Dr. Robert Mark is the founding chief executive officer of Black Diamond Risk Enterprises, which provides corporate governance, risk management consulting, risk software tools, and transaction services. As enterprise risk management systems continue to gain a higher profile, many organizations need to identify, understand and quantify the return on investment (ROI) of these crucial systems. In a recent interview, Dr. Mark shared his insights and perspectives on this topic.
Waynette Tubbs: What are the barriers that many organizations are encountering as they begin to think about the ROI of enterprise risk management?
The barriers will vary, of course, based on the organization’s unique circumstances. But I think the overarching question they’re encountering is this: If you’re going to invest significant time, energy, finances and talents in improving your ability to make fact-based decisions – that is, reinvigorating your IT infrastructure – what kinds of things are you seeking to obtain in return? Is it the quality of the information? Is it the timeliness – are you moving from weekly to daily data? Completeness is another attribute – what is the value of having the flexibility to drill into the data? What percentage of data is satisfactory from operational and regulatory perspectives? Ultimately, companies need to identify what metrics are most useful for determining ROI within a regulatory context.
WT: In your opinion, what metrics can be most useful in measuring the ROI of risk management?
BM: In many instances, the classic metric is still the best: risk-adjusted return on capital. In the numerator, you have variables that are impacted by a new investment (say in a risk system). These variables in the numerator include the projected impact on revenues and costs as well as the , impact on expected losses . In the denominator, you have risk capital .You would need to carefully examine the ultimate risk capital that would be impacted by the proposed investment that would accrue to the denominator of that RAROC calculation.RAROC remains an ideal way to assess the ROI for an ERM system since it is consistent with the way a business thinks about their investments. In other words,it can be deployed to examine the tradeoff between net return from an investment and the impact on the amount at risk associated with that investment.
WT: What about soft metrics? What’s a best-practice way to evaluate an ERM decision with an eye to generating the greatest ROI that reflects the value of other aspects that are difficult to quantify?
BM: You know, in addition to the classic financial metrics such as RAROC, there are many soft-metrics that have a significant impact on ERM ROI. They can include timeliness, orderability, flexibility, completeness, and so forth. A decision process that overlooks these elements does a disservice to the organization. There has to be a combination.Many organizations rely on a Technology Committee to evaluate the proposals and make investment decisions. And they’ll ask about the operational risk profile, the regulatory risk profile, and the technology risk profile. If the investment is significant enough, they might bring the decision to the Management Committee.
WT: Are there particular categories of risk that are more challenging than others in terms of quantifying benefits?
BM: Absolutely. For example, if I’m a financial services institution, the classic risk categories are market risk, credit risk, and operational risk – categories that are easy to quantify and measure. But there are other critical – but more nuanced – aspects that impact risk: business risk (i.e., the ability to generate volume), reputational risk, or strategic risk. Maybe even liquidity risk. Companies cannot ignore these risk factors or their impact on ROI calculations. And the way to measure that is quite debatable, of course.
WT: What are the right priorities for ERM that achieve the greatest/fastest ROI?
BM: In other words, “What’s the optimal way of doing this?” I think that’s a question that is best answered by a company’s Technology Committee or Management Committee because there will always be competing priorities. For example, a financial services institution will presumably improve its performance through cross-selling and upselling. At the end of the day, the company has to decide what its priorities will be based on policies, methodology, and infrastructure– because those are usually the dimensions on which risk is graded. Technology can drive down risks in these areas. What you need is a strategy – and for that strategy to succeed, you need to have the right technology that’s aligned with your risk-reducing, performance-enhancing strategy.
This conversation with Dr. Bob Mark is one of many that we’ve had with risk officers during the last several months to help answer the question, “How do executives know that their investment in risk management systems are being directed toward the right outcomes?” Download No Silver Bullet. Measuring Return on Investment in Risk Systems for best practices and tips from risk officers around the globe.