adoption has increased over the past several years, the CRO has grown in stature. The 2013 Deloitte Global Risk Management survey indicated that 89 percent of global financial institutions had a CRO or equivalent position. Moreover, 80 percent of the institutions said their CRO reports directly to the CEO and had a formal reporting relationship with their board, up from about 53 percent in 2010.

      Outside the financial sector, it's a different story, however. A 2012 paper produced by McKinsey & Company[9] pointed out that, unlike financial institutions, most corporates still do not have a CRO, leaving the de facto role of risk manager to the CFO. Furthermore, the goals for ERM improvement vary between the two sectors. Financial institutions are keen to improve their risk culture, IT, and data infrastructure while corporates focus on improving risk-related decisions and processes. Still, the frequency and heft of the CRO is growing throughout all sectors.

      Board involvement in ERM has increased as well, particularly since the global financial crisis. Several surveys indicate that risk management has replaced accounting issues as the top concern for corporate boards. Approximately 80 percent of boards now review risk policies and risk appetite statements.[10]

      Although ERM has made significant progress over the past decade, much remains to be done. In a sense, the global financial crisis was the ultimate risk management “stress test.” Many organizations failed, and even those with established ERM programs reported mixed results. Today, organizations appear to understand the need for change. Deloitte's 2013 survey reported that 94 percent of organizations have changed their approach to strategic risk management over the previous three years. Companies cite cultural issues and integrating data across the organization as the two biggest stumbling blocks to improvement.[11]

      WHERE ERM IS HEADED

      With



[5] Wittenberg, Alex. 2013 AFP Risk Survey.

[6] Global Risk Management Survey, Eighth Edition: “Setting a Higher Bar,” Deloitte Touche Tohmatsu Limited, 2013.

[7] Kambil, Ajit. “The Value Killers Revisited: A Risk Management Study,” Deloitte LLP, 2014.

[8] Global Risk Management Survey, Seventh Edition: “Navigating in a Changed World,” Deloitte Touche Tohmatsu Limited, 2011.

[9] Pergler, Martin. Enterprise Risk Management, McKinsey & Company, 2012.

[10] GRM Survey, Eighth Edition, Deloitte.

[11] Exploring Strategic Risk: A Global Survey, Deloitte Touche Tohmatsu Limited, 2013.