Risk management has become increasingly important in today's business climate and at the same time, more difficult to assess. With the enactment of the Sarbanes-Oxley Act of 2002, more stringent reporting and record-keeping demands have been placed on already over-burdened organizations. The field of enterprise (or enterprise-wide) risk management (ERM) is evolving to fill organizations' needs. Currently, three different industries and professions have provided the models that are in general use: energy and financial services; auditing; and insurance.
In the energy and financial services industries, organizations sought to manage risk because of volatility in the financial and commodities markets and the need to have a more consistent means to calculate revenue and profits. The term enterprise risk management was most likely used first in these industries. Initially this sector used high-level statistical science and mathematics to help solve the volatility risks they face in the markets. The energy and financial services industries soon realized that similar techniques could be applied to manage credit risk as well. These predictive models provided the invaluable analytical means necessary to assess the most effective hedging methods needed to manage these specific risks.
From a historical perspective, the energy and financial services industries developed a bottom-up approach to ERM called Operations Risk Management that attempts to identify and document every negative risk event (or loss) in the organization and also identify, document and quantify the cost of every control (or risk management activity) in the organization through the aggregation of historical losses and operations risk costs. This assessment methodology results in capturing costs associated with operations risks, but does not measure any other types of risk or those risks that could be associated with volatile markets.
The auditing profession also developed methods of ERM to manage the risks not controlled by analysis of pure financial data. Traditional sampling methods, in most cases, did not dig deep enough to get results, and auditors found that they did not always uncover all the relevant information and could miss events such as fraud in a corporation. To resolve this problem, auditors utilized a control-based audit method, with risk as the best determinant of control sampling, to assess the internal controls of the organization. The auditors could then assess what modifications to controls must be put into place to ensure the effective management of the risks. This method is referred to as business risk management, as well as ERM. While the auditing profession has developed a version of ERM to assess and manage the risks associated with the practices and procedures used in an organization, this ERM process still does not include real-dollar risk quantification or a means to measure ERM effectiveness.
The third to develop ERM was the insurance industry. For those who buy and sell insurance, risks can be difficult to assess. Insurance company actuaries learned that by applying actuarial modeling to the whole, rather than peril-by-peril, total expected losses were lowered, resulting in the emergence of integrated insurance policies. The insurance industry found that bundling low or negatively correlated risks would lower the overall cost of risk because the risks offset one another to some degree. This approach, while managing the risks associated with hazards or perils, does not provide information for risks that cannot be insured by traditional mechanisms.
ERM has been generally defined as a process that focuses on identifying, measuring and responding to anything that could affect the achievement of objectives. It puts risk and the assessment of risk at the heart of decision-making for an organization. While it can improve audit effectiveness or internal controls, it also serves as a methodology to structure and improve the overall efficiency and effectiveness of an organization or a particular process within an organization. Since the enactment of the Sarbanes-Oxley Act of 2002, ERM has become even more important as a business process because it can be used to assess the effectiveness of internal controls.
The next step to making organizations effective in the optimal sense is Strategic Risk Management (SRM). SRM is a measurable, multi-dimensional process that is integrated through all of an organization's planning, budgeting and decision-making processes. It uses the fundamental ERM approach of identifying, measuring and responding to risk, and creates value through its effective and practical application as a fully integrated process of the organization. In effect, SRM applies ERM tools and methods strategically, thereby enabling an organization to generate measurable value from its adoption.
Three distinct risk management options exist for measuring and quantifying historical risks and risk-related activity in a business setting.
First, the Total Cost of Risk (TCOR) model addresses a narrow spectrum of risk events, including those risks that are insured or hedged. The TCOR method provides a means of organizing and measuring the impact of risks based on information available for those that are well-defined, including perils, hazards, liabilities and other risk events. The TCOR model organizes risk information into three categories: administrative activities, premiums/spreads, and risk retention. This method is commonly used to assist professional insurance buyers in assessing their personal risk management performance and the effectiveness of their insurance programs.
The TCOR method, however, has several disadvantages. This method is limited to a well-defined, measured set of insurable or hedgeable risks. The TCOR method fails to address the effect of positive risk opportunities and fails to measure the impact of lost positive risk opportunities. It also makes no connection between risk and performance or the ability to achieve objectives. Finally, this method does not provide a means to measure SRM/ERM performance.
A second method of measuring risk involves the aggregation of historical losses and operations risk costs and is commonly called Operations (or Operational) Risk Management or Operations (or Operational) Risk Quantification. This bottom-up approach, commonly used in the financial services and energy industries, attempts to identify and document all negative risk events or losses in an organization. This method identifies, documents and quantifies the cost of every control, or risk management activity, as well as attempting to quantify all of the risks that fall into the broad category of operations risk.
Because it uses a detailed bottom-up methodology, the Operations Risk Management approach is quite labor-intensive and costly. It also cannot guarantee that it includes all risks in its measurements. For example, it does not address the effect of positive risk opportunities and, like the TCOR method, does not measure the impact of lost positive risks. Further, this method is limited to those risks that are defined as operations-type risks and does not correlate the measurement of risk with performance or an ability to achieve objectives. This type of measurement does not provide a methodology to measure and manage continuous improvement. Finally, this method does not provide a means to measure SRM/ERM performance.
A third method of measuring risk is "at-risk" technology. This method can have many different names, depending on the variable for which risk is being measured. This method calculates the value of aggregate risk events by measuring volatility, or the change in risk over time. This method can be applied in the calculation of the maximum expected loss, or value at risk, of specific assets or any other regularly measured corporate value. The at-risk value used in this method is equivalent to one standard deviation of historical actual events over a period of more than 24 months, or an equivalent number of data points.
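As an added illustration, not part of the original text, the following Python computes the at-risk value described above as one standard deviation of a historical series and refuses to produce a figure when the series covers 24 months or fewer, the minimum history the method calls for. The monthly loss figures are constructed, and the function names, the use of the population standard deviation and the one-deviation band around the mean are assumptions introduced here, not anything the text specifies.

```python
"""At-risk value as one standard deviation of a historical series.

Added worked example; the data and function names are assumptions.
"""
from statistics import mean, pstdev

# The text requires "more than 24 months" of history, i.e. at least 25 points.
MIN_OBSERVATIONS = 25

# Constructed monthly loss figures (in thousands) for 26 months.
# Half the months came in at 80 and half at 120, interleaved irregularly,
# so the mean is 100 and the population standard deviation is exactly 20.
MONTHLY_LOSSES = [
    80, 120, 120, 80, 80, 120, 80, 120, 120, 80, 80, 120, 80,
    120, 80, 80, 120, 120, 80, 120, 80, 80, 120, 120, 80, 120,
]


def has_enough_history(observations):
    """True when the series spans more than 24 periods, as the method requires."""
    return len(observations) >= MIN_OBSERVATIONS


def at_risk_value(observations):
    """One standard deviation of the historical series (population form assumed).

    Raises ValueError rather than returning a figure computed on too little
    history, since a short series understates volatility and makes the
    resulting value at risk look better than it is.
    """
    if not has_enough_history(observations):
        raise ValueError(
            f"need at least {MIN_OBSERVATIONS} observations, got {len(observations)}"
        )
    return pstdev(observations)


def expected_loss_band(observations):
    """Mean loss plus and minus one at-risk value, i.e. the one-deviation band."""
    m = mean(observations)
    s = at_risk_value(observations)
    return (m - s, m + s)


if __name__ == "__main__":
    print("observations:", len(MONTHLY_LOSSES))
    print("at-risk value:", at_risk_value(MONTHLY_LOSSES))
    print("one-deviation band:", expected_loss_band(MONTHLY_LOSSES))
```

Note what the number does and does not capture: it reflects only the dispersion of past losses, so, as the text goes on to say, it carries no information about what was spent managing those risks or about whether objectives were met.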
This third method presents several problems in practical application. First, it fails to incorporate the cost of managing risk. Second, it makes no connection between risk and performance or ability to achieve objectives. Third, it fails to determine the effectiveness or optimization of SRM/ERM activity. This method is also difficult to benchmark and does not fully incorporate the commonly accepted ERM definition of risk.
Therefore, there is a need for a method of assessing and managing risk that can manage risk while making a connection to performance and ability to achieve objectives. This method should also measure all types of risk, including positive risk activities or opportunities, provide a means to measure SRM/ERM performance, incorporate the accepted ERM definition of risk, and optimize the ability to benchmark goals.