Enterprise risk management experts, and surely even many neophytes, are fairly adept at identifying exposures and events that can impede their organizations. What is much more difficult is measuring the potentially adverse impact of risks, making this the biggest X factor in the ERM process.
Consequently, it is quite challenging to determine how much risk exposure an organization can "tolerate"--that is, the extent of adverse risk impact a company can absorb so that the attainment of its goals will not be jeopardized.
It is equally difficult to assess a company's "threshold" to absorb these risk consequences--that is, the cross-over points beyond which significant strategic and operational changes need to be made.
As a result, it is likely that many organizations are exposed to risks that would materially compromise not only their current course but their very existence. In fact, the events of the last two years have dramatically highlighted this exposure, and many firms have been greatly harmed. Just ask AIG and Lehman Brothers.
Measurement of risk impact--both quantitative and qualitative--is clearly the most critical endeavor to perform accurately in determining an organization's tolerance for risk.
Each element of the risk measurement and reporting process can be flawed, because these elements are often performed in a vacuum--the result can be too narrow and theoretical in scope.
The quantifying component of risk measurement is built upon mathematics and modeling, utilizing:
o A series of approximations and assumptions.
o Identification of elements/variables to measure.
o Determination of the relationship between the various risk factors and the outcomes they might jeopardize.
The qualifying component, however, is often built on psychology--its effect on decision-making and the "emotional intelligence" of the individuals making judgments on risk. Consider the following:
o People work on problems they think they can solve, and they avoid those they don't think they can solve--due to complexity or political reasons. Elements in the latter category won't be addressed.
o They are slow and cautious in reacting to new information and reluctant to admit ignorance or mistaken assumptions. Solutions to risk mitigation may exist, but might not be implemented without inordinate study--paralysis by analysis.
o They look at fewer perspectives rather than more, possibly missing a better solution.
o They often place greater value on what they themselves have created than on what others have done, and may well miss out on higher-order thinking generated by a group and on the critical perspectives of others. Further, they are inclined to blame others for poor results, as opposed to studying the causes for their own mistaken conclusions and fixing them.
To make matters worse, risk measurement findings are commonly explained poorly to decision-makers seeking to use this information, and often not integrated into the organization's strategic thinking. This dynamic has created a somewhat broad impression that enterprise risk management isn't a valuable part of the management process--an unfortunate and potentially very dangerous perspective.
So then how should risk managers go about creating and executing successful ERM strategies?
Strategy is defined in a number of ways. One definition is "the approach companies take to win business by outmaneuvering their competitors."
It is therefore a plan of attack, comprised of a number of components, including products, distribution, marketing, finance, asset management, service and many others.
As executives and managers pursue their strategies to "earn" business, they are confronted with a number of prospective situations that can waylay their business growth plans--namely risks. When confronted by these scenarios, they are continually evaluating whether these situations are minor disturbances or business-threatening events.
How material are they, and are they mountains or molehills? Can the organization shrug them off, or might they cripple or seriously impair the organization, or worse, bring it to its proverbial knees?
To address these issues, ERM (and its various components) should be fully integrated into strategy and planning.
Strategies are pursued with peril if there are risks that can arise and cause serious damage to their implementation. The measurement of the risks and their potential adverse consequences is one litmus test that can provide a barometer of strategic success.
What are the practical questions to ask in determining risk tolerances and thresholds?
Question: What business activities conducted at your company, and what external events, have elements of risk that could cause adverse consequences relative to your company's tolerance or thresholds for risk too often for comfort (be it 1 percent or 20 percent of the time)?
Answer: This question assumes that the average result (expected value) of those activities is acceptable (if it were not, the activities wouldn't be pursued in the first place), but that a certain amount of the time the outcome is too negative and unacceptable--tail risk is a much less frequent but far more severe example of this concept.
If there were a 1 percent chance that a certain strategy would fail due to a particular set of risks, management most likely would pursue it, assuming it could protect itself in that very unlikely adverse circumstance.
Were there a 20 percent chance of failure, however, management would undoubtedly take a much more proactive stance, modify some aspect of the strategy/business plan, or perhaps abandon it completely.
Question: Who are the arbiters determining when the company is disadvantaged in a materially unacceptable way?
Answer: Management, particularly top management, is responsible for the day-to-day operations and long-term strategy for the organization, and as such is charged with managing the enterprise's risk and all of its various manifestations.
Can management act unilaterally in the oversight of risk for its organization? Decidedly not! There are many constituencies--namely the company's stakeholders--who have a powerful voice in the ultimate management of its risk, given that their vested interests in the company can be significantly affected.
A number of stakeholders have a considerable say over the many decisions a company makes about its business activities and the outcomes it experiences.
Key stakeholder groups include customers, producers, board directors, investors/shareholders, rating agencies, regulators, counterparties, financial and business partners, supply chain, executives, management and critical staff.
Besides being quantified and qualified in absolute and relative terms, risk thresholds/tolerances also need to be considered in light of the impact on the various stakeholder groups whose interests would be affected.
Further, it must be noted that individuals and entities, either within a particular stakeholder group or across groups, may respond differently to the adverse consequences of risk.
Given that these groups may well react differently and that their actions will have varying impacts on the company, it can be concluded that the smallest unacceptable risk impact triggering a materially undesirable reaction by any stakeholder group becomes the threshold.
For example, the loss of a certain amount of capital will lead a rating agency to downgrade a company before it leads to other stakeholder groups reacting in an undesirable manner. (See the accompanying sidebar for additional scenarios.)
Michael A. Cohen is principal of Cohen Strategic Consulting in Yardley, Pa. For more information, go to www.cohenstrategicconsulting.com.