Enterprise Risk Management: A Modern Consensus from Corporate Studies

Enterprise Risk Management (ERM) Introduction

Enterprise Risk Management (ERM) is one of the hottest areas in the risk management discipline today, with new advances in technology and communications creating both opportunities and challenges in the area. Experts have conducted considerable research in the field of ERM in the last fifteen years and it’s useful to understand how the consensus set of best practices in the area has evolved.

For those not familiar with the concept of Enterprise Risk Management, the Risk Management Society definesit as “a strategic business discipline that supports the achievement of an organization’s objectives by addressing the full spectrum of its risks and managing the combined impact of those risks as an interrelated risk portfolio.”¹In particular, ERM is a significant evolution versus traditional risk management techniques in that it encompasses all areas of an organization and looks at the overall set of risks that result from interrelated processes, people, and structures across the organization. The following is a good example of laying out the principles of an organization’s risk management goals. These are excerpts from Wells Fargo & Company’s 2014 Annual report:

Risk Management Framework and Culture

The key elements of our risk management framework and culture include the following:

• We strongly believe in managing risk as close to the source as possible. We manage risk through three lines of defense, and the first line of defense is our team members in our lines of business who are responsible for identifying, assessing, monitoring, managing, mitigating, and owning the risks in their businesses. All of our team members have accountability for risk management. Our Corporate Risk group, led by our Chief Risk Officer who reports to the Board’s Risk Committee, as well as other corporate functions such as the Law Department, Corporate Controllers, and the Human Resources Department serve as the second line of defense and provide company-wide leadership, oversight, an enterprise view, and appropriate challenge to help ensure effective and consistent understanding and management of all risks by our lines of business. Wells Fargo Audit Services, led by our Chief Auditor who reports to the Board’s Audit and Examination Committee, serves as the third line of defense and through its audit, assurance, and advisory work evaluates and helps improve the effectiveness of the governance, risk management, and control processes across the enterprise.
• We have a significant bias for conservatism. We strive to maintain a conservative financial position measured by satisfactory asset quality, capital levels, funding sources, and diversity of revenues. Our risk is distributed by geography, product type, industry segment, and asset class, and while we want to grow the Company, we will attempt to do so in a way that supports our long term goals and does not compromise our ability to manage risk.
• We have a long-term customer focus. Our focus is on knowing our customers and meeting our customers’ long-term financial needs by offering products and value added services that are appropriate for their needs and circumstances. In addition, our team members are committed to operational excellence, and we recognize that our infrastructure, systems, processes, and compliance programs must support the financial success of our customers through a superior customer service experience.
• We must understand and follow our risk appetite. Our risk management framework is based on understanding and following our overall enterprise statement of risk appetite, which describes the nature and level of risks that we are willing to take to achieve our strategic and business objectives. This statement provides the philosophical underpinnings that guide business and risk leaders as they manage risk on a day-to-day basis. Our CEO and Operating Committee, which consists of our Chief Risk Officer and other senior executives, develop our enterprise statement of risk appetite in the context of our risk management framework and culture described above. The Board approves our statement of risk appetite annually, and the Board’s Risk Committee reviews and approves any proposed changes to the statement to help ensure that it remains consistent with our risk profile.

Research in ERM

Early research in ERM showed that less than a thirdof companies had adopted an ERM framework, with most companies that had such a system having been pushed to develop one either by internal risk managers, the firm’s Board, or regulatory authorities.²Over time, ERM has started to become more important to regulators and shareholders. The Financial Crisis of 2008-2009 made it clear that risks can develop where few expected them and even the largest organizations need to carefully assess their level of exposure to a variety of different risk factors. In addition, since the Crisis, government regulators have taken a harder line on risk management practices in a variety of industries. Further adding to the importance of ERM, rating agencies like Moody’s and Standard & Poor’s have begun to incorporate a company’s ERM practices into their rating methodology not only for insurance and banking firms, but for non-financial firms as well.

Enterprise Risk Management, the 2010 book from Wiley edited by John Fraser and Betty J. Simkins, details best practices in the field of ERM and notes that “the expectations that boards of directors and senior executives are effectively managing risks facing an enterprise are at all-time highs. Much of this shift in expectations was prompted initially by corporate scandals and resulting changes in corporate governance requirements…This shift toward greater expectations for enterprise-wide risk management oversight is complicated by the fact that the volumes and complexities of risks facing an enterprise are increasing as well.”³It is clear that not having a comprehensive system for managing the myriad array of risks that all firms face today is not an option. From cyber intrusion related risks to problems with employees to financial risks, no firm can afford to ignore the need for a risk management system and ERM offers the best holistic set of tools to address this need.

ERM not only makes sense from a risk mitigation stand point, but there is increasing evidence that it can have financial benefits as well. In a 2008 research study, Simkins and Ramirez found that effective ERM programs can enhance the financial performance of the firm.⁴An important part of this improved financial performance is making corporate governance standards and ERM practices work together. The two are related but distinct. Corporate governance centers on monitoring and managing the firm on behalf of shareholders in accordance with regulations while ERM is concerned with evaluating and controlling the risks in the organization. In essence, a good corporate governance system is akin to having a watchful manager, while an effective ERM program is like having a sage outside business advisor that reins the manager in when they are taking on too much risk. The two go hand-in-hand and are complementary, but distinct.

In fact ERM needs to work not only with corporate governance functions but also with other functions across an organization. A 2006 research papercoauthored between insurance executive Brian Nocco and financial economist Rene Stulz noted that to develop an effective ERM system, firms need to decide on a risk “appetite” and then figure out how to measure the risks the firm is bearing.⁵With that completed, management at the organization can then decide which risks to retain and which risks should be transferred to others, either through insurance, financial products like swaps, or even jettisoning excessively risky non-core business lines. In the case of Nationwide Insurance for instance, the firm attempts to limit “non-core” risk exposures related to financial markets like interest rate and equity risks while taking on core insurance related risks. Nationwide is certainly not alone in needing to address this issue and decide as an organization which risks are core to the business and which should be mitigated or offloaded wholesale.

Flaws in ERM

Indeed, ERM is often a more complex issue than many observers recognize at first. For instance, during the 2008 Financial Crisis, many outsiders faulted firms for flawed risk management processes and claimed that a lack of proper risk management was an important driver of the Crisis. Yet as somestudieshave shown, many of the decisions made by risk managers were flawed but reasonable at the time they were made.^6,7Risk management can fail for a variety of reasons that are often misunderstood. Choosing the wrong risk metrics and mismeasuring risks are often issues that all ERM systems need to confront. Similarly, communication between risk managers and top management can also break down and lead to ineffective guidance and information for decision makers. Current risk management practice can be improved today by accounting for data from past crises and using that data to model potential future crisis scenarios. A variety of statistical tools can aid in this forecasting process. These models go beyond the scope of this article but business intelligence methods including quantile regressions and random effects models. Risk models that can be useful under these scenarios span the gamut from order variance forecasting to macroeconomic variable modeling. These models enable firms to create effective scenario planning tools based on forward-looking economic data and analysis. Economists still have very limited ability to predict economic crises at a macroeconomic level, but the challenges of these crises and their after-effects are better understood.

Arguably the most valuable aspects of ERM are the use of economic capital models and the creation of dedicated risk management positions within an organization. Ideally, a dedicated risk manager should report directly to the CEO or the Board to cut down on communications issues. This is particularly important at insurance companies and financial firms. A 2014 studyshowed that these steps add significantly to cost savings at a firm, and help boost the bottom line.⁸The authors found that in the case of insurance companies, the addition of an economic capital model yielded an 8.4% increase in the cost efficiency of life insurers translating into $63 million in cost savings (based on average total costs within the sample of $751 million). The addition of such an economic capital model also boosted organizational return on assets (ROA) by 0.54% with overall ERM programs improving ROAs by anywhere from 0.34% to 0.89% with cost savings ranging from $19.8 million to $73.6 million. Similarly a 2011 studyand a 2014 studyboth found that ERM programs increase firm value in capital markets.^9,10For a well laid out ERM reporting structure, see below from Wells Fargo & Company 2014 annual report:

Optimizing ERM Programs

Given the economic benefits of ERM, management at organizations large and small should be interested in optimizing their existing ERM programs or modifying legacy risk management functions to account for risks on an enterprise basis. The essential steps to do this are:

• Identify risks across the enterprise
• Measure risks for the enterprise
• Formulate strategies to limit risks for the enterprise
• Execute those strategies
• Monitor enterprise and strategies to assess results

For example Wells Fargo & Company 2014 Annual Report states “The Corporate Market Risk Group has oversight responsibilities in identifying, measuring and monitoring the Company’s market risk.” And for operational risk: “Provide a structured approach for identifying, measuring, managing, reporting and monitoring operational risks across all areas of Wells Fargo;…”

This approach is validated in studiesof successful corporate practices, but perhaps the most important takeaway from a decade of research into ERM is that there are no hard and fast mechanistic rules that work well for all organizations.^11,12Effective enterprise risk management needs to be tailored to the needs of a specific organization. This is true whether that organization wants to use economic capital models, scenario planning, dedicated risk managers, or any other tool. Simple frameworks from COSO (Committee of Sponsoring Organizations) and other industry associations are insufficienton their own. For instance in a 2012 study, Paape and Spekle find that the application of the COSO framework on its own is not flexible or comprehensive enough to significantly reduce the incidence of risk management issues.¹³As with so many other business functions, there is no silver bullet in ERM; instead firms need to adopt the attitude that an effective Enterprise Risk Management system is a business imperative and then do whatever it takes to build a system that works for their specific industry and organization.

References

1. https://www.rims.org/ERM/Pages/WhatisERM.aspx
2. http://onlinelibrary.wiley.com/doi/10.1111/1098-1616.00020/abstract?userIsAuthenticated=false&deniedAccessCustomisedMessage=
3. Page 32
4. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1657036
5. http://papers.ssrn.com/sol3/papers.cfm?abstract_id=963398
6. http://onlinelibrary.wiley.com/doi/10.1111/jacf.12103/pdf
7. http://www.tandfonline.com/doi/abs/10.1080/09638180.2012.661937
8. http://onlinelibrary.wiley.com/doi/10.1111/jori.12022/abstract?userIsAuthenticated=false&deniedAccessCustomisedMessage=
9. http://onlinelibrary.wiley.com/doi/10.1111/j.1539-6975.2011.01413.x/abstract?userIsAuthenticated=false&deniedAccessCustomisedMessage=

• http://jaf.sagepub.com/content/26/4/641.short
• https://business.illinois.edu/~s-darcy/papers/erm.pdf
• http://papers.ssrn.com/sol3/papers.cfm?abstract_id=950421
• http://www.tandfonline.com/doi/abs/10.1080/09638180.2012.661937

About the Author

Michael has served as a business consultant for various companies, providing training and content authoring services as a subject matter expert in finance and economics for firms like IBM and Stanley Black & Decker. Previously Michael worked as a data scientist for a tech start-up in the financial industry, as a municipal bond trader for Wachovia Securities holding a Series 7 and Series 63 license, and for a large hedge fund in doing data mining and analysis. Currently, Michael is Assistant Professor of Finance at Fairfield University in Connecticut. He also gives lectures on a variety of corporate finance and investment topics from mergers and acquisitions to corporate governance.

Michael has developed and delivered courses in a variety of business areas and for a variety of participants ranging from undergraduate students to career professionals. He has developed a variety of numerous courses including topics such as microeconomics, macroeconomics, business simulation, financial economics, introductory corporate finance, advanced corporate finance, investments, derivatives, and case studies in finance and economics.

Michael has worked on projects ranging from research projects to professional consulting assignments. For example, Michael has consulted for a mid-sized asset management fund and worked on projects related to portfolio management and asset allocation. His work in analyzing investment analysis and corporate finance has appeared in several professional journals, and has been presented at major professional meetings like the Financial Management Association Annual Meeting, the American Finance Association Annual Meeting, and the Eastern Finance Association Annual Meeting. His work has also been written up by the Wall Street Journal and CFA Institute.

Michael holds a Ph.D. in Business Administration with a Concentration in Finance from the University of Tennessee. He also holds a Master of Arts in Economics and a Bachelor of Science in Industrial Engineering, both from Clemson University.

Copyright © 2015 by Global Financial Markets Institute, Inc.

Download article