Enterprise Risk Management
Establishing the value proposition
New book integrates decision-making into ERM process
By Michael J. Moody, MBA, ARM
As most readers of this column know, I have been a strong proponent of enterprise risk management (ERM) for many years now. The various methods that have appeared over time have done a lot of good for their organizations. Yet, up until now, most ERM programs have shared a critical flaw that limits their reach: They are not connected to the business decision-making side of the house. However, a new ERM book that has just come on the market reveals an ERM approach that makes sense to the business decisions makers, in addition to the risk personnel, within an organization. This new book, Corporate Value of Enterprise Risk Management: The Next Step in Business Management, provides a practical, yet advanced approach, called "the value-based ERM approach," for implementing ERM in a way that builds buy-in and that can be integrated into traditional day-to-day business decision-making.
According to the author, Sim Segal, FSA, CERA, "Most ERM programs lack a connection to decision-making." He also notes that one reason is that, "The ERM metrics often cannot support decision-making because they typically only measure financial risk, ignoring the bulk of the corporation's other risks, which arise from strategic and operational sources." For ERM to work, he says, all sources of risk must be addressed equally. "If the ERM program is not measuring strategic and operational risks, then management can't make informed decisions involving strategy and operations, which usually constitute the bulk of the important decisions in a firm."
A second reason that approaches to ERM lack a connection to decision-making is that they frequently focus only on downside, by concentrating on the mitigation of risk. "Risk-return is one of the most common phrases in business." However, he indicates, "Many ERM programs ignore upside volatility, thus making it impossible to consider both risk and return together." He goes on to say, "In ERM, you cannot address one without the other."
Segal points out that this is further complicated by the fact that a poor definition of risk adds yet another reason that most ERM programs fail to support decision-making. Most risk management programs define risk as "an impact to one of a disparate set of key risk indicators or as an impact to a single, short-term metric, such as balance sheet capital." Segal point out, "Risk must be defined by its impact on the value of the organization, which for corporate entities must be the company value." Ultimately, he says, "This is critical not only to fully capture the impact of risks, but to provide a business case for any decision, in terms of its impact on the expected value of the firm as well as value volatility."
Value-based ERM
Segal's book discusses how the value-based ERM approach resolves these typical challenges to ERM programs. As part of this work, Segal also outlines a new set of standards for ERM programs. He does this by providing 10 key ERM criteria that define a robust ERM program, and that also can be used to benchmark any ERM program.
The chart above is taken from Segal's book and serves as an outline of the basis of the value-based ERM approach. According to Segal, the chart incorporates the first three steps in the ERM process cycle: risk identification, risk quantification, and risk decision-making. On the left side of the chart there is a list of potential risks, which gets narrowed down using a two-step process. In the first step, the company's strategic plan acts as a filter, removing all risks that are not relevant, based on the company's choice of products, distribution channels, target markets and value proposition. In the second step, a qualitative risk assessment facilitates a ranking and prioritization. This involves collecting a consensus internal ranking on both the likelihood of the risk occurring, and the potential impact of the risk should it occur.
According to Segal, the risk quantification portion of the figure shows the importance of quantifying all types of risk, including those for which sufficient objective data exists to easily develop risk scenarios, such as financial (and insurance) risks, as well as those for which no such data set exists, such as strategic and operational risks. For the latter, Segal details "how a simple and long-standing technique, called Failure Modes and Effects Analysis, which is adapted from the manufacturing sector, can be used to develop risk scenarios." This addresses, he says, "the first obstacle to connecting ERM to decision-making, which is measuring all types of risk."
As a result of the above noted analysis, Segal points out, "The risk scenarios developed include upside scenarios as well as downside scenarios." For example, he says, "The competitor risk scenarios can range from one where a competitor makes an aggressive move to one where a competitor fails." And he adds, "By doing this, it paints the full picture of the distribution of outcomes"—thus addressing the second obstacle to connecting ERM to decision-making, which was including both upside and downside volatility, by providing supporting consideration of both risk and return on an integrated basis.
In the chart, Segal shows how risk management tactics, such as mitigation, also act as a filter to dampen the impact of the risk scenarios. Segal emphasizes the importance of measuring risks on a pre-mitigation basis as well as on a post-mitigation basis since, "You never know how well your mitigation will work in practice, so it is important to measure risks on both bases."
The ERM model is then used to quantify risk scenarios on a one-at-a-time basis and also on a multiple, simultaneous risk scenario basis in terms of their potential impact on the company value. To do this, the ERM model first performs a baseline valuation of the company, using a projection of future distributable cash flows, consistent with the company's baseline strategic plan projection. Risk is then defined and quantified as anything that causes a deviation—up or down—from the baseline expectations. This is expressed as a change in baseline company value and the likelihood of that occurring (value volatility). This addresses the third obstacle to connecting ERM to decision-making, "which is defining risk in terms of its impact on company value."
Conclusion
Segal uses the company value metric as a unifying element in the value-based ERM approach. This metric allows management to aggregate the measurement of risk to an enterprise-level risk exposure. In turn, this allows management to define risk appetite—what they want enterprise risk exposure to be—at the aggregate enterprise level. Segal indicates that, "This is sorely missing from most ERM programs and is in and of itself a valuable benefit." But what comes next is even more enlightening.
If management is not happy with the current level of enterprise risk exposure, e.g., enterprise risk exposure is currently higher than the desired level of risk appetite, then they can use decision-making to change this. Management is free to change strategy or tactics at any point along the decision-making process. Segal believes that, "This shows the value-based ERM approach to be one that fully supports decision-making." He says, "Not only does it allow management to understand and quantify enterprise risk exposure, define risk appetite, and manage the two together, it also provides a better framework for any type of business decision."
And after all, he says, "Shouldn't that be the primary purpose of ERM?"
Segal's book offers numerous examples of actual case studies, involving organizations from a range of industry sectors, where this approach has proved to be successful. Since this approach to ERM represents such a change from most of the other views, Rough Notes, in an up-coming issue will provide an in-depth review of one of the case studies. This will include interviews with appropriate corporate officials, so as to gain additional insight into this value-based approach.
Building a business case for ERM has been a major stumbling block for many of the ERM Frameworks that have been advanced to date. Finding an approach that makes its own business case for adoption and facilitates both internal and external buy-in should benefit anyone involved with ERM. Segal's book appears to do that.
|
|
|
"Risk must be defined by its impact on the value of the organization, which for corporate entities must be the company value. This is critical not only to fully capture the impact of risks, but to provide a business case for any decision, in terms of its impact on the expected value of the firm as well as value volatility."
—Sim Segal, FSA, CERA |
|
|
|