| Many risk managers have attempted to take | | | | But given that the fundamental concepts of ERM are |
| enterprise risk management (ERM) from a slick | | | | not yet standardized, how could an information |
| consulting pitch to a practical management system. | | | | system be designed from the ground up to support |
| But while ERM has helped many of these | | | | it? There are systems that will, with the help of an |
| professionals improve the strategic structure of their | | | | analyst or actuary, allow risk managers to develop |
| risk financing programs, few have fully achieved their | | | | and run simulations of limited sets of risks. Few, |
| ambitions. One obstacle is the risk management | | | | however, are designed to collect the requisite data in |
| information system (RMIS) built without an | | | | the first place. |
| enterprisewide orientation toward risk data. | | | | Because the insurer can predefine its risk through |
| For ERM programs to fulfill their potential, the RMIS | | | | coverage definitions, exclusions, retentions, |
| must focus on the risk financing needs and processes | | | | deductibles and limits, these risk-limiting tools |
| of the entire company-i.e., reporting based on its | | | | ultimately shape the structure of today's RMIS. The |
| specific financial and operational dynamics. It cannot | | | | risk manager, however, cannot predefine risks and |
| just tally the insurance companies' claims and losses, | | | | cannot describe every loss incident in terms of the |
| as it does now. The system should incorporate | | | | coverage definitions intended to serve the needs of |
| occurrence descriptions and retained loss costs. It | | | | the insurer. Risk managers need an information |
| should support a range of risk financing methods and | | | | structure that extends beyond the insurers' |
| the financial analysis and reporting needs of the risk | | | | boundaries. |
| manager. | | | | Without standardized methods of management and |
| The recommendations that follow do not describe a | | | | analysis-and the technology to link the information |
| total ERM system. (Indeed, building a separate ERM | | | | together-it is difficult to implement ERM programs |
| system would be like constructing an independent six | | | | and information systems. And the lack of information |
| sigma program. Both must be built into other | | | | systems to collect the loss experience data on |
| enterprise processes to be effective.) Rather, the | | | | nontraditional risks prevents the development of ERM |
| recommendations that follow offer suggestions for | | | | procedures and methodologies. The absence of each |
| the next steps in the evolution of RMIS design, which | | | | element hinders the evolution of the other. |
| will, if adopted, make RMIS an integral part of ERM | | | | Making ERM tractable will require a pioneer effort to |
| practices. | | | | develop the intellectual tools, the prerequisite data |
| ERM: Great Concept, Intractable Implementation? | | | | standards and information systems that will let us |
| Current professional and academic schools of thought | | | | achieve a real breakthrough. Unfortunately, today's |
| dictate that ERM should achieve proper allocation of | | | | RMIS provides no support for this kind of analytics. |
| risk capital across three major risk categories-financial, | | | | And a lack of compelling market demand for |
| credit and operational risk. | | | | enterprise risk assessment tools has failed to induce |
| To this end, financial risk management is highly | | | | IT entrepreneurs to invest in the development of |
| standardized. (This is possible because of the | | | | systems that support ERM. |
| extensive statistical data available from large, open | | | | A Cost/Benefit Analysis |
| markets-equity, bond, currency, derivative and | | | | Risk managers already use elements of |
| commodity trading systems-and the traders' interest | | | | enterprisewide risk management to improve the |
| in any analytical systems that provide a competitive | | | | efficiency of risk spending. They make estimates of |
| advantage.) Credit risk management methods are | | | | the scope and size of risks facing the firm and thus |
| less developed than those for financial risk | | | | allocate risk financing resources to bring the firm |
| management, but they are rapidly evolving. | | | | closer to an optimal allocation of risk capital. The |
| Operational risk is the least developed. | | | | estimates start with risk mapping-plotting the |
| Operational risk includes traditional property/casualty | | | | expected frequency and severity of each risk (often |
| risks, but it is also a catch-all term for any risk that is | | | | displayed on an x-y coordinate chart). |
| not financial- or credit-related. This includes risks that | | | | This is followed by scenario analysis, which |
| are typically beyond the scope of the traditional risk | | | | stress-tests the potential loss amounts. A low |
| manager: business control risks, corporate | | | | probability (95 percentile) sequence of adverse |
| governance risks and capital-intensive project risks. | | | | outcomes is developed from the chain of events |
| For these, we lack statistical data and validated | | | | following a major loss event. The total cost of the |
| statistical methods to gauge the risks, and therefore | | | | path associated with these adverse outcomes is then |
| few transfer markets have developed for them. | | | | calculated. |
| Though we have accurate data on the actuarial | | | | For example, an earthquake damages a key facility. |
| dimensions of the frequency and severity of many | | | | This damage prevents delivery of products, leading |
| risks, operational risks often are multidimensional. | | | | to disruption of contracts and revenue loss. The lost |
| Across an enterprise, risks have widely varying time | | | | revenue subsequently prevents wage increases, |
| horizons, degrees of certainty and predictability. The | | | | leading to a labor union action, which further disrupts |
| nature of an occurrence or event can vary widely | | | | production. Unreliable production drives away potential |
| (e.g., discrete versus continuous occurrences, | | | | new customers, further reducing future sales. |
| speculative versus fortuitous outcomes). And the | | | | An initial event often has ripple effects. The full cost |
| correlations between risks typically are not well | | | | of the loss extends far beyond the original damage |
| understood. | | | | to the facility. Stress-testing or scenario analysis |
| Operational risks frequently derive from specialized | | | | allows the firm to paint a more complete picture of |
| functions where evaluating the risks requires | | | | risks, and to gauge the extent of the firm's exposure |
| experience and expertise (e.g., information systems | | | | to catastrophic events. |
| security, environmental health and safety, contractual | | | | To improve these analyses, the risk manager needs |
| risks). Within those business functions, specialists are | | | | to use RMIS to capture more data on the |
| often unwilling or unprepared to conform their risk | | | | downstream effects of the initial loss event. Invisible |
| assessment methods to a broader system. So while | | | | costs could be calculated and incorporated into the |
| we may be able to get their participation in creating | | | | overall risk picture. This might include the cost of |
| assessments, the assessments cannot be easily | | | | overtime hours for recall and remediation of a |
| aggregated with other loss probability distributions | | | | defective product, lost sales due to bad publicity, or |
| across the organization. Even if we are somehow | | | | the added cost of debt service due to a downgrade |
| able to aggregate risk assessments, the credibility of | | | | of the firm's financial rating. |
| the results may be questioned by the decision maker | | | | Unlike financial risks or even most traditional property |
| to whom it is presented because its method of | | | | casualty risks, there is virtually no statistical history on |
| calculation is not clear, or required assumptions are | | | | these kinds of costs. And yet, these are the costs |
| disputed. | | | | that most often threaten the viability of a company |
| All of this reflects a lack of commonly understood | | | | in the wake of a catastrophe. |
| and accepted ERM principles, concepts and standards | | | | Without more advanced RMIS technology, risk |
| around which to build business processes and | | | | managers are limited to recording the company's loss |
| systems. | | | | experience or collecting other firms' case histories and |
| Where Current Generation RMIS Falls Short | | | | using techniques like modeling and Monte Carlo |
| Current generation RMIS technology was designed | | | | simulations. |
| primarily to support insurance claims processing, and it | | | | So, would the cost of developing a robust, |
| does this quite well. It organizes data in a way that | | | | ERM-supportive RMIS exceed its benefits? The costs |
| most closely resembles the claims processing | | | | are immediate and tangible; the benefit is difficult to |
| systems used by insurance companies. The basic | | | | estimate or demonstrate. Risk managers already |
| data record is for an insurance claim, meaning that | | | | struggle with how to explain the value of a loss that |
| incidents must at least be potential insurance claims | | | | is prevented or financed, particularly as measured by |
| to be supported. The data to fill these claims records | | | | the net present value of the improved capital |
| are normally provided by the insurer or third party | | | | allocation. Even if the risk reduction is significant, it is |
| administrator and loaded into the database by the | | | | a potential future benefit, not an assured, immediate |
| RMIS provider. In other words, the system is | | | | expense reduction. |
| primarily intended for electronic storage and retrieval | | | | Whether the risk assessments from RMIS are likely |
| of traditional insurer loss runs. This is great if you are | | | | to lead to enough marginal benefits to offset the |
| running a claims department, but ERM requires much | | | | cost of data tracking and analysis depends on the |
| more. | | | | company's risk profile. Large firms stand to gain the |
| If the goal of ERM is to maximize the firm's net | | | | most from refining the efficiency of risk capital |
| income, then the fundamental premise of ERM is that | | | | allocation. But as the cost of the computing tools |
| risk decisions are capital allocation decisions. Risk | | | | needed to collect data and perform the sophisticated |
| managers strive to assign the right amount of capital | | | | modeling and analyses continue to decrease, the |
| to a mix of risk financing or mitigation methods to | | | | benefits grow for all organizations. Ultimately, RMIS |
| optimize results. To accomplish this, they need to | | | | may pay for itself by empowering an organization to |
| understand their company's risk tolerance in light of | | | | avoid or effectively finance that one catastrophic |
| their organization's cash flows, debt position, credit | | | | loss that would otherwise slash the company's |
| rating and price-earnings ratio (if publicly traded). | | | | financial results. |