Enterprise Risk Management
Introduction
National Standard through Claxon Actuaries is well-positioned to provide advice and guidance to management and boards of directors of institutions in designing and implementing their ERM framework. The concept of Enterprise Risk Management (ERM) has existed for a number of years, with the practice of ERM gaining significant prominence in the aftermath of the 2008 global financial crisis. We encourage institutions of all shapes and sizes to treat ERM as an integral component of the institution’s overall business strategy. We believe that this should be ingrained in the institution’s culture.
The Risk Management Association defines ERM as “the management capability to manage all business risks in pursuit of acceptable returns.” Management and boards of directors should use an ERM framework to answer relevant business questions pertaining to an institution’s risk appetite, business strategy and risk coverage, governance and policies, risk data and infrastructure, measurement and evaluation, control environment, response, and stress testing.
At the center of the ERM framework model is culture. If an institution lacks the right culture and strong leadership at the top, none of the other elements will materialize. We can state as a fact that institutions that comprehend and adopt ERM as a way of thinking typically outperform those that do not.
The Risk Management Association recognizes that, ultimately, an enterprise risk management strategy can provide answers to three basic business questions:
⦁ Should we do it (aligned with business strategy, risk appetite, culture, values, and ethics)?
⦁ Can we do it (people, processes, structure, and technology capabilities)?
⦁ Did we do it (assessment of expected results, continuous learning, and a robust system of checks and balances)?
ERM as a concept
The ERM framework applies regardless of the size of an institution or how an institution wishes to categorise its risks, with culture at the heart of the framework. The framework should help management and boards of directors answer these relevant business questions:
⦁ What are all the risks to our business strategy and operations (coverage)?
⦁ How much risk are we willing to take (risk appetite)?
⦁ How do we govern risk taking (culture, governance, and policies)?
⦁ How do we capture the information we need to manage these risks (risk data and infrastructure)?
⦁ How do we control the risks (control environment)?
⦁ How do we know the size of the various risks (measurement and evaluation)?
⦁ What are we doing about these risks (response)?
⦁ What possible scenarios could hurt us (stress testing)?
⦁ How are various risks interrelated (stress testing)?
ERM competencies
Below are descriptions of key components in a strong enterprise risk management framework:
⦁ Business strategy and risk coverage
Risk management must function in the context of business strategy and answer the basic question, “what is our business strategy and associated risks?”
Before an institution can articulate its risk appetite, it must first determine its goals and objectives, i.e., its business strategy. The institution must define what it wants to achieve in terms of markets, geographies, segments, products, earnings, and so on. From there, the institution assesses the risk implied in that strategy and determines the level of risk it is willing to assume in executing that strategy. Regardless of its specific business strategy, an institution is exposed to the following risks:
⦁ Credit
⦁ Liquidity
⦁ Strategic/business/reputation
⦁ Market/interest rate
⦁ Operational
⦁ Compliance/legal/regulatory
⦁ Financial
⦁ Capital adequacy
⦁ Risk appetite and tolerance
The concepts of risk appetite and risk tolerance are often used interchangeably, but they have distinct meanings. Risk appetite represents the level of volatility an institution is willing to assume in executing its business strategy. Risk tolerance refers to day-to-day operational limits developed within the context of an organisation’s stated risk appetite, for example, concentration limits.
It is important for management and the board of directors to understand the critical links among strategy, business plans, and risk. A risk appetite statement is one tool that facilitates this linkage. In this context, the risk management function is an integral part of the institution’s overall strategies and specific business objectives, which is an essential part of the institution’s success, returns, and value creation.
⦁ Culture, governance, and policies
Culture, governance, and policies collectively help an institution manage its risk-taking activities.
Culture can be described as “what people do when they are not being watched”, and it is the most important aspect of any good ERM competency. It is important for an institution to understand “what a good risk management culture looks like”, including governance and policies guided by board- and management-level governance committees that oversee risk-taking activities.
Policies express the risk appetite of an institution to stakeholders. They describe to all stakeholders what the company is willing to do and not to do. The statement of risk appetite is executed through policies – what to do, and procedures – how to do them.
⦁ Risk data and infrastructure
Boards of directors and management accomplish their risk management responsibilities through a deep understanding of the company’s risk profile. Risk data and infrastructure refers to how this information is collected, integrated, analysed, and translated into a cohesive story. This area is probably the most challenging aspect of ERM, as an institution can easily spend millions without yielding the appropriate business results. Any good risk management infrastructure requires a highly robust management information system. Data and systems challenges are what we have seen under risk-based solvency regimes for insurance companies and banks, IFRS 9 for banks, and IFRS 17 for insurance companies.
⦁ Control environment
The internal control environment is one of the most important tools in the management toolbox for the management of risks. Internal controls help reduce the level of inherent risk to a level acceptable to management. The system of internal controls includes culture, governance, policies, preventive and detective controls, and scenario planning.
Management relies on internal controls to manage residual risk to an acceptable level. Residual risk is defined as the level of inherent risks reduced by internal controls. Building an effective internal control environment allows management to control what can be controlled.
⦁ Measurement and evaluation
At any given time, boards of directors and management must manage a portfolio of risks (from asset quality, liquidity, and interest rate, to business continuity, information security, privacy, etc.). The science and art of measurement in ERM is about concluding which risks are significant and which ones are not, and where to invest time, energy, and effort. To accomplish the goal of measurement and evaluation, an institution may adopt anything from a simple colour-rating model (green, yellow, and red) to a highly sophisticated risk-adjusted return on capital (RAROC) model, or perhaps a middle-of-the-road failure mode and effects analysis (FMEA) model.
Regardless of method used, measurement and evaluation helps boards and management answer the question, “so what?”. The process of measurement and evaluation must include the system of internal controls and must determine how well the risks can be managed.
⦁ Scenario planning and stress testing
The art of ERM is the ability to answer the question, “what can go wrong and, hence, create deviation from expected outcomes?” In that pursuit, management must address known, knowable, and unknowable risks. Scenario planning and stress testing are tools that focus on the knowable and, perhaps, some unknowable risks. A robust scenario planning and stress testing discipline is a must from a capital planning perspective.
Our capabilities
Implementing a robust ERM framework is not a tick-the-box exercise but is essential for any financial or non-financial institution. It encompasses all relevant risks an institution may face. A robust ERM framework, therefore, supports institutions in managing risks well, comprehensively, and with an understanding of the interrelationship/correlation among various risks. The successful institution incorporates a robust ERM capability and strategy as part of its culture by integrating what already exists to create a comprehensive and integrated view of the institution’s risk profile in the context of its business strategy. National Standard is well positioned to assist institutions in their ERM journey.
The material on this webpage has been sourced from the Risk Management Association website with some edits to reflect our own understanding and views on ERM. For more details, please visit https://www.rmahq.org/erm-framework