Uncertainty abounds in today's economy. Every organization is in the business of risk management to some extent. It is impossible to "create a business that doesn't take risks." (1) Thomas Stewart aptly summarizes the implication of risk in business: "Risk--let's get this straight upfront--is good. The point of risk management isn't to eliminate it; that would eliminate reward. The point is to manage it--that is, to choose where to place bets, where to hedge bets, and where to avoid betting altogether." (2)
Historically, risk management in even the most successful business tended to occur in silos--the insurance risk, the technological risk, the financial risk, the operational risk, the environmental risk--all managed independently in separate compartments or departments. Coordination of risk management was usually nonexistent, and the identification of new risks was sluggish. (3) As a business continually changes, so do the risks. In today's business environment, stakeholders increasingly want companies to identify and manage their business risks.
The mismanagement of risk can carry an enormous price. The business community has witnessed a number of risk debacles in recent years that resulted in considerable financial loss, decreased shareholder value, damaged company reputations, the dismissal of senior management, and, in some cases, the destruction of the business. Consider the impact of companies selling defective products or unnecessary services, coupled in some cases with severe mishandling of the product recall or service problem; environmental disasters and inadequate attention to the resulting crisis; rogue traders lacking oversight and inadequate controls assuming enormous risks; organizations trading in complex derivative instruments without understanding the risks involved; mergers destroying shareholder value; insurance salespeople churning customers' accounts; sexual harassment of employees; and racial slurs by management and discrimination against employees.
This risk environment, in which a debacle can have major and far-reaching consequences, requires that senior management adopt enterprise risk management (ERM). The value of ERM is that it makes managers and employees at all levels sensitive to and concerned about risk management. Table 1 identifies three key aspects of ERM that are distinct from traditional risk management.
ERM is also referred to as integrated, strategic business-wide risk management. Here we use these risk terms interchangeably. In general, the term "risk" includes any event or action that will adversely affect an organization's ability to achieve its business objectives and execute its strategies successfully. The scope of risk covers all events, internal and external, that may prevent an organization from achieving its objectives. Adding the word "management" to integrated, business, or enterprise-wide risk implies a "structured and disciplined approach" that "aligns strategy, processes, people, technology, and knowledge with the purpose of evaluating and managing uncertainties that the enterprise faces as it creates value." (4)
The business climate in the United Arab Emirates (UAE) in general--and Dubai in particular--is similar to that in other countries globally. The UAE is a federation of seven emirates that includes Abu Dhabi and Dubai. Abu Dhabi has exploited its comparative advantage in large-scale capital and energy-intensive downstream industries such as petrochemical and fertilizers. In light of its depleting oil resources, Dubai has pursued an outward-oriented strategy of openness to trade, trade facilitation, and a favorable business environment that has enhanced diversification by stimulating trade and trade-related services. The diversification of the economy also has been driven by the rapid expansion of the services sector in the areas of tourism, finance, transport, and communication. The prudent management of oil wealth, trade openness, and an efficiently functioning business environment supports a higher intensity of trade integration and diversification in Dubai relative to other neighboring countries in the Middle East. Dubai plays a key role as the country's commercial capital. At the same time, businesses in Dubai are exposed to the various risks inherent in rapidly growing economies.
This article evaluates the current status of ERM in the business organizations in Dubai by specifically focusing on several key questions concerning businesses there. We surveyed business executives in Dubai to find answers to these questions: What types of risks are crucial for these businesses? How important is ERM for them? How do the companies identify and measure risk? What tools and processes are in existence for ERM, and are they adequate? How are various risks categorized by the businesses? What steps could be followed to improve implementation of ERM in Dubai?
We will begin with a discussion of the methodology and survey results. Based on the survey results, we suggest an appropriate step-by-step ERM process for Dubai businesses to follow. We then finish with an examination of the limitations and various conclusions that can be drawn from the results.
METHODOLOGY AND STUDY RESULTS
The survey was conducted by the senior graduating BBA Finance and Banking students registered in Insurance and Risk Management in February-March 2006 at the College of Business Administration-University of Dubai. Responses were received from managers and executives from more than 100 businesses in Dubai, UAE. Of these, 92 responses contained complete information and were usable. The survey comprised a structured questionnaire that covered the five components of the Enterprise Risk Management--Integrated Framework of the Committee of Sponsoring Organizations of the Treadway Commission (COSO): control environment, risk assessment, control activities, information and communication, and monitoring. In addition to a preliminary analysis, logit model techniques were used to identify statistically significant factors that can explain the various questions in this study.
BUSINESS ENVIRONMENT OF SAMPLE DUBAI FIRMS
For the purpose of clarity, we grouped the respondents into three overall categories: banks, nonbanking finance companies (NBFC), and miscellaneous (MISC). Figure 1 shows the distribution of respondents across the three categories. The biggest category is banks, which represents 51% of the total group. Bank respondents come from 20 domestic and six foreign banks. The NBFC category (23%) breaks down into finance (5% of total), Islamic finance (5%), and insurance (13%) companies. Ten of the insurance companies were domestic, and two were foreign. Respondents in MISC (26%) came from domestic hotels (5% of total) and service (8%), trading (10%), and manufacturing (3%) businesses.
STATUS OF RISK MANAGEMENT IN DUBAI BUSINESSES
The survey asked a set of questions to analyze the status of ERM in Dubai. The first questions asked respondents about the types of risk their businesses experience. Results show that businesses in Dubai are like many other businesses elsewhere in that they experience varying degree of financial, operational, and market risks in their business operations.
Bank managers and executives responded that they experienced credit, operational, interest rate, market, financial, liquidity, currency, money laundering, and country risks in their businesses. Their responses are shown in Table 2.
Table 3 shows the responses from NBFC. Respondents from insurance companies reported mortality, catastrophe, and liquidity risks. As long-term financial institutions, most insurance companies are expected to have maturity risk in their assets and liabilities. Surprisingly, this risk was not mentioned by the sample of Dubai insurers. Respondents from finance and Islamic finance companies experienced liquidity, market, credit, operational, interest rates, and currency risks in their businesses.
Table 4 shows the response from MISC categories of businesses. Managers and executives of businesses in the MISC category mentioned listed operational, credit, marketing, and financial risks in their businesses.
The next question asked how companies identified risk. The responses were not uniform across the three categories. While 82% of insurers reported that they used risk checklists to identify risks, only 59% of banks used this method. Further, a majority of the banks used credit score models and financial statements to systematically identify risks. The identification of risks in finance and Islamic finance businesses was not systematic, and these managers and executives were not aware of the tools that could be used to systematically identify various types of risks.
Next, participants were asked how they measured risks. While 74% of bank respondents reported that they used credit scoring models and financial statements, and 91% of insurers said that they used case presentation, debriefings to assess the risks, and statistical tools, 96% of the MISC category responded that they relied on past experiences to informally measure risk.
The methods of communicating risks also varied. Eighty-seven percent of respondents in banks reported that they use e-mails and circulars to communicate with their staff regarding risks; 82% of managers and executives from NBFC reported using periodical meetings in addition to seminars and circulars; and 97% of respondents from the MISC business category reported that they used frequent group meetings.
In regard to the magnitude of importance of ERM to their businesses, 84% of the banks, 91% of NBFC, and 73% of MISC respondents felt that ERM was important.
Potential for ERM to address the top business issues
Figure 2 shows the distribution of sample responses on a scale of 0% (lowest) to 100% (highest) regarding the extent to which ERM has the potential to address various priority risk issues. Bank respondents reported that the extent of potential was greatest (78%) for ERM to address business issues such as capital management and asset liability management (ALM). The key issues where ERM had the greatest potential (83%-89%) for NBFCs were earnings, capital management, revenue, and return on capital (ROC). Earnings and revenues (73%-75%) were the top business issues where ERM had a greater potential for use in MISC companies. Thus, the potential of ERM varied for each type of business. Although not reported here, logit model results indicate that the likelihood of ERM to address key business issues is significantly higher in banks compared to the NBFC and MISC categories. Further, ERM's importance is likely to increase significantly as business issues such as revenue growth and mergers and acquisitions gain momentum across the three categories of business.
Are there barriers to ERM in Dubai?
While executives of banks and NBFC see the potential value of using ERM strategically to help them build value, they also report significant frustration and dissatisfaction with the current state of ERM in their businesses. Figure 3 shows the distribution of responses regarding the type of ERM barriers.
In particular, executives in banks and NBFC cite several barriers in their path to ERM. Those cited most often (60%-63%) by bank executives are process, skills, tools, culture, cost, and organizational structure. Time availability, intellectual capital, and technology are relatively lower barriers in banks.
The biggest barriers (60%-70%) for NBFC respondents are culture, time availability, cost, process, organizational structure, and tools. Skills, intellectual capital, and technology are relatively lower barriers in NBFC.
In the MISC category, the major ERM barriers (61%67%) are culture, time, and cost. Thus, the businesses encountered multiple barriers, and the degree of these barriers varied across the types of businesses.
Are the current tools adequate to assess, measure, and mitigate financial risks?
The satisfaction with and concern about tools were especially clear for tools intended to assess, measure, and mitigate financial skills (see Figure 4). Seventy-five percent of bank respondents are satisfied with the tools for assessing, measuring, and mitigating liquidity risks; 66% to 69% of the respondents are satisfied with the tools for capital management, managing credit, interest rate, and capital risks; and 61%-64% of the respondents are satisfied with the tools for managing currency, market, and reinvestment risks.
Compared to banks, NBFC respondents reported a higher level of satisfaction with the tools to assess, measure, and control financial risks: 76% to 80% were satisfied with the tools for managing market, reinvestment, liquidity, currency, and capital risks, while only 65% were satisfied with the tools to manage interest rate risks. On the other hand, respondents in the MISC category consistently reported a lower level of satisfaction with the current tools to manage all types of financial risks.
Logit model results significantly indicate that the current tools are adequate for assessing, measuring, and mitigating credit risks, interest rate risks, and reinvestment risks across the three categories of businesses, but they are inadequate for managing liquidity risks.
Are the current tools adequate to assess and control operational risks?
Figure 5 shows the level of satisfaction that respondents in the three categories have with the ability of current tools to assess and control operational risks.
The level of satisfaction of bank respondents ranged from 61%-69% in regard to the ability of the current tools to control and assess all the operational risks that included reputation/rating, technology, intellectual capital, distribution channel, political and regulatory, expense, product, and catastrophe. As with some of the financial risks, NBFC respondents consistently reported higher levels of satisfaction (about 69%-78%) in using current tools to manage these operational risks. Respondents in the MISC category, however, reported a mixed level of satisfaction when compared to banks and NBFC. While they reported higher levels of satisfaction (68%-73%) with the current tools to manage reputation, technology, product, and expense risks, they were less satisfied (43%-56%) with the tools that assess, measure, and mitigate operational risks such as distributional channels, regulatory, and catastrophe risks.
Table 5 shows the mapping of financial and operational risks of the Dubai sample businesses. As seen in Panel A, all the risks identified by bank respondents are categorized as moderately severe, and the likelihood of occurrence is moderate. This substantiates the finding that the current tools banks use are moderately adequate to assess, mitigate, and transfer various kinds of risks.
Panel B maps the risks identified by the NBFC respondents. While the majority of the risk categorization is similar to that of banks, interest rate risk and liquidity risk (both financial risks) are of relatively high severity, and the likelihood of occurrence of these risks is moderate.
For the MISC companies, Panel C shows that financial risks such as liquidity and expense control are of relatively high severity, and their likelihood of occurrence is moderate. The likelihood of occurrence is low for the other financial risks--interest rate, reinvestment, and currency risks--and the operational risks--namely, product, reputation, regulation, technology, distributional channel, and intellectual capital risks--and the severity of these risks is moderate.
ACTION THROUGH RISK MODELING
In terms of risk management processes, survey respondents were dissatisfied most with their current ability to include operational risk in the determination of economic capital; model (qualitatively and quantitatively) the important operational and financial risks; optimize financial and operational risk management strategies in light of the organization's risk/return requirements; and accurately model the impact of risks and strategies on key performance indicators. This suggests the need for bringing more comprehensive awareness about ERM across all categories of businesses in Dubai, including banks. That is why we propose a systematic process that will help create awareness for businesses in Dubai on measuring, controlling, and mitigating various types of risks through a strategic approach. The process involves five strategic steps:
1. Differentiate the financial and operational risks
2. Classify and prioritize strategic and manageable risks
3. Model the risk
4. Assess the impact of risk on key performance indicators (KPI)
5. Manage ERM change
Step 1. Differentiate the financial and operational risks. For the most part, financial risks originate from outside the organization and are beyond a firm's direct control. These include macroeconomic risks, such as interest rates, exchange rates, and asset performance, as well as insurable risks, which include mortality and property/casualty claims. Financial risks are managed through building statistical model distributions representing each of the financial risks--and then mathematically combining the distributions.
Unlike financial risks, operational risks mostly arise due to factors that are internal to the organization. Operational risks are managed through changes in processes, technology, people, organizations, and culture--not through hedging in the financial markets. Managers need a risk modeling approach that provides them with information on how the operational risk would change if they were to implement alternative operational decisions. Operational risks can be loosely classified into event risks and business risks. Event risks refer to isolated occurrences that generate losses (such as technology failure, fraud, etc.). Business risks are created by business decisions (for example, changes in distribution strategy, launching a new product, etc.).
As with financial risks, we believe that structural (i.e., causal) models of operational risk are more robust. Structural and system methods simulate the dynamics of a specific business system by developing cause-and-effect relationships between all the variables of that business system. The methods, such as system dynamics simulation, fuzzy logic, and Bayesian belief networks, are examples of causal methods that best suit the unique requirements of operational risk modeling. Because risks are not correlated 100%, it is important to capture the diversification benefits of total risk. Business managers in Dubai can try some of the commercial simulation packages available, such as Risk Metric and Capsim, to educate themselves as well as their employees about the categories of risks, identification of risks, risk measurement and prioritization, and management techniques.
Step 2. Classify and prioritize strategic and manageable risks. Strategic risks are risks that can be addressed only through substantial expenditures and/or a change in strategic direction. Many financial risks fall into this category because of the substantial impact they pose. Strategic operational risks can arise, for example, when an organization enters unfamiliar business territory because there is a major acquisition, a new competitor emerges, or customers' buying preferences change.
Manageable risks, however, can be addressed with existing capabilities and without requiring substantial expenditures. These risks might include weak contingency planning in critical functions or employee dissatisfaction with opportunities for advancement. The proper response to manageable risks is to use existing organizational capabilities to mitigate them.
In prioritizing manageable and strategic risks, the objective is simply to organize risks into broader categories of importance, such as low, moderate, and high, for management review. It is important that there is general agreement on how the risks are categorized. Once risks are prioritized, they are allocated to each managerial level in consideration of their priority and scope (i.e., the highest-priority risks are reviewed by the board and senior management, the middle priority level by business unit managers, and the lowest priority level by operating staff).
The simplest way to accomplish this task is to establish a cross-functional team that reviews the information documented during the risk identification step and then assign a score to each risk on a Likert scale of 0-5. To establish a consistent scoring system, the cross-functional team needs to be briefed on management objectives, financial and operational performance metrics, and the risk attributes to be considered, such as likelihood, severity, timing, controllability, and correlation.
Step 3. Model the risk. Once they have been differentiated, classified, and prioritized, the risks need to be modeled by developing a probability distribution on outcomes that represent the uncertainty associated with a specific risk factor. A risk model of interest rates, for example, will generate a probability distribution of each point on the yield curve. Modeling the risk associated with the productivity of a distribution channel would generate a probability distribution of sales volume associated with that channel.
Step 4. Assess the impact of risk on KPI. After modeling strategic and manageable risks and integrating them with potential financial and operational strategies, the next step is to measure the impact of the strategies on the organization's key performance indicators (KPI) given the risk environment. Risks affect elements of the financial statements or their constituent variables by making their value uncertain. These variables are replaced by the probability distributions for the corresponding risks that are developed in Step 1. For example, the number of policies sold in a given period in an insurance company, the number and volume of new loans sanctioned in a bank, and the new products sold in a manufacturing company are examples of constituent variables in calculating revenue, a KPI. Risk of competition and economic environment makes the number of policies, loans, and products sold uncertain. Risk of competition can be modeled as a probability distribution to represent uncertainty associated with the number of policies, loans, and products sold in the financial model. In this manner, all strategic and manageable risks with their correlation are reflected in the business model, making this a stochastic business model.
The business model is then used to run simulations that generate alternative scenarios of financial performance in terms of KPI. Consequently, the output of this stochastic model is a probability distribution on key financial metrics such as net income, return on investment (ROI), return on equity (ROE), market share, and so forth. These metrics provide important insights as to what the impact of a particular risk would be on the business. The businesses, therefore, need to keep contingency resources in hand to proactively mitigate the severity of damages these risks may cause.
Step 5. Manage ERM change. Regardless of the precise ERM process undertaken, there are four "ERM change enablers" that must be in place for systematic implementation of ERM in the business organizations: leadership, communication, involvement, and measurement.
Leadership. Leadership credibility is essential to motivate employees to recognize the importance of ERM. The single most important factor in building and sustaining ERM change is the example set by the leaders who command respect, have complete ERM knowledge, and influence others.
Communication. When leaders communicate well and engage directly in the process, they have an enormous impact. The business organization should have a communication-rich culture in order to create lasting ERM change. Communication is the glue that holds an organization and its people together, and it creates real employee connection. The sporadic team meetings of the few employers and employees as reported in the present study are not adequate to stimulate the ERM change. In fact, effective multimedia and multidirectional ERM communication between an organization and its employees is critical in a fast-paced, high-performing ERM workplace. Creating an ERM environment where all the employees have the right ERM information helps to fully engage them in their ERM work.
Involvement. To change employees' thinking on ERM, management must first show the employees the advantages of ERM (or the negative consequences of failing to implement it). Employees also must be given the power to act, whether by expressing their point of view on ERM, giving feedback on new ERM systems, identifying obstacles to ERM change, and brainstorming and developing ERM solutions. In other words, employees need to be involved in the ERM process every step of the way in order to bring the ERM culture into the company. The interactive, self-selective nature of Internet technology can rapidly facilitate this kind of employee involvement.
Measurement. If managers do not have the right information from ERM processes, they cannot make appropriate decisions about the right course of ERM action. Businesses can customize an array of proven ERM tools, such as probabilistic scoring models, and establish a comprehensive KPI against which to determine appropriate ERM action. This action helps to gauge progress, make midcourse corrections, assess the effectiveness of various ERM interventions, and evaluate ROI in new ERM processes or programs.
Are the managements of businesses in Dubai prepared to follow and implement these steps? Only time will tell. Our experiences with various businesses in Dubai have not been too positive. We believe, however, that proactive steps by the businesses are urgently required. These businesses are experiencing strategic and operational problems such as decreasing margins, increasing competition from unconventional sources, demanding stakeholders, and too much capital pursuing too little business. All these risks lend themselves to ERM change as outlined in this article.
We evaluated the current status of ERM in business organizations in Dubai by specifically focusing on several questions: How important is ERM for Dubai businesses? What types of risks are crucial for these businesses? How are the risks identified and measured? What tools and processes are in existence for ERM in these businesses, and are they adequate? How are various risks categorized by the businesses? What steps could be followed to improve implementation of ERM in Dubai?
The study's main limitation is the relatively small number of sample observations used (92). It would have been interesting if more data points would have been available. For the same reason, the logit model could not be validated using the hold-out sample. To that extent, the findings of the study are specific to Dubai businesses and are not able to be generalized.
The findings indicate that businesses in Dubai are currently implementing some aspects of risk management, but more needs to be done through an integrated strategic ERM process. There is a need to create comprehensive awareness about ERM across all categories of businesses in Dubai. In line with that objective, we outlined a five-step systematic process to help businesses in Dubai make well-informed decisions. The process involves differentiating the financial and operational risks; classifying and prioritizing strategic and manageable risks; modeling the risk; assessing the impact of risk on KPI; and managing change through ERM leadership, communication, involvement, and measurement. By following this process, Dubai businesses will be able to better assess and control their risks, which will help them to continue to grow and succeed in the future.
Recent Trends in ERM and Literature Review
Enterprise risk management is a concept that has gained popularity over the last 15 years. Increased accountabilities and the recognition of a riskier business operating environment have led several professional organizations to address control and risk assessment. In addition, several of the major accounting firms have produced documents expounding on the value of ERM.
In 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued Internal Control--Integrated Framework. This trailblazing document departed from the traditional internal accounting control model by presenting a broad control framework of five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring. In 2004, COSO developed guidelines on the framework that would be readily usable by managements to evaluate and improve their organizations' ERM. (a) According to COSO, control is the responsibility of the board of directors, management, and other personnel within the organization--not just the accountants. Particularly relevant is the identification of risk assessment as a vital component of control.
According to Jack Shaw, corporate management of risks of various types has been handled in isolated "silos."b He reports that the problem in the silo approach is that it entirely misses two critical aspects of risk management from a corporate, or ERM, perspective: corporate risk appetite and the management of emergent risks. Shaw suggests seven steps to implementing an effective ERM program for any organization: Assemble and educate a cross-functional team representing each significant functional area of business, identify risks and opportunities, determine risk tolerance, identify correlations among risks and opportunities, prioritize risks and opportunities, determine appropriate actions for mitigating risks or exploiting opportunities as necessary, and put an ERM system in place to monitor and respond to events and trends on a continual basis. Shaw also suggests that it is very helpful to have a risk management consultant assisting the business in the ERM process.
The 2005 Financial Executive Report on Risk Management by Oversight Systems Inc. reports that despite the fact that ERM is one of the hot strategic business tools that companies are employing, many firms still have a long way to go toward proper execution. (c) In most of the businesses, the critical elements of risk management are not in place. Most of the financial executives in the Oversight Systems survey responded that they were best prepared to assess financial reporting risk and that they were planning to leverage what they found during Sarbanes-Oxley compliance into an ERM program.
According to Gary W. Adams and Mary Campbell, many CFOs are looking at ERM as a way to leverage their significant investment in compliance and convert it into a shareholder value strategy like cost containment or revenue enhancement strategies. (d) The authors suggest a capability maturity model (CMM) to help an organization assess the state of its own risk management. Using a CMM can help an organization determine its current ERM capability level and, more importantly, determine how much needs to be done to bring current capabilities to the next level. Whether the company is rolling out ERM across the organization or piloting it with a few business units, Adams and Campbell assert that the logical first step for either initiative is to conduct a formal risk assessment.
Laurie B. McWhorter, Michele Matherly, and Deseree M. Frizzell suggest a strategic performance measurement system (SPMS) to improve organizational performance, employee efficacy, and enhance the ERM system. (e) According to these researchers, SPMS and ERM have several similar characteristics. Both encourage a holistic view of the organization. Also, when using SPMS and ERM, it is important to establish a link to organizational strategy: SPMS links with the organizational strategy through performance measures, and ERM links with the organizational strategy through risk management. Finally, both SPMS and ERM educate employees about strategic objectives.
Because SPMS and ERM share these characteristics, the researchers evaluated whether using SPMS strengthens risk management. In their study, 62% of SPMS users (compared to only 36% of nonusers), believe their organization's risk management system is a valued function within their organization. Additionally, 63% of SPMS users say their organizations encourage individuals to communicate urgent risks through their risk management system.
Mark Beasley, Al Chen, Karen Nunez, and Lorraine Wright suggest linkages between balanced scorecards and ERM. (f) While balanced scorecards measure an organization's progress toward achieving strategic goals, ERM helps company leaders think through positive and negative factors that can affect the achievement of their goals. A core element of ERM is that risks and strategy are aligned and are integral to strategic planning and performance assessment. On the other hand, a generic balanced scorecard translates an organization's overall mission and strategy into specific and measurable operational and performance metrics across four perspectives: learning and growth for employees, internal business processes, customer satisfaction, and financial performance. These researchers demonstrate that ERM and balanced scorecard systems share many elements, including a focus on strategy, holistic perspective, emphasis on interrelationships, top-down emphasis, desire for consistency, and focus on accountabilities. Leveraging balanced scorecards into ERM actually strengthens the scope of management's focus on broader sets of risks. It broadens the scope by explicitly linking risk management to strategic performance measurement.
(a) COSO, Enterprise Risk Management--Integrated Framework, AICPA, New York, N.Y., September 2004.
(b) Jack Shaw, "Managing All of Your Enterprise's Risks," Risk Management, September 2005, pp. 2228.
(c) Oversight Systems, The 2005 Financial Executive Report on Risk Management, www.oversight systems.com/survey.
(d) Gary W. Adams and Mary Campbell, "Where Are You on the Journey to ERM?" Risk Management, September 2005, pp. 16-20.
(e) Laurie B. McWhorter, Michele Matherly, and Deseree M. Frizzell, "The Connection between Performance Measurement and Risk Management," Strategic Finance, February 2006, pp. 50-55.
(f) Mark Beasley, Al Chen, Karen Nunez, and Lorraine Wright, "Working Hand in Hand: Balanced Scorecards and Enterprise Risk Management," Strategic Finance, March 2006, pp. 49-55.
(1) Richard E.S. Boulton, Barry D. Libert, and Steve M. Samek, Cracking the Value Code: How Successful Businesses Are Creating Wealth in the New Economy, Harper Business, New York, 2000, p.181.
(2) Thomas A. Stewart, "Managing Risk in the 21st Century," Fortune, February 7, 2000, p. 202.
(3) Thomas L. Barton, William G. Shenkir, and Paul L. Walker, Making Enterprise Risk Management Pay Off, Financial Executives Research Foundation Inc., Financial Times/Prentice Hall, 2002.
(4) James W. DeLoach, Jr., and Nick Temple, Enterprise-wide Risk Management--Strategies for Linking Risk and Opportunity, Financial Times Briefings, London, U.K., 2000.
Ananth Rao, Ph.D., is associate professor and dean, College of Business Administration, University of Dubai. He can be reached at (971) 4-2072618 or email@example.com.
Attiea Marie, Ph.D., is associate professor and chair of the accounting department, College of Business Administration, University of Dubai. You can reach Attiea at firstname.lastname@example.org.
Table 1: KEY FEATURES OF ERM VS. TRADITIONAL RISK MANAGEMENT TRADITIONAL RISK MANAGEMENT (TRM) 1. Fragmented--department/function manages risk independently; accounting, treasurer, internal audit primarily concerned 2. Ad hoc--risk management done whenever managers believe the need for it exists 3. Narrowly focused--primarily insurable risk and financial risks ENTERPRISE RISK MANAGEMENT (ERM) 1. Integrated--risk management coordinated with senior- level oversight; everyone in the organization views risk management as part of his or her job 2. Continuous--risk management process is ongoing 3. Broadly focused--all business risks and opportunities considered Adapted from Economist Intelligence Unit, Managing Business Risks, June 1995, p. 2. Table 2: IMPORTANCE OF RISKS REPORTED BY BANKS PERCENTAGE THAT REPORTED CATEGORIES OF RISKS IMPORTANCE OF RISKS * Credit 23 Operational 15 Interest rate 11 Market 10 Financial 10 Liquidity 8 Currency 7 Money laundering 6 Country 5 * Total does not add up to 100% due to multiple responses. Table 3: IMPORTANCE OF RISKS REPORTED BY NBFC PERCENTAGE THAT REPORTED IMPORTANCE CATEGORIES OF RISKS OF RISKS * Insurance Companies Mortality & catastrophe 6 Liquidity 6 Credit 4 Interest 3 Market, FEX, technical, 1 operational & country Finance & Islamic Liquidity 4 Finance Companies Market 4 Credit 3 Operational 3 Interest rate 3 Currency & market 2 * Total does not add up to 100% due to multiple responses. Table 4: IMPORTANCE OF RISKS REPORTED BY MISC COMPANIES PERCENTAGE THAT REPORTED CATEGORIES OF RISKS IMPORTANCE OF RISKS * Operational 7 Credit 4 Marketing 3 Financial 2 * Total does not add up to 100% due to multiple responses. Table 5: RISK MAPS OF SAMPLE BUSINESSES IN DUBAI PANEL A: SEVERITY AND QUALITY OF FINANCIAL AND OPERATIONAL RISKS FOR BANKS Likelihood High Moderate Interest Rate, Credit, Reinvestment, Asset Value, Capital Management, Liquidity, Currency, Product, Reputation, Regulation, Expense Control, Technology, Distribution Channel, Intellectual Capital Low High Moderate Low PANEL B: SEVERITY AND QUALITY OF FINANCIAL AND OPERATIONAL RISKS FOR NBFC Likelihood High Moderate Interest Credit, Reinvestment, Asset Value, Rate, Capital Management, Currency, Liquidity Product, Reputation, Regulation, Expense Control, Technology, Distribution Channel, Intellectual Capital Low High Moderate Low PANEL C: SEVERITY AND QUALITY OF FINANCIAL AND OPERATIONAL RISKS FOR MISC Likelihood High Moderate Liquidity, Credit, Asset Value, Capital Expense Management, Currency Control Low Interest Rate, Reinvestment, Currency, Product, Reputation, Regulation Technology, Distribution Channel, Intellectual Capital High Moderate Low Figure 1: DISTRIBUTION OF RESPONDENTS MISC 26% NBFC 23% Banks 51% Figure 2: TO WHAT EXTENT WILL ERM ADDRESS THE FOLLOWING ISSUES? Business Priority Issues Asset Capital Liability Return on Revenue Management Management Earnings Capital Growth Banks 78 78 72 72 67 NBFC 86 79 89 83 85 MISC 67 64 73 64 75 Expenditure Control Competition Pricing M&A Banks 67 65 64 58 NBFC 69 74 69 58 MISC 62 59 58 43 Figure 3: TO WHAT EXTENT ARE THE FOLLOWING BARRIERS TO ERM? Barriers to ERM Process Skills Tools Culture Cost Banks 63 62 61 61 61 NBFC 64 57 60 70 66 MISC 51 37 37 67 63 Organizational Intellectual Turf Time Capital Technology Banks 60 58 57 55 NBFC 63 70 57 57 MISC 58 61 43 39 Figure 4: HOW SATISFIED ARE THE BUSINESSES WITH CURRENT TOOLS TO ASSESS, MITIGATE, AND CONTROL FINANCIAL RISKS? Financial Risks Capital Liquidity Management Credit Interest Rate Banks 75 69 68 66 NBFC 79 76 72 65 MISC 69 65 59 39 Market Value of Currency Assets Reinvestment Banks 64 63 61 NBFC 77 80 80 MISC 45 58 42 Figure 5: EXTENT OF SATISFACTION WITH CURRENT TOOLS TO ASSESS, MITIGATE, AND CONTROL OPERATIONAL RISKS Operational Risk Intellectual Distribution Reputation Technology Capital Channels Banks 69 68 67 66 NBFC 73 77 74 69 MISC 76 73 73 56 Political & Regulatory Expense Products Catastrophe Banks 66 66 64 61 NBFC 69 77 78 71 MISC 43 68 71 50…