Enterprise Risk Management: Pulling It Together

Article excerpt

The concept of risk management has changed dramatically over the past several years. A number of buzzwords such as "enterprise," "holistic," "strategic" and "integrated" have emerged to describe a philosophy for quantifying and managing the full spectrum of threats to an organization's earnings, cash flows and operations.

Despite agreement from organizational disciplines as varied as auditing, finance and strategy that enterprise risk management is a valuable tool, there has been little practical guidance on how to institute this process.

But before we look at implementation, it is important to define exactly what we're talking about: enterprise risk management (ERM) is the consistent application of techniques to manage the uncertainties surrounding the achievement of an organization's objectives.

There are some key terms in this definition:

Consistent application: The ERM approach demands consistency in the assessment of risks within the context of the organization's risk-taking philosophy. Traditional "silo" approaches to risk management, in which individual exposures are handled separately, are characterized by inconsistency. For example, the depth of assessment and mitigation for property/casualty risks typically differs widely from the evaluation of entry into a new market or the introduction of a new product. The result is a mixture of mitigation strategies ranging from the deeply conservative to the dangerously aggressive.

Uncertainties: All potential threats to the achievement of the organization's objectives are considered sources of uncertainty. A key proposition of enterprise risk management is risk diversification so that the variability of the organization's combined exposure portfolio is less than the sum of the individual exposures. Unfortunately, the silo approach has hindered understanding of the diversification of risks within organizations, resulting in the overuse of external risk transfer mechanisms to protect individual silos.

Achievement of objectives: Enterprise risk management supports the organization's strategy by ensuring greater certainty in the achievement of its stated objectives. ERM is also linked to financial plans by incorporating a more accurate assessment, in economic terms, of the risks inherent in the corporate strategy.

Enterprise risk management can be viewed as a defensive measure that helps to reduce uncertainties or prevent unwelcome outcomes. Some highly publicized corporate disasters (e.g., BCCI, Barings, Maxwell, Perrier and Kidder Peabody) have led many senior managers to take a closer look at their risk exposures. In addition, enhanced corporate governance guidelines, such as those of the Committee of Sponsoring Organizations of the Treadway Commission in the United States, the Cadbury Commission in the United Kingdom and Dey in Canada, have promoted a broad enterprise approach to managing risk. Many companies are now required to make public statements on the uncertainties in their business as well as the processes in place to manage them.

Enterprise risk management can also be used as an offensive tool focused on maximizing shareholder value. The capital asset pricing model [cost of equity = risk-free rate + beta × risk premium, where the risk premium is the historical difference between the market rate of return and the risk-free return] and the dividend discount model [price = earnings per share / (cost of equity - growth rate)] establish an inverse relationship between a company's price/earnings ratio and risk. With a slowdown in earnings growth, successful risk management (to reduce volatility in future earnings streams) is seen as a way to meet continued pressure from investors for improved shareholder value.

It is easy to agree with the theories behind enterprise risk management. Intuitively, the idea of adding value by reducing the level of uncertainty surrounding target rates of return makes sense. Practical implementation, however, is not as easy because enterprise risk management is a complicated undertaking. …