Understanding The Enterprise Risk Management Process
Casualty Actuarial Society Special Interest Seminar
San Francisco, April 3, 2001
Through The Risk Manager’s Eyes
Robert Wolf - Principal
William M. Mercer Inc./MMC Enterprise Risk - Chicago
Laurie Champion - Manager, Corporate Insurance
Ford Motor Company - Treasurer’s Office - Dearborn
Ken Zignorski - Managing Director
MMC Enterprise Risk - New York
ERM Trends - What’s Going On?
Integrated Risk Management Programs - What Does this Mean?
Risk Manager Response - Industry Examples
Risk Manager Response - Ford Motor
ERM Evolution Actuarial Evolution
Evaluating Hazard/Financial Risk in a silo
Determine what to charge in order to meet profit targets (Ratemaking)
What to set aside to meet future obligations of past events (Reserving)
What to budget in order to pay for self-insured obligations and premiums
What to set aside to meet future obligations of retained risk
Continuing Evolution Actuarial Evolution
Evolving Demands for Risk Integration
Holistic Evaluation of Assets and Liabilities (Dynamic Financial Analysis (DFA))
Optimum Capital Structure
Realization of Business Plan
Optimum Risk Financing
What risks to retain/insure - captives, retros, large deductibles
..but still only Hazard and Financial Risk
ERM Evolution Actuarial Evolution
All sectors of Corporate America
Not merely Insurance Companies and their Customers
Evolution of Risk Management
As the quantification/approach to measuring/handling risk evolves, so too does our job description.
From Insurance Buyer to Integrated/Consolidated Risk Strategy
Traditional: Evaluate Hazard/Financial Risk
Evolution: DFA (Insurance Companies)/ ERM
Why the Evolution of ERM
E-Commerce, Market/Book Values
New Risk Products
Merger of Insurance and Financial Institutions
Realization that Silo-Based Approaches are Flawed
Ignores inherent hedges and correlation
Increased Management Accountability
New Regulations requiring corporate governance
Why the Evolution of ERM
In short, because Society Demands it
Computer and Information Age
We couldn’t do what we are doing today if we needed to use slide rules or an abacus.
Focus Optimize Shareholder Value
How Does Risk Manifest Itself?
[Figure: Primary Cause of Stock Drop (# of Companies; % of top 100), grouped by risk type: Strategic, Operational, Financial, Hazard. Causes shown: Cost Overruns; Accounting Irregularities; Management Ineffectiveness; Supply Chain Issues; Competitive Pressure; M&A Integration Problems; Misaligned Products; Customer Pricing Pressure; Loss of Key Customer; Supplier Problems; R&D Delays; Customer Demand Shortfall; Regulatory Problems; Foreign Macro-Economic Issues; Interest Rate Fluctuation; High Input Commodity Price; Lawsuits; Natural Disasters.]
Source: Compustat, Mercer Management Consulting analysis. Period examined was June 1993 to May 1998.
Note: There were also 5 stock drops for which the primary cause could not reliably be determined. These 5 stock drops are not depicted.
Fortune 1000 Group Analysis: 10% of the Fortune 1000 companies suffered a loss of over 25% of shareholder value within one month
Two Ways to Interpret Graph
Hazard and Financial Risk is Not Important
Hazard and Financial Risk has been and continues to be managed well
Testimonial for risk managers, actuaries, brokers, and financial analysts.
We need to continue the process
…The opportunity now is to work on the left side of the graph.
Risk Managers and Senior Executives Are Hearing More and More About Risk Management
What is Enterprise Risk Management? - EIU Survey
“ERM assesses and manages all risks while looking for upsides in identifying risks.”
“The goal of Enterprise Risk Management is to understand all of the risks on a quantitative and intuitive level and to manage them through a central risk area - to take advantage of the synergies of managing risk in one area.”
“Enterprise Risk Management is about information and capital management.”
“Good risk management is reflected in share price indirectly, but the market is not giving a premium for ERM yet, it’s still too new.”
“The ultimate goal of Enterprise Risk Management is preservation of shareholder value.”
“Managing risk enterprise wide means two things: bringing all the pieces of the enterprise together to add the exposures, and using the whole enterprise to manage risk - making sure at the corporate level that all the different oversight departments are working together.”
“The job of Enterprise Risk Management is figuring out where the edge of the cliff is, and making sure the risk takers know where it is.”
Selected views of ERM by Senior Management:
Enterprise Risk Management
Enterprise Risk Management is a process for identifying and prioritizing critical risks facing an organization, quantifying their impact on financial and strategic objectives, and implementing financial and organizational solutions to address them.
1. Risk management is a systematic, critical-risk focused activity
2. Risk is quantified to make informed business decisions
3. Risk management is an integral part of strategic planning and budgeting
4. Pricing, capital allocation, performance measures consider potential risk as well as returns
5. Risk is not automatically avoided, but weighed against opportunity to optimize risk versus return
6. Risk mitigation/financing focuses on events and volatilities that could compromise financial and strategic objectives
Economist Intelligence Unit ERM Study
Some Candidate Models - Random Walk & Mean Reverting
Comparison of Price Paths: Random Walk vs. Mean Reverting Process
RW: $\ln S_t - \ln S_{t-1} = e_t$
MR: $\ln S_t - \ln S_{t-1} = 0.10\,[\ln 100 - \ln S_{t-1}] + e_t$
[Figure: Comparison of Sample Price Paths, Random Walk vs. Mean Reverting Process. X-axis: Week (1 to 51); Y-axis: Price (0 to 250).]
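The two price-path models above can be simulated side by side to see how far the choice of model moves the tail of the price distribution. This is an added example, not part of the original slides; the shock volatility (SIGMA), the starting price (S0), the path count and the seed are assumptions, since the slide gives only the reversion speed 0.10 and the reversion level 100.

```python
import math
import random
import statistics

KAPPA = 0.10      # reversion speed, from the slide's MR equation
LONG_RUN = 100.0  # reversion level, from the slide (ln 100)
WEEKS = 51        # the slide's chart covers weeks 1 to 51
SIGMA = 0.08      # ASSUMPTION: weekly std dev of e_t (not given on the slide)
S0 = 100.0        # ASSUMPTION: starting price


def simulate_pair(rng, weeks=WEEKS):
    """Return one RW path and one MR path driven by the same shocks e_t."""
    ln_rw = ln_mr = math.log(S0)
    rw, mr = [S0], [S0]
    for _ in range(weeks):
        e = rng.gauss(0.0, SIGMA)
        ln_rw += e
        ln_mr += KAPPA * (math.log(LONG_RUN) - ln_mr) + e
        rw.append(math.exp(ln_rw))
        mr.append(math.exp(ln_mr))
    return rw, mr


def theoretical_log_sd(weeks=WEEKS):
    """Std dev of ln S after `weeks` steps: (random walk, mean reverting)."""
    phi = 1.0 - KAPPA  # MR is an AR(1) in ln S with coefficient 1 - kappa
    rw_sd = SIGMA * math.sqrt(weeks)
    mr_sd = SIGMA * math.sqrt((1.0 - phi ** (2 * weeks)) / (1.0 - phi ** 2))
    return rw_sd, mr_sd


def summarize(prices):
    """Spread of terminal prices: log std dev plus 1st and 99th percentiles."""
    ordered = sorted(prices)
    n = len(ordered)
    return {
        "log_sd": statistics.pstdev([math.log(p) for p in ordered]),
        "p01": ordered[int(0.01 * n)],
        "p99": ordered[int(0.99 * n)],
    }


def terminal_stats(n_paths=5000, seed=2001):
    """Monte Carlo spread of the week-51 price under each model."""
    rng = random.Random(seed)
    ends = [tuple(path[-1] for path in simulate_pair(rng)) for _ in range(n_paths)]
    return summarize([e[0] for e in ends]), summarize([e[1] for e in ends])


if __name__ == "__main__":
    rw_stats, mr_stats = terminal_stats()
    print("theory (rw, mr):", theoretical_log_sd())
    print("random walk    :", rw_stats)
    print("mean reverting :", mr_stats)
```

With the same shocks, the random walk's uncertainty keeps growing with the square root of time, while the mean-reverting path's uncertainty levels off, so a 1%/99% band built on the wrong model misstates the exposure by a wide margin.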
Volatility Around Annual Expected Cost
Diversification / covariance effect captured through integration of financial risks
Reduces capital required to manage volatility
[Figure: Deviation from mean for each individual risk (Risk 1 to Risk 8, Currency among them), shown with mean values and 1%, 10%, 90% and 99% levels, alongside Combined Risks (1 to 8) and Integrated Risks (1 to 8). The chart contrasts the summed total under separate treatment with the combined total and labels the effect of integrating as $764M.]
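The diversification / covariance effect described above can be worked through on a small portfolio. This is an added example, not taken from the slides: the four risks, their volatilities and their correlations are constructed sample values, and deviations are assumed to be normally distributed so that 99% capital is a fixed multiple of the standard deviation.

```python
import math
from statistics import NormalDist

# Constructed sample data: stand-alone annual volatility ($M) per risk.
RISKS = {"currency": 30.0, "interest_rate": 40.0, "commodity": 120.0, "property": 50.0}
# Constructed pairwise correlations; unlisted pairs are treated as uncorrelated.
CORR = {("currency", "interest_rate"): 0.6, ("currency", "commodity"): -0.5}
Z99 = NormalDist().inv_cdf(0.99)  # ASSUMPTION: normally distributed deviations


def rho(a, b):
    """Correlation between two named risks (symmetric lookup)."""
    if a == b:
        return 1.0
    return CORR.get((a, b), CORR.get((b, a), 0.0))


def silo_capital(risks=RISKS):
    """99% capital when each risk is measured alone and the results are summed."""
    return Z99 * sum(risks.values())


def portfolio_sd(risks=RISKS):
    """Standard deviation of the combined portfolio, covariance included."""
    var = sum(sa * sb * rho(a, b) for a, sa in risks.items() for b, sb in risks.items())
    return math.sqrt(var)


def integrated_capital(risks=RISKS):
    """99% capital when the risks are measured together."""
    return Z99 * portfolio_sd(risks)


def contributions(risks=RISKS):
    """Euler allocation: each risk's share of the integrated capital."""
    sd = portfolio_sd(risks)
    return {a: Z99 * sa * sum(rho(a, b) * sb for b, sb in risks.items()) / sd
            for a, sa in risks.items()}


if __name__ == "__main__":
    print(f"summed silo capital : {silo_capital():7.1f}")
    print(f"integrated capital  : {integrated_capital():7.1f}")
    for name, share in contributions().items():
        print(f"  {name:<14}{share:7.1f}")
```

In this constructed portfolio the currency risk has a negative contribution: it offsets the commodity exposure, so hedging it away inside its own silo would raise the enterprise total rather than lower it.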
Over insurance/hedging of non-correlated and negatively correlated risks
Under insurance/hedging of positively correlated risks
Higher than understood exposure to event risk
Missed opportunities to place risks in different markets
Often leads to a sub-optimal enterprise result:
[Diagram: Risk 1, Risk 2, Risk 3, ..., Risk N; DECISION: RETAIN + PREMIUM; Enterprise Total Risk: Retained Risk “unknown”, Premium “unknown”]
Silo Risk Management as a Portfolio of Interrelated Decisions
[Diagram: Risk 1, Risk 2, Risk 3, ..., Risk N; DECISION: RETAIN + PREMIUM; Enterprise Total Risk: Retained Risk “known”, Premium “known”]
Some risks should stay in silos
Some risks should be split out from silos in which they currently reside
Some risks should be combined in larger portfolios
And, “Overlay” decisions may be necessary to produce the desired result.
Managing Risk Financing Strategies on a Portfolio of Risk Basis
[Diagram: Risk 1, Risk 2, Risk 3, ..., Risk N; DECISION: RETAIN + PREMIUM; Enterprise Total Risk: Retained Risk “known”, Premium “known”]
Understanding Current Risk Management Systems
[Diagram: Decisions & Responses; Strategic/Tactical; Operating; Financial Results]
What information and performance measures are used to make decisions?
How are decisions made?
Who manages what risk and how do they relate?
Chief Risk Officer, ERM Councils, Global Director of Risk Management
Rise of, and Partnership with, Internal Audit
Corporate governance issues and perspectives
Rise of, and Partnership with, Treasury
Financial Management perspectives and insights
Rise of Board Audit Committees
Evolving Skill Base for Risk Managers
Enterprise Risk Management Can Mean All These Things
Corporate Governance
Crisis Management
Integrating Hazard and Financial Risks into a Single Contract
Establishing a Chief Risk Officer
“Never in all history have we harnessed such formidable technology. Every scientific advancement known to man has been incorporated into its design. The operational controls are sound and foolproof.”
E.J. Smith, Captain, H.M.S. Titanic
Financial Services Institution
Company / Title: Mutual Fund Company / Chief Risk Officer
ERM Perspectives, Roles & Responsibilities; Reporting Structure (Source: EIU Study, 2000)
CRO only responsible for financial and operational risks. Ensures that Company’s financial risks are well integrated.
CRO reports to CFO. Risk Group, consisting of risk, audit, compliance, & security, meets regularly.
CRO functions as advisor regarding business risks, with decision responsibility falling solely on business units.
Market and credit risks are isolated in specific areas of the business, whereas operational risks are inherent in all business processes.
Metrics used include VaR, cash flow volatility, claims exposures and notional exposure amounts; earnings-at-risk is not used due to high day-to-day volatility of amounts of exposure and earnings.
CRO views risks broadly but is wary of trying to reduce them to too few metrics because “you lose track of the numbers.”
All categories of risk are managed by senior line executives, supported by control specialists.
Market and credit risk specialists are traditional risk managers with analytical expertise and industry expertise.
Operational control team includes auditors, contingency planners, security specialists, compliance experts and traditional risk managers.
Strategy is to make ERM even more nimble – company has formed a horizontal, cross functional, rapid-response team to quickly evaluate risks of e-business initiatives across the units.
CRO does not believe that risks should be “run high up in the company.” Also, past experience with one CFO resulted in too much focus on controller type risks.
CRO has spent a lot of energy trying to defuse issues of clout, turf, etc. while trying to make risk management an automatic, not too complicated part of ongoing business practices.
Power & Energy Industry
Company / Title: Large company that markets energy services and products throughout North America. Business also includes a Gas and Electric Company that delivers natural gas and electricity service to one in every 20 Americans. / Chief Financial Officer, Risk Manager
ERM Perspectives, Roles & Responsibilities; Reporting Structure (Source: EIU Study, 2000)
CFO has enterprise risk management responsibility, and the Risk Manager reports to him.
The firm takes a portfolio approach via “profit at risk” and they do analyze correlations across commodities, but they haven’t found correlations in other areas such as cash-flow volatility vs. other kinds of risks.
They do much to offset or manage risks across business units (e.g., determining how to handle being long power and short gas without artificially limiting what the power and gas sides can do).
The risks they manage include commodity, foreign exchange, interest rate and credit risk, and they believe that most of their risks are quantifiable.
They are also focused on bringing top management to a fundamental agreement on “profit at risk.” Then they will consider plans to take positions at holding company level to balance the risks in the business units.
Risk Manager faces cultural hurdles, spending lots of time teaching managers who grew up in a regulated environment about risk.
CFO is creating a broad conceptual framework to help traders think about risk, to evolve the company away from micro-management.
CFO is ERM champion with support from Risk Manager, who reports directly.
Chemical/Agricultural Industry
Company / Title: Large global producer & marketer of agricultural products, operating in nearly 70 countries worldwide / ERM Manager
ERM Perspectives, Roles & Responsibilities; Reporting Structure (Source: EIU Study, 2000)
Company’s ERM goal is to maximize shareholder value while minimizing capital outlays.
They’re not at the point of measuring correlations, domino effects etc.
ERM Manager reports to the CEO and is viewed as the equivalent of a CRO.
ERM Manager thinks good risk management is indirectly reflected in share price, but thinks it’s too early for the market to give premiums for ERM.
To determine company risks, ERM group meets, twice a year for major units and once a year for smaller units, with the line manager of each unit, along with direct reports, and identifies the processes having a major effect on shareholder value (major is defined as accounting for 10% or more of capital earnings for the unit). Then they examine how sound the decision-making tools are behind each process.
They do scenario-based planning: identify four events that could affect each unit’s value; quantify the likely impact on cash flows; and, develop action plans to manage the risk(s).
Senior managers are evaluated on action plan implementation.
They would like to begin compensating senior management on risk-adjusted returns. They tie compensation to EVA for now.
They hope ERM will help reduce volatility in earnings. Other metrics include cash flow volatility, VAR with their debt profiles due, and interest rate volatility.
ERM group considers whether various risks need to be managed in coordination among various units or among different levels of the corporation.
They have an intranet application that lets everyone see the various risks throughout the company and explains how they’re being managed.
One major challenge in implementing ERM is the lack of other companies that are doing it well – few examples for comparison.
Information Technology Industry
Company / Title: Large Computer Manufacturer / Risk Manager
ERM Perspectives, Roles & Responsibilities; Reporting Structure
A key challenge in risk management is getting accurate data.
Board responsible for looking at risks across activities, with CFO ultimately responsible for risk management.
Risk Management function reports to CFO.
RM claims not to believe in enterprise risk management or in CRO roles.
RM’s opinion is that company is happy managing risks in boxes—they have 12 different groups having something to do with risk management.
But, in practice company is working to integrate too. RM has, for instance, started something called Riskweb, where every department having anything to do with risk can post information, contacts, etc; they are even putting some outside consultants on the site.
RM emphasizes that company’s Board, with delegated responsibility to the CFO, has always looked at risk across its activities.
RM states that under the new CEO company is getting much less conservative and much more interested in taking more risk. Part of this shift involves stopping attempts to mitigate risk down to a zero tolerance.
Company plans to micro-manage less, particularly as they move more to third party suppliers (micro-managing them loses the savings of moving to them in the first place).
Company is very concerned about e-commerce risks. Two main facets:
They are concerned about security risks as they use e-commerce increasingly in their supply chain.
They are setting up and investing in new dotcoms.
Consumer Brands Company
Company / Title: UK based international hospitality and leisure group focusing on hotels, leisure retail and branded drinks. / Director of Risk Management
ERM Perspectives, Roles & Responsibilities; Reporting Structure
Company believes that explicitly identifying risk is Enterprise Risk Management.
Firm has a major risk identification process that is similar to ERM. The primary variable monitored is impact on earnings.
The Director of Risk Management reports to the Corporate Secretary, who is a member of the executive Board.
Twice a year, a summary of significant risks is presented to the audit committee.
Risk management is implicit in firm’s strategic planning process, financial planning and budgeting process, and pre- and post-investment appraisal process.
They bring together senior management from each branch of the business with the senior risk manager identifying risk.
Company officers are interviewed and asked what other areas they can identify as being vulnerable to risk.
The expense of a given risk is ranked on a scale of one to five and multiplied by a similar measure of probability, also ranked on a scale of one through five. Risk is then examined on a gross basis and on a net basis (current exposure).
Twice a year, a summary of significant risks is presented to the audit committee. This is extended into an action plan, the progress of which is monitored throughout the year.
Crisis management skills, continuity planning and business continuity skills are all managed centrally by the risk management group.
Future risk management, within firm, must evolve towards providing management with greater analysis of how to treat risk on an integrated basis.
Director of risk management is anxious to see risk insurance policies that cover a broad range of possibilities. He believes that risk management will “manage down” impact and probability operationally.
Ford Motor Company
Risk Management At Ford
External Service Providers
What Risk Management Services is Ford Expecting in the Future
Risk Management at Ford
Ford’s approach to risk management in general
Ford’s Approach to Hazard Risk Management
Ford’s use of external service providers
What external service providers does Ford see now?
What does Ford value?
Ford’s requirements for the future
Ford Risk Management - Purpose, Statement and Vision
To improve the business’ ability to understand, manage and mitigate global corporate risk in real time,
In such a way that we make better risk/return decisions and manage capital more efficiently,
So that shareholder value materializes and unforeseen risks do not.
Hazard Risk Management at Ford
Centralized, global, “consistent”
Matrix approach (Legal, Safety, Facilities, HR, Business Ops, Finance)
Risk retention vs. transfer
Risk management practices
External Service Providers
What external service providers does Ford see now?
Insurance and Reinsurance Companies
Risk Management Consulting Firms
Big 5 Accountants
Integrated Risk Management
External Service Providers
What does Ford value?
Execution – Speed and Quality of analysis, solution development and delivery
Focus - Relevance
Value – solutions and information
Value - Measurement
Future Requirements at Ford
Profiling – business focused, timely and relevant
Benchmarking / databases
Solutions – design and execution
Analytics - span risk factors and functions
Ford’s Future Requirements
Management risk information
Creative use of Insurance Products
Broader view of integrated risk management
Questions & Answers