Enterprise risk management (ERM) is a recent technique, practiced increasingly by large corporations in industries throughout the world. Sensible risk management flows from the recognition that a dollar spent on managing risk costs the firm a dollar regardless of whether the risk arises in the finance arena or from a physical calamity such as fire. ERM thus proposes that the firm address all of these risks in a unified manner, consistent with its strategic objectives and risk appetite.
Most corporations adopt the definition of ERM proposed by the Committee of Sponsoring Organisations of the Treadway Commission (COSO) in its 2004 ERM framework, which set out to establish the key concepts and techniques of ERM. In this framework, ERM is defined as “a process, affected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives”. This definition highlights that ERM reaches the highest level of the organisational structure and is directed by the corporation’s business strategy. The concept of risk appetite is crucial: risk appetite reflects a firm’s willingness and ability to take on risk in order to achieve its objectives.
As a rising management discipline, ERM varies across industries and corporations. The insurance industry, financial institutions, and the energy industry are among the sectors where ERM has seen relatively advanced development in a broad range of corporations. Recently even the public sector has become aware of the potential value of ERM, and risk managers are increasingly bringing it to top executives’ agendas.
Notwithstanding the attractiveness of ERM conceptually, corporations are often challenged to put it into effect. One of the main challenges is to manage the totality of corporation risks as a portfolio in the operational decision process, rather than as individual silos, as is traditionally done.
Operationalisation of ERM
The core of the challenge lies in operationalising ERM. Integration of risks is not merely a procedure of stacking all risks together, but rather a procedure of fully recognising the interrelations among risks and prioritising them to create true economic value. Important components of this procedure include risk identification, risk measurement, risk aggregation and other modelling approaches, risk prioritisation, and risk communication.
The four major categories of risks considered under an ERM framework are hazard risk, financial risk, operational risk, and strategic risk.
Under ERM, the identification of individual risks in different categories should facilitate the subsequent prioritisation and integration of risks to best achieve business objectives within the corporation’s risk appetite. Any event that may adversely affect the corporation’s achievement of its objectives is considered a risk under ERM, so proper identification of objectives is a prerequisite for risk identification. For example, business objectives can be described by certain key performance indicators (KPIs), which are usually financial measures such as ROE, operating income, earnings per share (EPS), and other metrics for specific industries, eg, risk adjusted return on capital (RAROC) and risk-based capital (RBC) for the financial and insurance industries. Risks are then recognised as the events that would move these performance metrics away from their targets.
Prioritisation
To realise effective risk integration, ERM also promotes risk prioritisation. Risk prioritisation stems from the fact that risks are not equally important to a corporation. Prioritisation should reflect different aspects of the company’s strategy and risk-management philosophy, eg, the cost of tolerating a risk versus the cost of reducing it, and management’s elicited risk preferences. Because risks interact, a risk that looks small on its own can matter more within the portfolio than a larger one that is weakly related to everything else.
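The following example illustrates the point made above about aggregation and prioritisation: adding silo figures together is equivalent to assuming every loss peaks at once, whereas a portfolio view recognises the correlations between risk categories and can rank risks by their contribution to the whole. It is an added illustration, not code or data from the encyclopedia entry; the standalone figures, the correlation matrix and the variance-covariance aggregation with Euler allocation are assumptions chosen to show the effect, and the four category names follow the ones the article lists.

```python
"""Aggregate silo risk measures into one portfolio figure and rank the risks
by marginal contribution (variance-covariance aggregation, Euler allocation).
Added illustration; all figures are constructed, not taken from any firm."""
from math import sqrt

# Constructed standalone risk measures per ERM category (think of them as a
# one-sigma annual loss in $M). Hypothetical values chosen so that the
# standalone ranking and the portfolio ranking differ.
STANDALONE = {
    "hazard": 12.0,
    "financial": 20.0,
    "operational": 8.0,
    "strategic": 11.0,
}

# Constructed correlation assumptions between categories (symmetric; the
# diagonal is implicitly 1). A pair that is absent is treated as uncorrelated.
CORRELATION = {
    ("hazard", "financial"): 0.1,
    ("hazard", "operational"): 0.3,
    ("hazard", "strategic"): 0.0,
    ("financial", "operational"): 0.2,
    ("financial", "strategic"): 0.7,
    ("operational", "strategic"): 0.4,
}


def rho(a, b, corr):
    """Correlation between two categories, looked up in either order."""
    if a == b:
        return 1.0
    return corr.get((a, b), corr.get((b, a), 0.0))


def silo_total(standalone):
    """Silo view: add the category figures. Equivalent to assuming every
    loss peaks at the same time (correlation 1 everywhere)."""
    return sum(standalone.values())


def aggregate(standalone, corr):
    """Portfolio sigma: sqrt(sum_i sum_j rho_ij * s_i * s_j)."""
    var = 0.0
    for a in standalone:
        for b in standalone:
            var += rho(a, b, corr) * standalone[a] * standalone[b]
    return sqrt(var)


def contributions(standalone, corr):
    """Euler allocation: c_i = s_i * (sum_j rho_ij * s_j) / sigma_p.
    The contributions sum exactly to the aggregate, so they can be used to
    prioritise risks by their weight in the portfolio rather than by size."""
    total = aggregate(standalone, corr)
    out = {}
    for a in standalone:
        cov_with_portfolio = sum(rho(a, b, corr) * standalone[b] for b in standalone)
        out[a] = standalone[a] * cov_with_portfolio / total
    return out


def prioritise(standalone, corr):
    """Category names ordered by portfolio contribution, largest first."""
    c = contributions(standalone, corr)
    return sorted(c, key=c.get, reverse=True)


if __name__ == "__main__":
    silo = silo_total(STANDALONE)
    agg = aggregate(STANDALONE, CORRELATION)
    print(f"silo sum {silo:.2f}  aggregated {agg:.2f}  "
          f"diversification benefit {silo - agg:.2f}")
    print("standalone order:", sorted(STANDALONE, key=STANDALONE.get, reverse=True))
    print("portfolio order :", prioritise(STANDALONE, CORRELATION))
    for name, c in contributions(STANDALONE, CORRELATION).items():
        print(f"  {name:12s} contributes {c:6.2f} ({100 * c / agg:4.1f}%)")
```

With these constructed inputs the silo sum is 51.0 while the aggregated figure is about 35.7, and the strategic risk, third largest on its own, moves ahead of hazard risk once its 0.7 correlation with financial risk is taken into account. Setting every correlation to 1 collapses the aggregate back to the silo sum, which is the check that the aggregation is doing what the text says it should.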
ERM and compliance
ERM first arose from corporations’ efforts to comply with laws and regulations. To this end it is seen more as an efficient internal control process. Within a corporation it is often conducted alongside the internal control functions and supervised by internal auditors. The most significant regulatory forces responsible for the rise of ERM are the Sarbanes-Oxley Act of 2002, the Basel II Capital Accord, and the rating criteria set forth by rating agencies such as Standard & Poor’s (S&P).
ERM future – value creation
ERM practices may have been initially driven by compliance needs, but ERM should continue to serve as an internal control function for better corporate governance. One common objective for corporations is to maximise firm value, and ERM provides a framework for corporations to consciously optimise the risk/return relationship. This optimisation is achieved through the alignment of corporate strategic goals and risk appetite. At the operational level, that alignment guides virtually all activities conducted by the corporation. Specific risks are identified and measured. They are prioritised and integrated by recognising the interrelations and relative influences affecting different risky outcomes. Risk management strategies are developed for the entire portfolio of risks, and their effects are assessed and communicated.
This article is an edited version of an entry in the “Encyclopedia of Quantitative Risk Analysis and Assessment”, Copyright © 2008 John Wiley & Sons Ltd. Used by permission.