Lam James

Implementing Enterprise Risk Management


Скачать книгу

Board members and senior corporate executives should read Chapters 1, 3, 6, 9, 10, 12, 15, and 19.

      • Mid- to senior-level risk professionals, up to a CRO, should read the above chapters plus Chapters 4, 5, 7, 8, 11, and 16.

      • Students and junior-level risk professionals should read the entire book.

      Acknowledgments

      I would like to thank the Enterprise Risk Management team at Workiva for contributing to this book through excellent research and editorial support. In particular, I would like to thank Joe Boeser, Melissa Chen, Adam Gianforte, Garrett Lam, Jay Miller, Diva Sharma, Rachel Stern, and Zach Wiser. I want to especially thank Mark Ganem and Neil O'Hara for their outstanding editorial support. This book was the result of a collaborative team effort and it was truly my pleasure to work with such a great team.

      I would also like to extend my appreciation to Paymon Aliabadi, Matt Feldman, Susan Hooker, Merri Beth Lavagnino, Bob Mark, and Jim Vinci for sharing their stories and experiences as chief risk officers across different industry sectors. Their experiences in ERM implementation provide useful and practical insights. They also offer good advice to risk professionals who aspire to become a CRO. Their compelling stories are featured in Chapter 11. I am confident that risk professionals, regardless of where they are in their careers, will be inspired by their stories and benefit from their advice. I know I have.

      Finally, I would like to thank Bill Fallon and Judy Howarth from John Wiley & Sons for their patience and assistance throughout the book production process.

Part One

      ERM in Context

CHAPTER 1

      Fundamental Concepts and Current State

      INTRODUCTION

      In October 1517, Ferdinand Magellan requested an investment of 8,751,125 silver maravedis from Charles I, King of Spain. His goal: to discover a westerly route to Asia, thereby permitting circumnavigation of the globe. The undertaking was extremely risky. As it turned out, only about 8 percent of the crew and just one of his four ships completed the voyage around the world. Magellan himself would die in the Philippines without reaching home.

      What would motivate someone to undertake this kind of risk? After all, Magellan stood to gain only if he succeeded. But those long-term rewards, both tangible and intangible, were substantial: not only a percentage of the expedition's revenues, but also a 10-year monopoly of the discovered route, and numerous benefits extending from discovered lands and future voyages. What's more, he'd earn great favor with a future Holy Roman Emperor, not to mention fame and the personal satisfaction of exploration and discovery.

      But I doubt that even all of these upsides put together would have convinced Magellan to embark on the voyage if he knew that it would cost him his life. As risky as the journey was, most risks that could arise likely appeared manageable. Magellan already had a great deal of naval experience and had previously traveled to the East Indies. He raised sufficient funding and availed himself of the best geographic information of the day.1

      All in all, Magellan's preparations led him to the reasonable expectation that he would survive the journey to live in fame and luxury. In other words, by limiting his downside risk, Magellan increased the likelihood that he would reap considerable rewards and concluded that the rewards were worth the risk.

      Whether taking out a loan or driving a car, we all evaluate risk in a similar way: by weighing the potential upsides and trying to limit the downsides. Like Magellan, anyone evaluating risk today is taking stock of what could happen if things don't go as planned. Risk measures the implications of those potential outcomes. In our daily lives, risk can cause deviation from our expected outcome and keep us from accomplishing our goals. Risk can also create upside potential. We will use a similar definition to define risk in business.

      The purpose of this book is to provide the processes and tools to help companies optimize their risk profiles, but first we must have the necessary vocabulary for discussing risk itself. Then we can begin to construct a working model of an enterprise risk management (ERM) program, which we will flesh out over the course of this book. This chapter will cover the fundamental concepts and summarize ERM's history and current state of the art.

      But first, some definitions.

      WHAT IS RISK?

      Risk can mean different things to different people. The word evokes elements of chance, uncertainty, threat, danger, and hazard. These connotations include the possibility of loss, injury, or some other negative event. Given those negative consequences, it would be natural to assume that one should simply minimize risks or avoid them altogether. In fact, risk managers have applied this negative definition for many years. Risk was simply a barrier to business objectives, and the object of risk management was to limit it. For this reason, risk models were designed to quantify expected loss, unexpected loss, and worst-case scenarios.

      In a business context, however, risk has an upside as well as a downside. Without risk there would be no opportunity for return. A proper definition of risk, then, should recognize both its cause (a variable or uncertain factor) and its effect (positive and negative deviation from an expected outcome). Taken thus, I define risk as follows:

      Risk is a variable that can cause deviation from an expected outcome, and as such may affect the achievement of business objectives and the performance of the overall organization.

      To understand this definition more fully, we need to clarify seven key fundamental concepts. It is important not to confuse any of these with risk itself, but to understand how they influence a company's overall risk profile:

      1. Exposure

      2. Volatility

      3. Probability

      4. Severity

      5. Time Horizon

      6. Correlation

      7. Capital

      Exposure

      Risk exposure is the maximum amount of economic damage resulting from an event. This damage can take the form of financial and/or reputational loss. All other factors being equal, the risk associated with that event will increase as the exposure increases. For example, a lender is exposed to the risk that a borrower will default. The more it lends to that borrower, the more exposed it is and the riskier its position is with respect to that borrower. Exposure measurement is a hard science for some risks – those which result in direct financial loss such as credit and market risk – but is more qualitative for others, such as operational and compliance risk. No matter how it is measured, exposure is an evaluation of the worst–case scenario. Magellan's exposure consisted of the entire equity invested by King Charles I, his own life, and the lives of his crew.

      Volatility

      Volatility is a measure of uncertainty, the variability in potential outcomes. More specifically, volatility is the magnitude of the upside or downside of the risk taken. It serves as a good proxy for risk in many applications, particularly those dependent on market factors such as options pricing. In other applications it is an important driver of the overall risk in terms of potential loss or gain. Generally, the greater the volatility, the greater the risk. For example, the number of loans that turn bad is proportionately