Enterprise Risk Management (ERM)
Enterprise risk management (ERM) is a company-wide process to identify, assess, and manage risks to align with strategy and protect or enhance value.
The traditional process of risk management focuses on managing the risks of only parts of the business (products, departments, or divisions), ignoring the implications for the value of the company.
The organization of a risk management process focusing on only parts of a business is referred to as a silo structure. What is needed is a process that management can employ to effectively handle uncertainty and evaluate how the risks and opportunities that a company faces can either create, destroy, or preserve a company’s value.
This process should allow management to:
- Align the risk appetite and strategies across the company.
- Improve the quality of the company’s risk-response decisions.
- Identify the risks across the company.
- Manage the risks across the company.
This process is enterprise risk management (ERM).
A company’s internal controls provide a mechanism for mitigating risks, and increase the likelihood that a company will achieve its financial objective.
As we will explain, ERM goes beyond internal controls in three significant ways:
- First, when establishing its strategy for the company, ERM requires that the board consider risks.
- Second, ERM requires that the board identify what level of risk it is willing to accept.
- Finally, ERM requires that risk management decisions be made throughout the company in a manner consistent with the risk policy established.
Definitions of ERM
Enterprise risk management is an ongoing process that provides a structured means for reducing the adverse consequences of big surprises due to natural catastrophes, terrorism, changes in the economic, political, and legal environments, tax litigation, failure of the company’s corporate governance, and product and financial market volatility. In fact, Moody’s states that the ultimate objective of a company’s risk management organization should be to make sure that there are no major surprises that place the company in peril. In addition, the starting point for an effective ERM system is at the board level, which means that corporate governance is a critical element.
The term “enterprise” can have different meanings within ERM. One is that ERM is linked to strategic planning and organizational objectives of the business enterprise. The second definition is in terms of modern portfolio theory (MPT), which we describe in Chapter 16. In this theory, formulated by Harry Markowitz, the focus is on the risk of the portfolio and not the individual securities comprising the portfolio. In other words, the enterprise is a portfolio in this context. This leads to the conclusion that it is not the stand-alone risk of an individual security that is relevant but only the contribution that asset makes to the portfolio’s risk.
A portfolio manager can use the basic ideas from MPT to create efficient portfolios, assembling a portfolio that offers the maximum expected return for a given level of risk. The portfolio manager’s task is to select one of these efficient portfolios given the manager’s or client’s risk appetite.
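To make the portfolio-risk point concrete, here is an added worked example (not from the chapter) that computes each asset’s contribution to portfolio risk with the standard covariance formula; the three assets, their volatilities, correlations and weights are constructed for illustration only.

```python
from math import sqrt

# Constructed illustration (not from the text): three assets, their
# stand-alone volatilities, and a correlation matrix. Asset C is the most
# volatile on its own but is negatively correlated with A and B (a hedge).
VOLS = [0.20, 0.15, 0.30]
CORR = [
    [1.0, 0.3, -0.6],
    [0.3, 1.0, -0.5],
    [-0.6, -0.5, 1.0],
]
WEIGHTS = [0.5, 0.4, 0.1]


def covariance(vols, corr):
    """Build the covariance matrix Sigma from volatilities and correlations."""
    n = len(vols)
    return [[vols[i] * vols[j] * corr[i][j] for j in range(n)] for i in range(n)]


def portfolio_variance(weights, cov):
    """Portfolio variance w' Sigma w."""
    n = len(weights)
    return sum(weights[i] * cov[i][j] * weights[j]
               for i in range(n) for j in range(n))


def risk_contributions(weights, cov):
    """Each asset's contribution to portfolio standard deviation,
    w_i * (Sigma w)_i / sigma_p. The contributions sum to sigma_p, so a
    negative value means the asset reduces the portfolio's risk."""
    n = len(weights)
    sigma_p = sqrt(portfolio_variance(weights, cov))
    marginal = [sum(cov[i][j] * weights[j] for j in range(n)) for i in range(n)]
    return [weights[i] * marginal[i] / sigma_p for i in range(n)]


def compare_with_cash(weights, cov, idx):
    """Portfolio sigma holding asset idx, versus the same weights with that
    asset replaced by cash (zero variance and zero covariance)."""
    with_asset = sqrt(portfolio_variance(weights, cov))
    w_cash = list(weights)
    w_cash[idx] = 0.0
    return with_asset, sqrt(portfolio_variance(w_cash, cov))


if __name__ == "__main__":
    cov = covariance(VOLS, CORR)
    for name, vol, rc in zip("ABC", VOLS, risk_contributions(WEIGHTS, cov)):
        print(f"{name}: stand-alone vol {vol:.2f}, risk contribution {rc:+.4f}")
    print("sigma with C / with C as cash: %.4f / %.4f" % compare_with_cash(WEIGHTS, cov, 2))
```

Asset C has the highest stand-alone volatility yet a negative risk contribution, and swapping it for cash raises portfolio risk, which is exactly why ERM judges each exposure by its effect on the company-wide portfolio.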
ERM Process
There is no fixed formula for developing an ERM system, but rather some general principles that provide guidance. This is because there is considerable variation in company size, organizational structures (centralized versus decentralized, for example), and types of risk faced in different industries. So, although internal controls vary from company to company, the underlying principles do not. In the literature, there are several proposals for the ERM process.
The four risk objectives of ERM are the following:
- Strategic: Supporting the corporation’s strategic goals (i.e., high-level goals).
- Operations: Achieving performance goals and taking measures to safeguard against loss through operational efficiency.
- Reporting: Providing reliable financial and operational data and reports internally and externally.
- Compliance: Complying with laws and regulations at all levels (local, state, national, and in other countries where the company operates).
While there are common risks shared by all companies and there are risks unique to some companies, the building blocks for the ERM process are common to all companies.
ERM is chiefly concerned with:
- Evaluating the company’s risk processes and risk controls, and
- Identifying and quantifying risk exposures.
ERM is broader in its scope than traditional risk management, which is practiced within a silo structure and focuses on products, departments, or divisions. In ERM, all the risks of a company are treated as a portfolio of risks and managed on a portfolio or company level. That is, the risk context is the company, not individual products, departments, or divisions.
For example, suppose that a company has a target minimum earnings figure established either by its own financial plan or based on Wall Street analysts’ consensus earnings. ERM can be used to identify the threats to the company’s hitting that target. Once those risks are identified and prioritized, management can examine the potential shortfall that may occur and decide how to reduce the likelihood of a shortfall using risk transfer strategies.
Themes of ERM
There are four themes in enterprise risk management:
1. Risk Control
The risk control process involves identifying, evaluating, monitoring, and managing risk.
- Identify risks
- Evaluate risks
- Monitor risks
- Set risk limits
- Avoid certain risks
- Offset certain risks
- Transfer risks
- Review and evaluate new investments
2. Strategic Risk Management
The process of reflecting risk and risk capital in strategic options from which a corporation can select is called strategic risk management. This process requires adjusting for risk in valuing investments, making investment decisions, and evaluating an investment’s performance.
- Estimate economic capital
- Value investments
- Make investment decisions
- Evaluate performance
3. Catastrophic Control
Catastrophic events are extreme events that could threaten the survival of a company. In catastrophic control, several analyses provide information. For example, trend analysis can identify any patterns suggesting potential emergence of catastrophes, and stress testing can show the impact of a catastrophe on the financial condition and reputation of the company.
- Perform trend analysis
- Perform stress testing
- Plan for contingencies
- Evaluate risk transfer
Catastrophic risk management involves planning so as to minimize the impact of potential catastrophic events and having in place an early warning system that, if possible, could identify a potential disaster.
Once we have an understanding regarding the possible scenarios, we can plan for contingencies, prepare communication strategies for stakeholders, and consider the effectiveness and cost of transferring risk.
4. Risk Management Culture
- Identify best risk management practices
- Develop supporting documentation
- Communicate
- Reinforce through education and training
The Society of Actuaries (SOA) defines a risk management culture as an environment in which the entity has an approach to dealing with risks, and that this approach is part of the entity’s culture. Hence, when a risk event occurs, a plan is in place for dealing with this risk.

This culture requires that the entity identify and measure risks, and examine best practices in the management of risk.
In addition, the risk management culture requires that the entity develop a system of documenting risk and risk management and communicating risk management policies and practices to stakeholders. Further, a risk management culture should educate all employees or other decision-makers in risk management and provide training regarding risk management. This education and training reinforces the importance of risk management.
Specifying an Entity’s Risk Policy
The implementation of an ERM policy requires that the amount of risk that a company is willing to accept be specified. Corporations through their board set the boundaries as to how much risk the company is prepared to accept. Often in referring to risk, the terms risk appetite and risk tolerance are used interchangeably. However, there is a subtle distinction between the two concepts.
The company’s risk appetite is the amount of risk exposure that the entity decides it is willing to accept or retain. When the risk exposure of the entity exceeds the risk tolerance threshold, risk management processes kick in to return the exposure level to within the accepted range.
Once a company has implemented its risk policy, it is important to communicate it to stakeholders.
For a corporation, this is done through the management discussion and analysis section required in SEC filings (8-K and 10-K), press releases, communications with rating agencies, and investor meetings. Now that the credit rating services are incorporating ERM measures into the credit rating process, it is more important than ever for companies to pay attention to their ERM system and to communicate this system to stakeholders.