RIMS 2016 Handouts / ERM003 (transcript posted 08-Jul-2018)

Top 10 Key Attributes of an Enterprise Risk Management Program

ERM003

Speakers:

• Cindy Roelke, Director, Risk and Insurance, The Western Union Company

• David Young, Lecturer, University of Colorado, Denver

Learning Objectives

At the end of this session, you will:

• Describe the essential qualities of a successful ERM program

• Employ mechanisms that maintain key risk focus across all categories of risk

• Assemble arguments to convince your organization’s primary stakeholders of the benefits of ERM

Source Material

• FNCE 4129/6129 – Practical Enterprise Risk Management

• Risk Management & Insurance Program, Business School, University of Colorado Denver

• Currently seeking Mentors for Summer 2016 / Spring 2017 semesters

• Western Union Student ERM Project – Spring 2015

• Graduate Student Project on a publicly traded company

ERM 10 Key Criteria

1) Enterprise-wide scope – all areas in scope

2) All risk categories – financial, operational, strategic & hazard

3) Key risk focus – not hundreds of risks

4) Integrated Risks – captures interactivity of 2+ risks

5) Aggregated Risk – enterprise-level risk exposure/appetite

6) Includes decision-making – not just risk reporting

7) Risk-return Mgmt. – mitigation plus risk exploitation

8) Risk disclosures – integrates ERM information

9) Value impacts – includes company value metrics

10) Primary stakeholder – not rating agency-driven


Enterprise-wide Scope

• “Enterprise” is the first word in ERM, yet traditional ERM programs usually fall short of enterprise-wide scope, for five common reasons:

1) Insufficient C-Suite and Board of Director oversight

2) Deemed insignificant

3) Limiting approaches to ERM

4) Differing cultures

5) Incomplete implementation

• It’s not true ERM until all areas are in scope


Sample ERM Engagement Model

All Risk Categories

• The word “all”

• A significant step forward in the risk management field

• Must include all risk categories

• Financial (market, credit, liquidity, etc.)

• Strategic (strategy execution, competitor risk, emerging, etc.)

• Operational (human resources, technology, etc.)

• Hazard (mostly insurance related risk)


All Risk Categories (continued)

• Traditional ERM focuses mostly on financial risks

• Inability to quantify strategic and operational risks

• Myth regarding the importance of financial risks

• Studies debunk this

• Even true for financial services companies

• Partly due to poor risk categorization and definition

• Modeler bias

• Education, training and experience all in financial risk

• Methods work best for financial risk

• Risk of staying within the comfort zone: “searching under the streetlamp”

• Dangerous significant-digits violation: precision that outruns the data gives a false impression of completeness


New Category: Emerging Risk

Communicating Emerging Risk (visualization examples: Digitalattackmap.com, Informationisbeautiful.net)

Key Risk Focus

• Focus on the organization’s key risks

• An Excel spreadsheet with hundreds of risks is unmanageable

• Use a risk tolerance calculation to determine which risks are key

• Most likely these risks will be Strategic and Operational Risks

• Key Risk Focus allows for greater accountability

• Transparency and accountability are critical to ensure risk oversight

Sample Accountability Model

Integrated Risks

• Traditional risk management, and even most traditional ERM programs, have “silo” risk measurement, which is suboptimal

a) Incomplete

b) Inefficient

c) Internally inconsistent


Integrated Risks (continued)

a) Incomplete

• Ignores real-world complexity

• Having only one risk scenario happen at a given time is like every aspect of your business going perfectly, except one

• Ignores biggest threats

• Ignores offsetting risks

• Two risk events occurring “simultaneously” (during same time period, e.g., one year), one downside and one upside

• Other possibilities?


Integrated Risks (continued)

• One example of two downside risk events occurring within the same calendar year that partially offset each other:

• First event: Competitor steals away half of the company’s business in Russia

• Second event: Russia passes regulations that increase variable costs (costs as a percentage of revenues) on U.S. businesses operating in Russia

• Measured in silos, the two impacts are simply added; measured together, the cost increase applies only to the revenue that remains after the first event, so the combined impact is smaller than the sum of the two
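The Russia scenario above, worked as an added example (not from the handout or from Western Union): a small model of one business unit's contribution margin, with constructed figures that are all assumptions (revenue 100, variable costs at 60% of revenue, the competitor taking half the revenue, the regulation adding 10 points to the variable-cost ratio), comparing the silo view (each impact measured alone, then added) with the integrated view (both events applied to the same year). It also runs the one-upside-one-downside pairing the slides ask about, using an assumed product launch that lifts revenue 20%.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BusinessUnit:
    """One year of a business unit; figures are constructed (assumption)."""
    revenue: float
    variable_cost_ratio: float  # variable costs as a fraction of revenue

    def margin(self) -> float:
        """Contribution margin: revenue less variable costs."""
        return self.revenue * (1.0 - self.variable_cost_ratio)


@dataclass(frozen=True)
class RiskEvent:
    """A risk event scales revenue (multiplier) and/or shifts the
    variable-cost ratio (additive). Upside events use a multiplier > 1."""
    name: str
    revenue_multiplier: float = 1.0
    cost_ratio_shift: float = 0.0

    def apply(self, unit: BusinessUnit) -> BusinessUnit:
        return BusinessUnit(
            revenue=unit.revenue * self.revenue_multiplier,
            variable_cost_ratio=unit.variable_cost_ratio + self.cost_ratio_shift,
        )


def scenario_impact(base: BusinessUnit, events) -> float:
    """Change in margin when all the given events hit in the same year."""
    unit = base
    for event in events:
        unit = event.apply(unit)
    return unit.margin() - base.margin()


def compare_views(base: BusinessUnit, events) -> dict:
    """Silo view: each event measured alone, impacts added up.
    Integrated view: events applied together. The difference is the
    interaction the silo view cannot see (positive = offsetting)."""
    silo = sum(scenario_impact(base, [e]) for e in events)
    integrated = scenario_impact(base, events)
    return {
        "silo_sum": round(silo, 6),
        "integrated": round(integrated, 6),
        "interaction": round(integrated - silo, 6),
    }


# Constructed inputs (assumptions): a Russian unit with revenue 100 and
# variable costs at 60% of revenue; the two downside events from the slide,
# plus an assumed upside event for the "one downside, one upside" case.
RUSSIA = BusinessUnit(revenue=100.0, variable_cost_ratio=0.60)
COMPETITOR = RiskEvent("competitor takes half of Russian business", revenue_multiplier=0.5)
REGULATION = RiskEvent("Russian regulation adds 10 points to variable costs", cost_ratio_shift=0.10)
NEW_PRODUCT = RiskEvent("assumed product launch lifts Russian revenue 20%", revenue_multiplier=1.2)

if __name__ == "__main__":
    for pair in ([COMPETITOR, REGULATION], [NEW_PRODUCT, REGULATION]):
        print([e.name for e in pair], compare_views(RUSSIA, pair))
```

With these figures the two downside events cost 20 and 10 on their own (silo sum 30) but 25 together, because the higher cost ratio applies to half the revenue. The upside pairing goes the other way: the launch adds 8 alone and the regulation costs 10 alone (silo sum of -2), yet together the margin falls by 4, since the cost increase now applies to a larger revenue base. The silo view misses both interactions.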


Integrated Risks (continued)

b) Inefficient

• Over-paying

• Not buying (e.g., hedges) in bulk

• Under-communicating

• Not sharing best practices

c) Internally inconsistent

• Different projections of environment, market

• Different bets


Aggregated Risk

• Two Metrics

• Enterprise risk exposure (calculated)

• Risk appetite (defined by management; also called risk tolerance by S&P)

• Traditional ERM programs have neither, resulting in:

• Inability to do the primary job of ERM – managing enterprise risk exposure to within risk appetite

• Inability to follow the correct chronology:

1) Calculate enterprise risk exposure

2) Define risk appetite

3) Cascade down to risk limits

• Instead, local management judgment, instinct or old rules-of-thumb are used, causing two errors:

• Under-mitigating (potentially dangerous, if the risk event occurs)

• Over-mitigating (waste of resources, e.g., many insurable risks)
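An added example, not from the handout, of the chronology above: calculate enterprise risk exposure, compare it with a management-defined risk appetite, and test a mitigation decision against that appetite. The four key risks with their probabilities and losses, the appetite figure and the insurance quote are all constructed assumptions; the risks are treated as independent, and the exposure metric is the loss level that the year's total loss stays within at a chosen confidence, read off the exact loss distribution enumerated over every occur / not-occur combination.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class KeyRisk:
    """A key risk for one period (a year); figures are constructed (assumption):
    probability it occurs and the loss if it does, in the same units as appetite."""
    name: str
    probability: float
    loss: float


def loss_distribution(risks):
    """Exact distribution of total loss for independent risks: walk every
    occur / not-occur combination (2**n states) and add up probability by loss."""
    dist = {}
    for outcome in product((False, True), repeat=len(risks)):
        prob, loss = 1.0, 0.0
        for risk, occurs in zip(risks, outcome):
            prob *= risk.probability if occurs else 1.0 - risk.probability
            loss += risk.loss if occurs else 0.0
        dist[loss] = dist.get(loss, 0.0) + prob
    return dist


def exposure(risks, confidence):
    """Enterprise risk exposure: the smallest loss level that the period's total
    loss stays at or below with the given confidence (a percentile of the
    distribution, the same shape as a value-at-risk figure)."""
    dist = loss_distribution(risks)
    cumulative = 0.0
    for loss in sorted(dist):
        cumulative += dist[loss]
        if cumulative >= confidence - 1e-12:
            return loss
    return max(dist)


def standalone_sum(risks, confidence):
    """Silo view: each risk measured alone at the same confidence, then added.
    This behaves as if every event lands in the same year and overstates exposure."""
    return sum(exposure([risk], confidence) for risk in risks)


def expected_loss(risks):
    """Average annual loss: useful for budgeting, not a measure of exposure."""
    return sum(risk.probability * risk.loss for risk in risks)


def evaluate(risks, appetite, confidence):
    """Step 1 (calculated exposure) checked against step 2 (management-defined appetite)."""
    level = exposure(risks, confidence)
    return {
        "exposure": level,
        "appetite": appetite,
        "headroom": appetite - level,
        "status": "within appetite" if level <= appetite else "exceeds appetite",
    }


def insure(risks, name, retained_loss, premium):
    """A risk-transfer decision to test against appetite: the named risk's loss
    falls to the retained amount and the premium becomes a certain cost
    (an event with probability 1), so it is counted in the same distribution."""
    updated = [KeyRisk(r.name, r.probability, retained_loss) if r.name == name else r
               for r in risks]
    updated.append(KeyRisk(f"premium for {name}", 1.0, premium))
    return updated


# Constructed key-risk register (assumption); losses in millions.
RISKS = [
    KeyRisk("cyber incident", 0.10, 30.0),
    KeyRisk("key supplier failure", 0.05, 50.0),
    KeyRisk("FX shock", 0.20, 20.0),
    KeyRisk("regulatory fine", 0.02, 80.0),
]
APPETITE = 75.0     # assumed management-defined limit at the 1-in-100-year level
CONFIDENCE = 0.99

if __name__ == "__main__":
    print("expected annual loss:", expected_loss(RISKS))
    print("silo sum of standalone exposures:", standalone_sum(RISKS, CONFIDENCE))
    print("aggregated:", evaluate(RISKS, APPETITE, CONFIDENCE))
    mitigated = insure(RISKS, "regulatory fine", retained_loss=10.0, premium=2.0)
    print("after insuring the fine:", evaluate(mitigated, APPETITE, CONFIDENCE))
```

With these inputs the aggregated 1-in-100-year exposure is 80 against an assumed appetite of 75, so the program has a decision to make; insuring the regulatory fine down to a retained 10 for a premium of 2 brings the exposure to 72, inside appetite. The silo figure, each risk's standalone 99% loss added up, is 180: a program that sets limits silo by silo reserves for losses that rarely coincide, which is the over-mitigation error, while a program that never calculates the aggregate cannot see that 80 exceeds 75 until the event happens, which is the under-mitigation error.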


Risk Appetite / Risk Tolerance

Risk Decision-Making

• Many ERM programs in their infancy merely identify and then report key risks to the Board

• Misses the primary function: risk decision-making

• “Risk Map” is a popular report

• Focus on key risks with materiality


WU Student Project Risk Map

Risk-Return Management

• Traditional risk management created perception of risk leaders as obstacles by business segments

• New ventures thwarted by emphasis of risk exposure

• Upside not fairly considered along with increased risk

• ERM is a significant step forward

• Both downside and upside volatility - risk mitigation and risk exploitation - are in scope

• Risk practitioners are now welcome in strategic discussions, perceived as business partners


Risk Disclosures

• Improper risk disclosures are among the most overlooked risks

• Most disclosures are boilerplate with significant auditor input

• Yet ERM sophistication varies widely, which boilerplate does not reflect

• Best, safest practice (and likely soon to be a regulatory requirement) is to inform disclosures with ERM information

http://www.sec.gov/news/press/2009/2009-268.htm


Value Impacts

• Virtually all talk about “value-added” activities, yet very few measure value

• Most ERM programs use short-term metrics

• Balance sheet impact

• Next quarter’s earnings impact

• Short-term metrics are inadequate for quantifying the full impacts of risks

• Short-term metrics are inadequate for informing risk decision-making


Primary Stakeholder

• Traditional risk management programs often focus on ratings / rating agencies

• Maximally satisfying rating agencies does not usually lead to maximizing shareholder value

• ERM must focus on primary stakeholder: the shareholder

• All decisions – even risk-priority – must increase company value


Next ERM Regulatory Hurdle?

Thanks for attending!

Enjoy the rest of RIMS 2016!

Questions / Discussion