different shapes and sizes. Some risks – such as interest rate risk or market risk – tend to be symmetrical.2 These risks are normally distributed, with an equal probability of gains or losses of similar size. Other risks – such as credit risk or operational risk – are asymmetrical, with more downside than upside. If a loan pays off, the lender gains a few percentage points of interest income, but if it defaults, the lender can lose the entire principal. If a core IT operation is running smoothly, it is business as usual, but a failure can cause significant business disruption. Risks can also be asymmetrical with more upside than downside, such as an investment in a new drug or a disruptive technology. Such investments can produce unlimited upside, but the downside is limited to the amount of the investment.
• Risk should be measured relative to business objectives. The risk metric used should be based on the context of the specific business objective and desired performance. For example, at the enterprise level the risk metrics can be earnings, value, and cash flows to quantify earnings-at-risk (EaR), capital-at-risk (economic capital or CaR), and cash flow-at-risk (CFaR), respectively. Such performance-based models can support the organization in managing corporate-wide objectives related to earnings performance, capital adequacy, and liquidity risk. At the individual business or risk level, the risk metric used should be linked to the specific business objective, such as sales performance, IT resilience, and talent management.
• The bell curve provides the downside, but also the mean and upside. Risk managers tend to focus mainly on downside risk. For example, EaR, economic capital, and CFaR models usually quantify the downside outcome at a 95–99% confidence level. However, a proper definition of risk must include all eventualities. The bell curve provides the full spectrum of risk, including the mean (i.e., expected outcome) as well as the downside and upside scenarios. By adopting a more expansive consideration of potential outcomes, risk managers can make more informed risk-based business decisions. The same variables that can produce unexpected loss can also produce unexpected gain. Downside risk analysis can inform capital management, hedging, insurance, and contingency planning decisions. Analyses of expected value can support financial planning, pricing, and budgeting decisions, while upside risk analysis can shape strategic planning and investment decisions.
• The objective of management is to optimize the shape of the bell curve. It has often been said that value maximization is the objective of management. To accomplish this objective, management must maximize the risk-adjusted return of the company. In other words, it must optimize the shape of the bell curve. For example, management should establish risk appetite statements and risk transfer strategies to control downside tail risks. Pricing strategies should fully incorporate the cost of production and delivery, as well as expected loss and economic capital cost. Strategic planning and implementation should increase expected earnings and intrinsic value (moving the mean of the bell curve to the right). This objective extends to a non-profit organization, but there the return is driven by its organizational mandate.
By conceptualizing – and ideally, quantifying – any risk as a bell curve, companies can manage them most effectively. This applies even to intangible risks that are difficult to quantify. Let's use reputational risk as an example. The mean of the bell curve represents the current reputational value of the organization. Reputational risks would include the key variables and drivers for the organization in meeting the expectations of its main stakeholders: customers, employees, regulators, equity holders, debt holders, business partners, and the general public. As with other risks, these variables and drivers can be measured and managed to enhance the organization's reputation, including downside and upside risk management.
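To make the bell-curve framing concrete, here is an added Python example (not from the book) that builds the exact outcome distribution for a small constructed portfolio and then reads off the mean, the 95% and 99% downside figures in the EaR/CaR style described above, and the matching upside. The loan and market figures are hypothetical; the point is to see the asymmetric (credit) and symmetric (market) shapes side by side.

```python
from math import comb

def two_outcome_pnl(n, p_bad, gain, loss):
    """Exact P&L distribution of n independent positions that each either
    earn `gain` (probability 1 - p_bad) or lose `loss` (probability p_bad).
    Returns {pnl: probability}. Constructed model, not the book's figures."""
    dist = {}
    for k in range(n + 1):                      # k = number of bad outcomes
        prob = comb(n, k) * p_bad ** k * (1 - p_bad) ** (n - k)
        pnl = (n - k) * gain - k * loss
        dist[pnl] = dist.get(pnl, 0.0) + prob
    return dist

def expected_value(dist):
    """Mean of the bell curve: the expected outcome."""
    return sum(x * p for x, p in dist.items())

def quantile(dist, level):
    """Smallest outcome x with P(X <= x) >= level."""
    cum = 0.0
    for x in sorted(dist):
        cum += dist[x]
        if cum >= level - 1e-12:
            return x
    return max(dist)

def at_risk(dist, confidence):
    """Downside 'at-risk' measure (EaR/CaR style): distance from the
    expected value down to the (1 - confidence) lower-tail outcome."""
    return expected_value(dist) - quantile(dist, 1 - confidence)

def upside(dist, confidence):
    """Mirror image of at_risk: distance from the expected value up to the
    `confidence` upper-tail outcome."""
    return quantile(dist, confidence) - expected_value(dist)

# Asymmetric credit risk: 10 loans of 100, 5% interest, 2% default probability
loans = two_outcome_pnl(n=10, p_bad=0.02, gain=5, loss=100)
# Symmetric market-style risk: 10 positions that gain or lose 10 with equal odds
market = two_outcome_pnl(n=10, p_bad=0.5, gain=10, loss=10)

if __name__ == "__main__":
    for name, d in (("loans", loans), ("market", market)):
        print(f"{name}: mean={expected_value(d):.1f} "
              f"at_risk95={at_risk(d, 0.95):.1f} at_risk99={at_risk(d, 0.99):.1f} "
              f"upside95={upside(d, 0.95):.1f}")
```

For the loan book the 95% upside is 21 against a 95% downside of 84 (189 at 99%), while the market book shows 60 both ways, which is the asymmetry the text describes.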
ENTERPRISE RISK MANAGEMENT (ERM)
The concepts I've described so far form the foundation for risk analysis, but understanding risk is just a preliminary step toward managing it. We are now ready to lay the groundwork for implementing enterprise risk management (ERM). Specifically, we will discuss:
• A definition of ERM
• Early development of risk management
• The development of ERM in the 1990s
This brief overview of ERM will show how the events of the past half-century have shaped ERM's current critical role in business strategy.
What Is Enterprise Risk Management?
A proper definition of ERM should describe what it is, how it works, its main objective, and its main components. With these criteria in mind, I will define ERM as follows:
ERM is an integrated and continuous process for managing enterprise-wide risks – including strategic, financial, operational, compliance, and reputational risks – in order to minimize unexpected performance variance and maximize intrinsic firm value. This process empowers the board and management to make more informed risk/return decisions by addressing fundamental requirements with respect to governance and policy (including risk appetite), risk analytics, risk management, and monitoring and reporting.
Let's briefly expand on this definition. First, ERM is a management process based on an integrated and continuous approach, including understanding the interdependencies across risks and implementing integrated strategies. Second, the goal of ERM is to minimize unexpected performance variance (defensive applications) and to maximize intrinsic firm value (offensive applications). As discussed, risk management is not about minimizing or avoiding risks, but optimizing risk/return trade-offs (the bell curve). Third, an ERM program supports better decisions at the board and management levels. Board decisions may include establishing risk appetite, capital and dividend policy, as well as making strategic investments. Management decisions may include capital and resource allocation, customer and product management, pricing, and risk transfer. Finally, the key components of ERM include governance and policy (including risk appetite), risk analytics, risk management, and monitoring and reporting. These four components provide a balanced and integrated framework for ERM.
Early Development of Risk Management
Protecting ourselves against risk is a natural practice that goes back well before Magellan. In fact, one could argue that risk management has existed as long as human history. As long as attacks from animals, people, or businesses have been a threat, we have constructed safeguards and defenses. As long as buildings have faced floods and fires, risk management has included structural design and materials used, or, in modern times, transferring that risk to an insurer. As long as money has been lent, lenders have diversified among borrowers and discriminated between high- and low-risk loans. Despite the intuitive nature of risk management – or perhaps because of it – it did not become part of formal business practice until the second half of the last century.
It wasn't until 1963 that the first discussion on risk appeared in an attempt to codify and improve such practices. In their Risk Management and the Business Enterprise, authors Robert Mehr and Bob Hedges posited a more inclusive risk-management practice that went beyond the status quo of merely insuring against risk. They proposed a five-step process reminiscent of the scientific method: Identify loss exposures, measure those exposures, evaluate possible responses, choose one, and monitor the results. They also described three general approaches to handling risks: risk assumption, risk transfer, and risk reduction. At this early stage, risk management emphasized hazard risk management. Financial risk entered the scene later. These traditional theories focused on what are called “pure” risks, such as natural disasters, which result either in a loss or no change at all, but never an improvement. Modern ERM practice now encompasses speculative risk, which involves either loss or gain. Stock market investment is a classic example of speculative risk.
The lack of attention to financial risk in early risk management programs reflected the comparative stability of global markets at the time. This began to change in the following decade. In 1971, the United States abandoned the gold standard, and in 1972, many developed countries withdrew from the 1944 Bretton Woods agreement, which had kept most foreign exchange rates within narrow bands since World War II. This brought an unprecedented volatility to global exchange rates. The Seventies also brought soaring oil prices due to the decision by the Organization of Petroleum Exporting Countries (OPEC) to decrease global supply after the 1973 Yom Kippur War.