Enterprise Risk Management: Theory and Practice

The Chief Risk Officer of Nationwide Insurance teams up with a distinguished academic to discuss the benefits and challenges associated with the design and implementation of an enterprise risk management program. The authors begin by arguing that a carefully designed ERM program—one in which all material corporate risks are viewed and managed within a single framework—can be a source of long‐run competitive advantage and value through its effects at both a “macro” or company‐wide level and a “micro” or business‐unit level. At the macro level, ERM enables senior management to identify, measure, and limit to acceptable levels the net exposures faced by the firm. By managing such exposures mainly with the idea of cushioning downside outcomes and protecting the firm's credit rating, ERM helps maintain the firm's access to capital and other resources necessary to implement its strategy and business plan. At the micro level, ERM adds value by ensuring that all material risks are “owned,” and risk‐return tradeoffs carefully evaluated, by operating managers and employees throughout the firm. To this end, business unit managers at Nationwide are required to provide information about major risks associated with all new capital projects—information that can then used by senior management to evaluate the marginal impact of the projects on the firm's total risk. And to encourage operating managers to focus on the risk‐return tradeoffs in their own businesses, Nationwide's periodic performance evaluations of its business units attempt to refl ect their contributions to total risk by assigning risk‐adjusted levels of “imputed” capital on which project managers are expected to earn adequate returns. The second, and by far the larger, part of the article provides an extensive guide to the process and major challenges that arise when implementing ERM, along with an account of Nationwide's approach to dealing with them. Among other issues, the authors discuss how a company should assess its risk “appetite,” measure how much risk it is bearing, and decide which risks to retain and which to transfer to others. Consistent with the principle of comparative advantage it uses to guide such decisions, Nationwide attempts to limit “non‐core” exposures, such as interest rate and equity risk, thereby enlarging the firm's capacity to bear the “information‐intensive, insurance‐ specific” risks at the core of its business and competencies.     

Enterprise Risk Management and the Cost of Capital

Enterprise risk management (ERM) is a process that manages all risks in an integrated, holistic fashion by controlling and coordinating any offsetting risks across the enterprise. This research investigates whether the adoption of the ERM approach affects firms' cost of equity capital. We restrict our analysis to the U.S. insurance industry to control for unobservable differences in business models and risk exposures across industries. We simultaneously model firms' adoption of ERM and the effect of ERM on the cost of capital. We find that ERM adoption significantly reduces firm's cost of capital. Our results suggest that cost of capital benefits are one answer to the question how ERM can create value.     

Incorporating Strategic Risk into Enterprise Risk Management: A Survey of Current Corporate Practice

Since ERM is a relatively recent activity and has yet to be fully implemented in most companies, there has been little academic research about its accomplishments and about the obstacles to further progress. In particular, very little has been published about corporate attempts to identify and manage corporate strategic risks while integrating them into a corporate‐ wide ERM framework. This article uses responses collected from a survey of 271 risk and financial executives in North American and European companies to address the following questions: What forces are behind this push for a more organized and integrated management of significant risks? What challenges are companies encountering as they implement implement ERM? Once fully in place, how does ERM affect the company's ability to implement its strategy? The primary drivers of ERM are said to be corporate governance requirements and other regulatory pressures, and management and investor demand for greater understanding of strategic and operating risks. The benefits of full ERM implementation are increased management accountability and better governance practices, greater managerial understanding of and consensus about corporate strategy, and, in some cases, higher credit ratings and hence a lower cost of capital. The tools and techniques to measure the impact of strategic risks appear to vary, depending on the stage of ERM implementation. For advanced ERM companies, the most frequently used tools and techniques are key risk indicators, self‐assessments, and scenario analysis.     

UNIVERSITY OF GEORGIA ROUNDTABLE ON: Enterprise‐Wide Risk Management

For many years, MBA students were taught that there was no good reason for companies that hedge large currency or commodity price exposures to have lower costs of capital, or trade at higher P/E multiples, than comparable companies that choose not to hedge such financial price risks. Corporate stockholders, just by holding well‐diversified portfolios, were said to neutralize any effects of currency and commodity price risks on corporate values. And corporate efforts to manage such risks were accordingly viewed as redundant, a waste of corporate resources on a function already performed by investors at far lower cost. But as this discussion makes clear, both the theory and the corporate practice of risk management have moved well beyond this perfect markets framework. The academics and practitioners in this roundtable begin by suggesting that the most important reason to hedge financial risks—and risk management's largest potential contribution to firm value—is to ensure a company's ability to carry out its strategic plan and investment policy. As one widely cited example, Merck's use of FX options to hedge the currency risk associated with its overseas revenues is viewed as limiting management's temptation to cut R&D in response to large currency‐related shortfalls in reported earnings. Nevertheless, one of the clear messages of the roundtable is that effective risk management has little to do with earnings management per se, and that companies that view risk management as primarily a tool for smoothing reported earnings have lost sight of its real economic function: maintaining access to low‐cost capital to fund long‐run investment. And a number of the panelists pointed out that a well‐executed risk management policy can be used to increase corporate debt capacity and, in so doing, reduce the cost of capital. Moreover, in making decisions whether to retain or transfer risks, companies should generally be guided by the principle of comparative advantage. If an outside firm or investor is willing to bear a particular risk at a lower price than the cost to the firm of managing that risk internally, then it makes sense to lay off that risk. Along with the greater efficiency and return on capital promised by such an approach, several panelists also pointed to one less tangible benefit of an enterprise‐wide risk management program—a significant improvement in the internal corporate dialogue, leading to a better understanding of all the company's risks and how they are affected by the interactions among its business units.     

UNIVERSITY OF GEORGIA ROUNDTABLE ON ENTERPRISE-WIDE RISK MANAGEMENT

For many years, MBA. students were taught that there was no good reason for a company that hedged a large currency exposure to trade at a higher P/E than an otherwise identical company that chose not to hedge. Corporate stockholders, simply by holding well‐diversified portfolios, were said to neutralize any effects of interest rate and currency risk on corporate values. And thus corporate efforts to manage risk were thought to be “redundant,” a waste of corporate resources on a function that was already accomplished by investors at far lower cost. But the theory underlying this “perfect markets” framework has changed in recent years to focus on ways that corporate risk management can add value. The academics and practitioners who participated in this roundtable began by discussing in general terms how risk management can be used to support a company's strategic plan and investment policy. At Merck, for example, where R&D spending was determined as a percentage of earnings, a policy of hedging foreign currency exposure to reduce earnings volatility was viewed as adding value by “protecting” the firm's R&D. The panelists also agreed that a well executed risk management policy can increase corporate debt capacity and, in so doing, reduce the cost of capital by lowering the likelihood of financial distress. For example, companies with debt covenants might undertake a risk management program to lower earnings volatility and ensure a minimum level of earnings for debt compliance purposes. But one of the clear messages of the roundtable is that risk management and earnings management are not the same thing, and that companies that view risk management as primarily a tool for smoothing reported earnings have lost sight of its real economic functions. Moreover, in making decisions to retain or transfer risks, companies should generally be guided by the principle of comparative advantage. That is, if there is an outside firm or investor willing to bear a particular risk at a lower price than the cost to the firm of managing that risk internally, then it makes sense to lay off that risk. In addition to the cost savings and higher return on capital promised by such an approach, a number of the panelists also pointed to a less tangible benefit of an enterprise‐wide risk management program—namely, a marked improvement of the internal corporate dialogue, leading to a better understanding of all the firm's risks and how they are affected by the interactions among the firm's business units.     

Structuring an Enterprise Risk Assessment Protocol: Traditional Practice and New Methods

In a world that has become increasingly complex, enterprise risk management (ERM) has emerged as a practice for identifying reasonably foreseeable hazards that pose risks to an organization, both its physical and human assets. Due to the breadth and depth of factors that can impact an organization's risk portfolio, it is incumbent that the underlying risk assessment process that supports ERM embodies a holistic and systematic approach. This is easier said than done, however, as much of the effort in self‐acclaimed ERM programs remain entrenched in compartmentalized parts of the organization or ignore threats that are “outside of the box” of the operating environment to which management is accustomed. This environment therefore creates opportunities for key risks to go unnoticed. The authors propose a comprehensive, yet flexible framework for overcoming this challenge, an approach that can be utilized by both the public and private sector. A sample application is provided, using a free, web‐based tool developed as part of the initiative.     

Lessons from the Financial Crisis on Risk and Capital Management: The Case of Insurance Companies

This article proposes that risk management be viewed as an integral part of the corporate value‐creation process— one in which the concept of economic capital can provide companies with the financial cushion and confidence to carry out their strategic plans. Using the case of insurance and reinsurance companies, the authors discuss three main ways that the integration of risk and capital management creates value:

• 1 strengthening solvency (by limiting the probability of financial distress);
• 2 increasing prospects for profitable growth (by preserving access to capital during post‐loss periods); and
• 3 improving transparency (by increasing the “information content” or “signaling power” of reported earnings).

Insurers can manage solvency risk by using Enterprise Risk Management (ERM) models to limit the probability of financial distress to levels consistent with the firm's specified risk tolerance. While ERM models are effective in managing “known” risks, we discuss three practices widely used in the insurance industry to manage “unknown” and “unknowable” risks using the logic of real options—slack, mutualization, and incomplete contracts. Second, risk management can create value by securing sources of capital that, like contingent capital, can be used to fund profitable growth opportunities that tend to arise in periods following large losses. Finally, the authors argue that risk management can raise the confidence of investors in their estimates of future growth by removing the “noise” in earnings that comes from bearing non‐core risks, thereby making current earnings a more reliable guide to future earnings. In support of this possibility, the authors provide evidence showing that, for a given level of reported return on equity (ROE), (re)insurers with more stable ROEs have higher price‐to‐book ratios, suggesting investors' willingness to pay a premium for the stability provided by risk management.     

Is ERM Legally Required? Yes for Financial and Governmental Institutions,No for Private Enterprises

We examine whether enterprise risk management (ERM) is legally required for financial institutions (e.g., banks, securities brokerage firms, insurance, hedge funds and mutual funds), government entities, publicly traded companies, and private enterprises. We find that ERM is legally required for U.S. financial institutions and for some government‐sponsored enterprises. Legally required means required by U.S. statutes, federal case law, or U.S. regulatory agencies (e.g., Securities and Exchange Commission [SEC]). ERM is an important factor for rating organizations (e.g., Standard & Poor's [S&P]), but not legally required. We found no U.S. statutes or federal court cases requiring an ERM framework for private enterprises, although ERM is accepted as a value‐contributing best practice, and elements of ERM are practiced by some private enterprises. For publically traded companies, elements of ERM are required by federal statute, by the SEC, and by S&P. We suggest that if a private enterprise is sued in U.S. federal court alleging breach of a legal duty to practice ERM, the suit will likely be dismissed. We trace the development of ERM from a traditional risk management (TRM) base. Fortunately, ERM is recognized as a value‐contributing best practice in corporate governance even when legal standards do not require it.     

The Theory and Practice of Corporate Risk Management*

The financial crisis of 2008 and the resulting recession caught many companies unprepared and, in so doing, provided a stark reminder of the importance of effective risk management. While academic theory has long touted the benefits of risk management, companies have varied greatly in the ways and extent to which they put theory into practice. Drawing on a global survey of over 300 CFOs of non‐financial companies, the authors report that while most CFOs felt that their risk management programs have significant benefits, the risk management function in general needs more attention. A large percentage of the finance executives surveyed acknowledged that the most important corporate risks extend far beyond the CFO's direct reports, and that risk‐based thinking is not incorporated into everyday business activities or corporate strategies. A large majority of executives also said they were seeking a more widespread understanding of risk throughout their organizations—and many confessed their firms' inability, or lack of interest, in evaluating their own risk management functions. At the same time, the efforts of most companies to develop enterprise‐wide risk management (ERM) programs were said to fall well short of the comprehensive and highly coordinated programs envisioned by the proponents of such programs. Three areas of opportunity were clearly identified as having potential to improve corporate risk management in ways that increase firm value over an entire business cycle:

• ? Incorporate risk management thinking into the strategic planning process. Line executives, and not just technicians, need to be sensitive to risks, thereby building flexibility into the firm's business plan and its execution.
• ? Clearly define the objectives of the risk management function, in part by developing appropriate benchmarks. The risk management process should be subject to the same rigorous evaluation process that is used when measuring risks throughout the business.
• ? Instill a risk management culture throughout the organization. While an effective risk management function is necessary, only when employees at all levels of the company embrace risk management as part of their daily operations will the firm get maximum value from risk management.

     

ENTERPRISE RISK MANAGEMENT: THE CASE OF UNITED GRAIN GROWERS

Enterprise risk management (ERM) refers to the identification, quantification, and management of all of a company's risks within a unified framework. This approach is much more comprehensive than traditional risk management practice, where different types of risk are managed by different people using different tools. The authors evaluate the advantages and disadvantages of ERM and then describe how United Grain Growers (UGG), a major farm service provider in Western Canada, established such an approach.
Extensive risk identification and measurement indicated that the volatility of UGG's earnings was driven to a large extent by changes in the volume of its grain shipments, which in turn were principally due to variation in weather. After first considering the use of weather derivatives to hedge the risk, the company ended up purchasing an insurance contract, bundled with its traditional insurance coverage, that pays UGG if its grain volume is unexpectedly low. The potential for moral hazard that can make insurance an expensive proposition was limited by basing payoffs on industry grain shipments rather than the company's shipments. The bundled approach served to expand and integrate UGG's insurance coverage, while eliminating redundant coverage.
Besides economizing on insurance costs, another valuable aspect of enterprise risk management is as a source of information about the operations of the firm. By providing managers with a better understanding of their business and events that can undermine the firm's strategic objectives, ERM can lead to better operating decisions as well as a more efficient approach to risk retention and risk transfer.     

Optimal Capital Allocation Principles

This article develops a unifying framework for allocating the aggregate capital of a financial firm to its business units. The approach relies on an optimization argument, requiring that the weighted sum of measures for the deviations of the business unit's losses from their respective allocated capitals be minimized. The approach is fair insofar as it requires capital to be close to the risk that necessitates holding it. The approach is additionally very flexible in the sense that different forms of the objective function can reflect alternative definitions of corporate risk tolerance. Owing to this flexibility, the general framework reproduces several capital allocation methods that appear in the literature and allows for alternative interpretations and possible extensions.     

The Determinants of Enterprise Risk Management: Evidence From the Appointment of Chief Risk Officers

Enterprise risk management (ERM) has captured the attention of risk management professionals and academics worldwide. Unlike the traditional "silo-based" approach to corporate risk management, ERM enables firms to benefit from an integrated approach to managing risk that shifts the focus of the risk management function from primarily defensive to increasingly offensive and strategic. Despite the heightened interest in ERM, little empirical research has been conducted on the topic. This study provides an initial attempt at identifying the determinants of ERM adoption. We construct a sample of firms that have signaled their use of ERM by appointing a Chief Risk Officer (CRO) who is charged with the responsibility of implementing and managing the ERM program. We use a logistic regression framework to compare these firms to a size- and industry-matched control sample. While our results suggest a general absence of differences in the financial and ownership characteristics of sample and control firms, we find that firms with greater financial leverage are more likely to appoint a CRO. This finding is consistent with the hypothesis that firms appoint CROs to reduce information asymmetry regarding the firm's current and expected risk profile.     

Risk and capital transfer in insurance groups

The aim of this paper is to analyze the effect of capital and risk transfer instruments (CRTIs) on a financial group's risk situation. In this respect, we extend previous literature by accounting for the conglomerate discount on firm value, which is a reduction in shareholder value due to diversification within the group. In general, CRTIs between parent and subsidiaries have a substantial effect on the diversification of risks, economic capital requirements, and default risk, which we study in detail for different types of CRTIs, including intra-group retrocession and guarantees. One main finding is that diversification effects within the group are much lower when taking into account conglomerate discount effects. We believe this aspect to be an important issue in the ongoing discussion on group solvency regulation and enterprise risk management.     

Optimal Contracting,Corporate Finance,and Valuation with Inalienable Human Capital

A risk‐averse entrepreneur with access to a profitable venture needs to raise funds from investors. She cannot indefinitely commit her human capital to the venture, which limits the firm's debt capacity, distorts investment and compensation, and constrains the entrepreneur's risk sharing. This puts dynamic liquidity and state‐contingent risk allocation at the center of corporate financial management. The firm balances mean‐variance investment efficiency and the preservation of financial slack. We show that in general the entrepreneur's net worth is overexposed to idiosyncratic risk and underexposed to systematic risk. These distortions are greater the closer the firm is to exhausting its debt capacity.     

Risk Management—the Revealing Hand

Many believe that the recent emphasis on enterprise risk management function is misguided, especially after the failure of sophisticated quantitative risk models during the global financial crisis. One concern is that top‐down risk management will inhibit innovation and entrepreneurial activities. The authors disagree and argue that risk management should function as a “revealing hand” that identifies, assesses, and mitigates risks in a cost‐efficient way. In so doing, risk management can add value by allowing companies to take on riskier projects and strategies. But to avoid problems encountered in the past, particularly during the recent crisis, risk managers must overcome deep‐seated individual and organizational biases that prevent managers and employees from thinking clearly and analytically about their risk exposures. In this paper, the authors draw lessons from seven case studies about the ways that a corporate risk management function can foster highly interactive dialogues to identify and prioritize risks, help to allocate resources to mitigate such risks, and bring clarity to the value trade‐offs and moral dilemmas that often must be addressed in decisions to manage risks. Developing an effective risk management system requires, first, an agreement about a company's objectives, values, and priorities; second, a clear formulation and communication of the firm's “risk appetite”; and, third, continuous monitoring of a firm's risk‐taking behavior against its declared risk limits. Quantitative risk models should not be the sole—or even the most important—basis for decision‐making. They cannot replace management judgment and are best used to trigger in‐depth discussions among managers and employees about the most important risks faced by the firm and the best ways to respond to them.     

Enterprise risk management and firm performance: A contingency perspective

In recent years, a paradigm shift has occurred regarding the way organizations view risk management. Instead of looking at risk management from a silo-based perspective, the trend is to take a holistic view of risk management. This holistic approach toward managing an organization’s risk is commonly referred to as enterprise risk management (ERM). Indeed, there is growing support for the general argument that organizations will improve their performance by employing the ERM concept. The basic argument presented in this paper is that the relation between ERM and firm performance is contingent upon the appropriate match between ERM and the following five factors affecting a firm: environmental uncertainty, industry competition, firm size, firm complexity, and board of directors’ monitoring. Based on a sample of 112 US firms that disclose the implementation of their ERM activities within their 10Ks and 10Qs filed with the US Securities and Exchange Commission, empirical evidence confirms the above basic argument. The implication of these findings is that firms should consider the implementation of an ERM system in conjunction with contextual variables surrounding the firm.     

The impact of enterprise risk management on the marginal cost of reducing risk: Evidence from the insurance industry

We test the hypothesis that practicing enterprise risk management (ERM) reduces firms’ cost of reducing risk. Adoption of ERM represents a radical paradigm shift from the traditional method of managing risks individually to managing risks collectively allowing ERM-adopting firms to better recognize natural hedges, prioritize hedging activities towards the risks that contribute most to the total risk of the firm, and optimize the evaluation and selection of available hedging instruments. We hypothesize that these advantages allow ERM-adopting firms to produce greater risk reduction per dollar spent. Our hypothesis further predicts that, after implementing ERM, firms experience profit maximizing incentives to lower risk. Consistent with this hypothesis, we find that firms adopting ERM experience a reduction in stock return volatility. We also find that the reduction in return volatility for ERM-adopting firms becomes stronger over time. Further, we find that operating profits per unit of risk (ROA/return volatility) increase post ERM adoption.     

Inalienable Customer Capital,Corporate Liquidity,and Stock Returns

We develop a model in which customer capital depends on key talents' contribution and pure brand recognition. Customer capital guarantees stable demand but is fragile to financial constraints risk if retained mainly by talents, who tend to quit financially constrained firms, damaging customer capital. Using a proprietary, granular brand‐perception survey, we construct a firm‐level measure of the inalienability of customer capital (ICC) that captures the degree to which customer capital depends on talents. Firms with higher ICC have higher average returns, higher talent turnover, and more precautionary financial policies. The ICC‐sorted long‐short portfolio's spread comoves with financial constraints factor.     

The Characteristics of Firms That Hire Chief Risk Officers

We examine the characteristics of firms that adopt enterprise risk management (ERM) and find support for the hypothesis that firms adopt ERM for direct economic benefit rather than to merely comply with regulatory pressure. Using chief risk officer (CRO) hires as a proxy for ERM adoption we find that firms that are larger, more volatile, and have greater institutional ownership are more likely to adopt ERM. In addition, when the CEO has incentives to take risk, the firm is also more likely to hire a CRO. Finally, banks with lower levels of Tier 1 capital are also more likely to hire a CRO.