Board of directors
The board of directors is ultimately responsible for the risk management process. The board needs to understand important risks faced by the enterprise and needs to provide guidelines on the enterprise’s risk appetite and risk management process. The board is responsible for continuously ensuring that adequate risk management processes are in place. However, the actual risk management activities must be delegated to the risk management function.
Risk management environment
The risk management environment involves matters associated with people such as culture, philosophy, how people are trained and developed, and how appropriate behaviour of employees is incentivized, reinforced and compensated.
Culture is an important part of the risk management environment. Endorsement of the appropriate risk management culture by all levels of management within the organization is vital for successful risk management processes. Such endorsement should be evident from management’s attitude as well as from resource allocation. The values of an organization need to reflect that risk management is important. Buy-in (acceptance) from all employees with regard to the importance of risk management is necessary. Accountability should be assigned to business units, divisions and employees for their required input into the risk management process.
Performance of employees should be aligned with risk management objectives. Only in this way will employees be enticed to bring their utmost effort to executing their contribution to appropriate risk management. Adequate performance with regard to risk management objectives should contribute to rewards for the employee.
Enterprise risk management involves a process consisting of establishing the following:
- appropriate infrastructure
- different kinds of structure established within an enterprise, such as organizational structure; different kinds of systems, such as information systems, which refer to how information is collected, used and shared; determination of accountability and responsibility; methodologies to be used; control procedures
- involves matters associated with people such as culture
- operating philosophy
- refers to command and control or empowering (centralized or decentralised), how people are trained and developed, and how appropriate behaviour of employees is incentivized, reinforced and compensated
Enterprise risk management provides organizations with knowledge which allows them to systematically manage risks in an enhanced manner.
Enterprise risk management infrastructure
ERM infrastructure refers to a type of structure within an organization which is required for a successful risk management process. It refers to the different tools that the risk management process can use to ensure its success and includes the following:
- An organizational structure
- Risk management systems
- An example of a risk management system is the information system which meets informational risk management needs throughout the enterprise. Information systems should be designed and managed in a way which ensures that the system is flexible, meaning that the way in which information is presented allows various users within the enterprise to use it for their specific informational needs. The information system must also be user friendly. This will ensure that employees within the enterprise can obtain the maximum value from the system. Information systems should allow for fast recording, evaluation, summary, consolidation and sharing of information. The information system should also be efficient: it must be designed so that no tasks are unnecessarily duplicated throughout the enterprise and no unnecessary activities are performed.
- Determination of accountability and responsibility
- Methodologies and techniques to be used in risk management:
- Established control procedures
- Risk management unit, which is at the center of risk management within the organization
- Risk management policies and procedures – refers to the set of rules for how risk management is undertaken within the enterprise. A top-down approach should be used to develop risk management policies and procedures. A top-down approach will ensure consistency and alignment with the risk appetite (how much risk the company wants to accept) and business strategy. Risk management policies and procedures must be developed with input from all levels of management from all areas of the business to ensure their alignment as well as to incorporate their knowledge about specific risks faced by their areas. Risk management policies and procedures should also be understood by all employees.
- Reporting on risk management process – the addressee of the reports on risk management process performance should be in close proximity to the risks to be able to take timely action.
Below we describe types of risks:
Inflation risk – refers to the risk that money today will not be worth as much tomorrow, or in a year. Many safe investments, such as fixed deposits offered by banks, do not keep pace with inflation.
Opportunity risk – the risk that a safe investment that is undertaken will lead to the loss of additional return that could have been earned if the money had been placed into a better investment.
Concentration risk – the risk of putting entire funds into one investment, such as an investment in one’s own business or in shares of a specific company. If such an investment does not yield the return that was expected, then there is no other investment that could make up for such a loss.
Interest rate risk – the risk that interest rates will fluctuate with adverse effects on the company. For example, changes in interest rates can have an adverse effect on servicing debt.
Marketability risk – refers to the risk that the marketability of the investment may turn out to be low. It refers to the chance that, if the need arose to sell the investment in a timely manner, there would be no ready market in which to sell it.
Credit risk – refers to the possibility that the borrower will not be able to meet its obligations as they come due.
By linking consolidation of risk to improved performance of the organization, value is created. By consolidating risks, organizations obtain information which allows them to undertake evaluation, analysis and management of risk more effectively.
Enterprise risk management (ERM) establishes the foundation which improves decision making with regard to risk, return and growth. The foundation consists of assessment tools, common language, determined risk tolerances and strategies, all of which are encouraged by enterprise risk management.
ERM allows identifying internal and external best practices from which all enterprises can benefit. As a result of enterprise risk management, organizations better manage risk profiles (with the help of tools such as RAROC), reduce unacceptable risks, strategic errors and undertake more timely and adequate corrective actions.
Risk management strategies create value by trying to avoid unacceptable losses, encouraging the use of the core competencies of an organization and managing variability of performance.
To connect risk management with enhanced performance of the enterprise, we need to measure how performance is affected by changes in the risk profile which occur due to the implementation of risk management strategies.
Risk-adjusted performance measures make it possible to measure the risks and returns of investments so that investments can be ranked systematically.
Risk-adjusted return on capital (RAROC) is an example of a risk-adjusted performance measure. RAROC was introduced and popularized by Bankers Trust in the late 1970s and 1980s as an enhancement of return on capital (ROC).
RAROC is often measured as a ratio. To find risk-adjusted return on capital (RAROC) we need to take expected revenue less expected expenses less expected losses (losses expected over the measurement period) and risk-free rate of return, divided by capital to be invested.
RAROC discounts riskier cash flows against less risky cash flows.
When risk is quantified with the use of approaches such as Value at Risk (VaR), one of the ways to use quantified risk information is to evaluate the value of business activities versus their risk profiles. Two businesses with the same income but different risk levels have different value.
RAROC evaluates the risk of a business activity and the associated expected return from that activity. RAROC makes it possible to evaluate how much more expected return is required for each degree of risk and whether there are enough funds available to cover potential risks.
To quantify risk we use probability distributions of return obtained from historical records. This should be consistent with Value at Risk (VaR) and other statistical models. The goal is to consolidate risk, price risk and allocate capital based on expected returns.
RAROC makes it possible to evaluate risk and return and to compare the performance of an enterprise’s various units and activities, each of which will have a different risk portfolio. This allows benchmarks to be created. RAROC determines limits on different business activities such as trading or investing by adjusting return on an investment that accounts for capital at risk. RAROC allows comparing returns on a variety of projects with diverse levels of risk.
RAROC is a way to measure profitability in light of the degree of risk of the business activity.
Value at Risk (VaR) is a summary, statistical measure of total normal market risk of loss (total value that can be lost) on a certain portfolio of financial instruments at a certain confidence level. It measures how large potential likely losses could be due to “normal” movements in the market. The technique is one of the most recent techniques and was developed at JP Morgan.
A Value at Risk (VaR) result is structured as follows:
“with X% certainty, company will not lose more than $V in the next N days.”
Value at Risk (VaR) is a snapshot of a current risk level. The Value at Risk (VaR) is a floor for potential loss that can be incurred, not a ceiling. The potential loss can be VaR or higher. VaR is used to make sure that the company can handle potential losses. The potential losses cannot necessarily be prevented or, in some cases, should not necessarily be prevented due to the risk/return relationship.
The results of Value at Risk (VaR) analysis are expressed as a single number $V (the VaR number), which is determined based on two parameters: X%, which refers to the confidence level, and N days, which refers to the time horizon. $V refers to the maximum potential loss which will occur with X% certainty over N days, which is the number of days in the risk period under consideration. For example, with 1% certainty over a 5-day period.
Value at risk limits can be established for specific asset categories such as foreign exchange or real estate. The limits can also be set for various levels within an enterprise such as business unit level and overall company level.
The hurdle rate is also called the minimum acceptable rate of return (abbreviated MARR) or break-even yield. It refers to the minimum rate of return that is required before any project can be undertaken. The hurdle rate is used in capital budgeting and is the same as the required rate of return in the discounted cash flow analysis of long-term investment opportunities. It is a discount rate used when different investment alternatives are considered.
If the expected return on the proposed investment is below the hurdle rate, then the investment is not acceptable, and vice versa. Sometimes the hurdle rate also refers to the minimum internal rate of return (IRR) for the project to be undertaken.
The hurdle rate should be equal to the marginal cost of capital, which is also referred to as the incremental cost of capital. The hurdle rate is also a rate of return which is necessary to maintain market value of the firm. The market value of the firm refers to the firm’s current market price of shares.
Organizations use hurdle rates to evaluate long-term investment projects using discounted cash flow techniques (capital budgeting). This allows assessing potential projects more systematically. Such evaluation allows having better confidence that selected long-term investments will at least have returns equal to the marginal cost of capital.
Hurdle rates should be set for each project or at least for each business unit or division to account for differences in risk profiles across the enterprise.
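The following Python example is an addition to this text, not part of the original material. It works through the VaR statement, the RAROC ratio and the hurdle-rate test described above for two business units with the same income but different risk levels. The profit-and-loss histories and all figures are constructed; the use of historical simulation with a nearest-rank quantile, setting capital at risk equal to the 1-day 95% VaR, and reading the risk-free term as income earned on that capital (added to the numerator) are assumptions.

```python
import math

# Constructed daily profit-and-loss histories ($ million) for two hypothetical
# business units: both average the same daily result, but B swings far more.
UNIT_A_PNL = [3, -2, 1, -3, 2] * 4
UNIT_B_PNL = [15, -12, 9, -14, 3] * 4


def value_at_risk(daily_pnl, confidence, horizon_days=1):
    """Historical-simulation VaR: the loss $V that was not exceeded in a
    `confidence` share of the observed `horizon_days`-day windows."""
    if not 0 < confidence < 1:
        raise ValueError("confidence must be between 0 and 1")
    windows = len(daily_pnl) - horizon_days + 1
    if horizon_days < 1 or windows < 1:
        raise ValueError("history is shorter than the horizon")
    # Overlapping N-day P&L sums, turned into losses (positive = money lost).
    losses = sorted(-sum(daily_pnl[i:i + horizon_days]) for i in range(windows))
    # Nearest-rank quantile; round() guards against float noise such as 18.999...
    rank = math.ceil(round(confidence * windows, 9))
    return max(losses[rank - 1], 0)


def raroc(revenue, expenses, expected_losses, capital, risk_free_rate):
    """Risk-adjusted return on capital. Assumption: the risk-free term is the
    income earned on the capital itself and is added to the numerator."""
    if capital <= 0:
        raise ValueError("capital at risk must be positive")
    income_from_capital = capital * risk_free_rate
    return (revenue - expenses - expected_losses + income_from_capital) / capital


def rank_units(units, confidence, risk_free_rate, hurdle_rate):
    """Return (name, VaR, RAROC, accepted) tuples, best RAROC first."""
    rows = []
    for name, pnl, revenue, expenses, expected_losses in units:
        capital = value_at_risk(pnl, confidence)  # assumption: capital = 1-day VaR
        ratio = raroc(revenue, expenses, expected_losses, capital, risk_free_rate)
        rows.append((name, capital, ratio, ratio >= hurdle_rate))
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    same_income = (1.5, 0.9, 0.1)  # constructed revenue, expenses, expected losses
    units = [("A", UNIT_A_PNL, *same_income), ("B", UNIT_B_PNL, *same_income)]
    for name, var, ratio, ok in rank_units(units, 0.95, 0.03, 0.10):
        print(f"unit {name}: VaR={var} RAROC={ratio:.3f} accepted={ok}")
```

With identical income, the steadier unit A needs far less capital at risk and clears the assumed 10% hurdle rate, while unit B does not.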
Consolidated risk management, which is also called enterprise-wide risk management, refers to synchronized management of the total pool of risk in the enterprise. Consolidation of risks became possible due to advances in financial engineering and information technology.
Consolidation of risks is important for 5 main reasons:
- Consolidation of risks allows management to see the big picture of risk. Management is able to see what is happening to the total pool of risk in the enterprise. Management can analyze if risks are increasing or decreasing and why such changes occur. Moreover, management is able to compare how such changes relate to the risk tolerance level of the enterprise.
- Since management is able to see the big picture, it is in a better position to make decisions on risk management which lead to improved performance of the enterprise risk management process.
- Improved performance of the enterprise risk management process leads to improved performance of the enterprise and enhanced owner’s wealth maximization, which is the ultimate objective of the enterprise.
- Consolidation of risks involves letting go of some particulars and allows risks to be presented in a straightforward and uncomplicated manner, which facilitates effective management throughout the enterprise.
- Consolidation of risks involves analysis of the relationships between different risks. Thereafter, risks are categorized. This enhances quality of risk reporting, which in turn improves decisions associated with allocation of capital.
Approaches to consolidation of risks
Risks should be categorized into appropriate categories. If risks have the same drivers, then the risks are positively or negatively correlated. If risks do not have the same drivers, then such risks are uncorrelated.
When risks are categorized, appropriate methods should be chosen to manage each category. Methods for managing categories of consolidated risks include:
- Managing it as a portfolio of risks
- Obtaining insurance for the entire category or for each individual risk within the category, whichever is less costly. Transferring risk for the entire category will be more cost effective when risks have low or negative correlation, and costs will be high when risks have positive correlation.
- Using “natural hedges”. As an example, in 1984 the German airline Lufthansa signed a contract with the American company Boeing committing the airline to buy aircraft for $3 billion. The organization took out a forward contract for half of the amount (1.5 billion) to hedge itself against possible currency fluctuations. However, what was not taken into account is that Lufthansa’s cash flow was also essentially dollar-denominated. Therefore, Lufthansa had a “natural hedge” in this situation. Incidentally, the dollar depreciated by 30 percent in 1985 and Lufthansa incurred a sizable foreign-exchange loss due to the forward contract, which was unnecessary because of the “natural hedge” that the company had and which was overlooked.
Techniques to undertake risk monitoring include external and internal audits, appraisal of an enterprise’s risk management strategies, policies and procedures, and physical inspections.
Target outcome of risk monitoring
The target outcome of risk monitoring is to determine if the risk management objectives were achieved and which improvements can be made to enhance the risk management process. A number of questions should be answered during the risk monitoring stage:
- Is the risk profile of the organization altered?
- Are the assumptions on which the risk management strategy was determined still relevant?
- Is the risk management process effective and efficient?
- Does the risk management strategy still comply with government laws and regulations (if changes in laws and regulations occurred)?
- How does the risk management process contribute to the ultimate objective of the enterprise, which is wealth maximization of the shareholders?
Risk monitoring of the risk management environment includes monitoring of environmental risks and operational risks.
- Environmental risks refer to risks which occur in the external environment and over which the enterprise has no control. For example, if an unexpected adverse event occurs, management needs to re-evaluate the situation and adjust the organization’s risk management strategy and risk management implementation plan. This will ensure that unfortunate incidents do not evolve into a crisis.
- Operational risks refer to risks which occur in the internal environment of the enterprise and over which the enterprise has control.
Ongoing risk monitoring of the enterprise risk management (ERM) process allows enterprises to identify new risks in a timely manner. As an example, a new risk, such as new regulatory requirements, can be identified and attended to in a timely manner. It allows maintaining an up-to-date organizational risk profile. Potential opportunities and threats are also paid attention to. It also makes it possible to identify risk management practices that are inefficient or inappropriate, which must be followed by suitable adjustments. This allows decreasing the costs of such practices.
Further, risk monitoring allows confirming if assumptions and analysis underlying risk management strategies and implementation plans were correct. If not, timely adjustments must be made, which will lead to further improvements in the efficiency of the process. Questioning every assumption may be too time consuming. In such a case, a list of key assumptions must be compiled and monitored.
One of the ways to improve the risk management process is by using benchmarking methodology. Benchmarking refers to comparing certain performance indicators of the business to those of the competitors. It also can refer to comparing certain performance indicators between business units within the same enterprise. This methodology can be expensive and time consuming. Therefore, focusing on the crucial areas for success of the risk management process may be most appropriate.
Risk management training should also be undertaken to ensure employees’ improvement in risk management abilities, skills, knowledge and awareness, and to further enhance the quality of risk monitoring.