5 Dimensions of Enterprise Risk Management (ERM)

Introduction

 

Enterprise risk management or enterprise-wide risk management is a holistic approach to risk management which attempts to identify and address potential risks to the firm’s strategic objectives. It does so by taking into account the interrelationships among the various risks. 

 

Alternatively a firm may opt for a silo-based risk management approach wherein a firm manages each risk separately, often along its business lines.

 

Advantages of silo-based risk management:

 

1. Silos can enable risk management specialization by business unit. For instance, the finance department can handle the financial risks (credit, liquidity, market risks), the IT department can handle the security risk (operational risk), etc. 

2. Silos create a rich variety of risk management expertise. Since they work in separate ecosystems, they can undergo a structural expert-based risk management approach unrelated to other ecosystems.

 

Disadvantages of silo-based risk management:

 

1. Silos do not take into account the correlation between the various types of risks.

2. A silo-based approach can result in suboptimal performance towards risk management since the approach is fragmented in nature.

3. The metrics used in risk management can eventually turn out to be faulty, misleading and unhelpful since silos do not take into account the various interdependence or correlation factors.

 

Essentially, the lack of consideration of the interdependence between the different types of risks, in a silo-based approach, often results in substandard risk management in a firm opting the method.

 

In an attempt to look at a holistic risk management system that overcomes the shortcomings of a silo-based risk management approach, this blog provides an overview on the enterprise risk management (ERM) approach. 

 

(Must read: Difference between Bitcoin and Bitcoin Cash)

 

Benefits of ERM

 

The concept of enterprise risk management is to put credit, operational, market, regulatory and reputational risk under the same management umbrella. The following 10 benefits depict the relative advantage of enterprise risk management:

 

1. Helps firms define and adhere to enterprise risk appetites.

2. Focusses oversight on most threatening risks.

3. Identifies enterprise-scale risks generated at business line level.

4. Manages risk concentrations across the enterprise. 

5. Manages emerging enterprise risks (e.g., cyber risk, AML (anti-money laundering) risk, reputation risk).

6. Supports regulatory compliance and stakeholder reassurance.

7. Helps firms to understand risk-type correlations and cross-over risks.

8. Optimizes risk transfer expenses in line with risk scale and total cost.

9. Incorporates stress scenario capital costs into pricing and business decisions.

10. Incorporates risk into business model selection and strategic decisions.

 

(Related blog: 10 Types of Exotic Options)

 

 

Dimensions of ERM 

 

In order to figure out how to use the ERM approach, a firm can divide the various ERM practices across 5 dimensions. These dimensions include:

 

1. Targets: 

 

The enterprise's risk appetite and how it connects to its strategic goals are included in targets. Operational measures such as global limit frameworks and incentive compensation programmes are connected to risk appetite. Setting the proper targets and ensuring that they do not clash with other strategic goals is one of ERM's primary goals.

 

(Also read: Introduction to the Basel Norms)

 

2. Structure: 

 

The function of the board, the global risk committee and other risk committees, the CRO, and the corporate governance framework are all part of an ERM program's organisational structure. The objective of enterprise risk management (ERM) is to make each structure responsive to the enterprise-wise risks faced by the firm.

 

The CRO reports directly to the Board of Directors about the overall risk exposure of the firm and methods to handle it. Following are some of the roles of a CRO:

 

1. Developing risk maps and formulating strategic action plans.

2. Creating and disseminating risk analysis reports.

3. Ensuring that risk management priorities are reflected in the company's strategic plans.

4. Formulating and implementing risk assurance strategies.

5. Evaluating possible operational risks that may arise from human error or system failures, which might disrupt or affect business processes.

6. Measuring the organization's risk appetite, and setting the amount of risk that the organization is able – and willing – to take on.

7. Developing budgets for risk-related projects and supervising their funding

8. Conducting risk assurance and due diligence on behalf of the organization, etc.

 

Presence of the CRO and a dedicated risk management function have increased the efficiency with which organizations tackle their risk exposures.

 

(Related blog: An Overview of Economic Moat)

 

3. Identification and metrics: 

 

This dimension of the ERM program entails the identification of the enterprise-wide risks faced by the firm and the severity of these risks. Another important factor that is identified and measured is the frequency of these risks. 

 

Key metrics used for the identification and measuring purposes include enterprise-level scenario analysis and stress testing, aggregate risk measures such as VaR, total-cost-of-risk methodologies, risk-specific metrics, and whole-of-firm risk mapping and flagging mechanisms.

 

Aggregate risk measures proved to be inefficient by the 2007-09 financial crisis because such measures do not take the risk factor relationships into consideration. Scenario analysis along with sensitivity testing and stress testing prove to be better measures and are used extensively in ERM programs across firms.

 

1. Sensitivity testing: Sensitivity testing involves changing one parameter in a risk model to see how sensitive the model result is to the alteration.

2. Stress testing: Stress testing includes changing one or more key variables to explore risk model results under stressful conditions.

3. Scenario analysis: Scenario analysis involves imagining a whole scenario, developing a coherent narrative that explains why the variables change, and assessing the effects of this on the firm’s risk portfolios.

 

4. ERM Strategies: 

 

It is essential for firms using the ERM approach to focus on the strategic dimension which includes formulating specific strategies for managing enterprise-wide risks at either the enterprise level or through business lines. This includes the fundamental decision to avoid, transfer, mitigate or accept the risks along with the choice of enterprise-wide risk transfer instruments.

 

5. Culture: 

 

If targets, structure, and metrics are the bones of the ERM strategy, then culture is the flesh and blood. The risk culture of a firm is the goals, customs, values, and beliefs (both  implicit and explicit) that influence the behaviour of the firm’s employees. Essentially these corporate norms guide individuals in their understanding and responses to risk. 

 

Risk culture eventually translates into a firm’s handling mechanism. A weak risk culture plays a significant role in the lead up to a financial crisis as can be seen in the lead-up to the 2007-09 financial crisis where subprime lending was done in a suboptimal manner so as to maximize profits by financial firms. 

 

A weak risk culture results in situations of money laundering, emarbo breaches, interest rate manipulation, etc. all of which eventually lead to a crisis. A firm that has a strong risk culture is well protected since it has a holistic and long-term view in its culture. 

 

Establishing a strong risk culture is difficult because of the multilayered nature of risk culture. Individuals come with varied risk mindsets to a firm due to the difference in their personalities, demographics, professional standards, personal experiences, etc. The individual then adopts the risk mindset of the group which he/she joins then comes the enterprise-wide mindset. 

 

In order to address the gap between the stated targets of the organization and the behaviour by its employees, the Financial Stability Board (FSB) has specified four risk indicators:

 

1. Accountability: This aspect pertains to the accountability for key risks and the proper escalation processes.

2. Effective communication and challenge: This aspect gauges whether the opposing views are valued, the management is open to dissent and there is a stature associated with risk management.

3. Incentives: This aspect looks at the incentivizing scheme of the firm and to gauge their alignment with the risk culture of the firm.

4. Tone from the top of the organization: This aspect takes into consideration the communication of the senior management including the board and executive compensation, implication of the management’s actions on the risk message, communication of the fit between risk appetite and firm strategies and goals, etc.

 

FSB specified the four key indicators above in an attempt to reduce the risk posed by systemically important financial institutions. It is only one of the methods to score the risk culture. 

 

Other metrics that can be used to measure progress in the aspect of risk culture include risk appetite knowledge, risk literacy, risk information flows, risk/ reward decision, risk stature, whistle blowing, board risk priorities, action against risk offenders, etc. 

 

The dimensions mentioned above will vary across firms due to the fundamental differences in the business strategy adopted by the firm contingent on a myriad of factors including its size, its sector, stakeholders, etc. 

 

(Recommended blog: Commonly Used Technical Indicators)

 

Conclusion

 

Perhaps the biggest argument for ERM is that an enterprise-level perspective is the best way to prioritize risks and optimize risk management. A risk that looks small at the business line level can develop into a threat to the whole enterprise. This blog discussed the 5 dimensions of ERM, an organization needs to target efficiently in order to implement the ERM program effectively. 

 

(Read also: Data Science in Risk Management)

 

All firms put extensive measures for risk management in order to avoid circumstances that may put the financial health of the firm at risk. ERM is one of the best practices used by firms for this purpose since it recognizes any potential enterprise-wide threats at the appropriate time, avoids concentrations across the various domains, provides diversification opportunities and takes into account the various correlation effects.