Nathan Skinner gives an overview of enterprise risk management and looks at some of the drivers

The financial crisis has dealt a severe blow to the reputation of risk management, particularly in the financial services industry. Risk managers are baffled that one of the most heavily regulated industries, with some of the supposedly strictest risk management controls, managed to get it so wrong. Does this mean that enterprise risk management (ERM) is broken?

Actually it does not. ERM in the financial sector had some distinctive weak points which, when put to the test, were at best overlooked and at worst ignored completely.

Banks were required to have a chief risk officer (CRO) who sat on the management board and who was accountable to the supervisory committee. The fact that the CRO's remuneration was tied to the performance of the company, however, meant that there was not much motivation to apply the brakes. And non-executive directors, more often than not, did not have the specialist knowledge or expertise to bolster a company’s risk management efforts.

Many financial institutions that got into trouble were just not getting the basics right. The Société Générale fraud in January last year was an early warning that something was wrong with the way banks managed their traders. They may have had large and highly professional credit and market risk departments, but clearly their operational risk management wasn’t up to much if a single rogue trader could wipe $7bn off the balance sheet.

These problems came to a head during the credit crisis. Risk management departments were too siloed - and that meant there was no single picture of the total exposure to bad debt. ERM was meant to bring it all together and instil a culture of risk management throughout the organisation. Despite the fact that rating models had been affirming these programmes for a number of years, some of them clearly weren’t working properly. Gaps in the ERM frameworks meant the exposures were able to escalate as the market for traded credit products grew. No-one, not the regulators, rating agencies or the banks themselves, properly understood the complex debt structures. So what hope was there for the CRO to get a handle on the overall strategic risk they posed?

Instilling a culture of risk management was hard to achieve in banks, particularly as it didn’t sit well with the bonus culture that allowed them to make such massive profits during the good times. The money-making traders were often at odds with the nay-saying risk managers. But by devolving responsibility for risk to another department and putting pressure on it to approve transactions, the traders went about their business unhindered, with terrible consequences.

There are some important lessons to learn from the financial apocalypse, one of the biggest being never to think that risk management is done and dusted. It requires regular reassessment. Some of the bankers may have thought that risk had been outsourced into the hands of the CRO and therefore must have been managed. They may also have trusted the rating agencies too much, blindly accepting that a rating was worth what the agency said it was worth. Another important lesson is not to rely too much on systems and models, particularly if the underlying information is flawed.

It is not, however, worth abandoning ERM altogether. There are a number of key benefits driving organisations to establish an ERM framework of their own.

Benefits of ERM

If done properly, an embedded ERM framework can decrease risk exposures and in turn reduce the cost of insuring against those risks, or, through the formation of a captive, eliminate premium payments altogether. By reducing the likelihood of a risk ever actually occurring, ERM can also mitigate the additional losses which might be associated with that incident, such as lost productivity, or a damaged reputation.

‘In this extremely volatile insurance market, caused by the credit crunch and the associated demise of even the biggest of the world’s finance institutions, prudent companies will seek to mitigate their exposure by improving their knowledge of the risks they face rather than simply insuring them,’ says Lindsay John Cox, managing director, Certus products, Neohapsis EMEA. In many ways ERM is more important now than ever.

Clearly documented risk management controls to mitigate the risk of fire are very handy bargaining chips when negotiating property insurance, for example. Applying these principles to all areas of business can substantially reduce premiums and reduce the level of actual claims.

Gaining a proper understanding of risk can deliver some other important benefits, which include better use of capital, better decision making, increased efficiency, reduced disruption, business continuity improvements and early warnings about potential problems. ERM also brings a visibility boost to the risk management profession and gives risk managers the opportunity to contribute to strategic discussions with senior management. If banks acknowledge that a company has good ERM in place, the company may even be able to secure financing at a cheaper rate.

As the credit crisis wave was peaking, RIMS, the US based risk management association, released a report that validated the benefits of ERM. Organisations that embrace ERM realise concrete risk management improvements, said the report. The study found that 93% of organisations with formalised ERM programmes made better risk-informed decisions. The study also linked ERM to better business performance. There is a distinct correlation between those companies that score highly on their ERM assessments and those companies that possess higher credit ratings, said the association.

ERM in ratings

In May 2008 the rating agency Standard & Poor’s said it would include enterprise risk management (ERM) in its ratings of non-financial corporations. The decision to apply ERM ratings to its analysis has helped push risk management into the spotlight. S&P considers ERM a good indicator of ‘forward-looking stability’. However, there are no guarantees that a sign-off from the rating agency actually means a company is well risk managed. S&P has included ERM analysis in its ratings of financial institutions and insurers since 2005, but the agency was unable to provide any early warnings about the financial crisis.

One of the problems is that there are still lots of issues to be ironed out in the assessment process. Rating agencies tend to complete their evaluations with limited resources, which means they rely heavily on information provided by the company they are rating. The risk management profession, despite some big efforts, has difficulty defining standards in ERM. Different businesses organise their ERM efforts in totally different ways, which means it is very difficult to compare one with the other.

Despite these difficulties in evaluating ERM, more and more companies are doing it as a result of the rating initiative. One of the stated aims of S&P’s rating process is to evaluate the extent to which companies have addressed risk management across the enterprise. It is now up to the executive management of rated companies to demonstrate an ability to incorporate risk information as a part of the strategic decision-making process in order to score well on the S&P ERM assessment. ‘In order for organisations to capitalise on value creation enabled by ERM, management must play an active role in the risk management process,’ says Carol Fox, ARM, senior director of risk management at Convergys Corporation and chair of RIMS ERM Development Committee.

ERM and technology

Part of the ERM process involves identifying risks to the organisation and collecting and storing information about them. As such, ERM technology solutions can provide a useful repository. Earlier in the year, RIMS published a report to help risk managers identify the right technology systems for their ERM practices. The paper focused on the functional needs of ERM processes and the corresponding functionality available from 20 different technology solutions.

The paper noted that ERM technology should be able to recognise the interdependency of risks. ‘For example, a foundry may ship product to a manufacturing facility that in turn ships product to a distribution center. The organization’s ERM technology solution should be able to identify risks to the foundry that are simultaneously risks to the two sister operations,’ read the report. Clearly one of the hallmarks of the financial crisis was the inability of organisations to understand the interdependency and systemic nature of risks. An important lesson therefore is that ERM technology solutions should be able to accommodate complexity.
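The interdependency the report describes can be made concrete with a small dependency graph. The following is an added example, not code from the RIMS report or from any ERM product: operations are nodes, "ships product to" relationships are edges, and each operation carries its own risk register. Walking the graph upstream shows which supplier risks an operation inherits; walking it downstream shows the blast radius of a disruption at one site. The operation names and probabilities are constructed sample data, and the combined disruption probability assumes the individual risks are independent, which is a simplification.

```python
"""Propagating registered risks through an operational dependency graph.

Added example (not from the article or the RIMS report). The foundry ->
manufacturing -> distribution chain and all probabilities are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from math import prod


@dataclass(frozen=True)
class Risk:
    """One entry from an operation's risk register.
    probability: constructed annual likelihood in [0, 1]."""
    name: str
    probability: float


@dataclass
class Operation:
    name: str
    risks: list = field(default_factory=list)


class DependencyGraph:
    """Operations plus the 'ships product to' edges between them."""

    def __init__(self):
        self.ops = {}                       # name -> Operation
        self.upstream = defaultdict(set)    # dependent -> its suppliers
        self.downstream = defaultdict(set)  # supplier -> its dependents

    def add_operation(self, name, risks=()):
        self.ops[name] = Operation(name, list(risks))

    def add_dependency(self, supplier, dependent):
        if supplier not in self.ops or dependent not in self.ops:
            raise KeyError("register both operations before linking them")
        self.upstream[dependent].add(supplier)
        self.downstream[supplier].add(dependent)

    def _reach(self, start, edges):
        """Transitive closure over `edges` (breadth-first). The visited set
        guarantees termination even if a dependency loop was entered by mistake."""
        seen, queue = set(), deque([start])
        while queue:
            node = queue.popleft()
            for nxt in edges[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        seen.discard(start)
        return seen

    def inherited_risks(self, name):
        """Risks an operation is exposed to through its suppliers, as
        {risk name: set of operations where that risk is registered}."""
        exposure = defaultdict(set)
        for supplier in self._reach(name, self.upstream):
            for risk in self.ops[supplier].risks:
                exposure[risk.name].add(supplier)
        return dict(exposure)

    def blast_radius(self, name):
        """Every operation that is disrupted if `name` is disrupted."""
        return self._reach(name, self.downstream)

    def disruption_probability(self, name):
        """Chance that at least one own or inherited risk materialises,
        treating the risks as independent (an assumption of this example)."""
        own = self.ops[name].risks
        inherited = [r for s in self._reach(name, self.upstream)
                     for r in self.ops[s].risks]
        return 1.0 - prod(1.0 - r.probability for r in own + inherited)


def build_sample_graph():
    """Constructed sample modelled on the report's foundry example."""
    g = DependencyGraph()
    g.add_operation("foundry", [Risk("furnace failure", 0.05), Risk("flood", 0.02)])
    g.add_operation("manufacturing", [Risk("labour dispute", 0.10)])
    g.add_operation("distribution", [Risk("warehouse fire", 0.01)])
    g.add_dependency("foundry", "manufacturing")
    g.add_dependency("manufacturing", "distribution")
    return g


if __name__ == "__main__":
    g = build_sample_graph()
    for op in g.ops:
        print(op, sorted(g.blast_radius(op)),
              round(g.disruption_probability(op), 3))
```

The point of the walk is that the distribution centre's own register lists only a warehouse fire, yet its real exposure includes the foundry's furnace and flood risks two hops upstream; a repository that stores each site's risks in isolation cannot surface that.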

The report also displayed the results of two surveys - one of ERM practitioners and one of system providers. There were over 600 responses, 49% of whom reported that their organisations had some ERM process in place. Of those with active ERM, 48% used a technology solution. Other findings revealed the immature nature of the ERM technology marketplace. Desktop applications such as Microsoft Office products were the most commonly cited technology solutions. Monitoring risks, data storage and analysis were the most common functions of the ERM technology deployed by the survey respondents. The ability to address interdependency of risks was the most sought-after future functionality.

Technology systems can help by making the organisation’s objectives and the key risks to achieving those objectives clearly visible to management, according to the report. Meanwhile, mitigation plans can be systematically approved and monitored. ‘Technology can provide strong support for an ERM process; however, practitioners must make certain that the system is user-friendly and flexible enough to accommodate the changes that most ERM programs experience over time,’ said Leslie Lamb, member of RIMS Technology Advisory Council and risk manager at Cisco Systems.

Now is the time for reappraising ERM. Financial businesses have shown that even the most mature programmes cannot prevent disaster. But properly embedded frameworks allow companies to realise some significant benefits - and, with them, companies are probably less likely to get into serious trouble. Organisations should strive for continuous improvement with their programmes and remember that a culture of risk awareness is vital. In this Special Report StrategicRISK will examine best practice in ERM with relation to all of the points discussed above.