Enterprise Risk Management

An emerging model for building shareholder value

Contents

Introduction

The current environment: How risk management is evolving

How organisations are deploying ERM: Tools and techniques in use today

An emerging model for deriving value from risk management

Implications and opportunities

Conclusion

Appendix I: Interviews with leading risk management specialists

Endnotes

Contacts

Introduction

As business leaders seek new ways to build shareholder value, they have begun to think in new ways about how risk management is tied to value creation. Across industries and organisations, many are recognising that risks are no longer merely hazards to be avoided but, in many cases, opportunities to be embraced. “Risk in itself is not bad,” asserts Suzanne Labarge, chief risk officer at Royal Bank of Canada. “What is bad is risk that is mismanaged, misunderstood, mispriced, or unintended.”1 Indeed, many are realising that risk creates opportunity, that opportunity creates value, and that value ultimately creates shareholder wealth. How best to manage risks to derive that value has become the critical question.

In this context, enterprise risk management (ERM) has emerged as an important new business trend. ERM is a structured and disciplined approach aligning strategy, processes, people, technology, and knowledge with the purpose of evaluating and managing the uncertainties the enterprise faces as it creates value. “Enterprise-wide” means the removal of traditional functional, divisional, departmental, or cultural barriers. A truly holistic, integrated, future-focused, and process-oriented approach helps an organisation manage all key business risks and opportunities with the intent of maximising shareholder value for the enterprise as a whole.

Leaders face a variety of new challenges in their drive to maximise value. Globalisation, e-business, new organisational partnerships, and the increasing speed of business activity are rapidly changing and expanding the risks organisations face. One significant result is that risk management must now extend well beyond traditional financial and insurable hazards to encompass a wide variety of strategic, operational, reputation, regulatory, and information risks. As a means of identifying, prioritising, and managing such risks across an enterprise or division—and linking them to value creation—ERM has the potential to provide organisations with a new competitive advantage.

Most organisations, however, are uncertain about how, exactly, to translate the concept of ERM into concrete action steps that will help them enhance shareholder value. Leaders agree that as important as ERM might be in theory, it will never be valuable in practice unless it enables organisations to use risk information to drive business value in a way they could not do otherwise.

This white paper describes ERM as it has begun to evolve today, emphasising that organisations may be able to benefit more fully from their ERM efforts than they may have done thus far. It addresses how leaders should seek to analyse their critical risks—balancing them with their objectives for improved returns—and then use that information to drive business value. To that end, this document outlines a new ERM model, one that can provide organisations with new action steps they may use to enhance business decision-making and, potentially, shareholder value.

The current environment: How risk management is evolving

As risks change and proliferate, managers in a variety of industries are seeking to ensure that they are taking both the right risks as well as the right amount of risk—compared with their own organisations’ risk tolerance or “appetite” and benchmarked against others in their markets and industries. An organisation determines its risk appetite, and its capacity for taking on additional risks, in much the same way individual investors balance their own tolerance for various risks against their desire for greater returns and use that knowledge to diversify the portfolio of stocks, bonds, and other financial instruments they hold (see box below).

Defining Risk Appetite

An organisation’s “appetite” or tolerance for risk will vary with its strategy as well as evolving conditions in its industry and markets. Each organisation’s risk tolerance is unique, and it will vary according to organisational culture as well as external factors.

A critical aspect of management’s responsibility is to determine which risks, and how much of each of them, the organisation should take and then to re-evaluate those choices as circumstances change. Unlike Total Quality Management (TQM), which tolerates no failures, ERM maintains that a defined number of failures can be tolerated if the cost of guarding against them is more expensive than the risks they impose.

Consider the perspectives of a government buying computer chips for use in cruise missiles and a computer manufacturer buying the same chips for use in personal computers. Both entities have high standards for the quality and integrity of the computer chips, but widely differing tolerances for failures in them. The cruise missile manufacturer can tolerate no chip failures. The likelihood of such failures may be low, but the magnitude of the consequences is too high for all organisational stakeholders. That manufacturer must thus test every chip to ensure that it fully meets the high standards the organisation has established.

The PC manufacturer, on the other hand, need not test all its chips because it can, in fact, tolerate a few failures. It can bank on the limited likelihood of such failures, because the magnitude of the consequences is considerably lower than with chip failures in cruise missiles. This difference in risk appetite will drive differences in resource allocations and other management choices.

“Globalisation has completely changed both the risks organisations face and their management of those risks. When you’re no longer making things in Lancaster, Pennsylvania, for example, but in Bangladesh, or Marissa, or Hong Kong, you’ve got risks, along with opportunities, along the entire value chain. A large portion of our product is sourced overseas, so as with all retailers, we have to work hard to be sure that working conditions are what they should be. What do the plants look like, and do we own them? How do we ensure that they are safe and humane and that workers are appropriately compensated? Failing to pay close attention to the risks related to those issues can result in tremendous liabilities, not the least of which is degradation of the brand.”2

Vice President Financial Operations

Enterprise risk management is evolving in this context. It is an important means of identifying the critical risks the organisation faces—for example, reputation, ethics, e-business, or health, safety, and environmental risks (not just financial or insurable hazards). It is also important for managing and optimising that portfolio of risks in a way that realises financial rewards. Interpretations of ERM vary widely by industry and among organisations. Consequently, definitions of ERM also vary widely—but many agree that it is a top-down approach, based on and supportive of organisational strategy, that is focused on new ways to manage and optimise the risks of highest importance to the board and management.

Depending on how they perceive ERM, organisations are using it in a variety of ways, with varying results, as described in the next section.

How organisations are deploying ERM: Tools and techniques in use today

Intrigued by ERM, organisations are using risk management concepts to consider a number of questions:

■ What risks am I facing, and how do they compare to those of my peers or competitors?

■ How are these risks changing based on changes in my business environment?

■ What level of risk should I take?

■ How should I manage those risks?

To help answer these questions, many organisations are collecting and analysing risk information using a variety of basic tools such as one or more of those described below:

■ Identification/Assessment tools enable a management team to collectively identify and assess the risks facing the organisation. These tools also enable the team to evaluate each risk according to its “likelihood” (that is, the probability that the risk will occur) and its “magnitude” (the impact the risk would have if it did occur). (See Figure 1.)

Figure 1: Business Risk Matrix (figure not reproduced; labels: Reduce Risk, Reduce Control, Pass On, Accept, Terminate; axis: Impact)

Management can derive considerable power from augmenting its knowledge about risk likelihood and impact. Through this process they will make judgments on the likelihood and impact of various risks, creating an analysis such as that depicted above. Once such an analysis is done, some risks will require no action, but when a risk has a potentially high likelihood and substantial impact (such as those in the upper right quadrant), management should take action to move that risk into an acceptable range or even eliminate it altogether, based on a risk/return analysis of the effects of such action on the entire organisation. Risks in the lower left quadrant

Identifying and Assessing Risk from an ERM Perspective

The CEO and the board of directors should consider a number of questions during risk identification and assessment. Such questions include:

■ Are the critical strategies appropriate to enable the organisation to meet its business objectives?

■ What are the risks inherent in those strategies, and how might the organisation identify, quantify and manage these risks?

■ How much risk is the organisation willing to take?

■ What risks result from e-business developments?

■ What are the risks inherent in the processes that have been chosen to implement the strategies?

■ How does the organisation identify, quantify, and manage these risks given its appetite for risk? How does it adapt its activities as strategies and processes change?

■ What are the risks to brand and reputation inherent in how the organisation executes its strategies?

■ What risks are related to compliance with regulations or contractual arrangements—not just those that are financially based?

■ Have operating processes put financial resources at undue risk?

■ Has the organisation incurred unreasonable liabilities to support operating processes?

■ Has the organisation succeeded in meeting measurable business objectives?

■ Is our data/information/knowledge reliable, relevant and timely?

■ Are our information systems reliable?

■ Do our security systems reflect our e-business strategy?

■ What risks have yet to develop? (These might include risks from new competitors or emerging business models, recession risks, relationship risks, outsourcing risks, political or criminal risks, financial risk disasters (rogue traders) and other crisis and disaster risks.)

Typically, users plot risks in a matrix that depicts risks in categories, thus determining how particular risks compare to the organisation’s defined risk appetite. Multiple tools provide a structured framework for identifying and assessing risks. They may also assist in identifying risk “owners” (those to whom organisations assign responsibility and authority for the management of specific risks).

■ Categorisation tools help organisations group and prioritise their risks, by industry or within an entity. Such tools help management to ensure that they have captured all categories of organisational risks, not just traditional, financial hazards (see Figure 2 below).

■ Financial quantification tools help organisations understand the potential impact of risks. A number of sophisticated models are available to evaluate risk in financial areas. These models—encompassing, for example, value-at-risk and options theory—have been most commonly applied in financial services organisations, in which credit and market risks, among others, are highly quantifiable. In addition, risk-adjusted returns on assets or equity have been quantified by many organisations to better manage and balance the inherent differences in their divisions or product lines. How to model other categories of risks is less well understood, although some organisations have attempted to do so.

Having systematically assessed and categorised their risks—and perhaps having tried to understand their impact—many organisations try to determine which risks should be managed at the corporate level and which risks should also be pushed down into the structure of the organisation.

Figure 2: Risk categories

Organisational approaches to risk management may be centralised at the corporate level or decentralised among divisions or processes, depending on the nature of the risks in question and the organisational preferences of management. While there is no right or wrong way to organise, organisational principles are emerging as follows:

■ Centralised risk management tends to focus on risks that affect the achievement of key corporate objectives and strategies and significantly affect most if not all functions and processes (e.g., reputation). These risks may be referred to as enterprise-wide risks. Accountability for enterprise-wide risks may reside with the CEO and the board of directors (although responsibility for these risks may be dispersed throughout the organisation). Other risks that may be managed centrally include those that require specialised skill sets that cannot be duplicated at the division level or those that require partnering or contracting at the corporate level.

■ Decentralised risk management pushes the responsibility of risk management to those who live with it day to day. Risks that may best be managed in this way are division or process-level (PL) risks, which are those that are significant only within a particular process but nonetheless affect the organisation’s ability to successfully implement its strategies overall.

Regardless of whether risks are managed in a centralised manner, in a decentralised manner, or with a hybrid of these structures, a new organisational trend is to create ERM “program offices” and appoint chief risk officers (CROs), who are responsible for developing and managing risk management strategy. Notes Pamela G Rogers, assistant treasurer, risk management with Sears, Roebuck & Co., “Just as companies have revenue and profit strategies, there’s got to be a risk strategy, and the CRO needs to set it.”3

In summary, experience shows that many leaders believe ERM is important—and potentially a competitive differentiator—but many of them remain largely unable to translate risk information into the action steps that can drive business value. They may have learned a great deal from the information they have collected, but they are seeking new ways to use and derive value from it. The next section describes a new ERM implementation model designed to further the value enhancement process.

An emerging model for deriving value from risk management

Organisations are engaged in a wide variety of risk assessment and monitoring efforts, but many of them remain largely unable to point to the specific value they derive from these activities. The emerging models for risk management are integrating how leaders think about risk with how they manage their businesses and are designed to monitor how risk management provides value. Leaders can participate in this ERM evolution by broadening and expanding the tools and concepts used today, as shown in Figure 3.

Figure 3: Risk Management is evolving…

■ Risk as individual hazards → Risk in the context of business strategy

■ Risk identification and assessment → Risk “portfolio” development

■ Focus on all risks → Focus on critical risks

■ Risk mitigation → Risk optimisation

■ Risk limits → Risk strategy

■ Risks with no owners → Defined risk responsibilities

■ Haphazard risk quantification → Monitoring and measurement

■ Risk is not my responsibility → Risk is everyone’s responsibility

Tying ERM to Business Strategy

Early models of risk management viewed risk as a market imperative—something to be understood and analysed for its own sake. The new models maintain that ERM should be intrinsically linked to the entity’s business strategy—which encompasses an organisation’s established vision, mission, and objectives; its process for defining operational imperatives; and its philosophies, policies, plans, and initiatives for growth and development (see Figure 4).

Aligning ERM resources and actions with the business strategy is necessary to maximise organisational effectiveness. What’s more, by linking ERM to the strategy, risk processes can be carried out in the context of where a business is headed, not solely based on where it is today. This differentiator is critical in an environment in which many organisations are changing their business models and strategies with increasing speed, driven by influences such as the rise of e- and m-commerce, the globalisation of business, and changing consumer expectations.

In the course of this process, an organisation may find that it is unsure of its actual risk appetite. By developing measurements to evaluate levels of risk, an organisation may determine how it may need to adjust its risk appetite, based on business outcomes and assessments. Linking the business strategy to ERM can also provide a context for setting risk appetite and risk measures so that they are linked to a long-term view of the entity. Otherwise, if appetite and related measures are established inappropriately, leaders may make decisions that tolerate more or less risk than the strategy establishes as ideal. Newer models of ERM establish a link with business strategy, which can increase ERM’s relevance to the organisation as a whole.

Risk strategy is built around and supports the business strategy. Risk portfolio development, optimisation, and measuring and monitoring take place in the context of these strategies, based on an established structure for ERM that provides the means of embedding it in organisational culture.

Deriving Action Steps from Risk Assessment

Risk assessment has proved to be a highly useful process for identifying, categorising, and assessing critical risks based on their likelihood of occurrence and magnitude of impact. The key issue that has arisen, however, is what to do with the information when the risk assessment is finished. In some instances, entities find that the process has identified so many risks that they cannot possibly track them all. In others, they find they have not been able to translate the risk assessment into specific action steps—in the context of management’s risk appetite—that drive value for the organisation.

To address these issues, the new models of ERM are taking the concept of risk assessment several steps further to encompass a risk portfolio. The concept of a risk portfolio assumes that various risks share certain characteristics and/or interdependencies. Risks are considered in groups, based on how they relate to each other, and within these groups one or more risks may rise or fall when other risks rise or fall. In addition, when one risk is transferred, another may arise. For example, by outsourcing a non-core function to mitigate performance risk, an organisation assumes credit and supply-chain risks. By understanding and mapping such interdependencies, leaders can begin to parcel risks into broad categories that will influence how these risks are managed and optimised.

Figure 5: Benchmarking performance indicators to understand risk management

Measuring risk based on the performance of an organisation and comparing it to industry-based returns may point out opportunities to optimise risk.

Another key concept of the risk portfolio is that it acknowledges organisational limitations. Management has time and resources to focus on a limited number of risks. Evaluating risks in a portfolio enables leaders to perceive impacts and interdependencies, allowing management to proceed through the ERM process with a better understanding of which risks are critical and thus may require their increased focus—driving a better return on management’s time and resource investment.

Optimising Risks

At this point in the ERM process, organisations understand their strategy, have identified their risks, have defined the interrelationships of those risks within a risk portfolio, and have made preliminary decisions as to which risks require the most management attention. The next step is to optimise the risk portfolio.

Risk optimisation embodies the concept of choice. Just as an investor adjusts the mix of investments based on defined targets for risk and return, a risk portfolio manager chooses among tactics to manage risk based on the entity’s appetite for risk and its ability to absorb it. These choices can include adding controls or limits for risks that may exceed the entity’s risk appetite. Such choices also may include reducing costs related to excessive controls or taking action to expand risks in areas where existing controls provide additional risk capacity. Thus the manager must continually balance the cost/benefit of taking such action with the need to optimise risk in the organisation. By applying a variety of tactics, risk managers can begin to affect corporate performance and thereby affect shareholder value.

A key part of the optimisation process is to make sure that the risk “limits” are understood and that the risk appetite is apportioned appropriately, so that the limits managed separately do not exceed the entity’s risk appetite as a whole. This is a key step in the process, as a risk manager’s point of view may affect what he or she deems an acceptable level of risk. For example, a corporate CFO may understand that the total dollar amount of risk acceptable in futures trading could be $20 million. Within a division, however, that has $2 million in total sales and the only futures trading in the entity, the division manager may believe that only $1 million in risk is acceptable. The organisation’s overall performance could be enhanced if the division manager understood that he or she could take more risk. Conversely, if the division undertook a position of risk for $30 million, it is putting


Risk optimisation is an iterative and ongoing process: as one tactic is implemented, others should be reassessed. While reassessment is typically not possible for every action, entities are beginning to track actions related to the organisation’s most important and material risks.

Measuring and Monitoring to Enhance Value

At this point in the process, all of the actions related to ERM should be having an impact on the organisation. Measuring and monitoring these actions now becomes necessary, as an ongoing means of understanding and reporting on the status and impact of risks. Many organisations are devising ways to perform these activities on both an enterprise-wide and a process level.

Monitoring at its most basic level can be embedded in an organisation’s systems. By defining risk limits in terms of specific attributes or measurements, real-time monitoring can occur and, if limits are exceeded, actions can be taken. Achieving this result requires thoughtful definition of performance measures (both quantitative and qualitative) that can embody risk characteristics. Other monitoring methods include the use of internal and external auditors, benchmarking against market or other data, and retroactive review of risk results. Companies should define the monitoring and measurement systems that best serve their management styles and characteristics.

Risk Strategy and Structure Complete the Model

Rounding out this ERM construct are two additional concepts. The first is that of a risk strategy. Just as a business strategy indicates the direction of the business, a risk strategy provides guidance for the risk activities within a company. It can set the tone for aggressive or conservative risk management activities, dictate how measuring and monitoring activities can be carried out, and provide the “bird’s-eye” view needed by management and the board. Indeed, it is the risk strategy that provides the backbone for embedding ERM within the culture of the business.

The risk strategy should be executed by the risk structure. Many organisations today are designing integrated structures that define how ERM is embedded into the organisation. This endeavor will not require a bureaucratic reinvention of the business structures already in place, but rather an enhancement of such structures that will embed and align risk management within existing strategies and business


Date posted: 18/11/2016, 13:40
