Enterprise Risk Management
It always comes back to risk appetite
Board involvement is critical and necessary
By Michael J. Moody, MBA, ARM
For a variety of reasons, enterprise risk management (ERM) has been gaining widespread acceptance within corporate America. Initially, its attraction was limited primarily to the financial service sector; however, its utilization has now gained a much broader audience. Unfortunately, some of the earliest roadblocks continue to slow implementation.
One of the initial difficulties had to do with which corporate function would have responsibility for the ERM program. Several corporate functions have come forward to claim ownership of the ERM initiative; however, it soon became apparent that ultimate ownership rests with the board of directors. Events over the past three or four years have confirmed that the board does in fact have final responsibility for both the actions and oversight of the ERM program.
An additional issue that has slowed progress is finding a methodology. At first, there was no influential methodology to follow; later on, selecting an appropriate one became problematic, because over the past five or six years at least half a dozen frameworks have been advanced from a wide variety of sources. Today, selecting the proper framework has turned into a difficult project in its own right.
Over and above these items, corporations have had a difficult time fully integrating an ERM program into their overall strategic management process. Many times it simply came down to an issue of what to do next. Regardless of the framework selected, most programs indicated that risk identification was one of the first steps in this process. For that reason, many of the advances that have resulted in more mature ERM programs have depended on the development of the risk identification aspect. Automated assistance in this area has allowed risk management to develop more sophisticated techniques such as risk maps and risk dashboards that can easily portray and prioritize various major risk categories.
Risk appetite basics
Without question, the risk identification step is extremely important; however, while many service organizations have been working on developing more sophisticated risk identification systems, another equally important aspect has received little to no attention, leaving a void in the development of a comprehensive ERM program. This missing aspect is understanding and articulating a corporation's risk appetite. The first problem one encounters is obtaining a clear definition of risk appetite, and to date a clear and consistent definition has proved quite elusive.
In many respects, risk appetite is a paradox. On one level, it is a deceptively simple concept. At its core it is easy to understand—no risk, no reward. It's only when you look at risk, beyond the old insurance axiom of avoiding risk at all costs, that things start to get interesting.
Another key factor is the determination of risk tolerance, which is subtly different from risk appetite. It is the combination of these two that is an absolutely critical element to ERM success. These two components provide one of the cornerstones of ERM. Among several widespread definitions, these appear to be commonly accepted:
Risk appetite—“the amount and type of risk an organization is willing to accept in pursuit of its business objectives,” and
Risk tolerance—“the specific maximum risk that any organization will take in pursuit of its business objectives.”
What is it that makes these two simple statements so critical to a successful ERM strategy? First and foremost, every company must take risks in order to achieve its objectives. Given that, the next question then becomes how much risk should it take?
For the most part, the definition of risk under an ERM approach has advanced beyond the traditional insurance-related classification (i.e., operational and compliance risks). This traditional classification has been found to be too narrow and limits the scope of analysis. In fact, it may miss the mark altogether. A recent Booz & Co. study of 1,200 large companies over a five-year period found that more than 60% of the shareholder value lost during this period was attributable to strategic risk (i.e., the wrong market, or the wrong product). This is why moving to a holistic view of risk is needed in ERM.
A number of years ago, Mehr and Hedges wrote a classic risk management book titled Risk and Risk Management. In its day, this book was quite important and served as the text for many risk management classes, including the RIMS Associate in Risk Management designation. Over the years, it has provided significant insight and guidance for new risk managers. The authors provided two “rules of thumb” that dealt with risk appetite: (1) “Do not risk more than you can afford to lose,” and (2) “Do not risk a lot for a little.” And while these two “rules of thumb” have been expanded, condensed, modified and reconstructed, after all the dust has settled, they still provide the best summary of what risk appetite is all about.
So the process of determining risk appetite really comes down to a matter of size. It's about finding the balance between expected rewards and related risks. However, it should be noted that this is a very important task and must be completed by the board. While most risk managers now realize that oversight of the risk management program is the exclusive domain of the board, far fewer realize that determining an organization's risk appetite is also the exclusive domain of the board. It is the board's responsibility to determine the nature and extent of the significant risks the organization is willing to take in achieving its strategic objectives.
Some risk professionals have the mistaken belief that risk appetite is a single, fixed number. Actually, it is more of a “work in progress” and, as such, will by necessity have to change to reflect the adjustments in organizations' financial and exposure bases, as well as external economic conditions. Additionally, there may be significant discussion at the board level as to what the actual risk appetite should be. Discussions like this are necessary to gain consensus among board members so that they can maintain a clear view of the firm's capacity for taking risks. In the final analysis, if the directors are not clear about their company's risk appetite, it will be difficult, if not impossible, to properly oversee the ERM process.
ERM has come a long way; however, some aspects of the ERM process still vex those companies that are struggling to implement a mature program. One of the most critical aspects of any ERM program is the determination of the organization's risk appetite. Even more important is the recognition by the board that they must continually modify the risk appetite to keep pace with changes faced by the organization.
Development of a company's risk appetite is one of the most important issues that the board must face in mapping the company's future for management. It is clear that both risk appetite and risk tolerance are inextricably linked to overall performance over time. For this reason, the board's involvement is critical and, without its input, the risk appetite chosen will be something less than optimal. As a result, it should be one of the first things that the board determines and revisits on a regular basis. While there are still some differences of opinion regarding how best to determine an organization's risk appetite, it needs to be completed nonetheless. If the directors are not clear about their company's risk appetite, it will be impossible for them to oversee the organization's risk management program.