Enterprise Risk Management
Making a business case for ERM
Value-based ERM lets companies quantify the process
By Michael J. Moody, MBA, ARM
|
“A large part of S&P’s ERM focus is going to be on the extent to which insurers have successfully embedded ERM into their business decision-making process.”
— Sim Segal
Senior Manager in the Actuarial and Insurance
Solutions Group of Deloitte Consulting |
Enterprise risk management (ERM) continues to be a hot management topic for many industries. However, the early implementers remain primarily in the financial services industry. The main reason for this is that financial risks more naturally lend themselves to the quantification that is a central part of the ERM process. As a result, banks and now insurance companies are farther along in implementing ERM than most other sectors.
Added scrutiny
However, most insurance executives are now concerned about their ERM programs. What are these programs doing to actually change the way decisions are being made throughout the organization? These concerns have recently been underscored by the attention that ratings agencies are giving to ERM efforts.
According to Sim Segal, a senior manager in the actuarial and insurance solutions group of Deloitte Consulting, “S&P now has a separate rating just for ERM.” He goes on to say; “A large part of S&P’s ERM focus is going to be on the extent to which insurers have successfully embedded ERM into their business decision-making process.” And he says that other rating agencies are likely to follow suit. This is a concern for most insurers, he points out, “since most are not there yet.”
One of the reasons that insurers are not quite there yet, according to Segal, is that most ERM approaches lack the quantitative rigor and metrics to support decision-making. “Most insurance companies have a capital-centric focus when it comes to ERM metrics,” says Segal. “While this can be very useful, it cannot fully support decision-making. To connect ERM to decision-making, companies need to go one step further. That next step is value-based ERM.”
New perspective
Value-based ERM is a concept that has been recently introduced by Deloitte Consulting. According to Segal, the approach is designed to solve one of the key shortcomings of ERM, “the lack of connection between enterprise risk management and value-based management. This approach makes the quantification of value central to all aspects of the ERM process,” says Segal. “This enables companies to easily integrate ERM into their business decision-making processes—from strategic planning to tactical decision-making to pricing.”
Using a value-based approach allows companies to express risk in terms of the current and potential impact on the value of the enterprise. This is the alignment with decision-making. It takes the ERM approach and simplifies it in terms of a key metric—value. “Now you’ve got something that everyone in the company understands,” says Segal, “and that everyone must care about—enterprise value.”
The value-based ERM approach
So, how is a value-based ERM approach performed? “As with any ERM effort, management first establishes the risk governance and ERM framework and plan,” says Segal, “then they move on to risk identification, risk assessment, risk response, performance measurement/management and external reporting.” The steps listed below describe how the value-based ERM approach differs in the risk assessment and risk response phases.
Identification of key risks—The company must pre-qualify those risks critical to the enterprise. Only these key risks will be valued quantitatively. “One of the most important decisions can sometimes be what not to quantify,” Segal notes. “Too often, attempts are made at quantifying everything, which is not feasible.” Accordingly, he recommends, “limiting the key risks to a manageable number, which varies based on company-specific criteria.”
Develop risk scenarios—Due to the nature of the risks, this is done separately for financial risks and operational risks.
Financial Risks—Segal indicates that there is robust market data available to develop a credible set of risk scenarios for most financial risks. Thus, developing scenarios is fairly straightforward for these risks, and a large number of them can be supported.
Operational Risks—Here the value-based approach is totally different. Segal recommends developing a handful of scenarios using largely internal information, to determine where a process could fail, how it could fail and the potential impact of the failure. “It takes experience and a disciplined approach to get meaningful, consistent scenarios across the enterprise,” says Segal. “However, with expert guidance, an interactive exercise between internal risk owners and their subject matter specialists and Corporate ERM, this technique can produce the required credible scenarios in a short timeframe.”
|
A critical element to developing the scenarios for both financial and operational risk is to properly map each risk scenario into its valuation elements to quantify its impacts on enterprise value. “This is probably the most difficult part of the process and the one requiring the most experience,” says Segal, “since it requires the translation of the information into a consistent mathematical framework.”
Figure 1 (left) shows a partial example of the data produced for two risk scenarios (moderate and extreme) for a mid-sized mutual multiline insurance company measuring the risk of a money laundering event. Each risk scenario, as shown in the Figure, has clearly defined financial impacts.
Quantifying the impact on value—A model is then developed to quantify the impact of each risk scenario. A simplified example of such a model is shown for the mutual insurance company in Figure 2. This illustrates quantification of one risk scenario, which is repeated for each risk scenario and for each risk. As noted in the figure, the model revealed that the extreme scenario for the anti-money laundering (AML) risk was expected to destroy almost half of the value of the company. Although the likelihood of the extreme scenario was low, Segal says, “This information helped make management more comfortable with the advanced AML approach it was planning and further justified in its expenditures.”
|
Value-based risk response—The model aggregates data on individual risk scenarios, using likelihoods and simplified correlations to produce an enterprise risk profile. An example of this enterprise risk profile is shown in Figure III, which represents the current enterprise value and the volatility around that value. This is then used for decision-making. This information can answer the questions: What is our current level of “shock resistance,” i.e., how vulnerable is our value to current risk exposures? How might this shock resistance improve if we implement mitigation plan A versus plan B? How might a change in the strategic plan impact our shock resistance? Decisions can be guided by how they change the shape of this “value-volatility” or “enterprise shock resistance” curve.
Conclusion
A key output of the value-based ERM approach is a quantification of the enterprise risk profile in terms of the expected value to the organiza-tion. By using this approach, management can quantify the impact of any potential decision to its value distribution. With these metrics supporting decision-making, a complete integration of ERM into the business decision-making processing is possible, “even seamless,” according to Segal.
Using the value-based ERM approach that Deloitte has developed, many organizations will be able to avoid a key obstacle in the path of ERM implementation. This approach can assist management in embedding the ERM concept into its decision making process—from strategic planning to tactical decision-making. And it can clearly and efficiently build the business case that is necessary to advance ERM. * |