| Many risk managers have attempted to take | | | | price-earnings ratio (if publicly traded). |
| enterprise risk management (ERM) from a slick | | | | |
| consulting pitch to a practical management | | | | But given that the fundamental concepts of |
| system. But while ERM has helped many of | | | | ERM are not yet standardized, how could an |
| these professionals improve the strategic | | | | information system be designed from the |
| structure of their risk financing programs, | | | | ground up to support it? There are systems |
| few have fully achieved their ambitions. One | | | | that will, with the help of an analyst or |
| obstacle is the risk management information | | | | actuary, allow risk managers to develop and |
| system (RMIS) built without an enterprisewide | | | | run simulations of limited sets of risks. |
| orientation toward risk data. | | | | Few, however, are designed to collect the |
| | | | requisite data in the first place. |
| For ERM programs to fulfill their potential, | | | | |
| the RMIS must focus on the risk financing | | | | Because the insurer can predefine its risk |
| needs and processes of the entire | | | | through coverage definitions, exclusions, |
| company-i.e., reporting based on its specific | | | | retentions, deductibles and limits, these |
| financial and operational dynamics. It cannot | | | | risk-limiting tools ultimately shape the |
| just tally the insurance companies' claims | | | | structure of today's RMIS. The risk manager, |
| and losses, as it does now. The system should | | | | however, cannot predefine risks and cannot |
| incorporate occurrence descriptions and | | | | describe every loss incident in terms of the |
| retained loss costs. It should support a | | | | coverage definitions intended to serve the |
| range of risk financing methods and the | | | | needs of the insurer. Risk managers need an |
| financial analysis and reporting needs of the | | | | information structure that extends beyond the |
| risk manager. | | | | insurers' boundaries. |
| | | | |
| The recommendations that follow do not | | | | Without standardized methods of management |
| describe a total ERM system. (Indeed, | | | | and analysis-and the technology to link the |
| building a separate ERM system would be like | | | | information together-it is difficult to |
| constructing an independent six sigma | | | | implement ERM programs and information |
| program. Both must be built into other | | | | systems. And the lack of information systems |
| enterprise processes to be effective.) | | | | to collect the loss experience data on |
| Rather, the recommendations that follow offer | | | | nontraditional risks prevents the development |
| suggestions for the next steps in the | | | | of ERM procedures and methodologies. The |
| evolution of RMIS design, which will, if | | | | absence of each element hinders the evolution |
| adopted, make RMIS an integral part of ERM | | | | of the other. |
| practices. | | | | |
| | | | Making ERM tractable will require a pioneer |
| ERM: Great Concept, Intractable | | | | effort to develop the intellectual tools, the |
| Implementation? | | | | prerequisite data standards and information |
| | | | systems that will let us achieve a real |
| Current professional and academic schools of | | | | breakthrough. Unfortunately, today's RMIS |
| thought dictate that ERM should achieve | | | | provides no support for this kind of |
| proper allocation of risk capital across | | | | analytics. And a lack of compelling market |
| three major risk categories-financial, credit | | | | demand for enterprise risk assessment tools |
| and operational risk. | | | | has failed to induce IT entrepreneurs to |
| | | | invest in the development of systems that |
| To this end, financial risk management is | | | | support ERM. |
| highly standardized. (This is possible | | | | |
| because of the extensive statistical data | | | | A Cost/Benefit Analysis |
| available from large, open markets-equity, | | | | |
| bond, currency, derivative and commodity | | | | Risk managers already use elements of |
| trading systems-and the traders' interest in | | | | enterprisewide risk management to improve the |
| any analytical systems that provide a | | | | efficiency of risk spending. They make |
| competitive advantage.) Credit risk | | | | estimates of the scope and size of risks |
| management methods are less developed than | | | | facing the firm and thus allocate risk |
| those for financial risk management, but they | | | | financing resources to bring the firm closer |
| are rapidly evolving. Operational risk is the | | | | to an optimal allocation of risk capital. The |
| least developed. | | | | estimates start with risk mapping-plotting |
| | | | the expected frequency and severity of each |
| Operational risk includes traditional | | | | risk (often displayed on an x-y coordinate |
| property/casualty risks, but it is also a | | | | chart). |
| catch-all term for any risk that is not | | | | |
| financial- or credit-related. This includes | | | | This is followed by scenario analysis, which |
| risks that are typically beyond the scope of | | | | stress-tests the potential loss amounts. A |
| the traditional risk manager: business | | | | low probability (95 percentile) sequence of |
| control risks, corporate governance risks and | | | | adverse outcomes is developed from the chain |
| capital-intensive project risks. For these, | | | | of events following a major loss event. The |
| we lack statistical data and validated | | | | total cost of the path associated with these |
| statistical methods to gauge the risks, and | | | | adverse outcomes is then calculated. |
| therefore few transfer markets have developed | | | | |
| for them. | | | | For example, an earthquake damages a key |
| | | | facility. This damage prevents delivery of |
| Though we have accurate data on the actuarial | | | | products, leading to disruption of contracts |
| dimensions of the frequency and severity of | | | | and revenue loss. The lost revenue |
| many risks, operational risks often are | | | | subsequently prevents wage increases, leading |
| multidimensional. Across an enterprise, risks | | | | to a labor union action, which further |
| have widely varying time horizons, degrees of | | | | disrupts production. Unreliable production |
| certainty and predictability. The nature of | | | | drives away potential new customers, further |
| an occurrence or event can vary widely (e.g., | | | | reducing future sales. |
| discrete versus continuous occurrences, | | | | |
| speculative versus fortuitous outcomes). And | | | | An initial event often has ripple effects. |
| the correlations between risks typically are | | | | The full cost of the loss extends far beyond |
| not well understood. | | | | the original damage to the facility. |
| | | | Stress-testing or scenario analysis allows |
| Operational risks frequently derive from | | | | the firm to paint a more complete picture of |
| specialized functions where evaluating the | | | | risks, and to gauge the extent of the firm's |
| risks requires experience and expertise | | | | exposure to catastrophic events. |
| (e.g., information systems security, | | | | |
| environmental health and safety, contractual | | | | To improve these analyses, the risk manager |
| risks). Within those business functions, | | | | needs to use RMIS to capture more data on the |
| specialists are often unwilling or unprepared | | | | downstream effects of the initial loss event. |
| to conform their risk assessment methods to a | | | | Invisible costs could be calculated and |
| broader system. So while we may be able to | | | | incorporated into the overall risk picture. |
| get their participation in creating | | | | This might include the cost of overtime hours |
| assessments, the assessments cannot be easily | | | | for recall and remediation of a defective |
| aggregated with other loss probability | | | | product, lost sales due to bad publicity, or |
| distributions across the organization. Even | | | | the added cost of debt service due to a |
| if we are somehow able to aggregate risk | | | | downgrade of the firm's financial rating. |
| assessments, the credibility of the results | | | | |
| may be questioned by the decision maker to | | | | Unlike financial risks or even most |
| whom it is presented because its method of | | | | traditional property/casualty risks, there is |
| calculation is not clear, or required | | | | virtually no statistical history on these |
| assumptions are disputed. | | | | kinds of costs. And yet, these are the costs |
| | | | that most often threaten the viability of a |
| All of this reflects a lack of commonly | | | | company in the wake of a catastrophe. |
| understood and accepted ERM principles, | | | | |
| concepts and standards around which to build | | | | Without more advanced RMIS technology, risk |
| business processes and systems. | | | | managers are limited to recording the |
| | | | company's loss experience or collecting other |
| Where Current Generation RMIS Falls Short | | | | firms' case histories and using techniques |
| | | | like modeling and Monte Carlo simulations. |
| Current generation RMIS technology was | | | | |
| designed primarily to support insurance | | | | So, would the cost of developing a robust, |
| claims processing, and it does this quite | | | | ERM-supportive RMIS exceed its benefits? The |
| well. It organizes data in a way that most | | | | costs are immediate and tangible; the benefit |
| closely resembles the claims processing | | | | is difficult to estimate or demonstrate. Risk |
| systems used by insurance companies. The | | | | managers already struggle with how to explain |
| basic data record is for an insurance claim, | | | | the value of a loss that is prevented or |
| meaning that incidents must at least be | | | | financed, particularly as measured by the net |
| potential insurance claims to be supported. | | | | present value of the improved capital |
| The data to fill these claims records are | | | | allocation. Even if the risk reduction is |
| normally provided by the insurer or third | | | | significant, it is a potential future |
| party administrator and loaded into the | | | | benefit, not an assured, immediate expense |
| database by the RMIS provider. In other | | | | reduction. |
| words, the system is primarily intended for | | | | |
| electronic storage and retrieval of | | | | Whether the risk assessments from RMIS are |
| traditional insurer loss runs. This is great | | | | likely to lead to enough marginal benefits to |
| if you are running a claims department, but | | | | offset the cost of data tracking and analysis |
| ERM requires much more. | | | | depends on the company's risk profile. Large |
| | | | firms stand to gain the most from refining |
| If the goal of ERM is to maximize the firm's | | | | the efficiency of risk capital allocation. |
| net income, then the fundamental premise of | | | | But as the cost of the computing tools needed |
| ERM is that risk decisions are capital | | | | to collect data and perform the sophisticated |
| allocation decisions. Risk managers strive to | | | | modeling and analyses continue to decrease, |
| assign the right amount of capital to a mix | | | | the benefits grow for all organizations. |
| of risk financing or mitigation methods to | | | | Ultimately, RMIS may pay for itself by |
| optimize results. To accomplish this, they | | | | empowering an organization to avoid or |
| need to understand their company's risk | | | | effectively finance that one catastrophic |
| tolerance in light of their organization's | | | | loss that would otherwise slash the company's |
| cash flows, debt position, credit rating and | | | | financial results. |