ERM: Viewing Risk as Opportunity - Managing Risk, Presented by FM Global
Posted on: 16 March, 2015
Risk-based approaches to decision-making gain traction
By Russ Banham
With the instability of many financial firms from the current economic crisis, the spotlight is on risk management and whether or not these and other organizations are assessing strategic and operational risks in their zealous quest for growth. As the federal government imposes stiff rules for companies receiving taxpayer bailout dollars from the Troubled Asset Relief Program, the onus is on all organizations to conduct more systematic analyses of their risks and more comprehensive risk monitoring and management.
The word "risk" has become pejorative in the harsh light of the economic downturn, and yet taking calculated risks often separates the winners from the losers on the competitive battleground. In the last decade there has been a movement toward a methodology to better identify, assess and quantify strategic, financial and operational risks. It's called Enterprise Risk Management, or ERM for short. Most large public companies have implemented ERM, in some cases because government regulations, rating agencies or stock exchanges require it. Many others have executed the strategy simply because it makes tremendous sense.
ERM is an integrated framework for holistically managing every risk confronting the enterprise to achieve organizational objectives and minimize unexpected earnings volatility. It challenges organizations to view risk as an opportunity. Since companies must hold capital to absorb the risk of loss (hedging, absorbing or transferring the risk), there is less capital to invest in other profit-producing activities. In effect, ERM helps companies determine the right amount they should direct toward risk.
New Metrics for Valuation
Although the steps involved in an ERM process are essentially the same, each organization goes about implementation in different ways, depending on its strategic objectives, culture and operational structure. Nevertheless, says James Lam, who has written several books on the subject and is president of the eponymous ERM consultancy, James Lam Associates in Wellesley, MA, a solid ERM framework should have four key components: governance structure and policies, risk analytics, risk management strategies, and dashboard reporting and monitoring. "Every organization, no matter its size or industry sector, will need to take these components into account in putting forth their ERM strategy," Lam says.
Some organizations, having implemented ERM internally, now pass on their best practices to others. Zurich Financial Services is a case in point, having first adopted ERM and now assisting others to do the same by conveying risk insights and solutions.
Over five years ago, the property and casualty insurance company experienced significant improvement in capital consumption when it switched from an asset-based approach, in which a company's target capital calculation is measured against assets, to a risk-based approach that factors in actual risks to these assets. This risk-based solvency standard encourages Zurich to thoroughly investigate its own risk situation, and to take this into account in its capital calculation.
In switching to a risk-based approach, Zurich Financial Services engaged in a thorough review of its strategic, financial, market and operating risks.
The process yielded tremendous value; for example, the insurer discovered that its risk-based capital consumption could be reduced, freeing up this money to be better deployed in other profit-producing venues. Zurich's core business is insurance, not asset management or financial products, so today, more than 60 percent of Zurich's capital is allocated to insurance, as compared with 40 percent five years ago. "This was just one of the benefits of our ERM journey," says Linda Conrad, director of strategic business risk engineering at global insurer Zurich Financial Services.
The toughest leg in the ERM journey is the first step: a course of action in which risk overseers from across the enterprise come together to share the respective risks within their own spheres of influence. Zurich Financial Services opted for a top-down process it has since trademarked as Total Risk Profiling. It begins with an understanding of the company's strategic priorities emanating from the top of the pyramid; the C-level suite and board of directors established these objectives.
The next step is what Conrad calls a workshop-driven exercise, in which the primary risk managers in each business unit assemble to examine the strategic objectives, the operational solutions to achieve them and the risks these raise. "It is amazing what you find when you get people from different disciplines in a room together, with a range of different opinions about what they consider to be the Top 10 risks," Conrad says. "It increases the buy-in to mitigate the risks and come to a consensus about key risk drivers."
Once this consensus is reached, the risk drivers are aggregated and rolled up for C-level and board review, a bottom-up process that completes the circle. Senior management now has the ability to determine where best to allocate resources to achieve business objectives, fully cognizant of where the risks reside, their cost, and the mitigation strategies in place.
A Wide-Angle View
Risk identification is not a walk in the park. At Blue Cross and Blue Shield of Florida, the strategic risk identification process alone involved 35 people drawn from different parts of the organization. A review of operational risks, both top-down and bottom-up, was similarly thorough. "We conducted 60 process and subprocess interviews to identify operational risks in the company," says John Phelps, director of business risk solutions at the Jacksonville, FL-based health insurer.
Convergys, a Cincinnati-based relationship management services company with $2.8 billion in 2008 revenues, followed a similar path in erecting its ERM structure. In its case, business leaders across the organization were identified and asked, "What risks keep you up at night and how do they impede your ability to meet strategic and operational objectives?" The company's risk management department then prioritized the risks in terms of their probability and impact.
"We rank them insofar as their financial impact on the company and how they might affect our reputation," says Carol Fox, Convergys senior director of risk management. "We literally plot the risks to get a wide-angle view."
In this risk identification phase of ERM, Lam advises companies to consider events that may be "outside the bell curve," he says, such as a scenario that might affect customer demand. Such risks often do not hit the radar screen (they're not as obvious as a plant burning down or a severe increase in energy costs), yet they pose a significant impact on capital. Convergys went outside the bell curve and identified the impact of a risk it previously did not consider as significant: talent risk management, the retention, training and career paths of its 75,000 employees. After gleaning a better understanding of the exposures, its human resources group delivered a talent management strategy for review by senior management.
Talent management risks are becoming front-burner issues for many other companies in the current economic environment. Organizations have downsized to cut costs or pulled back on retirement benefits at a time when employees' 401(k) retirement plans are underwater. The ability to recruit and retain the best and the brightest has been impaired, and many employees, particularly older ones, are postponing their retirements. One way to manage this risk is to consider an employer-sponsored annuity for plan participants that makes a 401(k) plan act more like a traditional pension.
"The value for the employer is having employees with greater peace of mind, since the annuity will provide a regular stream of income over the course of their lives," says Mark Foley, a vice president in insurer Prudential's innovative simplicity unit.
Painting a Risk Profile
Insurance broker Aon counsels that simply identifying a risk does not constitute ERM. Companies must understand risks at granular levels of detail. "You need to know if there is sufficient information about the risk, will it be timely delivered to the right people to accept or avoid the risk, and then if the risk is accepted how it will be managed," explains Laurie Champion, director of enterprise risk management at Aon Global Risk Consulting.
Once a risk profile is painted, ERM calls for companies to quantify risks in several metrics, such as the potential frequency of an event occurring, the potential severity of financial loss if the event occurs, and whether or not one risk might actually offset another.
One can argue that the subprime mortgage fiasco was, at bottom, a failure of risk measurement. While providers of mortgage-backed securities may have had an understanding of their own commitments, they had failed to quantify the extended impact of a credit crisis involving other organizations on these commitments. Since subprime mortgages and risk-spreading mechanisms like mortgage-backed securities and credit default swaps involved an unprecedented degree of interrelationships, when one organization caught a cold others were soon infected.
"There was no intra-industry communication, no centralized understanding, of what was happening in a broader economic sense, relative to some pretty garden-variety risks," says Mat Allen, enterprise risk services and solutions practice leader at insurance broker Marsh.
Such lessons are not Wall Street's alone, of course. Indeed, the subprime debacle trickled down to cause problems for all companies that failed to assess how the risk of a housing downturn or credit crunch might affect their own businesses.
After a company has identified and measured strategic and operational exposures, a consistent strategy for managing and monitoring the risks is required. Technology, particularly dashboard-type business intelligence reporting (an early warning system alerting the organization when a potential crisis may be at hand), will assist this risk governance obligation. Like all technology, the system is only as good as the data within and the processes created to report this data.
Many organizations have given the responsibility for monitoring enterprise risk to a Chief Risk Officer (CRO) or another high-level executive like a CFO. This is a reaction to the previous silo-based approach to risk, in which insurance risk managers address hazard and liability risks, internal audit manages financial reporting risks, business units handle project risks, treasury deals with foreign-exchange risks and so on.
"Once a risk is accepted, it must be monitored through the organization with a consistent approach and central view," Champion says. "Whether this is a CRO or someone else depends on the culture of the organization and the structure of the leadership team. What matters is that someone is responsible for risk on a centralized basis."
Russ Banham is a veteran business journalist. His articles have appeared in Forbes, The Economist, CFO, Time and U.S. News & World Report. Banham is the author of 15 books, including The Ford Century.