Enterprise Risk Management An emerging model for building shareholder value Assurance and Advisory Contents Introduction The current environment: How risk management is evolving How organisations are deploying ERM: Tools and techniques in use today An emerging model for deriving value from risk management 10 Implications and opportunities 17 Conclusion 18 Appendix I: Interviews with leading risk management specialists 19 Endnotes 27 Contacts 28 Introduction As business leaders seek new ways to build shareholder value, they have begun to think in new ways about how risk management is tied to value creation Across industries and organisations, many are recognising that risks are no longer merely hazards to be avoided but, in many cases, opportunities to be embraced “Risk in itself is not bad,” asserts Suzanne Labarge, chief risk officer at Royal Bank of Canada “What is bad is risk that is mismanaged, misunderstood, mispriced, or unintended.”1 Indeed, many are realising that risk creates opportunity, that opportunity creates value, and that value ultimately creates shareholder wealth How best to manage risks to derive that value has become the critical question ERM has the potential to provide organisations with a new competitive advantage In this context, enterprise risk management (ERM) has emerged as an important new business trend ERM is a structured and disciplined approach aligning strategy, processes, people, technology, and knowledge with the purpose of evaluating and managing the uncertainties the enterprise faces as it creates value “Enterprise-wide” means the removal of traditional functional, divisional, departmental, or cultural barriers A truly holistic, integrated, future-focused, and process-oriented approach helps an organisation manage all key business risks and opportunities with the intent of maximising shareholder value for the enterprise as a whole Leaders face a variety of new challenges in their drive to maximise value Globalisation, e-business, new organisational partnerships, and the increasing speed of business activity are rapidly changing and expanding the risks organisations face One significant result is that risk management must now extend well beyond traditional financial and insurable hazards to encompass a wide variety of strategic, operational, reputation, regulatory, and information risks As a means of identifying, prioritising, and managing such risks across an enterprise or division—and linking them to value creation—ERM has the potential to provide organisations with a new competitive advantage Most organisations, however, are uncertain about how, exactly, to translate the concept of ERM into concrete action steps that will help them enhance shareholder value Leaders agree that as important as ERM might be in theory, it will never be valuable in practice unless it enables organisations to use risk information to drive business value in a way they could not otherwise This white paper describes ERM as it has begun to evolve today, emphasising that organisations may be able to benefit more fully from their ERM efforts than they may have done thus far It addresses how leaders should seek to analyse their critical risks—balancing them with their objectives for improved returns—and then use that information to drive business value To that end, this document outlines a new ERM model, one that can provide organisations with new action steps they may use to enhance business decision-making and, potentially, shareholder value The current environment: How risk management is evolving As risks change and proliferate, managers in a variety of industries are seeking to ensure that they are taking both the right risks as well as the right amount of risk—compared with their own organisations’ risk tolerance or “appetite” and benchmarked against others in their markets and industries An organisation determines its risk appetite, and its capacity for taking on additional risks, in much the same way individual investors balance their own tolerance for various risks against their desire for greater returns and use that knowledge to diversify the portfolio of stocks, bonds, and other financial instruments they hold (see box below) Defining Risk Appetite An organisation’s “appetite” or tolerance for risk will vary with its strategy as well as evolving conditions in its industry and markets Each organisation’s risk tolerance is unique, and it will vary according to organisational culture as well as external factors A critical aspect of management’s responsibility is to determine which risks, and how much of each of them, the organisation should take and then to re-evaluate those choices as circumstances change Unlike Total Quality Management (TQM), which tolerates no failures, ERM maintains that a defined number of failures can be tolerated if the cost of guarding against them is more expensive than the risks they impose Consider the perspectives of a government buying computer chips for use in cruise missiles and a computer manufacturer buying the same chips for use in personal computers Both entities have high standards for the quality and integrity of the computer chips, but widely differing tolerances for failures in them The cruise missile manufacturer can tolerate no chip failures The likelihood of such failures may be low, but the magnitude of the consequences is too high for all organisational stakeholders That manufacturer must thus test every chip to ensure that it fully meets the high standards the organisation has established The PC manufacturer, on the other hand, need not test all its chips because it can, in fact, tolerate a few failures It can bank on the limited likelihood of such failures, because the magnitude of the consequences is considerably lower than with chip failures in cruise missiles This difference in risk appetite will drive differences in resource allocations and other management choices “Globalisation has completely changed both the risks organisations face and their management of those risks When you’re no longer making things in Lancaster, Pennsylvania, for example, but in Bangladesh, or Marissa, or Hong Kong, you’ve got risks, along with opportunities, along the entire value chain A large portion of our product is sourced overseas, so as with all retailers, we have to work hard to be sure that working conditions are what they should be What the plants look like, and we own them? How we ensure that they are safe and humane and that workers are appropriately compensated? Failing to pay close attention to the risks related to those issues can result in tremendous liabilities, not the least of which is degradation of the brand.”2 Vice President Financial Operations Specialty Retailer Thus, risk management is moving well beyond the tradition of risk mitigation (using controls to limit exposure to problems) toward risk portfolio optimisation (determining the organisation’s risk appetite and capacity among a group of risks across the enterprise, seizing opportunities within those defined parameters, and capitalising on the rewards that result) As a consequence, risk management is beginning to be perceived as a new means of strategic business management, linking business strategy to day-to-day risks Enterprise risk management is evolving in this context It is an important means of identifying the critical risks the organisation faces—for example, reputation, ethics, e-business, or health, safety, and environmental risks (not just financial or insurable hazards) It is also important for managing and optimising that portfolio of risks in a way that realises financial rewards Interpretations of ERM vary widely by industry and among organisations Consequently, definitions of ERM also vary widely—but many agree that it is a top-down approach, based on and supportive of organisational strategy, that is focused on new ways to manage and optimise the risks of highest importance to the board and management Depending on how they perceive ERM, organisations are using it in a variety of ways, with varying results, as described in the next section How organisations are deploying ERM: Tools and techniques in use today Intrigued by ERM, organisations are using risk management concepts to consider a number of questions: ■ What risks am I facing, and how they compare to those of my peers or competitors? ■ How are these risks changing based on changes in my business environment? ■ What level of risk should I take? ■ How should I manage those risks? To help answer these questions, many organisations are collecting and analysing risk information using a variety of basic tools such as one or more of those described below: ■ Identification/Assessment tools enable a management team to collectively identify and assess the risks facing the organisation These tools also enable the team to evaluate each risk according to its “likelihood” (that is, the probability that the risk will occur) and its “magnitude” (the impact the risk would have if it did occur) (See Figure 1.) Figure 1: Business Risk Matrix 95% ce du Re Risk Te rm ina te Extreme Likelihood 75% Ac cep t High 50% Moderate Re Co duce ntr ol 25% Low Pa ss On 5%