Enterprise Risk Management, Tim Sullivan, NAMIC Insurance Company, Inc.

Page 1:

Enterprise Risk Management

Tim Sullivan
NAMIC Insurance Company, Inc.

Page 2:

“The basic rule of risk-taking, whether it is hazard risk, financial risk or any other form of risk, is that if you do not fully understand a risk, you do not engage it, regardless of what profits are claimed or reported.

This basic rule is, unfortunately, violated by individuals consistently.”

Steven P. D’Arcy, Journal of Risk Management of Korea, May 30, 2001, Pages 13-14

Academic Perspective

Page 3:

“I believe in taking calculated risks, provided we do the calculating.”

Ray Ainger talking to Jake Williams

Practitioner’s Perspective

Page 4:

Risk is a condition of reality in which there is a possibility of an adverse deviation from an expected outcome.

Risk is inescapable.

It is before us.

We always sit at the gambler’s table.

Definition of Risk

Page 5:

Risk is a condition of the real world.

Existence of risk creates uncertainty.

However, a person’s conviction about a situation may or may not coincide with the conditions of the real world.

This highlights the need for measurement.

Uncertainty’s Relationship to Risk

Page 6:

Exposure – What do I stand to lose? Maximum amount of damage that will be suffered if some event occurs. While exposure may be measured quantitatively, often the qualitative is just as important, such as reputation damage.

Volatility – How uncertain is the future? Volatility is the variability of potential outcomes. Generally, the greater the variability, the greater the risk.

Risk Concepts

Page 7:

Probability – How likely is it that some risky event will actually occur?

Severity – How bad might it get? While exposure is defined in terms of the worst that can possibly happen, severity is the amount of damage likely to occur (the average loss).

Risk Concepts

Page 8:

Risk management was first developed in the 1950s by a group of innovative insurance professors.

It wasn't until the 1960s that the field was formally named, principles developed and guidelines established.

Robert Mehr and Bob Hedges are widely acclaimed as the fathers of risk management.

Landmark Book: Risk Management in the Business Enterprise, Robert D. Irwin, Inc., 1963

Introduction of Risk Management

Page 9:

As initially introduced in this text, the objective of risk management is:

“to maximize the productive efficiency of the enterprise.”

Over time, the objective of risk management was re-stated as: “to minimize the cost of risk”

The basic premise was that risks should be managed in a comprehensive manner, and not simply insured.

Introduction of Risk Management

Page 10:

Risk management is a process that identifies loss exposures faced by an organization and selects the most appropriate technique for treating those exposures.

Risk Management: Traditional Definition

Page 11:

Any situation or set of circumstances in which a loss is possible, regardless of whether the loss occurs.

Loss Exposure

Page 12:

Risk management is a decision process; insurance is a method of risk transfer.

Risk management focuses on identifying and measuring risks to select the most appropriate technique.

Insurance is only one of several options to treat pure loss exposures.

Risk Management Vs. Insurance

Page 13:

• Risk is an inescapable part of doing business. Every business decision involves an element of risk.

• Over time, the decisions a business makes lead to a unique collection of risks – a unique risk profile.

• This risk profile will determine the company’s earnings and earnings volatility.

• Maximizing return is a dangerous decision criterion.

• While “higher risk, higher return” is widely accepted, the appropriate goal is to optimize the risk/return profile.

The Case for ERM

Page 14:

The exercise of identifying and measuring all of a firm’s exposures is valuable in and of itself.

The process provides managers and Boards with a better understanding of their business and the risk events that can potentially hinder a firm’s strategic objectives.

As a result, managers and directors will make better decisions.

The Case for ERM

Page 15:

1. Risk is an inescapable part of doing business. Every business decision involves an element of risk.

2. Over time, the decisions a business makes lead to a unique collection of risks – a unique risk profile.

3. This risk profile will determine the company’s earnings and earnings volatility.

4. Maximizing return is a dangerous decision criterion.

5. The appropriate goal is to optimize the risk/return profile.

The case for risk management

Page 16:

Gain of action and the pain of inaction make the case.

Managing the risk of a business enterprise is a key responsibility of the Board.

Managing risk can reduce earnings volatility.

Benefits of Risk Management

Page 17:

Starting in the early 1990s, risk management began to evolve from a “silo approach” to holistic treatment.

At the same time, risk management was elevated to a senior management responsibility.

Enterprise risk management involves a broader view of risk that encompasses both hazard and business risk.

ERM integrates all of its risk management activities at the enterprise level.

The fundamental goal of ERM is to maximize the value of the organization.

Enterprise Risk Management

Page 18:

Well-publicized failures spurred insistence that senior management take responsibility for enterprise-wide risk.

Pressure for ERM has come from:
• Regulators
• Rating agencies
• Stock exchanges
• Institutional investors
• Governance boards
• Shareholders in publicly traded companies

These pressures span virtually every developed country.

External Pressures

Page 19:

The exercise of identifying and measuring all of a firm’s exposures is valuable in and of itself.

The process provides managers and Boards with a better understanding of their business and the risk events that can potentially hinder a firm’s strategic objectives.

As a result, managers and directors will make better decisions.

Proponents of ERM Argue That

Page 20:

Know your business; know your risks.

Establish checks and balances
• For example, segregation of duties
• Horror Story: Nick Leeson, the rogue trader at Barings Singapore branch

Set limits and boundaries
• For financial market risks, trading limits, product limits, duration
• For credit risk, mark to market, risk grade, industry, country
• For operational risks, minimum quality standards (or error rates) by operation, system and process; standards for sales practices and product disclosures; hiring policies including background checks, termination policies

Use the right yardstick

Balance objective thinking with intuitive thinking

Lessons Learned

Page 21:

Business operations (e.g., customer satisfaction, human resources, product development, capacity, efficiency, product/service failure, trademark/brand erosion)

Empowerment (delegate too much too soon, change readiness)

Information technology (e.g., relevance, obsolescence, availability, project management)

Integrity (e.g., management fraud, reputation)

Information/business reporting/controls (e.g., budgeting, planning, accounting information, pension fund, investment evaluation, taxation)

Counterparty risk

Operational Risks

Page 22:

“Plans are nothing; planning is everything.”

Dwight D. Eisenhower

Page 23:

Common ERM practices are shared across a wide variety of organizations and around the globe.

Process, tools and procedures are not limited to insurance or even financial services.

Information sharing has been aided by technology.

Organizations have been quite willing to share best practices and efficiency gains.

“Boundaryless” Benchmarking

Page 24:

Traditional risk management tended to take a defensive posture toward risk.

ERM organizations recognize the value-creating potential of risk.

Avoidance and minimization remain legitimate strategies in ERM.

However, the organization’s willingness to swap, keep and actively pursue risk is enhanced by its ability to understand, measure and exploit risk.

Risk As Opportunity

Page 25:

"The process by which organizations in all industries assess, control, exploit, finance and monitor risks from all sources for the purpose of increasing the organization's short and long term value to its stakeholders."

Casualty Actuarial Society (CAS) Definition of ERM

Page 26:

“… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”

Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.

ERM COSO Definition

Page 27:

One common model used in ERM for categorizing risk is as follows:

• Hazard
• Financial
• Operational
• Strategic

ERM Risk Categories

Page 28:

Causes of operational risk
• Internal processes
• People
• Systems

Examples
• Product recall
• Customer satisfaction
• Information technology
• Labor dispute
• Management fraud

Operational Risk

Page 29:

• Competition
• Changing customer wants/needs
• Demographic/cultural changes
• International developments
• New entrants
• Substitute products
• Technological innovations
• Capital availability
• Regulatory and political trends

Strategic Risks

Page 30:

Identify all risks an organization faces (“Peel the onion”)
• Get beyond pure risks
• Get beyond financial risks
• Find operational risks
• Find strategic risks

Treat all the risks holistically
• Regard them as an interrelated system
• Understand and anticipate correlations

Fully quantify all risks

Apply risk management techniques consistently to all risks

The ERM Challenge
