Seven predictions for enterprise risk management
Focus on these key areas to map out a successful enterprise risk management strategy
In the aftermath of the global financial crisis, corporate executives and board members — as well as key stakeholders such as regulators, investors and rating agencies — recognize that the efficacy of enterprise risk management (ERM) must be improved. What are the key trends and critical challenges for ERM in the next several years?
The following are seven areas where I expect to see significant development in ERM practices:
1. Board risk governance and reporting.
Perhaps the most powerful but underutilized component of an ERM program is the board. Boards wield significant influence over policy decisions. Executive teams go to great lengths to address issues raised by directors. As such, directors can have a significant impact simply by asking tough questions or requesting key risk reports. However, board members must ask themselves a number of fundamental questions in order to fulfill their role in risk oversight:
- How should we organize the board to oversee the ERM program and monitor critical risks? Should we use a risk committee, the full board or an existing subcommittee?
- Does our board have sufficient risk expertise, knowledge and experience?
- What is our board's role in ERM, including key areas such as strategic, financial, and operational risk oversight?
- How can we strengthen the independence of the board and risk management (and establish the appropriate reporting relationship between the two)?
- How can we improve board reporting to provide concise, effective and timely information on key risk exposures and trends?
2. ERM policy with explicit risk-tolerance levels.
The ERM policy is an important tool for both the board and executive management. The articulation of explicit risk-tolerance levels for critical risks represents an essential element of the ERM policy. Given the importance of the board and management in controlling the overall risk appetite of the organization, there should be sufficient discussion — and even debate — between them before risk-tolerance levels are established. In addition, the ERM policy should document the organization's ERM framework and processes, the guiding risk principles, the board and management governance structure, key roles and accountabilities, exceptions management and conflict resolution processes, and ongoing monitoring and reporting requirements.
3. ERM integration.
To optimize the organization's risk/return profile, ERM must be integrated into key business processes. One major challenge is integrating ERM and strategy. A number of studies—by James Lam & Associates (2004), Deloitte Research (2005), and the Corporate Executive Board (2005)—found that strategic risks represented approximately 60 percent of the root causes of significant declines in public companies' market value, followed by operational risks (approximately 30 percent) and financial risks (approximately 10 percent). Therefore, strategic risk management represents a significant opportunity for ERM integration. Another key opportunity is risk-adjusted pricing. All companies take risks to achieve their business objectives, but they can establish the appropriate compensation for those risks only when they price their products and services accordingly. As such, pricing models should be fully adjusted for the cost of risk.
4. Risk analytics and dashboards.
The consequences of the global financial crisis revealed some key shortcomings of existing risk analytical models. Commonly used risk models (such as value-at-risk and economic capital) measure risks only within a defined probability level—say, 95 percent or 99 percent. However, organizations have learned they must also prepare for "black swans," or highly improbable but consequential events. In 2008, for example, we witnessed not only the global financial crisis, but also the swine flu pandemic and the election of the first African-American US president. Each of these events could be considered once in a lifetime, yet they all happened in just one year. Going forward, risk analytics must be expanded to include stress testing and scenario analysis to capture "tail risk" events. Additionally, risk dashboards should be developed to provide forward-looking risk analysis as well as early-warning indicators.
Trends in ERM
A 2011 Economist Intelligence Unit survey of more than 300 executives, primarily focused on risk management and representing global banks, capital markets firms and insurers, found that:
- Financial institutions are increasing their exposure to risk.
- Managing complexity is becoming one of the biggest challenges for firms.
- There is still room to improve the relationship between risk and other business units.
- Progress on revamping and strengthening risk management has slowed.
- Management boards are now paying a lot more attention to risk.
5. Assurance and feedback loops.
How do we know if risk management is working effectively? This is one of the most important questions facing boards, executives, regulators and risk managers. In the past, the common practice was to evaluate the effectiveness of risk management based on the achievement of key milestones or the lack of policy violations, losses or surprises. However, qualitative milestones or the absence of negative outcomes should no longer be sufficient. We need to establish performance metrics and feedback loops for risk management. I believe the objective of risk management is to minimize unexpected earnings volatility — in other words, to minimize not the absolute levels of risks or earnings volatility, but unknown sources of risks or earnings volatility.
At the beginning of the reporting period, the company in this example performed earnings-at-risk analysis and identified several key factors that could result in a $1 loss per share, compared to an expected $3 earnings per share. At the end of the reporting period, the company performed earnings attribution analysis and determined the actual earnings drivers. The combination of these analyses provides an objective feedback loop on risk management performance in terms of minimizing the earnings impact of unforeseen factors. In this example, 20 percent of actual earnings volatility resulted from unforeseen factors. That is exactly what risk management is meant to minimize. I am not advocating this particular feedback loop for every company, but all firms should establish some feedback loops for risk management.
6. Culture and change management.
An organization's risk culture and how to shape it are often overlooked in ERM. Yet risk culture can easily overwhelm all of ERM's good intentions. For example, in a bad risk culture, people will do the wrong things in spite of existing policies and controls. In a typical risk culture, people will do the right things when instructed by policies and controls. In a good risk culture, people will do the right things in the absence of policies and controls. Thus, risk culture is a critical element of ERM because of its profound impact on behavior and the impossibility of establishing policies and controls for every business situation. The risk culture of an organization is not constant, however; it changes with the business environment — for example, new executive leadership, new incentives, or new risk processes and systems. Therefore, organizations should implement change-management programs to build consensus, address conflict resolution, and provide communication and training. Canadian banks, which many consider to be the best-managed financial institutions in the world, pay significant attention to risk culture and change management.
7. Risk and executive compensation.
Another key determinant of management behavior is the design of executive compensation systems. A root cause of the excessive risk-taking that led to the global financial crisis was executive compensation that rewarded short-term earnings growth and appreciation of stock prices. Designing incentive programs that reward long-term earnings growth, as well as risk management effectiveness, is a key initiative for many organizations today. These new incentive systems incorporate risk-adjusted return metrics, compliance with risk policies and regulations, longer-term vesting schedules, and clawback provisions in the event of future
The development and implementation of an ERM program is a multiyear effort requiring significant commitment from the board and senior management. While the practice of ERM has evolved and matured significantly over the past few years, critical challenges still need to be addressed. If these challenges are not addressed successfully, the promise of ERM will remain unfulfilled.
James Lam is President of James Lam & Associates and author of Enterprise Risk Management: From Incentives to Controls.