Analysis

31 March 2010

How to test your ERM framework

Is it right for your level of risk? Does it incorporate best practice? Will it mean your business is better run? Gap analysis can help you answer these questions, explains Andrew Harley

Effective enterprise risk management (ERM) in companies does not come with a road map. Nor can it, since the start and end points (if indeed there is an end) will be different for each organization.

Companies therefore need to develop their own checks and balances for making sure that their ERM programme is truly capturing, reflecting and mitigating the current risks they face within a business strategy. This is all the more important when markets and consumers are now so quick to penalize those companies whose risk management is perceived to be flawed.

Amid the fallout from economic events of the past one to two years, the encouraging thing is that most companies, particularly those in financial services, appreciate the need for a better framework for understanding and managing risk. What can be harder to evaluate objectively is ensuring that the programme they are deploying is right for the level of risk within the business, that it is incorporating best practice and that it is moving them towards a better-run business.

What is needed is a methodology for simplifying this assessment. Rather than invent a new process to complicate the issue, we can use the tried and tested techniques of gap analysis, which can do the job equally well.

For most companies, the task can be broken down into six areas:

  • governance
  • decision making
  • risk modelling
  • integration
  • operational risk
  • benchmarking

While each may warrant closer individual examination, there is also a need to be mindful of what ERM is all about. This means considering risks in aggregate and holistically. A silo risk assessment approach will miss interactions, aggregations and concentrations that, when considered together, may result in very different decisions being taken across the organization.

So, keeping that in mind, let's consider the various elements.

Governance

ERM roles within companies are changing, which is fine as long as fissures in the lines of communication don't start to appear.

Many organizations have, for example, added the specific or designated role of chief risk officer (CRO) as a senior member of the management team in recent years. Furthermore, enterprise risk committees are increasingly common, and risk management is typically no longer just a report into a firm's audit committee. At the same time, risk education remains an important consideration for a number of companies, particularly for board members.

Polls undertaken by EMB in November 2006 and again in December 2009 show the emerging picture. In 2006, when asked "Who owns your ERM process?", 20% of respondents replied that it was in the hands of a risk management team, including a separate ERM function. By the end of 2009 this had risen to 31%, including a CRO.

Another interesting trend to note from the two surveys is the delegation of responsibility for risk management by CEOs. According to the surveys, the percentage of CEOs who own the ERM process has dropped from 18% to 8% in three years. Conversely, more chief financial officers appear to be in the driving seat of ERM with one in five companies reporting them as their functional risk head.

The fact that risk management is being allocated boardroom airspace is to be welcomed. The identity and role of the figurehead is not, however, necessarily the critical factor.

What is more important is that there is clear ownership and authority from the top down. Gap analysis would typically therefore focus on whether there is a robust approach to identifying and managing emerging risks. Have the company's risk management leaders been able to create an environment for effective communication and data capture? Can support and governance structures be relied upon, and is there a culture of openness to underpin these structures?

Decision making

One of the key aspects of ERM is defining a consistent risk tolerance for the business. But if that definition doesn't match up to company goals, then what is the point?

Let's not forget that an ERM approach is not about regarding all risk as necessarily bad. Indeed, most risks have a potential upside and the assessment framework should consider both the potential pros and cons of a particular course of action. This all encompassing approach helps companies to link risk/reward with strategy and appetite.

Aligning risk management to wider strategy will also ensure that the risk tolerance is aligned to the interests of company stakeholders, since each group has the potential to affect the company's ability to achieve its objectives.

For example, regulators become nervous if levels of capital cover stray outside certain boundaries; a rating agency downgrade can be disastrous to the business's ability to raise funds; stock markets will typically react unfavourably to news that "isn't in line with expectations"; and policyholder and intermediary sentiment can quickly turn against an organization in the face of an uncertain outlook - as we have seen very vividly, very recently.

In order to lend further credibility to any defined risk tolerance, an external risk metric might be used. This is an area not much explored by many companies. As part of EMB's December 2009 poll of US companies, only 9% said their risk tolerance was based on external (rating agency) metrics: 38% cited the use of internal benchmarks, while the remainder were either unsure about any external benchmarking or did not answer.

Risk modelling

The complexity of risks faced by many financial services companies in our increasingly global and interdependent economy means that risk and financial models are almost indispensable in helping them to understand and quantify their risks. The bad press that models received during the banking crisis is now widely attributed, by most professionals and commentators, to governance failings (how models were used, challenged and overridden) rather than to technical ones.

In any case, the percentage of companies building and using internal models in the surveys nearly doubled between 2006 and 2009.

Gaps in modelling typically hinge on whether companies have their key risks, and their associated interdependencies, modelled. It is also important to understand how a model is influenced by the techniques used to build it, and to be able to stress-test the key assumptions and scenarios within the model.

Common failings in modelling include not recognizing where a critical risk is replicated across entities, for example a single economic scenario generator driving several entities, or the compound effect of one catastrophe event hitting several portfolios at once. Some companies are also guilty of failing to understand the dependencies between their risks and, as a result, under-estimating their potential financial losses.

Of course, companies are not, nor should they be, run by models. While models are valuable support tools, management teams frequently need to change direction or alter strategies to take account of market realities and developments. From a risk management perspective, the questions about models are whether they can recognize these interventions in a joined-up fashion and project the financial impact in areas such as capital reserves, asset balance and, for insurers at least, reinsurance purchase.

Integration

Regardless of how companies are evaluating risk, it is best done on an integrated basis. For insurers, are significant decisions such as reinsurance and mergers and acquisitions linked into capital requirement calculations? Conversely, levels of economic capital should be factored into risk-adjusted decisions in areas such as pricing and reinsurance. All of the axes of risk assessment need to interrelate.

The same argument applies to human resources. From an organizational point of view, if capital management is assigned to one area of the business, is it taking advantage of the expertise in other areas such as reserving, pricing and asset management?

Operational risk

One of the hardest aspects of ERM is developing robust assessments of operational risk.

The diversity of methodologies in use is illustrated by our December 2009 poll. Asked how operational risk is included in their risk management process, 19% of companies indicated they use a risk register only; 17% use risk registers with a flat load into a capital model; 10% use explicit risk models; and a further 5% have explicit risk models that tie into other models.

This indicates a lot of variability around what may constitute a best practice methodology. However, the underlying requirements of any technique are that the probability and severity of events is being recognized, the dependency between operational risks is understood and the knock-on effects of specific operational risks are included in modelled risks.
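The under-estimation described in the risk modelling section above, and the requirement here that the dependency between operational risks be understood, can be made concrete with a small frequency-severity simulation. The following is an added, illustrative example and is not EMB's model or any code from the original article: two hypothetical operational risk categories are given identical marginal distributions (a Poisson event count whose mean depends on whether the year is "normal" or "stressed", and lognormal severities), and the only difference between the two runs is whether each risk draws its regime on its own (a silo view) or both share one draw (a common shock). All parameters, names and the 99.5% capital level are constructed assumptions for illustration.

```python
"""Added example: aggregate operational-risk loss with and without dependency.

Two hypothetical operational risk categories (say, "process failure" and
"IT outage") are each modelled as frequency x severity.  The marginal
distribution of each risk is identical in both runs; only the joint
behaviour differs.  This is illustrative code, not EMB's or the article's.
"""
import math
import random
from statistics import mean

# Constructed (hypothetical) parameters: each risk sits in a "normal" or a
# "stressed" regime each year; events are far more frequent when stressed.
# The expected annual frequency per risk is the same in both models.
P_STRESS = 0.10              # probability that a given year is stressed
LAMBDA_NORMAL = 1.0          # mean events per year, normal regime
LAMBDA_STRESS = 10.0         # mean events per year, stressed regime
SEV_MU = math.log(50_000.0)  # lognormal severity parameters (constructed)
SEV_SIGMA = 1.0
N_RISKS = 2


def expected_frequency():
    """Annual expected event count per risk (identical in both models)."""
    return P_STRESS * LAMBDA_STRESS + (1 - P_STRESS) * LAMBDA_NORMAL


def expected_severity():
    """Mean of the lognormal severity: exp(mu + sigma^2 / 2)."""
    return math.exp(SEV_MU + SEV_SIGMA ** 2 / 2)


def expected_total_loss():
    """Analytic mean annual loss across all risks; the same under both models."""
    return N_RISKS * expected_frequency() * expected_severity()


def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the small means used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def annual_loss(rng, lam):
    """One year of losses for one risk: a Poisson count of lognormal severities."""
    return sum(rng.lognormvariate(SEV_MU, SEV_SIGMA) for _ in range(poisson(rng, lam)))


def simulate(n_years, dependent, seed=1):
    """Return a list of simulated total annual losses across all risks.

    dependent=False: each risk picks its regime independently (a silo view).
    dependent=True : one regime draw drives every risk (a common shock), so a
                     stressed year hits all categories at once.
    """
    rng = random.Random(seed)
    totals = []
    for _ in range(n_years):
        shared = rng.random() < P_STRESS
        total = 0.0
        for _ in range(N_RISKS):
            stressed = shared if dependent else rng.random() < P_STRESS
            total += annual_loss(rng, LAMBDA_STRESS if stressed else LAMBDA_NORMAL)
        totals.append(total)
    return totals


def value_at_risk(losses, level=0.995):
    """Empirical quantile: the loss not exceeded in `level` of simulated years."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(level * len(ordered)))
    return ordered[idx]


def compare(n_years=20_000):
    """Mean and 99.5% VaR for the silo (independent) and joined-up (dependent) runs."""
    silo = simulate(n_years, dependent=False)
    joint = simulate(n_years, dependent=True)
    return {
        "mean_silo": mean(silo),
        "mean_joint": mean(joint),
        "var995_silo": value_at_risk(silo),
        "var995_joint": value_at_risk(joint),
    }


if __name__ == "__main__":
    results = compare()
    print(f"analytic mean loss : {expected_total_loss():>12,.0f}")
    for name, value in results.items():
        print(f"{name:<18}: {value:>12,.0f}")
```

Running it shows the point the article makes: both runs produce the same expected annual loss (the sum of a register's "probability times severity" entries is unchanged), but the 99.5% value at risk, which is what drives a capital figure, is materially higher once the two risks are allowed to be stressed in the same year. A risk register that is flat-loaded into a capital model captures the first number and misses the second.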

Benchmarking

Present a case long enough and it has a good chance of becoming the accepted wisdom. The danger with any company approach to modelling risks and wider ERM is that an internal view of the world evolves.

That's why the scenarios used to evaluate and model risk, the parameters used and the dependency assumptions between those parameters, and the range of economic forecasts selected will all benefit from periodic external benchmarking.

Round pegs for round holes

Effective ERM is not a "one size fits all" process. Nor will it ever be, since the key elements will be different for each organization.

Solutions are not straightforward. As the numerous definitions that have been put forward over the years imply, ERM is complex and reaches, or should reach, into every part of the organization and should be helping companies to identify "good" risk, as well as "bad". That's why an easily understood assessment framework can help.

Gap analysis has become a tried, tested and trusted business technique. Used appropriately, it can help illuminate previously impenetrable aspects of ERM and keep your programme on track.

Andrew Harley is a director in the business consultancy team at actuarial and business consultants EMB.
