CONTRIBUTIONS OF ERM RISK

Now we move into new territory, identifying the seven contributions of ERM. More than that, we develop a paradigm for enterprise risk management. We get close to the operational level where risk comes alive and managers deal with it on a day-to-day basis.

Contribution 1: Recognize the Upside of Risk

As already explained, the first contribution of ERM occurs when “risk opportunity” is incorporated into the definition of “risk.” This acknowledges the interaction among risks because an exposure does not occur in isolation.

HENRY FORD’S UPSIDE OF RISK

Henry Ford was manufacturing Model T automobiles in Detroit. Employees worked 10 hours a day for six days a week to earn $18 per week. Such a schedule did not leave time to drive automobiles or do much else. In 1914, Ford changed the nature of work in the United States when he paid workers $5 a day for five days’ work per week. He also shortened the workday to eight hours.

Other companies followed. People had time for activities other than paid work. A leisure society started. It became a fully developed consumer economy after World War II. By his action, Ford played two roles in the world of risk management:

Added Hazard Risk. Trucks and automobiles were a massive new exposure. People drove farther and faster, resulting in accidents insurance. They also needed safe driving lessons, better roads, and safer cars. A whole new risk management area arose.

Upside of Risk. People had more leisure time to conduct activities that did not involve the automobile. The reduction in working hours, accompanied by a rise in income, increased demand for his vehicles. It also allowed Americans to conduct new risky activities. This byproduct of Mr. Ford’s decision gave new impetus to risk management.

Contribution 2: Assign Risk Owners

The second contribution of ERM is to assign a risk owner for every category of risk. In an ERM structure, the “owner” has the knowledge, experience, and ability to manage the exposure and thus be accountable for it. As we will see in Part Three, some risks cannot be addressed with a single risk owner.

U.S. AIRWAYS RISK OWNERSHIP

U.S. Airways flight 1549 landed with no loss of life on the Hudson River in 2009. The landing, by pilot Chesley “Sully” Sullivan, was called the “Miracle on the Hudson.” Prior to 2009, U.S. Airways had a history of finishing at the bottom of customer service rankings. Maybe it learned something from the JetBlue incident. Maybe not. Whatever the case, U.S. Airways was ready to seize opportunity in a situation of risk. The airline had a program of conducting dry runs for incidents three times a year at every airport it served. A Care Team of gate agents, reservation clerks, and other employees could be dispatched on a moment’s notice to the scene of an incident. It created an 800 number that accepted toll-free calls so that families and friends could call for information.

When the incident occurred, everybody moved. Some 150 employees from the company headquarters in Arizona rushed to the airport and boarded a plane for New York. They had advance authorization to use their personal credit cards. Some individuals had suitcases filled with prepaid cell phones, sweat suits, and dry clothes. Someone brought a bag of cash.

Once on site, everyone went to work. Staff members escorted passengers to hotels set up with 24-hour buffets. Employees purchased medicines, toiletries, and other needed items. They arranged train tickets and rental cars for individuals who did not want to get back on a plane. They reached out to high-level executives at Hertz and Amtrak so that passengers would receive no hassle getting the tickets. They retained locksmiths to help passengers who had lost keys for their cars or homes.

Activities continued in the weeks after the incident. One follow-up action involved sending letters updating passengers after they arrived home. Another was to refund the airplane ticket and give each passenger $5,000 to replace lost possessions. Additional monies were promised to passengers where $5,000 did not cover losses.

Upside: U.S. Airways received millions of dollars of free publicity after the incident. Its reputation soared.

Contribution 3: Align Risk Accountability

A third contribution of ERM recognizes the importance of matching responsibility and accountability for risk management with the business model of the enterprise. This produces the least disruption of current successful practices while adding a new perspective on and capacity to understand business risk. Alignment occurs when risks are grouped together so that they can be managed by a single owner.

A business model includes several items. The first is a value to be created for customers or clients. Second is the architecture of the organization, which creates a hierarchy, partnerships, and other structures to deliver the value. Next is the network of employees, partnerships, and other relationships that create and deliver value. Finally, resources aligned with the structure provide the capital, assets, and people needed to generate sustainable profits and cash flows.

ERM can be fitted to the various units and levels of the business model. ERM is enhanced when key risks have risk owners while internal controls take care of “all” risks. Then we can use a structure of lower-level risks to drill down risk ownership into the entity.

Who are the risk owners in a business model? Functional staff members in production, marketing, and finance support the business model. Business units, including relatively autonomous regions and operations, are obvious risk owners. Finally, and not to be omitted, are key initiatives. These major activities reflect highly visible goals, cross unit lines, provide entrepreneurial opportunities, and solve major problems.

The final step is to match risk categories with risk owners. This enhances the chance that the risk alignment will work smoothly. Each risk owner is focused on his or her important risks. This limited list of perhaps five to eight exposures should be created at each hierarchical level. Risks handled by day-to-day organizational practices and internal controls are not part of the structure and are included only as exceptions if an internal control process breaks down.

FORD MOTOR COMPANY RISK ACCOUNTABILITY

Another Ford Motor Company story occurred in the late 1990s. The company recognized an exposure to price fluctuations in the rare metal palladium, an important component in catalytic converters. To reduce the risk, the purchasing department hedged the exposure by signing long-term contracts to purchase palladium at stable but high prices. Did the strategy work?

No. Ford’s Research and Development department recognized the same risk and redesigned catalytic converters requiring minimal palladium. In 2001, the price per ounce of palladium dropped from $1,500 to $400, causing Ford to suffer a loss of $1 billion.

Contribution 4: Create a Central Risk Function

A fourth contribution of ERM is to create a central risk function. This is an individual or unit responsible for the coordination of risk discussions across the entity. It should occupy a high position in the hierarchy and have access to senior executives. Its goal should be to facilitate efforts by risk owners to manage risk.

A central risk function can identify risks that might otherwise be missed by senior executives at the top of an organization (chief marketing officer, and so on, and business unit or key initiative executives). By facilitating the sharing of risks and strategies, it can manage and vet information. By influencing risk discussions, it can reduce the tendency for silos to refuse to share information and hide negative conditions. In some formulations of ERM, a central risk function takes on the perceived role of managing risk. It may even be responsible for insurance buying or loss control. This is not a good model because risk identification and risk sharing are fundamentally different from risk transfer or mitigation. Somebody other than the central risk function should buy insurance and ensure workplace safety. Organizations need a central activity that seeks out factors that are changing the business landscape. What is happening with markets, regulators, politics, competitors, and other sources of risk? What is happening inside the organization itself with cultural, management, leadership, human resources, and unit life cycle exposures? These are important issues. They deserve full attention.

WARREN BUFFETT’S CENTRAL RISK FUNCTION

The role of a central risk function is often played by the CEO or one of the senior executives of a company. Warren Buffett comes to mind. In 2003, he foresaw the signs of the 2008 financial crisis and sounded an alarm: “Charlie Munger [Buffett’s partner at Berkshire Hathaway]and I are of one mind in how we feel about derivatives and the trading activities that go with them. … We try to be alert to any sort of mega-catastrophe risk, and that posture may make us unduly apprehensive about the burgeoning quantities of long-term derivatives contracts and the massive amount of uncollateralized receivables that are growing alongside. … In our view, however, derivatives are financial weapons of mass destruction, carrying dangers that, while now latent, are potentially lethal.”

Contribution 5: Install a High-Tech Electronic Platform (HTEP)

A fifth contribution of ERM is the recommendation to create a risk management decision support system specifically designed to help understand risk. It is a tool to share identified risks and recognize the scope of each exposure. It provides a repository to show how a risk owner is evaluating each risk and allows sharing alternatives and recommendations. In Part Two, we will recommend features of such a high-tech platform, including these:

Risk Clusters. Risk categories should be built so that risk relationships can be understood quickly and without clutter. A risk cluster is a grouping of related risks showing the interaction of exposures. As an example, a fire causes loss of property but also has an impact on future business, earnings, and cash flows.

Risk Mitigation Details and Activities. The individual exposures should be linked to inherent risks and managed risks. All authorized risk owners can see the activities and mitigation strategies and make suggestions for improvements or cooperation.

AIG’s View of Risk

Early in 2008, Martin Sullivan, the CEO of AIG, became concerned that his company had a high degree of exposure to agreements whereby AIG guaranteed payment for losses. At the time, AIG had no ability to visualize the exposure using modern technology. He needed a system such as that shown in Figure 3-1. He would have been able to look right down the hierarchy, see the United Kingdom unit offering the guarantees, and view the exposure and mitigation efforts. Without the technology, he had to rely on the word of his subordinates. Based on what they said, he assured investors and others that AIG had no exposure in a declining market for home mortgages. If he had had the view in 2005, the world might have avoided the severe difficulties it faced as a result of the 2008 financial crisis.

Contribution 6: Involve the Board of Directors

A sixth contribution of ERM involves the fiduciary role of the board. Its members understand the importance of complying with Sarbanes–Oxley. They usually require periodic reports from internal audit. How can a board not also have independent reporting on enterprise risk?

The board has numerous options to obtain risk progress reports. Figure 3-2 shows a structure where the central risk function is reporting directly to the chief executive officer but also has a communications line directly to a committee of board members who oversee risk identification for other board members.

Figure 3-3 presents a different structure. The board has charged a single board member with responsibility to report on risk identification. This board member has a direct communications link with the central risk function.

Contribution 7: Employ a Standard Risk Evaluation Process

The seventh contribution of ERM encourages the use of a viable evaluation process to assess risk. It is essentially a problem-solving process that is used widely in planning and budgeting and that is modified to systematically approach decisions to retain, transfer, reduce, or avoid exposures. This is one version:

Identify the Risk. External risks are largely uncontrollable because they arise from the competitive environment, economic factors, acts of regulatory bodies, and other outside sources. Internal risks reflect the culture, value structure, management and leadership styles, subcultures, and relationships among employees, suppliers, customers, and others. Exposures exist from faulty business processes, internal controls, and weaknesses among workers and departments.

Assign an Owner or Owners. Establish clear accountability by matching every important risk with a functional area, business unit, or key initiative. Delegate accountability down a chain of command to co-owners in a direct reporting line with the risk owner.

Assess the Impact. What is the expected frequency of each risk? Is the chance of loss remote or likely? What are the levels of damage severity under different assumptions? Support assessments with both quantitative analysis and qualitative considerations.

Evaluate Mitigation Options. What choices are available? Can the risk be retained, avoided, reduced, or transferred? Recognize the trade-off between the cost of mitigating the risk and the benefits gained by accepting it.

Implement, Monitor, and Revise. Pick an option and implement it. Monitor the results so that adjustments can be made as needed. Ensure flexibility if conditions change or new information becomes available.

Conclusion

You don’t need to be a rocket scientist to understand the importance of enterprise risk management. You just have to get it right.

QUESTION:

According to the text, Enterprise Risk Management (ERM) has contributed seven factors to better manage risk. Briefly describe each one and how it brings value to the risk management effort.