Enterprise Risk Management

When risk becomes a four-letter word

Financial crisis exposes need for changes in quantifying risk and better communication among operating units

By Michael J. Moody, MBA, ARM

The current financial crisis continues to make headline news daily. Even after Congress approved more than a $770 billion rescue plan, trouble has been dominating the headlines. This of course is not difficult to do as the stock market of late has turned into a rollercoaster, with swings of 500+ points in a single session.

Despite this distraction, Congress is doing its best to determine the causes of the mess, and many are feeling the pain. Executives of many of the failed financial service sector companies have confirmed that they were aware of internal problems long before they became known to the public. Rating agencies, for their part, had noted that their rating matrixes need a major overhaul. Even ex-Fed Chairman Alan Greenspan expressed surprise at the scope of the current financial mess. Where all of this goes is anyone’s guess at this point.

Risk is risk

An area that will ultimately come under scrutiny is how well ERM performed during the meltdown. The financial services industry—and more specifically the banking sector—has been a strong supporter of ERM over the past 10 years. While the results still are not clear, S. Michael McLaughlin, a fellow and president-elect of the Society of Actuaries, a Chartered Enterprise Risk Analyst (CERA), and principal and global leader for actuarial and insurance solutions at Deloitte Consulting, notes that ERM theory is constantly advancing, but he points out that “we cannot forget ERM is still somewhat new.” He says that ERM models and tools are improving all the time.

“We are certainly getting a much better handle on risk,” McLaughlin says. “What we are finding in ‘normal’ times versus extreme times is that correlations change and risks that appeared independent most of the time are not independent during extreme times.” A perfect example, he says, is the subprime mortgage crisis, which centered on extreme leveraging. “We have found that extreme events are not really independent as originally thought,” he comments. In fact, he notes, “they may exacerbate each other.”

Without question, McLaughlin says, “The ERM frameworks that were in place were not expecting this level of risk.” A number of firms have taken extreme positions, when the theory of ERM said they should not be that far out on a limb. The current crisis has shown that those events believed to be remote were not; rather, they were “unlikely.” This will require a change in the quantification of risk, says McLaughlin.

“We’re getting better at identifying risk,” he asserts, remarking that this is particularly true regarding the aggregation of risk. He notes, “Increasingly we are able to look at the full spectrum of risk and investigate how these risks aggregate, and today we are actually able to quantify the impact of events where there is little or no data.”

The human side of ERM

While noting advancements in the theory of ERM, McLaughlin asserts the need for advancements in the human side as well, since ERM will require acceptance throughout the organization. “It will be very important that coordination of various functions is taking place within the ERM program,” he says. “The flow of information between the CRO and the operating units needs to improve.”

He points out that frequently this important communication is lacking. The coordination of information will become a critical aspect of the CRO’s job and a key component of the human side of the ERM equation.

As a result of recent events in the financial sector, McLaughlin points out that increased regulation will logically follow. The lesson from the current financial crisis is that many firms were just “going too far out on a limb in terms of leverage,” he says. “In hindsight, we now realize that someone needed to be able to pull back on the reins. It has become apparent that we have not fully figured out that part of ERM yet.” McLaughlin also believes that CROs may now gain more veto power as a result of the current situation. While new regulations will be important, he says companies should embrace ERM, not so much for its regulatory aspects “but because it represents good management.”

The SOA leading the way

For the past several years the Society of Actuaries (SOA) has taken a leadership role in advancing ERM. In July 2007 it added a formal credentia-ling program, the Chartered Enterprise Risk Analyst (CERA), to the Society’s offerings. McLaughlin says that “this is the first new credential since the SOA was formed 58 years ago” and adds that the response has been great.

There are currently 185 CERAs, he says, and about 120 more need to complete just one additional requirement in order to receive the designation. He believes that at the start of 2009 there will be 300 CERAs. The SOA is projecting another 200 to 300 new candidates during calendar year 2009.

The SOA recognizes the need for additional accredited individuals, McLaughlin says. “We are actively moving on that as quickly as we can to increase the supply while maintaining a constant quality,” he comments. “We have actively been working to increase our emphasis on ERM.” The hope is that there will be several thousand accredited individuals within three to four years. But it’s not just the supply side; the SOA is actively talking to employers on the demand side as well. In addition to the obvious demand from financial service sector firms, the SOA is also talking to employers in many other industry sectors, such as energy, retail, and transportation.

The SOA, McLaughlin says, realizes that competing organizations also are training people in ERM. He observes, however, “We know we have the most rigorous training and the most sophisticated mathematical tools, which will provide the best information for improving the quality of decision making.” The SOA, he says, is not trying to have the largest number of qualified credentialed individuals. “It has never been about the numbers,” he says. However, he says, “We do need to have at least sufficient numbers to make the impact we want.”

Summing up

Each day brings new revelations regarding the current financial woes facing the world. As a result, it may be quite some time before the true picture emerges as to the scope of damages. However, it’s clear that while many in the financial service sector were embarking on ERM programs, sufficient progress had not been made. McLaughlin points out that despite ERM’s progress, many of the ERM programs were not in place when most of the troublesome financial deals were originally entered into. “Additionally, many CROs need to have a stronger voice in the organization’s operations,” he asserts.

McLaughlin suggests that some of the solution will come in the form of increased regulation, “whether we want it or not.” Regulators, he comments, are obviously concerned about firms’ ability to self-regulate, and “to limit aggressive exposures.” Increased use of ERM, he says, “should not just be because government regulations are holding us back; it should be because it’s good management.”

At the end of the day, when all the dust settles, ERM should be viewed in a more positive light. And ERM should become even more embedded in the culture of most corporations. If that is the case, the SOA’s accredited ERM programs will be providing qualified CROs for a number of business sectors. *

The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF), an independent consulting firm that was established to advance the practice of enterprise risk management. The primary goal of SuRF is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.