Chapter 4: What Is ERM?

Learning Objectives

After completing this reading you should be able to:

- Describe enterprise risk management (ERM) and compare and contrast differing definitions of ERM.
- Compare the benefits and costs of ERM and describe the motivations for a firm to adopt an ERM initiative.
- Describe the role and responsibilities of a chief risk officer (CRO) and assess how the CRO should interact with other senior management.
- Describe the key components of an ERM program.

Excerpt is Chapter 4 of Enterprise Risk Management: From Incentives to Controls, Second Edition, by James Lam.

Earlier, we reviewed the concepts and processes applicable to almost all of the risks that a company will face. We also argued that all risks can be thought of as a bell curve. Certainly, it is a prerequisite that a company develop an effective process for each of its significant risks. But it is not enough to build a separate process for each risk in isolation.

Risks are by their very nature dynamic, fluid, and highly interdependent. As such, they cannot be broken into separate components and managed independently. Enterprises operating in today's volatile environment require a much more integrated approach to managing their portfolio of risks.

This has not always been recognized. Traditionally, companies managed risk in organizational silos. Market, credit, and operational risks were treated separately and often dealt with by different individuals or functions within an institution. For example, credit experts evaluated the risk of default, mortgage specialists analyzed prepayment risk, traders were responsible for market risks, and actuaries handled liability, mortality, and other insurance-related risks. Corporate functions such as finance and audit handled other operational risks, and senior line managers addressed business risks.

However, it has become increasingly apparent that such a fragmented approach simply doesn't work, because risks are highly interdependent and cannot be segmented and managed by entirely independent units. The risks associated with most businesses are not one-to-one matches for the primary risks (market, credit, operational, and insurance) implied by most traditional organizational structures. Attempting to manage them as if they are is likely to prove inefficient and potentially dangerous. Risks can fall through the cracks, risk interdependencies and portfolio effects may not be captured, and organizational gaps and redundancies can result in suboptimal performance.

For example, imagine that a company is about to launch a new product or business in a foreign country. Such an initiative would require:

- The business unit to establish the right pricing and market-entry strategies;
- The treasury function to provide funding and protection against interest rate and foreign-exchange (FX) risks;
- The Information Technology (IT) and operations function to support the business; and
- The legal and insurance functions to address regulatory and liability issues.

It is not difficult to see how an integrated approach could more effectively manage these risks. An enterprise risk management (ERM) function would be responsible for establishing firm-wide policies and standards, coordinating risk management activities across business units and functions, and providing overall risk monitoring for senior management and the board.

Nor is risk monitoring any more efficient under the silo approach. The problem is that individual risk functions measure and report their specific risks using different methodologies and formats. For example, the treasury function might report on interest rate and FX risk exposures, and use value-at-risk as its core risk measurement methodology. On the other hand, the credit function would report delinquencies and outstanding credit exposures, and measure such exposures in terms of outstanding balances, while the audit function would report outstanding audit items and assign some sort of audit score, and so on.

Senior management and the board get pieces of the puzzle, but not the whole picture. In many companies, the risk functions produce literally hundreds of pages of risk reports, month after month. Yet, oftentimes, they still don't manage to provide management and the board with useful risk information. A good acid test is to ask if the senior management knows the answers to the following basic questions:

- What are the company's top 10 risks?
- Are any of our business objectives at risk?
- Do we have key risk indicators that track our critical risk exposures against risk tolerance levels?
- What were the company's actual losses and incidents, and did we identify these risks in previous risk assessment reports?
- Are we in compliance with laws, regulations, and corporate risk policies?

If a company is uncertain about the answers to any of these questions, then it is likely to benefit from a more integrated approach to handling all aspects of risk: enterprise risk management (ERM).¹

¹ Other popular terms used to describe enterprise risk management include firm-wide risk management, integrated risk management, and holistic risk management.
ERM DEFINITIONS

Since the practice of ERM is still relatively new, there have yet to be any widely accepted industry standards with regard to the definition of ERM. As such, a multitude of different definitions is available, all of which highlight and prioritize different aspects of ERM. Consider, for example, a definition provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in 2004:

"ERM is a process, effected by an entity's board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its appetite, to provide reasonable assurance regarding the achievement of entity objectives."

Another definition was established by the International Organization for Standardization (ISO 31000):

Risk is the "effect of uncertainty on objectives" and risk management refers to "coordinated activities to direct and control an organization with regard to risk."

While the COSO and ISO definitions provide useful concepts (e.g., linkage to objectives), I think it is important that ERM is defined as a value-added function. Therefore, I would suggest the following definition:

Risk is a variable that can cause deviation from an expected outcome. ERM is a comprehensive and integrated framework for managing key risks in order to achieve business objectives, minimize unexpected earnings volatility, and maximize firm value.

The lack of a standard ERM definition can cause confusion for a company looking to set up an ERM framework. No ERM definition is perfect or applicable to every organization. My general advice is for each organization to adopt an ERM definition and framework that best fit their business scope and complexity.

THE BENEFITS OF ERM

ERM is all about integration, in three ways.

First, enterprise risk management requires an integrated risk organization. This most often means a centralized risk management unit reporting to the CEO and the Board in support of their corporate- and board-level risk oversight responsibilities. A growing number of companies now have a Chief Risk Officer (CRO) who is responsible for overseeing all aspects of risk within the organization; we'll consider this development later.

Second, enterprise risk management requires the integration of risk transfer strategies. Under the silo approach, risk transfer strategies were executed at a transactional or individual risk level. For example, financial derivatives were used to hedge market risk and insurance to transfer out operational risk. However, this approach doesn't incorporate diversification within or across the risk types in a portfolio, and thus tends to result in over-hedging and excessive insurance cover. An ERM approach, by contrast, takes a portfolio view of all types of risk within a company and rationalizes the use of derivatives, insurance, and alternative risk transfer products to hedge only the residual risk deemed undesirable by management.

Third, enterprise risk management requires the integration of risk management into the business processes of a company. Rather than the defensive or control-oriented approaches used to manage downside risk and earnings volatility, enterprise risk management optimizes business performance by supporting and influencing pricing, resource allocation, and other business decisions. It is during this stage that risk management becomes an offensive weapon for management.

All this integration is not easy. For most companies, the implementation of ERM implies a multi-year initiative that requires ongoing senior management sponsorship and sustained investments in human and technological resources. Ironically, the amount of time and resources dedicated to risk management is not necessarily very different for leading and lagging organizations. The most crucial difference is this: leading organizations make rational investments in risk management and are proactive, optimizing their risk profiles. Lagging organizations, on the other hand, make disconnected investments and are reactive, fighting one crisis after another. The investments of the leading companies in risk management are more than offset by improved efficiency and reduced losses.

Let's discuss the three major benefits of ERM: increased organizational effectiveness, better risk reporting, and improved business performance.
Organizational Effectiveness

Most companies already have risk management and corporate-oversight functions, such as finance/insurance, audit, and compliance. In addition there may be specialist risk units; for example, investment banks usually have market risk management units, while energy companies have commodity risk managers.

The appointment of a chief risk officer and the establishment of an enterprise risk function provide the top-down coordination necessary to make these various functions work cohesively and efficiently. An integrated team can better address not only the individual risks facing the company, but also the interdependencies between these risks.

Risk Reporting

As previously noted, one of the key requirements of risk management is that it should produce timely and relevant risk reporting for the senior management and board of directors. As we also noted, however, this is frequently not the case: in a silo framework, either no one takes responsibility for overall risk reporting, and/or every risk-related unit supplies inconsistent and sometimes contradictory reports.

An enterprise risk function can prioritize the level and content of risk reporting that should go to senior management and the board: an enterprise-wide perspective on aggregate losses, policy exceptions, risk incidents, key exposures, and early-warning indicators. This might take the form of a risk dashboard that includes timely and concise information on the company's key risks. Of course, this goes beyond the senior management level; the objective of ERM reporting is by its nature to increase risk transparency throughout an organization.

Business Performance

Companies that adopt an ERM approach have experienced significant improvements in business performance. Figure 4-1 provides examples of reported benefits of ERM from a cross-section of companies. ERM supports key management decisions such as capital allocation, product development and pricing, and mergers and acquisitions. This leads to improvements such as reduced losses, lower earnings volatility, increased earnings, and improved shareholder value.

FIGURE 4-1 ERM benefits.

| Benefit | Company | Actual Results |
| --- | --- | --- |
| Market value improvement | Top money center bank | Outperformed S&P 500 banks by 58% in stock price performance |
| Early warning of risks | Large commercial bank | Assessment of top risks identified over 80% of future losses; global risk limits cut by one-third prior to Russian crisis |
| Loss reduction | Top asset-management company | 30% reduction in the loss ratio enterprise-wide, up to 80% reduction in losses at specific business units |
| Regulatory capital relief | Large international commercial and investment bank | $1 billion reduction of regulatory capital requirements, or about 8-10% |
| Risk transfer rationalization | Large property and casualty insurance company | $40 million in cost savings, or 13% of annual reinsurance premium |
| Insurance premium reduction | Large manufacturing company | 20-25% reduction in annual insurance premium |

These improvements result from taking a portfolio view of all risks; managing the linkages between risk, capital, and profitability; and rationalizing the company's risk transfer strategies. The result is not just outright risk reduction: companies that understand the true risk/return economics of a business can take more of the profitable risks that make sense for the company and less of the ones that don't.

Despite all these benefits, many companies would balk at the prospect of a full-blown ERM initiative were it not for the existence of heavy internal and external pressures. In the business world, managers are often galvanized into action after a near miss: either a disaster averted within their own organization or an actual crisis at a similar organization. In response, the board and senior management are likely to question the effectiveness of the control environment and the adequacy of risk reporting within their company. To put it another way, they will begin to question how well they really know the organization's major risk exposures. Such incidents are also often followed by critical assessments from auditors and regulators, both groups which are constitutionally concerned with the effectiveness of risk management. Consequently, regulators focus on all aspects of risk during examinations, setting risk-based capital and compliance requirements, and reinforcing key roles for the board and senior management in the risk management process.

This introspection often leads to the emergence of a risk champion among the senior executives who will sponsor a major program to establish an enterprise risk management approach. As noted above, this risk champion is increasingly becoming a formalized senior management position: the chief risk officer, or CRO.

Aside from this, direct pressure also comes from influential stakeholders such as shareholders, employees, ratings agencies, and analysts. Not only do such stakeholders expect more earnings predictability, management have fewer excuses today for not providing it. Over the past few years, volatility-based models such as value-at-risk (VaR) and risk-adjusted return on capital (RAROC) have been applied to measure all types of market risk within an organization; their use is now spreading to credit risk, and even to operational risk. The increasing availability and liquidity of alternative risk transfer products, such as credit derivatives and catastrophe bonds, also means that companies are no longer stuck with many of the unpalatable risks they previously had no choice but to hold. Overall, the availability of such tools makes it more difficult and less acceptable for companies to carry on with more primitive and inefficient alternatives. Managing risk is management's job.

THE CHIEF RISK OFFICER

The role of a chief risk officer has received a lot of attention within the risk management community, as well as from the finance and general management audiences. Articles on chief risk officers and ERM appear frequently in trade publications such as Risk Magazine and Risk and Insurance, but have also been covered in general publications such as CFO magazine, the Wall Street Journal, and even USA Today.

Today, the role of the CRO has been widely adopted in risk-intensive businesses such as financial institutions, energy firms, and non-financial corporations with significant investment activities and/or foreign operations. I would estimate that as many as 80% of the biggest U.S. financial institutions have CROs.

The recent financial and economic meltdowns have increased the demand for comprehensive ERM frameworks. As an indication of this increased demand, executive management training programs in ERM are increasingly offered by leading business schools. For example, in November 2010, Harvard Business School implemented a five-day program designed to train CEOs, COOs, and CROs in managing risk as corporate leaders; there have been two other sessions to date, one in February 2012, and one just recently, in February 2013.²

² Winokur, L.A. "The Rise of the Risk Leader: A Reappraisal," Risk Professional, April 2012, 20.

Typical reports to the CRO are the heads of credit risk, market risk, operational risk, insurance, and portfolio management. Other functions that the CRO is commonly responsible for include risk policy, capital management, risk analytics and reporting, and risk management within individual business units. In general, the office of the CRO is directly responsible for:

- Providing the overall leadership, vision, and direction for enterprise risk management;
- Establishing an integrated risk management framework for all aspects of risks across the organization;
- Developing risk management policies, including the quantification of the firm's risk appetite through specific risk limits;
- Implementing a set of risk indicators and reports, including losses and incidents, key risk exposures, and early warning indicators;
- Allocating economic capital to business activities based on risk, and optimizing the company's risk portfolio through business activities and risk transfer strategies;
- Communicating the company's risk profile to key stakeholders such as the board of directors, regulators, stock analysts, rating agencies, and business partners; and
- Developing the analytical, systems, and data management capabilities to support the risk management program.

Still, given that enterprise risk management is a relatively new field, many of the kinks have yet to be smoothed out of the Chief Risk Officer role. For example, there are still substantial amounts of ambiguity with regard to where the CRO stands in the hierarchy between the board of directors and other C-level positions, such as CEOs, CFOs, and COOs.

In many instances, the CRO reports to the CFO or CEO, but this can make firms vulnerable to internal friction when serious clashes of interest occur between corporate leaders. For example, when Paul Moore, former head of regulatory risk at HBOS, claimed that he had been "fired ... for warning about reckless lending," the resulting investigations led to the resignation of HBOS' chief executive, Sir James Crosby, as the deputy chairman of the Financial Services Authority.³

³ Davy, Peter. "Cinderella Moment," Wall Street Journal, October 5, 2010.

One organizational solution is to establish a dotted-line reporting relationship between the chief risk officer and the board or board risk committee. Under extreme circumstances (e.g., CEO/CFO fraud, major regulatory issues, or excessive risk taking beyond risk appetite tolerances), that dotted line may convert to a solid line so that the chief risk officer can go directly to the board without fear for his or her job security or compensation. Ultimately, to be effective, risk management must have an independent voice. A direct communication channel to the board is one way to ensure that this voice is heard.

For these dotted-line reporting structures between the CRO and the board (and between the business line officers and the CRO), it is critical that an organization clearly establish and document the ground rules. Basic ground rules include risk escalation and communication protocols, and the role of the board or CRO in hiring/firing, annual goal setting, and compensation decisions for the risk and compliance professionals who report to them.⁴

⁴ Lam, James. "Structuring for Accountability," Risk Professional, June 2009, 44.

Another board risk oversight option is to alter existing audit committees to incorporate risk management. In a survey of the S&P 500, "58% of respondents said that their audit committees were responsible for risk management."⁵ However, this presents problems of its own; oftentimes, audit committees are already working at maximum capacity just handling audit matters, and are unable to properly oversee ERM as well. Henry Ristuccia, of Deloitte, for example, affirms that unless the "audit committee [can improve] its grasp of risk management ... a separate risk committee needs to be formed."⁶

⁵ Banham, Russ. "Disaster Averted," CFO Magazine, April 1, 2011, 2.
⁶ Ibid.

The lack of an ERM standard is also a significant barrier to the positive development of the CRO role. Mona Leung, CFO of Alliant Credit Union, says that "we have too many varying definitions" of enterprise risk management, with the result that ERM means something different to every company, and is implemented in different ways. Of course, firms from different industries should (and must) tailor their approaches to risk management in order to meet the requirements of their specific business models and regulatory frameworks, but nonetheless, it is important to have a general ERM standard.

Despite the remaining ambivalences in the structure of the CRO role, I believe that it has elevated the risk management profession in some important ways. First and foremost, the appointment of executive managers whose primary focus is risk management has improved the visibility and organizational effectiveness of that function at many companies. The successes of these appointments have only increased the recognition and acceptance of the CRO position. Second, the CRO position provides an attractive career path for risk professionals who want to take a broader view of risk and business management. In the past, risk professionals could only aspire to become the head of a narrowly focused risk function such as credit or audit. Nearly 70 percent of the 175 participants in one online seminar that I gave on September 13, 2000, said they aspired to become CROs. Today, CROs have begun to move even further up the corporate ladder by becoming serious contenders for the positions of CEO and CFO. For example, Matthew Feldman, formerly CRO of the Federal Home Loan Bank of Chicago, was appointed its CEO and President in May of 2008. Likewise, Deutsche Bank CRO Hugo Banziger was a candidate for UBS CEO. Kevin Buehler, of McKinsey & Co., affirms that the gradual movement of CROs from control functions to more strategic roles is the primary contributing factor to their success, and that in the coming years, this progress is only likely to accelerate.⁷

⁷ Winokur, L.A. "The Rise of the Risk Leader: A Reappraisal," Risk Professional, April 2012, 17.

Some argue that a company shouldn't have a CRO because that job is already fulfilled by the CEO or the CFO. Supporting this argument is the fact that the CEO is always going to be ultimately responsible for the risk (and return) performance of the company, and that many risk departments are part of the CFO's organization. So why create another C-level position of CRO and detract from the CEO's or CFO's responsibilities?

The answer is the same reason that companies create roles for other C-level positions, such as chief information officers or chief marketing officers. These roles are defined because they represent a core competency that is critical to the success of the company; the CEO needs the experience and technical skills that these seasoned professionals bring. Perhaps not every company should have a full-time CRO, but the role should be an explicit one and not simply one implied for the CEO or CFO.

For companies operating in the financial or energy markets, or other industries where risk management represents a core competency, the CRO position should be considered a serious possibility. A CRO would also benefit companies in which the full breadth of risk management experience does not exist within the senior management team, or if the build-up of required risk management infrastructure requires the full-time attention of an experienced risk professional.

What should a company look for in a CRO? An ideal CRO would have superb skills in five areas. The first would be the leadership skills to hire and retain talented risk professionals and establish the overall vision for ERM. The second would be the evangelical skills to convert skeptics into believers, particularly when it comes to overcoming natural resistance from the business units. Third would be the stewardship to safeguard the company's financial and reputational assets. Fourth would be to have the technical skills in strategic, business, credit, market, and operational risks. And, last but not least, fifth would be to have consulting skills in educating the board and senior management, as well as helping business units implement risk management at the enterprise level.

While it is unlikely that any single individual would possess all of these skills, it is important that these competencies exist either in the CRO or elsewhere within his or her organization.

COMPONENTS OF ERM

A successful ERM program can be broken down into seven key components (see Figure 4-2). Each of these components must be developed and linked to work as an integrated whole. The seven components include:

1. Corporate governance to ensure that the board of directors and management have established the appropriate organizational processes and corporate controls to measure and manage risk across the company.
2. Line management to integrate risk management into the revenue-generating activities of the company (including business development, product and relationship management, pricing, and so on).
3. Portfolio management to aggregate risk exposures, incorporate diversification effects, and monitor risk concentrations against established risk limits.
4. Risk transfer to mitigate risk exposures that are deemed too high, or are more cost-effective to transfer out to a third party than to hold in the company's risk portfolio.
5. Risk analytics to provide the risk measurement, analysis, and reporting tools to quantify the company's risk exposures as well as track external drivers.

FIGURE 4-2 Seven components of ERM

1. Corporate Governance: Establish top-down risk management
2. Line Management: Business strategy alignment
3. Portfolio Management: Think and act like a "fund manager"
4. Risk Transfer: Transfer out concentrated or inefficient risks
5. Risk Analytics: Develop advanced analytical tools
6. Data and Technology Resources: Integrate data and system capabilities
7. Stakeholders Management: Improve risk transparency for key stakeholders
6. Data and technology resources to support the analytics and reporting processes.
7. Stakeholder management to communicate and report the company's risk information to its key stakeholders.

Let's consider these in turn.

Corporate Governance

Corporate governance ensures that the board of directors and management have established the appropriate organizational processes and corporate controls to measure and manage risk across the company. The mandate for effective corporate governance has been brought to the forefront by regulatory and industry initiatives around the world. These initiatives include the Treadway Report from the United States, the Turnbull Report from the UK, and the Dey Report from Canada. All of these made recommendations for establishing corporate controls and emphasized the responsibilities of the board of directors and senior management. Additionally, the Sarbanes-Oxley Act provides both specific requirements and severe penalties for non-compliance.

From an ERM perspective, the responsibilities of the board of directors and senior management include:

- Defining the organization's risk appetite in terms of risk policies, loss tolerance, risk-to-capital leverage, and target debt rating
- Ensuring that the organization has the risk management skills and risk absorption capability to support its business strategy
- Establishing the organizational structure of the ERM framework and defining the roles and responsibilities for risk management, including the role of chief risk officer
- Implementing an integrated risk measurement and management framework for strategic, business, operational, financial, and compliance risks
- Establishing risk assessment and audit processes, as well as benchmarking company practices against industry best practices
- Shaping the organization's risk culture by setting the tone from the top not only through words but also through actions, and reinforcing that commitment through incentives
- Providing appropriate opportunities for organizational learning, including lessons learned from previous problems, as well as ongoing training and development

Line Management

Perhaps the most important phase in the assessment and pricing of risk is at its inception. Line management must align business strategy with corporate risk policy when pursuing new business and growth opportunities. The risks of business transactions should be fully assessed and incorporated into pricing and profitability targets in the execution of business strategy.

Specifically, expected losses and the cost of risk capital should be included in the pricing of a product or the required return of an investment project. In business development, risk acceptance criteria should be established to ensure that risk management issues are considered in new product and market opportunities. Transaction and business review processes should be developed to ensure the appropriate due diligence. Efficient and transparent review processes will allow line managers to develop a better understanding of those risks that they can accept independently and those that require corporate approval or management.

Portfolio Management

The overall risk portfolio of an organization should not just happen; that is, it should not just be the cumulative effect of business transactions conducted entirely independently. Rather, management should act like a fund manager and set portfolio targets and risk limits to ensure appropriate diversification and optimal portfolio returns.

The concept of active portfolio management can be applied to all the risks within an organization. Diversification effects from natural hedges can only be fully captured if an organization's risks are viewed as a whole, in a portfolio. More importantly, the portfolio management function provides a direct link between risk management and shareholder value maximization.

For example, a key barrier for many insurance companies in implementing ERM is that each of the financial risks within the overall business portfolio is managed independently. The actuarial function is responsible for estimating