Enterprise Risk Man. 09/02

ENTERPRISE RISK MANAGEMENT

UNDERSTANDING YOUR RISK PORTFOLIO

A holistic view of risk allows businesses to find
valuable opportunities as well as threats to the bottom line

By Michael J. Moody, MBA, ARM

ERM graphic2 The central focus of enterprise risk management (ERM) is its holistic view of business risk. The concept is based on a company's ability to implement a broad view of all its risks and then develop a methodology to handle these risks on a consolidated basis. By definition, this process requires some significant modification within the corporation in order to break down time-honored risk silos. It is easy to understand how much resistance a company and its various operational units can have to this new approach to
risk management.

However, companies no longer can avoid recognizing the benefits of enterprise risk management. Recent world and national events demand that they look at risks with a much broader view. The rash of financial disasters that led to a "crisis in corporate confidence" and resulted in the bankruptcy of a number of high-profile corporations has now gotten the public's attention. Over the next six to 12 months, many sanctioning groups (e.g., SEC, NYSE, etc.) will begin to clearly articulate that corporate governance must include provisions for a broad interpretation of risk management. Further, they will begin to place ultimate responsibility for an enterprise risk management approach squarely on the shoulders of the board of directors.

Given this changing landscape, and what we have reported in previous articles regarding the general lack of resources, how should a company proceed with implementing an ERM program? Since many organizations lack internal expertise, they must turn to outsourcing as a possible solution. In that regard, a number of international auditing and actuarial firms do provide these types of services on a fee-for-service basis. Additionally, some insurance brokers also provide similar services. Another source of these service offerings is a large international insurance company, such as Zurich Insurance Co. Through its IC² Group, the company has been assisting clients with enterprise risk identification/mapping, program development and integration, risk quantification, and modeling for more than two years. Today, it is assisting a variety of clients in these initial steps in the ERM process on a fee-for-service basis.

The Zurich IC² operation

Zurich's IC² provides a service that is directed at assisting clients in determining their business risks, as well as developing approaches to manage those risks which will serve the best interest of the organization as a whole. Steve Saporito, senior vice president of Zurich IC², notes: "This takes into consideration the perspective that risk also offers opportunity. Enterprise-wide risk management should be as much about helping create value as it is about preserving value." This implies that management's approach to risk should "reflect the way the real world works." In the real world, he says, "risks do interact and they interact differently based on the decisions management makes."

IC² considers business risks to basically fit into one of four quadrants: strategic, operational, financial, and hazard. Saporito notes that "the science of risk management has historically focused in the areas of hazard and financial risks." He adds that it only makes sense to bring more rigorous attention to strategic and operational risks (particularly as they offer great potential for either creating or destroying value). But again all of this has to be carried out from a holistic viewpoint.

Enterprise risk management consulting from Zurich IC² is first and foremost dedicated to making management more informed. "Better understanding and information enables smarter decisions about the business risks associated with their entire organization." IC² can deploy a variety of processes, but the main objectives of a typical corporate-wide engagement are to:

* Help identify and analyze critical business risks, as well as key performance variables

* Quantify the values and interaction of those risks and variables

* Model the outcomes of alternative strategies

* Track performance to maintain an appropriate risk and reward balance

A common starting point

In the initial stages of a project, the IC² team often assists corporate executives in developing a comprehensive risk profile of its operations. While the mechanics of this initial work can take a number of forms, the most popular is an interactive workshop. These workshops can vary in length; however, IC² has found that the 1.5-day sessions, which incorporate an overnight break, tend to work the best. The first day is used to begin exploring the risks of the company, while the second day is utilized for follow-up discussions and buy-in from the participants.

It is important to include the appropriate people at the workshop. Saporito notes that, while his team's role is that of a facilitator, company participants must be willing to provide a free exchange of ideas during the sessions. It is critical to the long-term success of the venture that key company officials attend and participate in the sessions. Further, without the active participation and cooperation of top management, the value of this process, like the entire ERM effort itself, is significantly diminished.

Risk analysis

Once there is agreement among the participants, IC² will document the results of the workshop and begin its quantification work. For this part of the process, IC² has access to a variety of forecasting models that are utilized in the development of a corporate risk profile. The use of priority software assists with this section of the project. After completion, the profile can be used to identify risks that are catastrophic, critical, significant or marginal. This process results in a risk map being prepared for the client. The risk map can be a powerful analytical tool to categorize and prioritize risks.

Zurich IC² is taking a very aggressive view of the new business prospects for its service offering, despite an apparent reduced overall interest in enterprise risk management. As Saporito observes, "There was a lot of talk about developing ERM programs a few years ago, but then it seemed to have quieted down."

He continues: "It is hard to tell what direction it is going because the term itself has become so ill-defined and misused. The most common misuse suggests that ERM is synonymous with an integrated insurance program."

Rather than a "big bang" approach to implementing an ERM program, a recent focus of interest today is a more "surgical approach in its application." As Saporito explains, some of Zurich IC²'s initial engagements can deal with "specific issues involving a select number of critical uninsurable risks." The involvement then often grows as other potential improvements invariably surface when an organization really begins to look at its risk differently.

While other groups provide assistance to management regarding risk identification and quantification, according to IC², these approaches have several fundamental weaknesses. Among the weaknesses are not fully integrating processes into the client's organizational structure and frequently, "quantification is provided at too high of a level." Saporito states: "The problem that this creates is that while line management may be asked to commit time and resources to an ERM improvement process, it is unable to measure the returns. The result can be deteriorating enthusiasm for the program."

For this reason IC²'s service offerings strive for granularity. Often a greater level of detail is required in order to really understand what is in the organization's best interest. Additionally, quantifying returns is also fundamental to sustaining interest and buy-in to an enterprise risk management program. According to Saporito, "You must be able to measure returns in hard numbers." He also points out that despite periodic renewals of interest from events such as the Enron bankruptcy, corporations will need to develop ERM programs that are self-sustaining. In order to do this, "You cannot stray too far from being able to clearly measure the derived value." This sort of analysis will be required to move risk management to the next level.

While one of the services that IC² provides is a preliminary review and analysis, which conceivably could be potentially used for an integrated product offered by Zurich Corporate Solutions, Saporito indicates that "our goal is not at all about opening a dialogue with a corporation to sell a product." In fact that is the exact opposite of enterprise-wide risk management and is one of the reasons it is such a misunderstood term. Happily, serious buyers of ERM are pretty savvy and can usually recognize "product sellers" before getting too involved.

"The value of our work is measured by the ERM deliverables we commit to providing, period," Saporito says. IC² believes the end game for ERM is "for an organization to migrate from valuing risks individually in terms of their frequency and severity." Rather valuation should be in the context of the organization's "risk portfolio." Once risks can be valued on a portfolio basis, the function of ERM then becomes helping management optimize returns in relation to the level of overall risk they are willing to assume. In the end, Saporito states, "It is about getting the risk/reward balance right."

While there are many benefits from utilizing the services of Zurich IC², Saporito reiterates, "It is as much about helping a company create value, as preserving value." While its work clearly does assist a corporation in the more traditional risk management role of asset preservation, by providing greater detail regarding the risk analysis and projections, IC² also creates value by "helping management make more intelligent risk-taking decisions."

Conclusion

Restoring faith and trust in America's businesses is going to be a difficult task. Boards of directors and senior management at companies of all sizes will need to develop and implement proactive programs that assure their stakeholders that they are firmly in control of the destiny of their companies. One way to do this is by implementing a comprehensive program of a corporation's business risk via an enterprise risk management program. Those companies that realize that ERM can create value as well as protect assets will have a significant advantage over their competitors. *

The author

Michael J. Moody, ARM, is managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management.

"This [ERM] takes into consideration the perspective that risk also offers opportunity. Enterprise-wide risk management should be as much about helping create value as it is about preserving value."

--Steve Saporito, Senior Vice President, Zurich IC²