What is Enterprise Risk Management (ERM)?

Enterprise Risk Management Defined.

Written by Max J. Rudolph, FSA, CFA, CERA, MAAA

As you start learning about enterprise risk management (ERM) and the benefits of holistic analysis, first on the list is to define risk. Only then do the returns have context. Experience plays a part in how risk is managed. Young managers learn about fundamental analysis and efficient markets. Those involved in trading during normal times but who have not lived through a major recession often focus on optimizing results. Only those with experience, who have lived through tough times like a depression, are able to let risk define the process. This group of master financiers often focuses on human biases explained using behavioral finance.

RISK DEFINED

Everyone has their own definition of risk, and they are not one and the same. In specific instances each is accurate. Risk counters certainty, the unknown against the known. There must also be exposure; I have no risk of freezing on the planet Mars because I am not located there.

Some early definitions looked at risk as uncertainty. A certain event contained no risk. This can be taken to the extreme, claiming that jumping into a volcano is not risky because there is no uncertainty. You will die. It’s too extreme a definition, but helps to frame the question.

Traders define risk as volatility, using metrics like standard deviation in their daily work. This works fine most of the time, especially in the middle of a statistical distribution that is “bell-shaped”. But when events are expected in the tails of the distribution, the Normal distribution tends to underestimate their occurrence (tails are fat). This is a two-sided view of risk, with potential positive as well as negative impacts.

Investment managers and the general public often consider risk to occur when goals are not met. This is sometimes also called downside risk, and considers only negative events. If a worker wants to retire at age 65 with $1,000,000 net worth, the risk is coming up short of that amount.

RISK MANAGEMENT

Once a broad definition of risk has been defined, specific risks can be managed independently, typically looking at silo risks, one at a time, much like silos of corn and soybeans might stand next to each other. Financial risks may use metrics like the Capital Asset Pricing Model (CAPM) or other tools based on volatility. Variants of return on investment (ROI) involve taking present values of contingent cash flows or accounting metrics are also used. Terms such as opportunity cost or benchmark are finance terms often incorporated here. Variance of net income is a typical metric.

Operational risks like safety can be quantified and also use mitigation methods to reduce the risk. Other risks like strategic and reputational risks are hard to measure quantitatively, and even if they weren’t who is willing to report a non-zero probability that their CEO’s vision is faulty?

ENTERPRISE RISK MANAGEMENT

Risk management has been effectively performed for centuries, but considering interactions between risks and risk aggregation needs to be added to the mix. Picture the silos we built in the risk management section, and add an umbrella over them to manage the group holistically.

Interactions between risks can often be managed quantitatively, considering correlations between risks or assuming they are independent. When various divisions manage the same risk, they need to be aggregated. This can occur when divisions are managed geographically, perhaps by state, region, country or continent. A division in one location may be diversified between risks, while another is concentrated on just one.

There are many benefits to being diversified, e.g., not all manufacturing plants will suffer a tornado or earthquake at the same time. These benefits can be managed for the company as a whole rather than optimized for each division.

Some risks offset each other with so-called negative correlations. For each positive event there is a corresponding negative event. Say there are two railroad routes between a pair of cities, and a cargo has to move from one to the other. Luckily, the firm owns them both and there are no other options. When only one line was owned the business was more volatile than it is now.

Correlations are rarely constant, so this is another variable to monitor and manage. When a tail event happens, financial markets often find that all correlations go to 1. This means that when things go bad there are no asset classes where you can hide, and little benefit to diversification.

RISK IN THE REAL WORLD

Defining risk and how to manage it in total is important to investors, banks, insurers, manufacturers and even the small business in your neighborhood. Each person or firm is unique, and the level of sophistication must be appropriate based on size and complexity. A tourist shop on an ocean beach can be comfortable using qualitative techniques that manage basic safety measures along with simple financial metrics. Larger firms may quantitatively measure many risks while qualitatively identifying new and evolving emerging risks that may appear in the future.

Learn more about Creighton University’s offerings in risk management. We also invite you to join our online Crisis Planning and Enterprise Communication Management course being offered this Summer, 2020.

This article was a contribution by Max J. Rudolph, FSA, CFA, CERA, MAAA. Max is recognized as a thought leader in the Enterprise Risk Management space, is a frequent speaker at seminars and universities, and is an award-winning author with a decade of monthly newsletters. Since 2006 he led an independent consulting practice, helping companies develop their ERM process with a focus on scenario planning. He provides an external view of cross-industry best practices that allows an honest assessment of current practices. Previously, he was employed by Mutual of Omaha as Vice President of Financial Risk Management. He is an adjunct professor for Creighton University’s Heider College of Business. Max has completed research covering ERM, emerging risks, low economic growth, interest rate volatility, pandemics, investments, systemic risk and climate change. He served on the Society of Actuaries Board of Governors along with volunteer activities including CFA Nebraska, the American Academy of Actuaries and the Actuarial Standards Board. He graduated from Michigan Technological University with Bachelor of Science degrees in Mathematics and Engineering Administration, is a credentialed actuary and CFA charter holder.