Guiding Principles for Implementing Enterprise Risk Management (ERM)


Academic year: 2021


SEAC Conference

New Orleans

November 15-17, 2006

Hubert Mueller

(860) 843-7079

© Towers Perrin

ERM raises many implementation challenges for senior executives

• Stakeholders have challenged senior executives to ask questions with regard to integrated, enterprise-level risk analysis and their decision-making:
  • How can we identify the key and emerging risks that deserve senior management attention?
  • How do we measure and manage operational risks to the same degree as financial risks?
  • How much capital do we need and what return should we get on it?
  • How should we deploy capital to business segments and evaluate their performance?
  • How do we select our growth strategies, given our risk environment?
  • How can we maximize our return on capital, given our risk appetite?
  • How do we best invest our assets, given the structure of our exposures?
  • How much, and on what terms, should we insure and hedge?
  • How should we report our risk management results and communicate with external audiences about our risk management programs?
  • How do we build a risk culture within the organization?
  • How do we coordinate all of this? And how do we get started?


Enterprise Risk Management should address key management issues at each stage of the journey from compliance to value creation

Companies Need to Manage Risks from Many Interrelated Areas

[Figure: risk areas plotted along an Internal/External dimension and a Financial/Operational dimension. Areas shown: Marketing, Economy, Legal/social, Regulatory/political, Competition, Insurance, People, Processes, Hazards, Other]

| Management Issues | ERM Stages |
|---|---|
| What are my risks? | Compliance and Governance |
| What is their impact? | Diagnostics and Analytics |
| What can we do about them? | Solution Options |
| How do I take action? | Execution |

Guiding Principles: ERM as a means to add value to an organization

1. ERM serves strategic purpose — not for audit

• ERM is more than an audit. Risk management is the optimization of the risk/return relationship, not only the avoidance of risk

2. ERM generates economic value

• Create value by reducing the cost of capital and by increasing profits through better risk-based decision making

3. ERM is focused on managing risks in an integrated manner, as a portfolio of risks

• Analyze risks in combination to reveal systemic risks and interactions, and explicitly consider the interrelationships and correlations between risks

4. ERM considers both “downside” risks and “upside” opportunities

• Optimize the risk/return profile of the enterprise

5. ERM is best operationalized by making it part of the normal business process

• Coordinate with corporate planning and the allocation of capital and resources to fully integrate into the mainstream of business decision-making


1. ERM serves strategic purpose — not for audit

• All businesses must take risks to earn returns. Risk management should therefore be the optimization of the risk/return relationship and not only the avoidance of risk
  • Audit examines whether specified procedures and processes are being followed. It reduces risk, but does not consider the risk/return tradeoff
  • Audit strategically mitigates risk; however, what to audit and how much time and effort to invest in audit is determined through a risk management process

| ERM Approach | Audit Approach |
|---|---|
| Articulates strategy and identifies risks to achieving strategic objectives | Starts with a checklist of risks |
| Considers unexpected upside scenarios; identifies opportunities for risk taking based on relative ability to manage risks vs. competition | Defensive: Focuses only on downside risks |
| Considers interaction of risks to expose areas of concentration and diversification | Analyzes risks in silos |
| Supports decision making | Supports monitoring and reporting |

“Risk Triage” process filters strategic risks from tactical risks

[Figure: Risk Filters across Organizational Unit, Business Unit and Corporate levels; labels: Tactical Risks, Strategic Risks]


2. ERM generates value: Risk-Capital-Value Framework

Maximize value by relating a firm’s decisions on the risks it takes to the decisions on the capital it uses to finance its business

[Figure: Risk-Capital-Value Framework. Labels: Risk Structure (How much capital do I need?), Capital Structure (What type of capital do I need?), Portfolio of Enterprise Risks, Portfolio of Capital Resources, Risk and Capital Management, Value Management, Economic Capital, Capital Adequacy, Capital Costs, Return on Risk, Value Creation]

3. ERM is focused on managing risks in an integrated manner, as a portfolio of risks

• Why manage risks in an integrated manner?
  • Systemic risks
    Risks which in isolation are small within each organization, but because of common causes can in the aggregate across the enterprise pose a significant risk
  • Concentration of risk
    Separate risk events that have common consequences
  • Correlation of risks
    When companies fail, often it is because several related risks occur simultaneously. Important to understand the interactions among risks
    The lack of perfect correlation of risks means that the aggregate financial risk is less than the sum of each individual risk; may be overspending on risk management if managing risks independently
  • Exposure of risk
    Understand relative exposure across all risks to optimally allocate resources (financial and human) to mitigate risks
• Use risk analysis to develop risk-adjusted performance of business units, a best practice in the financial services sector


Risk identification should capture the “Anatomy of Risk”

• Benefits of recognizing the anatomy of risk:
  • Illustrates interactions among causal factors and consequences across risks to identify systemic risks and risk concentration

[Figure: Anatomy of Risk. Causes 1-4 linked to Risk Events 1-3, which are linked to Consequences 1-6; labels: Systemic Risk, Concentration of Risk]

4. ERM considers both downside risks and “upside” opportunities

• A fundamental objective of ERM is to optimize the risk/return trade-offs
  • The “downside” of each business activity is the risk of financial loss, the “upside” is higher profitability
  • When evaluating options to mitigate the “downside” of risks, need to also consider whether it reduces the “upside”
• Identify and embrace risks that the company can manage better than competitors
  • An insurance company that believes it can better price auto risk pursues riskier (and more profitable) drivers and even identifies competitors who are offering lower prices
  • Better management of political, foreign exchange and supply chain risks creates a competitive advantage in considering strategy to enter developing countries
  • These are generally core business risks, such as risks directly related to the manufacturing and distribution of core products


5. ERM is best operationalized by making it part of the normal business process, fully integrated into the decision-making activities

[Figure: Business Plan, ERM Analysis and Impact of Risk-Management Decisions, shown against the financial statements. Balance sheet labels: Assets (Current Assets, Fixed Assets), Liabilities (Current Liabilities, Long-Term Liabilities), Equity. Income statement labels: Revenues, Costs, Expenses, Operating Income, Other Income, Taxes, Net Income. Cash flow labels: Begin, End, Operation, Financing, Investment. Risk labels: Operational Risks, Business Risks, Business interruption, Corporate image/brands, Economic cycles, Insurable risks, Mortality, Property/Casualty, Human Resources, Market risks, Interest rate, Equity markets, Foreign exchange, Other, Credit risks]

Use assessment method that reflects true nature of risks

This is what risks look like...

[Figure: three loss distributions under the label "Risks"; horizontal axis: $, vertical axis: Probability, with the Expected loss marked on each]

…but the traditional method of assessing risks distorts the picture

[Figure: Likelihood/Impact matrix. Impact: Low < $x, Med $x - $y, High > $y. Likelihood: Low < x%, Med x% - y%, High > y%]

• Simplifies distribution of loss scenarios into a single scenario; which scenario?
• Underemphasizes real risks: low likelihood of large losses
• Likelihood x Impact represents expected loss, not risk


Implementing ERM: A 4-stage process at any level of the firm

• Identify: What are my risks? Who is watching them?
• Quantify: How much do they weigh? What is their impact?
• Solve: What can we do about them? How do we decide?
• Execute: How do I take action? What value does it create?

The ERM Framework links strategy to the organization and processes that drive risk-based decision-making

ERM Framework

• Strategy
  • Risk definition
  • Goals and objectives
  • Risk tolerance levels and guidelines
• Organization
  • Governance
  • Accountability: Roles and Responsibilities
• Process
  • Identify
  • Quantify
  • Solve
  • Execute
• Monitoring and Reporting
• Tools
