The Evolution of Enterprise Risk Management

The Evolution of Enterprise Risk Management

The philosophy of enterprise risk management addresses issues that we, as a profession, have always dealt with. Its evolution prescribes a new organizing concept in creating value for an entity.

By Robert Wolf

About a decade ago, the now popular study performed by Mercer Management Consulting firm cited the primary causes of significant stock price failures amongst the Fortune 1000 Companies in the booming '90s as events more descriptive under strategic and operational failures than events traditionally categorized as hazardous and financial. Ninety percent of the cases were categorized under causes that represented strategic and operational failures as the primary reasons for the stock drops. In almost every instance, the study cited multiple reasons for each of the individual stock collapses. In addition, in virtually every instance, the reason for the stock decline was categorized as a market reaction to a series of unanticipated and correlated events that generated non-fortuitous domino effects–bringing down the value of the firm.

Traditional risk management has viewed risk as a series of single elements, or silos. Each risk stood alone and was not related to the others. Optimizing risk management individually in each of the business units of a company meant optimizing risk management in the company overall.

Traditional hazard/casualty risk management strategies were essentially comprised of buying insurance that was inexpensive enough so that retained risk could be managed for as little cost as possible internally. In other words, the typical marching orders for a risk manager at a company were, in essence, "Here is your budget. Buy the cheapest insurance possible. Keep what you save. Use it to manage what risk you retain. And, by the way, don't let anything bad happen." Optimizing traditional risk management, in essence, meant keeping within risk management's expense budget.

Figure 1

Commodity price and interest rate fluctuation risks were hedged with trading instruments that were deemed, until recently, the holy grail of hedging strategies for financial risks.

Other risks facing a company, which stem from strategic and operational failures, that made up the aforementioned 90 percent of the stock failures in the '90s, and reflect the risks that could not be traditionally transferred or traded away, were delegated to those managing the operations of the firm.

The Mercer study, in addition to discussions and papers written in various industry forums, prompted discussion of whether stock price risk within a firm could be managed within a typical risk management strategy. Can the traditional risk management toolkit address unanticipated/correlated events that have the potential to destroy shareholder value at individual companies?

By implication of the study, one can suggest that since virtually all such failures result from multiple correlated causes, only an integrated approach to risk management could recognize and mitigate against such events. Herein lies the impetus of the current wave of interest in enterprise risk management (ERM).

It is worth noting that none of the failures in the Mercer study were caused by such hazard risks as lawsuits or natural or man-made disasters. The use of insurance to hedge such risks has worked in the past for many years and continues to work today as an effective risk management tool. Insurance has naturally been a venue that the actuarial profession has served well in the past, and is expected to continue to do so today and in the future.

It is also worth noting that a handful of the individual stock failures from the Mercer study were due to risks typically financial in nature (6 percent), such as foreign macroeconomic issues, high input commodity prices and interest rate fluctuations. These types of risks, at least in the 1990s, were deemed to be appropriately managed by tools that have been generally accepted as effective instruments (e.g., derivatives, futures, etc.).

Financial risk management continues today as it was then–a growing venue and opportunity for our profession as actuaries continue to manage risk through the use of financial hedging instruments. It is also a ripe opportunity for our profession to address the increasing fallout in credibility of traditional financial models and instruments in use today. At the same time, we also need to address the increasing need for improved tools and strategies to gauge the correlation of financial events that have dominoed into a series of correlated outcomes and recently crippled the financial and credit markets.

The Evolving View of Risk Management truly represents the motivational evolution within business communities. This motivational evolution has transcended the traditional goals of reducing costs and reducing/avoiding/transferring risk to the more contemporary vision of maximizing revenue at reasonable risk to add value, the essence statement of an ERM framework. From the realization that silo-based risk management has its flaws, the emergence of new and larger risks (e-commerce, man-made and natural catastrophes, Enron-esque risk), the steady consolidation of insurance and financial institutions and the increased pressures on management accountability and corporate governance, the ERM evolution continues to affect us today with opportunities for our profession to make a difference.

More comprehensive than the Committee of Sponsoring Organizations of the Treadway Commission (COSO) framework, the ERM definition developed by the Casualty Actuarial Society and adopted by the Society of Actuaries–"the discipline by which an organization in any industry assesses, controls, exploits, finances and monitors risk from all sources for the purpose of increasing the organization's short- and long-term value to its stakeholders"–suggests a dual role of managing both the risk and the returns of a company. In essence, true ERM could really be coined enterprise risk and return management. Several insurance companies, such as Allstate, are already using this terminology in their ERM framework.

At the end of the day, ERM does not encompass any new concepts. The philosophy of ERM addresses issues that we, as a profession, have always dealt with. Its evolution prescribes a new organizing concept in creating value for an entity. How ERM adds value is in its conceptual framework of optimizing strategies based on the characteristics and tools involving the laws of probability and statistics with regards to diversification and correlation.

Traditional risk management, arguably, has long been based on diversification benefits. Even today, some financial theorists argue that a company employing an ERM strategy does not add value to the firm as risk management strategies are more efficiently carried out by investors outside the firm in diversifying their respective investment portfolios. In addition to the argument that other stakeholders also matter, I follow the counter-argument that unique risk (unique to the operations of the firm) is best handled within a firm's operations and that optimizing risk and return strategies and business plans have always been (and always should be) the foundation of a firm's strategies to maximize enterprise value.

Implementation of enterprise risk management has its challenges, some unique within various industry venues. ERM is truly in different stages by industry and even in our profession's respective specialties. These will be addressed in upcoming issues in this series where we discuss the evolution of enterprise risk management and the various stages in our profession's specialty sectors: namely life insurance, general insurance (property/casualty), health insurance, other financial institutions and non-financial corporations.

However, in my experience with companies delving into an ERM-based culture, there are three general challenges that pervade all industries and sectors. I consider these challenges our profession's opportunity to make a difference in the sectors we currently serve and the ones we will serve in the future. They are as follows:

Out of Sight, Out of Mind

In general, individuals, let alone companies, are extremely negligent in dealing with things that have either just happened or have not happened recently.

We tend to optimize our strategies on risks after things (we tried to avoid) have just occurred. As a baseball coach for my son's 12-year-old travel team, many times I have caught myself positioning my outfielders in positions precisely where the last ball was hit–with the brilliant foresight that on the first pitch to the next batter the ball will be hit to that same precise location.

Most of us thought of 9/11 a lot on 9/12, 9/13 and for the subsequent years thereafter. But how many of us thought of it today? How many of us think about possible and unimaginable risk events for tomorrow? On 9/10, how many of us contemplated the possibility of 9/11?

Extreme event and catastrophe models have evolved in recent decades to provide a sense of loss magnitude when extreme events, such as pandemics and natural or man-made catastrophes, occur. Instead of focusing on whether these events are one in 100, one in 50 or one in five years (we just don't know), our focus as a profession is to devise strategies of how to recover, whenever they may occur.

How much can we afford to lose? How can we split the damage? How much time do we have to recover? What hedging and risk management strategies do we need in place to recover? In other words, the opportunity for our profession to make a difference is to focus on recovery, rather than catastrophe.

Models that Do Assume Deviation and then Reversion to Normality

As practitioners, we tend to place full reliance on models that perform well under normal conditions. But in reality, are situations ever normal? Our opportunity as a profession is to look beyond the models that assume conditions revert back to the mean, that abnormal events are abnormal, that markets are continuously efficient, and that human behavior follows precise mathematical and well-defined distributional formulas, even as dominoes fall. This aspect is evident in today's financial times.

Budgets and Incentive Compensation

The greatest challenge I have seen in developing an ERM culture within a firm is in typical budget mentality and incentive compensation. Budgets drive corporate behavior. Incentive compensation drives goals and targets.

The opportunity for our profession in the ERM discipline is to devise effective means to promote the ERM culture in firms via incentives. James Lam, in his book Enterprise Risk Management: From Incentives to Controls, states that a great portion of the ERM discipline is in managing the behavior and results of its people.

Incentive compensation plans that are earnings- and growth-based, solely due to targets within a manager's strategic business unit, focus the manager on just his or her business unit's results with less consideration to other business units and the company as a whole. Depending on the specifics of the incentive compensation plan, the manager may be motivated to take on more risk than is rewarded by the returns.

On the other hand, incentive compensation plans should not be entire company goal-based, because, in general, companies benefit from innovation and ingenuity within the strategic business units. Such incentives should be in place to encourage originality and creativity within the units.

Where is the balance between rewarding/punishing an integrated result and promoting an entrepreneurial innovation? Maintaining a true holistic view of risk across silos requires taking a true holistic view of management behavior incentives in achieving the goals of the firm. Once again, the ongoing theme of managing returns with the risks and managing the risks with the returns is prevalent. It is this very essence that defines the evolution from traditional risk management to enterprise risk management.

As risk management has evolved, so too has the very nature of our profession. The actuarial profession has evolved, and continues to evolve, from traditional risk management to enterprise risk management.

The actuarial profession has outgrown the traditional risk management concept of being risk "costers" or "provisioners." The actuarial profession used to primarily address how many people will die, get sick, get in accidents, get sued, have property damage, etc. The days of solely communicating, "We need to charge this amount to cover the expected costs (costing)," and/or "We need to set aside so many dollars so that we have enough in the bank later to pay claims/benefits (reserving)," are gone.

In the ERM evolution, we address the profession's tagline, Actuaries: Risk is Opportunity.® We are speaking about risk/return strategies. We are recommending how much capital to hold to support the risks underwritten at insurance companies. We are advising on competitive prices (pricing, not costing). We are hedging long-term inflation risk with the investing of stock portfolios. We are hedging life insurance products with variable annuity products.

On a macro basis, we are at the table discussing new ways to retire. We are discussing the health care crises. We are discussing the availability and affordability issues in property insurance. We are discussing strategic and operational risks.

In subsequent issues, we will begin exploring opportunities to make a difference, starting with, but not limited to, the individual backyards that we serve today and have the opportunity to do so in the future in specific specialties.

Robert Wolf, FCAS, MAAA, is a staff actuary for the Society of Actuaries.