4 ERM the next step in the evolution of business management


ERM: The Next Step in the Evolution of Business Management

Sim Segal, FSA, CERA, MAAA
Adjunct Professor
Columbia Business School
Decision, Risk & Operations

Shanghai Jiao Tong University EMBAs
Asia-Pacific Development Society, Columbia University
April 22, 2010

Agenda
• Drivers of ERM adoption
• ERM challenges
• Defining risk
• Defining ERM
• ERM approaches
• ERM and the financial crisis
• Appendices
• Contact information

Copyright © SimErgy All rights reserved

Drivers of ERM adoption

Events
• Accounting fraud (e.g., Enron)
• September 11th
• H1N1 pandemic
• Financial crisis

Stakeholders
• Rating agency scrutiny
• SEC Feb 2010 disclosure rule

Other
• Technology
• Increased risk savvy

ERM challenges
• Confusion over what ERM is
  – Providers jumping into the market, portraying traditional risk-related products and services as ERM
    o Consultants
    o Auditors
    o Insurance brokers
    o Technology firms
• Full promise of ERM still not realized
  – Best practices not yet widely identified

Defining risk
• Uncertainty
  – Is anything 100% certain? Death and taxes?
• Includes upside volatility
  – A bit unusual, but important for our purposes (all volatility impacts a company’s value, e.g., discount rate of future free cash flows)
• Deviation from expected
  – Not just “loss” but loss above and beyond expected loss in Strategic Plan

DEFINING ERM

Basic definition of ERM

“The process by which companies identify, measure, manage and disclose all key risks to increase value to stakeholders”

ERM 10 key criteria
1) Enterprise-wide – all areas in scope
2) All risk categories – financial, operational & strategic
3) Key risks only – not hundreds of risks
4) Integrated – captures interactivity of 2+ risks
5) Aggregated – enterprise-level risk exposure/appetite
6) Decision-making – not just risk reporting
7) Risk-return mgmt – mitigation plus risk exploitation
8) Risk disclosures – integrates ERM information
9) Value impacts – includes enterprise value metrics
10) Primary stakeholder – not rating agency-driven

ERM process cycle
• Risk Identification
• Risk Quantification
• Risk Messaging
• Risk Decision-Making

Benefits of ERM

Shareholders
• Increased likelihood company achieves strategy
• Enhanced risk disclosures

Board of directors
• Assurance key risks well understood / managed
• Compliance with SEC Feb 2010 disclosure rule

C-Suite
Management
Rating agencies
Regulators
• Better stakeholder communications
• Higher stock price
• Stronger rating
• Tools to manage exposure within appetite
• Better risk-return decisions
• Prospective information for better credit risk assessment
• Lower systemic risk

Modified case study: Other key metrics supplement enterprise value metrics

“Pain Point” (Likelihood)
• Decrease in enterprise value of more than 10% (15%)
• Ratings downgrade – one level (7%)
• Falling short of Planned revenue growth by more than 200 basis points (11%)
• Falling short of Planned earnings by more than 2¢ per share (10%)

3) Integrating ERM into decision-making

Do metrics support decision-making?
• Traditional Approach: NO
  – Not for operational or strategic risks
  – Only risk, not return
• Value-Based Approach: YES
  – Metrics for all risks
  – ΔValue = rigorous business case

Do ERM models work?
• Traditional Approach: NO
  – Complex
  – Increases risk
  – Too many inputs
  – Slow run time
  – Violates “significant digits” rule
• Value-Based Approach: YES
  – Practical balance
  – Nimble enough for speed and changes
  – Robust enough for decisions
  – Apples-to-apples math

Is there buy-in from business units?
• Traditional Approach: NO
  – Corporate-driven
  – Compliance-oriented
• Value-Based Approach: YES
  – Business unit input
  – Corporate for consistency
  – Supports business unit goals/initiatives

Case study – insurance company
• Enhanced business segment buy-in / risk culture
  – Baseline scenario exercise
  – Risk scenario development exercises
• Board sees ERM as “management decision-making tool”
• S&P upgraded company’s rating
  – Ability to quantify diversification benefits
  – Robust ERM program generally
• ERM goals into long-term bonus pool formula
• ERM drove decision to increase strategic planning frequency from annual to quarterly

ERM is more than risk management

Rather than the next step in risk management, ERM is the next step in business management

ERM AND THE FINANCIAL CRISIS

ERM 10 key criteria – banking scorecard
X 1) Enterprise-wide – “golden boys” out of scope
X 2) All risk categories – overly-focused on financial
✓ 3) Key risks only
X 4) Integrated – “silo” management / measurement
X 5) Aggregated – no aggregate enterprise-level metrics
✓ 6) Decision-making
X 7) Risk-return mgmt – metrics only support mitigation
X 8) Risk disclosures – inappropriate even post-event
X 9) Value impacts – only capital metrics
X 10) Primary stakeholder – focus on ratings / regulators

ERM process cycle – banking scorecard

Each step of the cycle (Risk Identification, Risk Quantification, Risk Messaging, Risk Decision-Making) is marked X. Findings shown on the slide:
• Lack of focus on non-financial risks
• Incentive compensation does not adjust for risk exposure
• Poor performance
• Poor risk exposure metrics and poor model assumptions

Value-Based ERM Framework

[Figure: Value-Based ERM Framework, in three stages: Identification, Quantification, Decision-Making. Labels: Risk Appetite; Strategy; Risk Mgmt Tactics; Qualitative Assessment (All Risks plotted by Likelihood and Severity, Key Risks); ERM Committee; Scenario Development (Key Risk Scenarios; FINANCIAL: Market, Credit, …; STRATEGIC: Strategy, Execution, …; OPERATIONAL: HR, IT, Process, …; Mostly Objective / Mostly Subjective; Correlation); ERM Model (Baseline Value, ΔValue, Enterprise Value); Value Impact; Individual Risk Exposures (bar chart of Enterprise Value Impact, 0.0% to -25.0%, for Legislation Risk, Loss of Critical EEs, M&A Risk, Execution Risk, International Risk, Loss of Key Supplier, Loss of Key Distributor, IT Risk, Union Negotiations, Competitor Risk, Consumer Relations Risk); Enterprise Risk Exposure.]

“Pain Point” (Likelihood)
• ΔValue ≤ -10% (15%)
• ΔValue ≤ -20% (3%)

Value-Based ERM Framework – banking scorecard

[Figure: the Value-Based ERM Framework diagram above, annotated with the following findings.]
1) Risks not defined by source
2) Not using discrete scenarios for nonfinancial risks
3) Not analyzing multiple risks occurring together
4) Not measuring/reporting risk on pre-mitigation basis
5) Overly complex correlations
6) Poor model assumptions
7) Lack of enterprise value metrics
8) VaR metric hides exposure beyond tail
9) No calculation of enterprise risk exposure
10) No definition of risk appetite

Some actions to prevent another crisis
• Require companies to implement ERM, in a robust manner
• Require incentive compensation plans to reflect risk exposure (SEC rule)
• Require enhanced risk disclosures, including free cash flow projection
  – Baseline scenario (strategic plan) / key risk scenarios (defined by management) / standard risk scenarios (defined by regulators)
  – Investors apply their own discount rates, and compare scenarios cross-sector
• Replace capital requirements with pooled risk charges
  – Capital not there when needed anyway (must replace or be downgraded)
  – Government guarantee protects rating during rehab period to rebuild capital
• Employ ERM principles at the country level (e.g., concentration risks)
  – Firms “too large to fail” (e.g., banks, auto companies) / supplier concentration (e.g., energy) / oligopolies (e.g., rating agencies, monoline insurers)
• Employ ERM principles at the retail level (e.g., financial planning)
  – Holistic view of risks and solutions for individuals/families

APPENDICES

Appendix 1: Examples of operational and strategic risks

Operational
• HR risk (e.g., critical employees)
• Technology (e.g., data security)
• Disasters (e.g., pandemic)
• Etc.

Strategic
• Strategy (e.g., wrong product set chosen)
• Execution (e.g., poor integration of acquisitions)
• Competitor (e.g., unexpected innovation by competitor)
• Supplier (e.g., sudden change in supplier capacity)
• External relations (e.g., negative publicity)
• Etc.

Contact information

Sim Segal, FSA, CERA, MAAA
Adjunct Professor
Columbia Business School
Decision, Risk & Operations
(917) 699-3373 Mobile
ss3866@columbia.edu

Date posted: 18/01/2019, 14:33

Table of contents

  • Slide Number 1

  • Agenda

  • Drivers of ERM adoption

  • ERM challenges

  • Defining risk

  • Defining ERM

  • Basic definition of ERM

  • ERM 10 key criteria

  • ERM process cycle

  • Benefits of ERM

  • ERM Approaches

  • Obstacles in traditional ERM frameworks

  • Value-Based ERM Framework

  • 1) Quantifying operational and strategic risks

  • Developing risk scenarios: FMEA

  • Slide Number 16

  • Modified case study: Quantifying individual risk exposures on multiple bases

  • Case studies: Quantifying impact to value supports decision-making

  • Case study A Technology – External attack

  • Case study B Human Resources – Critical employees
