Seven yearsago, I made 10 predictions about the future of risk management in a book that was excerpted in The RMA Journal.1
My book began with a discussion of the key concepts underpinning enterprise risk management (ERM) and reviewed the core components of an ERM framework. It included a deeper discussion of ERM applications with respect to different risk types (credit, market, operational, and business risks) and different industry groups (financial institutions, energy firms, and nonfinancial corporations).This article revisits those predictions, examines the current state of enterprise risk management practices, and discusses what I now consider to be the key trends and challenges for ERM in the years ahead.
My 2003 book made the following 10 predictions:
- ERM will become the industry standard for risk management..
- CROs will become prevalent in risk-intensive businesses.
- Audit committees will evolve into risk committees.
- Economic capital will be in; VaR will be out.
- Risk transfer will be executed at the enterprise level.
- Advanced technology will have a profound impact on risk management.
- A measurement standard will emerge for operational risk.
- Mark-to-market accounting will be the basis of financial reporting.
- Risk education will be a part of corporate training and college-level finance courses.
- The salary gap among risk professionals will continue to widen.
Current state of ERM
Overall, the above predictions are generally consistent with the evolution of ERM. Some of the predictions were on target, others less so. Rather than assess the accuracy of each, it may be more useful to discuss areas where ERM has evolved and matured and areas where significant gaps remain.
One of the most encouraging trends is the global acceptance of ERM as the best-practice standard for risk management. My research shows that 80–90 percent of global organizations with more than $1 billion in revenue are at some stage of planning or implementing ERM. Approximately one-quarter of these organizations have fully implemented ERM. As a management framework, ERM has been adopted widely compared with other management frameworks (e.g., reengineering, balanced scorecard and total quality management). (Also read Rebuilding Trust, findings from a 2010 survey of banking and insurance executives.)
More importantly, organizations with established ERM programs have realized and reported significant benefits. For example, in the Deloitte Global Risk Management Survey (2009), 85 percent of financial institutions with established ERM programs in place reported that the total value of these programs exceeded costs. Meanwhile, in an empirical research study, Hoyt and Liebenberg (2009) found that ERM use among publicly traded U.S. insurance firms was associated with an equity price premium of 16.5 percent.
In conjunction with the adoption of ERM, the role of the chief risk officer also has been elevated over the past several years. The 2009 Deloitte survey found that 73 percent of global financial institutions had a CRO or equivalent position. Moreover, 53 percent of the institutions indicated that their CROs reported directly to the CEO (up from 42 percent in 2006), and 52 percent cited a formal reporting relationship between their CROs and the board (up from 37 percent in 2006).
The level of board involvement in ERM has increased significantly over the past several years. This higher level of awareness and engagement has become most pronounced since the global financial crisis. A number of recent board surveys indicate that risk management has replaced accounting issues as the top concern for corporate boards. And while there is a much higher level of attention paid to ERM, many boards are in the early stages of addressing key issues such as risk governance, board expertise and education, and assurance of risk management effectiveness.
Clearly, ERM has made significant progress over the past seven years. However, much work remains to be done. In many respects, the global financial crisis was the ultimate “stress test.” Many organizations failed, and even those with established ERM programs reported mixed results. A 2008 KPMG/EIU survey of more than 500 senior managers involved in risk management at global banks found that 92 percent have carried out, or are about to carry out, a review of their risk management. The survey also indicated that 42 percent have made or expect to make fundamental changes to their risk management programs.
Key trends and challenges ahead
In the aftermath of the global financial crisis, corporate executives and board members—as well as key stakeholders such as regulators, investors, and rating agencies—recognize that the efficacy of ERM must be improved. What are the key trends and critical challenges for ERM in the next several years? The following are seven areas where I expect to see significant development in ERM practices:
Board risk governance and reporting. Perhaps the most powerful but underleveraged component of an ERM program is the role of the board. Boards wield significant influence over policy decisions and management actions. Executive teams go to great lengths to address issues raised by directors. As such, directors can have a significant impact simply by asking tough questions or requesting key risk reports. However, board members must ask themselves a number of fundamental questions in order to fulfill their role in risk oversight:
- How should we organize the board to oversee the ERM program and monitor critical risks? Should we use a risk committee, the full board, or an existing subcommittee?
- Does our board have sufficient risk expertise, knowledge, and experience?
- What is our board’s role in ERM, including such key areas as strategic, financial, and operational risk oversight?
- How can we strengthen the independence of the board and risk management (and establish the appropriate reporting relationship between the two)?
- How can we improve board reporting to provide concise, effective, and timely information on key risk exposures and trends?
ERM policy with explicit risk-tolerance levels. The ERM policy is an important tool for both the board and executive management. The articulation of explicit risk-tolerance levels for critical risks represents an essential element of the ERM policy. Given the importance of the board and management in controlling the overall risk appetite of the organization, there should be sufficient discussion—and even debate—between them before risk-tolerance levels are established. In addition, the ERM policy should document the organization’s ERM framework and processes, the guiding risk principles, the board and management governance structure, key roles and accountabilities, exceptions management and conflict resolution processes, and ongoing monitoring and reporting requirements.
ERM integration. To optimize the organization’s risk/return profile, ERM must be integrated into key business processes. One major challenge is integrating ERM and strategy. A number of studies—by James Lam & Associates (2004), Deloitte Research (2005), and the Corporate Executive Board (2005)—found that strategic risks represented approximately 60 percent of the root causes of significant declines in public companies’ market value, followed by operational risks (approximately 30 percent) and financial risks (approximately 10 percent). Therefore, strategic risk management represents a significant opportunity for ERM integration. Another key opportunity is risk-adjusted pricing. All companies take risks to achieve their business objectives, but they can establish the appropriate compensation for those risks only when they price their products and services accordingly. As such, pricing models should be fully adjusted for the cost of risk.
Risk analytics and dashboards. The consequences of the global financial crisis revealed some key shortcomings of existing risk analytical models. Commonly used risk models (such as value-at-risk and economic capital) measure risks only within a defined probability level—say, 95 percent or 99 percent. However, organizations have learned they must also prepare for “black swans,” or highly improbable but consequential events. In 2008, for example, we witnessed not only the global financial crisis, but also the swine flu pandemic and the election of the first African-American US president. Each of these events could be considered once in a lifetime, yet they all happened in just one year. Going forward, risk analytics must be expanded to include stress testing and scenario analysisto capture “tail risk” events. Additionally, risk dashboards should be developed to provide forward-looking risk analysis as well as early-warning indicators.
Assurance and feedback loops. How do we know if risk management is working effectively? This is one of the most important questions facing boards, executives, regulators and risk managers. In the past, the common practice was to evaluate the effectiveness of risk management based on the achievement of key milestones or the lack of policy violations, losses or surprises. However, qualitative milestones or the absence of negative outcomes should no longer be sufficient. We need to establish performance metrics and feedback loops for risk management. I believe the objective of risk management is to minimize unexpected earnings volatility—in other words, to minimize not the absolute levels of risks or earnings volatility, but unknownsources of risks or earnings volatility. Figure 1 shows how earnings volatility analysis can be used as the basis for a feedback loop.
In the beginning of the reporting period, the company in this example performed earnings-at-risk analysis and identified several key factors that could result in a $1 loss per share, compared to an expected $3 earnings per share. At the end of the reporting period, the company performed earnings attribution analysis and determined the actual earnings drivers. The combination of these analyses provides an objective feedback loop on risk management performance in terms of minimizing the earnings impact of unforeseen factors. In this example, 20 percent ($0.40/$2.00) of actual earnings volatility resulted from unforeseen factors. That is exactly what risk management is meant to minimize. I am not advocating this particular feedback loop for every company, but all firms should establish some feedback loops for risk management.
Culture and change management. An organization’s risk culture and how to shape it are often overlooked in ERM. Yet risk culture can easily overwhelm all of ERM’s good intentions. For example, in a bad risk culture, people will do the wrong things in spite of existing policies and controls. In a typical risk culture, people will do the right things when instructed by policies and controls. In a good risk culture, people will do the right things in the absence of policies and controls. Thus, risk culture is a critical element of ERM because of its profound impact on behavior and the impossibility of establishing policies and controls for every business situation. The risk culture of an organization is not constant, however; it changes with the business environment—for example, new executive leadership, new incentives, or new risk processes and systems. Therefore, organizations should implement change-management programs to build consensus, address conflict resolution, and provide communication and training. Canadian banks, which many consider to be the best-managed financial institutions in the world, pay significant attention to risk culture and change management.2
Risk and executive compensation. Another key determinant of management behavior is the design of executive compensation systems. A root cause of the excessive risk-taking that led to the global financial crisis was executive compensation that rewarded short-term earnings growth and appreciation of stock prices. Designing incentive programs that reward long-term earnings growth, as well as risk management effectiveness, is a key initiative for many organizations today. These new incentive systems incorporate risk-adjusted return metrics, compliance with risk policies and regulations, longer-term vesting schedules, and clawback provisions in the event of future unexpected losses.
The development and implementation of an ERM program is a multiyear effort requiring significant commitment from the board and senior management. While the practice of ERM has evolved and matured significantly over the past seven years, critical challenges still need to be addressed. If these challenges are not addressed successfully, the promise of ERM will remain unfulfilled.
Defining a culture of integrated ERM requires leaders to bring a clear understanding of past challenges and a vision of innovation and creativity to the table. David Rogers, SAS’ Global Product Marketing Manager for Risk, says that the shuffling of risk professionals resulting from the recent crisis may be an opportunity for progressive firms to embrace new risk techniques. Read this interview with Rogers to learn more advice he thinks risk managers still need to hear.
*Originally published by The RMA Journal inJune 2010. Copyright 2010 by RMA. The Risk Management Association (“RMA”).Edited for length and republished here by permission.
Founded in 1914, The Risk Management Association is a not-for-profit, member-driven professional association whose sole purpose is to advance the use of sound risk principles in the financial services industry. RMA promotes an enterprise approach to risk management that focuses on credit risk, market risk and operational risk. Headquartered in Philadelphia, Pennsylvania, RMA has 2,600 institutional members that include banks of all sizes as well as nonbank financial institutions. They are represented in the association by more than 18,000 risk management professionals who are chapter members in financial centers throughout North America, Europe and Asia/Pacific.
1 Enterprise Risk Management: From Incentives to Controls, published by John Wiley & Sons in 2003, was excerpted in “Ten Predictions for Risk Management,” The RMA Journal, May 2003.
2 See “Post-Crisis Credit Risk Management: Lessons Learned and Best Practices from Canadian Banks,” The RMA Journal, December 2009–January 2010.