Managing risk information successfully has become a priority for European companies. Graham Buck asks what a risk information system needs to be effective for everyone within the organisation.

Enterprise risk management became more than just a buzz phrase many years back. But since the onset of the credit crunch, ensuring that employees at all levels of the organisation have awareness and understanding of risk has accelerated its climb up the corporate priorities list.

At the start of 2009, broker Aon issued its latest survey of UK risk managers, asking them to name the most important challenges faced in the year ahead. The group found that ‘embedding ERM in the culture of the organisation’ was the single issue named more than any other, being cited by 70% of respondents.

‘The risk management landscape across Europe varies from country to country, but even in the less developed regions there is a great desire to learn more,’ says Stephen Roberts, head of the strategic risk practice at Marsh Risk Consulting.

He highlights three key drivers behind this interest: firstly, the focus on credit ratings; secondly, the ability of organisations to use ERM in demonstrating the robustness of their business management; and thirdly, the fact that shareholders are paying increasing attention to the quality of corporate risk management.

‘Any form of additional spending on ERM is not a concessionary spend,’ Roberts adds. ‘Companies are allocating money and resources in order that they can weather the economic storm and still move forward.

‘The areas in which the risk manager was typically deployed used to be risk assessment and risk profiling. Now he or she must ask questions such as “how do we trade through the downturn?” and “what are our key resources?”’

By embedding ERM in the corporate culture, these issues can be more effectively addressed. A successful ERM system implies a valuable flow of inward and outward information. However, it needs to be carefully structured to be effective for all of the organisation’s employees, not just those at managerial level.

The need for comprehensive risk information at all levels is driven by several factors. The modern economy and the goals of increasing profit, expansion and globalisation mean that organisations, individuals and nations are no longer confined to the risk of local or domestic markets only, observes Michael Porteous, a senior consultant for Aon Global Risk Consulting.

As global economies become interlinked, risk exposures and impacts can shift from one environment to another with alarming speed. The latest financial crisis materialised so quickly that it caught most experts off guard, while its impact on the world economy was, in most cases, underestimated. ‘How, after more than 10 years of investment in complying with a myriad of regulations and standards, can we get it so wrong?’ asks Porteous.

A question of assessment

Despite the absence of a single common definition of what constitutes ERM, it is generally agreed that it involves the process of enabling business risk to be assessed across the company.

The overall objective is to put the entire spectrum of risk into perspective and to judge the company’s ability to measure each risk, says Peter Hacker, a partner of JLT Risk Solutions and head of its global technology and communications group. It also enables a company to assess how much capital needs to be reserved for and allocated to certain risks, before deciding whether to retain the risk or allocate it to the capital markets.

As part of this process, a distinction will be made between fortuitous risks, which the insurance market is generally willing to assume, and non-fortuitous risks, which shareholders believe the company is duty bound to absorb and which have to be allocated for.

‘If you are able to manage risk, you see a paradigm shift as a result,’ says Hacker. ‘By gaining the total picture, the company and its management can best deploy what are limited resources through the most cost-efficient allocations.’

He says that the degree to which ERM has been established within the corporate culture largely depends on which particular industry a company operates within. In the technology sector it appears to have made considerable progress, although many possibly thought likewise of the financial services sector until relatively recently.

‘Many companies are doing very good exercises from a quantitative viewpoint and capturing risk through clearly defined processes,’ Hacker adds. ‘But others struggle with the total cost of the approach to risk and determining its cost and severity. The difficulty is that many risks are intangible.’

He suggests that where progress is most lacking is in devising a means of transferring risk such as intellectual property from the balance sheet to third parties. But provided that risk can be quantified, transfer should be feasible.

The tougher regulatory regime in the US introduced through Sarbanes-Oxley (SOX) has forced companies there to tackle the issues involved in embedding ERM, Hacker suggests. Although in some of Europe’s main economies, such as Germany, specific ERM requirements also apply, other countries on this side of the Atlantic lag behind.

SOX is not the only reason for the differential. In the US, risk management reports directly to treasury, but in Europe the two departments are typically separate. Also, the US does not have the differentiation between corporate risk management and insurance commonly found in Europe. As the roles are often separate on this side of the Atlantic, insurance tends to be the department of security, which means that non-fortuitous risk is not included.

However, Ed Wrazen, VP product management and strategy for Trillium Software, believes that Basle II has acted as a driver for risk-based systems on this side of the Atlantic and points out that its principles are also being deployed in the US.

‘Europe is now more advanced in its compliance as a result. Risk departments have to take ownership of the data, not just assume that it’s OK, and the risk management team seeks assurance that the information is correct.’ And the financial crisis, far from hindering, has accelerated the process, as there is greater interest in data quality.

Across the spectrum

So how can European risk managers improve performance when tackling their information needs?

Porteous believes that the quality of risk information has been insufficient to allow effective foresight, planning and decision making.

‘No longer is it sufficient for organisations to consider or focus on one or a few types of risk alone, such as financial, manufacturing or political,’ he says.

‘Rather, all companies need to expand their appreciation of where risks may be manifesting and how these exposures could be linked. Risk works in mysterious and very unpredictable ways!’

So while regulations and shareholder activism have made organisations more aware of risks, truly effective risk management will remain unachievable unless high quality risk information can be efficiently produced and used responsibly.

Many of the problems being experienced stem from the data element and absorbing that data, says Bart Patrick, head of insurance at software group SAS UK. Risk decisions are made at group level, but as different units within the group apply differing standards, effective action is severely limited.

‘A lot of operational risk is still carried out at various levels through spreadsheets, which doesn’t help with either risk assessment or the introduction of benchmarking data,’ observes Patrick. ‘So the functional elements in the risk process impede the risk manager in getting an overall view of risk.’

And despite the increasing focus on credit ratings, there appears to be no one true model that can be applied to credit scoring and protecting against credit risk-type losses.

Patrick adds that the company needs accurate, clean data that is ‘fit for purpose’. The company may have an extensive data warehouse, but (as is often the case) it may not be specifically risk data. The information needs to be in a form that helps with the calculation of risk.

‘A clean data set doesn’t necessarily give you a clear picture of actual or potential fraud, for example. Certain things may be missed in the data that is available,’ he says. ‘You need an amount of apparently superfluous information to ensure that you are looking at risk from every angle.’

Data intelligence and governance are essential for preserving financial capital, suggests Ed Wrazen. Missing or inaccurate data can directly lead to a breakdown of business processes for determining risk or achieving compliance. Inability to demonstrate a provable risk model results from this, increasing the company’s exposure but also causing it to set aside capital reserves that may be well in excess of actual needs.

Wrazen says that determining capital reserve requirements is typically done by building assumptions on conservatively chosen data values to plug holes. Consequently, they can be under- or overstated.

‘This introduces incredible risk into the equation, because decisions for capital reserves and preservation have an element of guesswork in them rather than being based on accurate, provably-correct information,’ he adds. ‘Risk managers are forced to make allocation decisions in the dark.’

The benefits of recession

So how can risk managers ensure that ERM is truly embodied – and provide the framework necessary for the free flow of information? Roberts suggests there are a number of key pragmatic best practice considerations to include in any plan:

• The platform must be uniformly accessible and understood by everyone across the organisation.

• The platform needs to have high usability across the organisation.

• The package must allow the risk manager to capture the proximate cause of risk.

• The package must be amenable to the production of risk maps, which are an effective and graphic means of communicating the risk register.

To this list needs to be added software that allows for the measuring of inherent and residual risk, so that risk can be assessed both before controls are introduced and after, and an information system that allocates roles and responsibility for tackling risk.

Roberts adds a note of caution, however: ‘Many organisations produce their own risk management software, but there are also a significant number that go out and buy at too early a stage. As a result it often becomes a bit of a lame duck.

‘The recession might actually help in preventing companies from acting too hastily. They won’t go out and buy until they know what tool is required and until the risk management system has first been embedded through training.’

To sum up – today’s organisations must increase their ability to systematically identify, measure, consolidate, prioritise, report and respond to all types of risk, says Michael Porteous.