Key Requirements for Enterprise-Wide Risk Management; Lessons Learned from the Global Financial Crisis

Article excerpt


Every organization should examine the effectiveness of its enterprise-wide risk management program to see what worked in the crisis and what needs to improve.

By James Lam

At the 2009 World Economic Forum in Davos, Switzerland, it was reported that the global financial crisis has destroyed 40-45% of world wealth. While there have been other severe recessions, this one stands out in an important way: Its impact is felt not only by every country and industry, but also by every company and individual.

Many failures contributed to this once-in-a-lifetime event, or "black swan": ill-conceived housing policies, lax regulatory oversight, complex structured products, inaccurate debt ratings, and undisciplined lenders and borrowers. At the core of the financial crisis, however, was a failure in risk management.

Corporate failures in risk management fall into two groups. The first is the "risk ignorant" companies that "didn't know what they didn't know." These companies outsourced risk analysis to the rating agencies or used faulty models and assumptions that didn't consider critical risks. The second group is the "risk incompetent" companies. These companies had better risk information, but they didn't make the right decisions because of corporate cultures and incentives that encouraged excessive risk.

Even companies that exercised prudent risk management got caught in the severe downdraft in the capital markets. For all companies, a key lesson to be learned from the current crisis is the need to manage highly interdependent risks on an enterprise-wide basis. This represents the latest chapter of lessons learned from financial crises over the past three decades.

After the Federal Reserve shifted from targeting rates to targeting reserves in October 1979, increased rate volatility focused attention on interest rate risk. The crisis in the less developed countries during the early 1980s highlighted credit risk, particularly in emerging markets. Rogue trader losses in the mid-1990s highlighted operational risk. On a global scale, the current crisis has demonstrated the critical interrelationships of all key risk factors:

* The strategic, market, credit, liquidity, operational, and reputational risks embedded in a company's business.

* The magnifying effects of leverage (and deleveraging) on these risk exposures.

* The systemic risks associated with linkages across global capital markets.


In the context of the financial crisis, every organization should examine the effectiveness of its enterprise-wide risk management (ERM) program to see what worked and what needs to improve. This article will discuss fundamental issues that an effective ERM program must address and offer potential solutions.

Key Issues for ERM

As shown in Figure 1, four fundamental issues are related to ERM:

* Governance structure and policies. Who is responsible for providing risk oversight and making critical risk management decisions?

* Risk assessment and quantification. How (ex-ante) will these risk management decisions be made in terms of analytical input?

* Risk management. What specific decisions will be made to optimize the risk-return profile of the company?

* Reporting and monitoring. How (ex-post) will the company monitor the performance of risk management decisions (that is, a feedback loop)?

These four issues may sound basic, but addressing them effectively can be a challenge for companies. Still, those that do will have a highly effective ERM process.

Governance Structure and Policies

Governance structure and policies address who is responsible for making risk management decisions (that is, individuals or committees) and the policies that provide incentives, requirements, and constraints (for example, risk limits) for the decision makers. …