The Case of Enterprise Risk Management


Published on

The evils of a single point estimate.

Traditionally, when estimating costs, project value, equity value or budgeting, one number is
generated – a single point estimate. There are many problems with this approach. In budget
work this point is too often given as the best the management can expect, but in some cases
budgets are set artificially low generating bonuses for later performance beyond budget

Published in: Economy & Finance
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

The Case of Enterprise Risk Management

  1. 1. - Strategy @ Risk - -The Case of Enterprise Risk ManagementPosted By S@R On April 19, 2010 @ 10:39 am In Balance sheet simulation, P&L simulation | NoCommentsTable of contents for A short presentation of S@RA short presentation of S@R [1]1.The Case of Enterprise Risk Management2.The underlying premise of enterprise risk management is that every entity exists toprovide value for its stakeholders. All entities face uncertainty and the challenge formanagement is to determine how much uncertainty to accept as it strives to growstakeholder value. Uncertainty presents both risk and opportunity, with the potentialto erode or enhance value. Enterprise risk management enables management toeffectively deal with uncertainty and associated risk and opportunity, enhancing thecapacity to build value. (COSO, 2004)The evils of a single point estimateEnterprise risk management is a process, effected by an entity’s board of directors,management and other personnel, applied in strategy setting and across theenterprise, designed to identify potential events that may affect the entity, andmanage risk to be within its risk appetite, to provide reasonable assurance regardingthe achievement of entity objectives. (COSO, 2004)Traditionally, when estimating costs, project value, equity value or budgeting, one number isgenerated – a single point estimate. There are many problems with this approach. In budgetwork this point is too often given as the best the management can expect, but in some casesbudgets are set artificially low generating bonuses for later performance beyond budget. Thefollowing graph depicts the first case.[2]Here, we have based on the production and market structure and on the managementsassumptions of the variability of all relevant input and output variables simulated the probabilitydistribution for next years EBITDA. The graph gives the budgeted value, the actual result and theexpected value. Both budget and actual value are above expected value, but the budgeted valuewas far too high, giving with more than 80% probability a realized EBITDA lower than budget. Inthis case the board will be mislead with regard to the company’ ability to earn money and allsubsequent decisions made based on the budget EBITDA can endanger the company.The organization’s ERM system should function to bring to the board’s attention themost significant risks affecting entity objectives and allow the board to understandand evaluate how these risks may be correlated, the manner in which they mayaffect the enterprise, and management’s mitigation or response strategies. (COSO,Strategy @ Risk » The Case of Enterprise Risk Management » Print of 4 19.04.2010 12:47
  2. 2. 2009)It would have been much more preferable to the board to be given both the budget value and theaccompanying probability distribution allowing it to make independent judgment about thepossible size of the next years EBITDA. Only then will the board – both from the shape of thedistribution, its localization and the point estimate of budget EBITDA – be able to assess the riskand opportunity facing the company.Will point estimates cancel out errors?In the following we measure the deviation of the actual result from both from the budget valueand from the expected value. The blue dots represent daughter companies located in differentcountries. For each company we have the deviation (in percent) of the budgeted EBITDA (bottomaxis) and the expected value (left axis) from the actual EBITDA observed 1 ½ year later.If the deviation for a company falls in the upper right quadrant the deviation are positive for bothbudget and expected value – and the company is overachieving.If the deviation falls in the lower left quadrant the deviation are negative for both budget andexpected value – and the company is underachieving.If the deviation falls in the upper left quadrant the deviation are negative for budget and positivefor expected value – the company is overachieving but has had a to high budget.With left skewed EBITDA distributions there should not be any observations in the lower rightquadrant that will only happen when the distributions is skewed to the right – and then there willnot be any observations in the upper left quadrant.The graph below shows that two companies have seriously underperformed and that the budgetprocess did not catch the risk they were facing. The rest of the companies have done very well,some however have seriously underestimated opportunities manifested by the actual result. Froman economic point of view, the mother company would of course have preferred all companies(blue dots) above the x-axis, but due to the stochastic nature of the EBITDA it have to accept thatsome always will fall below. Risk wise, it would have preferred the companies to fall to the rightof the y-axis but will due to budget uncertainties have to accept that some always will fall to theleft. However, large deviations both below the x-axis and to the left of the y-axis add to thecompany risk.[3]A situation like the one given in the graph below is much to be preferred from the board’s point ofview.Strategy @ Risk » The Case of Enterprise Risk Management » Print of 4 19.04.2010 12:47
  3. 3. [4]The graphs above, taken from real life – shows that budgeting errors will not be canceled outeven across similar daughter companies. Consolidating the companies will give the mothercompany a left skewed EBITDA distribution. They also show that you need to be prepared fordeviations both positive and negative – you need a plan. So how do you get a plan? You make asimulation model! (See Pdf: Short-presentation-of-S@R#2 [5])SimulationThe Latin verb simulare means to “to make like”, “to create an exact representation” or imitate.The purpose of a simulation model is to imitate the company and is environment, so that itsfunctioning can be studied. The model can be a test bed for assumptions and decisions about thecompany. By creating a representation of the company a modeler can perform experiments thatare impossible or prohibitively expensive in the real world. (Sterman, 1991)There are many different simulation techniques, including stochastic modeling, system dynamics,discrete simulation, etc. Despite the differences among them, all simulation techniques share acommon approach to modeling.Key issues in simulation include acquisition of valid source information about the company,selection of key characteristics and behaviors, the use of simplifying approximations andassumptions within the simulation, and fidelity and validity of the simulation outcomes.Optimization models are prescriptive, but simulation models are descriptive. A simulation modeldoes not calculate what should be done to reach a particular goal, but clarifies what could happenin a given situation. The purpose of simulations may be foresight (predicting how systems mightbehave in the future under assumed conditions) or policy design (designing new decision-makingstrategies or organizational structures and evaluating their effects on the behavior of the system).In other words, simulation models are “what if” tools. Often is such “what if” information moreimportant than knowledge of the optimal decision.However, even with simulation models it is possible to mismanage risk by (Stulz, 2009):Over-reliance on historical dataUsing too narrow risk metrics , such as value at risk—probably the single most importantmeasure in financial services—have underestimated risksOverlooking knowable risksOverlooking concealed risksFailure to communicate effectively – failing to appreciate the complexity of the risks beingmanaged.Not managing risks in real time, you have to be able to monitor changing markets and,respond to appropriately – You need a planBeing fully aware of the possible pitfalls we have methods and techniques’ that can overcomethese issues and since we estimate the full probability distributions we can deploy a number ofStrategy @ Risk » The Case of Enterprise Risk Management » Print of 4 19.04.2010 12:47
  4. 4. risk metrics not having to relay on simple measures like value at risk – which we actually neveruses.COSO, (2004, September). Enterprise risk management — integrated framework. Retrieved from, (2009, October). Strengthening enterprise risk management for strategic advantage.Retrieved from, J. D. (1991). A Skeptic’s Guide to Computer Models. In Barney, G. O. et al. (eds.),Managing a Nation: The Microcomputer Software Catalog. Boulder, CO: Westview Press, 209-229.Stulz, R.M. (2009, March). Six ways companies mismanage risk. Harvard Business Review (TheMagazine), Retrieved from in series [1]Article printed from Strategy @ Risk: http://www.strategy-at-risk.comURL to article: in this post:[1] A short presentation of S@R:[2] Image:[3] Image:[4] Image:[5] Short-presentation-of-S@R#2: © 2009 Strategy @ Risk. All rights reserved.Strategy @ Risk » The Case of Enterprise Risk Management » Print of 4 19.04.2010 12:47