Enterprise Risk Management:
Hollow Tree or Giant Redwood?
Midwestern Actuarial Forum
Chicago
March 7, 2008
MAF
Rick Gorvett, FCAS, MAAA, ARM, FRM, PhD
Director, Actuarial Science Program
State Farm Companies Foundation Scholar in Act. Sci.
University of Illinois at Urbana-Champaign
Regarding the title of this talk
I certainly have nothing against
hollow trees…
E
C
D
E
xcessive
C
ookie
D
isorder
Agenda
• ERM in general
• Observations from the CAS ERM Online
Course
• Issues in advancing ERM
– ERM as complex systems analysis
– ERM as an evolutionary process
– ERM as subject to behavioral patterns
• Conclusion
“Who am I? Why am I here?”
- Admiral Stockdale, 1992
• Currently
– Director, Actuarial Science Program
– State Farm Companies Foundation Scholar in Actuarial
Science
– Professor, Depts. of Mathematics, Statistics & Finance
– University of Illinois at Urbana-Champaign
• Prior
– Senior Vice President
– Director of Internal Audit & Risk Management
•
•
•
•
•
Internal Audit
Corporate Investigations
Risk Management
Enterprise Risk Management
Business Continuity
ERM – General Thoughts
Steps in the
Risk Management Process
•
•
•
•
•
•
•
Determine the corporation’s objectives
Identify the risk exposures
Quantify the exposures
Assess the impact
Examine alternative risk management tools
Select appropriate risk management approach
Implement and monitor program
Likelihood
Impact of Financial Risk Management
on Cash Flow Volatility
Post-FRM
Pre-FRM
Cash Flow
An Initial ERM Comment
• You don’t become a famous writer by…
– Reading a book
– Reading about other authors
– Watching someone else write
• Similarly, you don’t become an “Enterprise
Risk Manager” by…
– Reading a book
– Taking a course
– Listening to a presentation
Rather, ERM is…
A complex process…
… involving broad-based and in-depth
knowledge and understanding…
… requiring an appropriate corporate culture,…
… and creativity…
… born of a variety of experiences…
… and insatiable curiosity.
Enterprise Risk Management
• Or “Enterprise Risk and Assurance
Management” or…
• What is ERM?
– Concerned with a broad financial and operating
perspective
– Recognizes interdependencies among corporate,
financial, and environmental factors
– Strives to determine and implement an optimal
strategy to achieve the primary objective:
maximize the value of the firm
Other Possible Goals of ERM
• Create and increase company value
• Ensure business continuity
• Stabilize earnings
• Enhance opportunities for the company to
achieve its objectives
• Make risk management more cost-efficient
Evolution of ERM
• Historically: “risk silo” mentality
• Mid-1990s:
– First “Chief Risk Officer”
– First use of ERM terminology
• Late-1990s:
– Risk-related regulatory requirements (e.g., Turnbull)
– Earnings protection insurance debuts
• 2001:
– September 11
– Corporate scandals
– Beginning of efforts to improve corporate governance
Current State
• Findings from various surveys
– An acknowledged need to improve risk
management
– A recognition that a holistic approach is
appropriate and preferable
– ERM can improve overall capital management
and thus enhance corporate value and
competitiveness
– A variety of approaches to improving risk
management
– There are still problems to overcome
A Paradigm Shift
Traditional
Emerging
• Risks managed in silos
• Concentrates on
physical hazards and
financial risks
• Insurance orientation
• Ad hoc / one-off
projects
• Centralized mgt., with
exec-level coordination
• Integrated consideration
of all risks, firm-wide
• Opportunities for
hedging, diversification
• Continuous and
embedded
Types of Risks
• Operational
– Hazard
– Physical
• Strategic
– Capital / resource allocation
– Industry / competitors
• Technological
– Databases
– Security
– Confidential information
• Stakeholder
• Legal
– Compliance
– Regulatory
• Financial
– Capital markets
– Credit risks
– Taxes
• Human capital
– Retention
– Training
• Reputational
Issues in ERM Implementation
• Different corporate cultures require different
ERM approaches
• Who is going to be the ERM champion within
the company
– Among senior executives
– Among departments / functions
• How to embed a risk management culture and
responsibilities throughout the firm
Components of the ERM Process
• Determine corporate objectives
Likelihood
• Risk identification
– Goal: comprehensiveness
Impact
– E.g., self-assessment
– Volatility measures
– Value at Risk (VaR)
Likelihood
• Risk measurement
Size of loss
Components of ERM (cont.)
• Assessing the impact
– Stress or scenario testing
– Stochastic simulation
• Examine and select alternative risk
management tools and techniques
– Traditional risk transfer
– Natural hedging / diversification
– Integration of risks
E.g.,
“dynamic
financial
analysis”
Keys to Success in ERM
• Senior management commitment and
sponsorship
• Embed a “risk management culture” in the
corporation at the operational level
• Provide for accountability, both specific and
widespread
• Clearly defined responsibilities for
coordination and maintenance
• Adequate communication
ERM Tries to Avoid…
“A failure of imagination.”
- Frank Borman, in testimony to Congress,
responding to a question regarding the real
cause of the Apollo 1 fire and the resulting
three astronaut deaths, as dramatized in
HBO’s series From the Earth to the Moon
Observations from the CAS
ERM Online Course
CAS Online Courses
•
•
Originally, four modules in a Financial
Risk Management series
Newest course: “Intro to ERM”
–
–
•
First offering: October 2006
Fourth offering: January 2008
Course components:
–
–
–
–
12 lectures (PPT with voiceovers)
Readings, and case studies
Discussion forum
“Final exam”
Titles of Lectures
1) Introduction to ERM
7) Operational Risk
2) ERM in Context
8) Strategic Risk
3) ERM in Practice
9) Risk Metrics
4) ERM Framework
10) Application of ERM
5) Hazard Risk
11) COSO Pros and Cons
6) Financial Risk
12) Conclusion
Some Preliminary Observations
Significant But Most Difficult Risk to Quantify
•
Reputational risk
–
•
•
•
Quantification suggestions – e.g., “event study”
Human capital
Operational risk
Strategic risk
Some Preliminary Observations (cont.)
Status of ERM at Company
•
•
Many companies have moved in the
direction of ERM
Some are well along
–
•
CROs, risk committees
Some have a long way to go
–
–
–
Still some silo mentality
Focus on more immediate issues (e.g., SOX)
Question ERM’s staying power
Some Preliminary Observations (cont.)
Risk Measures – Alternatives to VaR
•
•
•
•
Economic capital
Measures relating risk and return (e.g.,
RAROC)
Probability of ruin
A few thought VaR and TVaR are
reasonable and serviceable
Some Preliminary Observations (cont.)
Greatest Risks Faced
•
•
•
•
•
•
Hazard risks (particularly catastrophe and
terrorism risks)
Reputational risks
Operational risks
Pricing – reserving risks
Financial risks
Strategic risks
Issues in Advancing ERM
(1) Complex Adaptive System
• A system of individual “agents” which interact
and adapt / evolve to changing conditions
• Characteristics
– Not reducible
– Self-organized emergence, exhibiting nonlinearities
– Bottom-up rather than top-down
• Some examples
–
–
–
–
Economies
Ecologies
Consciousness
Organizations
Complex Social Systems
“One must study the laws of human action
and social cooperation as the physicist
studies the laws of nature.”
- Human Action, Ludwig von Mises, 1949
Historical Recognition
“He intends only his own gain, and he is in
this, as in many other cases, led by an
invisible hand to promote an end which was
no part of his intention.”
- An Inquiry into the Nature and Causes of
the Wealth of Nations, Adam Smith, 1776
(2) Evolutionary Process
• There are several important parallels between
economic systems and biological evolutionary
theory
–
–
–
–
–
Complex systems
Self-organized agents / individuals
Adaptation / natural selection
Emergence of “order”
Understanding the historical process helps to
explain behavior
Biology and Economics
“The precise mathematical relationship which
describes the link between the frequency and
size of the extinction of companies, for
example, is virtually identical to that which
describes the extinction of biological species in
the fossil record. Only the timescales differ.”
- Why Most Things Fail: Evolution, Extinction &
Economics, Paul Ormerod, 2005
(3) Behavioral Concerns
• Various well-documented “fallacies” can cause
inaccurate or biased estimates of values,
probabilities, etc. E.g.,
– Anchoring fallacy: bias toward an initial value
– Inattentional blindness: concentrating in one area
can induce blindness to other events
– Availability fallacy: immediately-available
examples have a perhaps undue influence on our
estimates
Evaluating Probabilities
“The information provided by advocacy groups is blunt.
“Y-Me states that breast cancer is ‘the overall leading cause of death in
women between the ages of 40 and 55.’ It adds: ‘In the United States,
1 in 8 women will develop breast cancer in her lifetime. This year,
breast cancer will be newly diagnosed every three minutes and a
woman will die of breast cancer every 13 minutes.’
“CapCure, the organization founded by Michael Milken to fight prostate
cancer, states similar statistics: ‘In 2002, an estimated 189,000 men
will be diagnosed with prostate cancer. This represents one new case
every three minutes.’
“While the figures are accurate, some medical researchers are concerned
by the messages they convey. Such statements, they say, may lead
people to exaggerate their chances of getting and dying from a
fearsome disease.”
- “Experts Strive to Put Diseases in Proper Perspective,” by Gina Kolata, New York Times, 7/2/02
Evaluating Probabilities (cont.)
“Even concerns about real dangers, when blown out of proportion, do
demonstrable harm. Take the fear of cancer. Many Americans
overestimate the prevalence of the disease, underestimate the odds of
surviving it, and put themselves at greater risk as a result. Women in
their forties believe they have a 1 in 10 chance of dying from breast
cancer, a Dartmouth study found. Their real lifetime odds are more like
1 in 250. Women’s heightened perception of risk, rather than motivating
them to get checkups or seek treatment, can have the opposite effect. A
study of daughters of women with breast cancer found an inverse
correlation between fear and prevention: the greater a daughter’s fear of
the disease the less frequent her breast self-examination. Studies of the
general population-both men and women-find that large numbers of
people who believe they have symptoms of cancer delay going to a
doctor, often for several months. When asked why, they report they are
terrified about the pain and financial ruin cancer can cause as well as
poor prospects for a cure….”
- The Culture of Fear: Why Americans are Afraid of the Wrong Things, Barry Glassner,
2000, Basic Books
Research
•
•
New undergraduate research initiative at
the University of Illinois
Current research projects
–
–
–
–
Agent-based modeling
Predator – prey models
Power laws and their applications
Neuroeconomics and behavioral economics
Conclusion
ERM Predictions – Lam*
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
ERM will become an industry standard
CRO position will be prevalent
Audit committees will become risk committees
Economic capital will replace VaR
Enterprise-level transfer of risk
Impact of advanced technology
Measurement standard for operational risk
Mark-to-market accounting
Risk education will grow
Salary gap between risk professionals will widen
*Enterprise Risk Management: From Incentives to Controls, James Lam, 2003
Personal Conclusions
•
•
ERM is a giant redwood
However, let’s not underestimate how big
a challenge it is
–
–
•
Even in a “frictionless” world, quantifying
and codifying a holistic approach to risk
management is an enormous task
Real-world realities make it even more
difficult
But it’s worth the effort
Concluding Quotation
“The revolutionary idea that defines the
boundary between modern times and the past
is the mastery of risk”
- Peter Bernstein, Against the Gods