TrimSize:6inx9in Lam f00.tex V1-02/16/2017 11:29am Pagei · TrimSize:6inx9in Lam ftoc.tex V1-02/16/2017 11:29am Pageix Contents ix PART THREE Governance Structure and Policies CHAPTER
Implementing Enterprise Risk Management


Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Australia and Asia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers’ professional and personal knowledge and understanding.

The Wiley Finance series contains books written specifically for finance and investment professionals as well as sophisticated individual investors and their financial advisors. Book topics range from portfolio management to e-commerce, risk management, financial engineering, valuation and financial instrument analysis, as well as much more.

For a list of available titles, visit our Web site at www.WileyFinance.com.


Implementing Enterprise Risk Management

From Methods to Applications

JAMES LAM


Copyright © 2017 by James Lam. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Cataloging-in-Publication Data is Available:

ISBN 9780471745198 (Hardcover)
ISBN 9781118221563 (ePDF)
ISBN 9781118235362 (ePub)

Cover Image: © canadastock/Shutterstock
Cover Design: Wiley

Printed in the United States of America

10 9 8 7 6 5 4 3 2 1


For my father, and best friend, Kwan Lun Lam


Contents

Preface xiii

Acknowledgments xix

PART ONE ERM in Context

CHAPTER 1 Fundamental Concepts and Current State 3

Introduction 3
What Is Risk? 4
What Does Risk Look Like? 8
Enterprise Risk Management (ERM) 11
The Case for ERM 13
Where ERM Is Now 18
Where ERM Is Headed 19
Notes 20

CHAPTER 2 Key Trends and Developments 21

Introduction 21
Lessons Learned from the Financial Crisis 21
The Wheel of Misfortune Revisited 26
Global Adoption 34
Notes 37

CHAPTER 3 Performance-Based Continuous ERM 41

Introduction 41
Phase Three: Creating Shareholder Value 43
Performance-Based Continuous ERM 44
Case Study: Legacy Technology 56
Notes 59


CHAPTER 4 Stakeholder Requirements 61

Introduction 61
Stakeholders Defined 62
Managing Stakeholder Value with ERM 79
Implementing a Stakeholder Management Program 80
Appendix A: Reputational Risk Policy 83
Notes 87

PART TWO Implementing an ERM Program

CHAPTER 5 The ERM Project 93

Introduction 93
Barriers to Change 93
Establish the Vision 95
Obtain Buy-In from Internal Stakeholders 97
Assess Current Capabilities against Best Practices 100
Develop a Roadmap 104
Appendix A: ERM Maturity Model 108
Appendix B: Practical Plan for ERM Program Implementation 111

CHAPTER 6 Risk Culture 115

Introduction 115
Risk Culture Success Factors 117
Best Practice: Risk Escalation 130
Conclusion 130
Notes 131

CHAPTER 7 The ERM Framework 132

Introduction 132
The Need for an ERM Framework 132
ERM Framework Criteria 136
Current ERM Frameworks 138
An Update: The Continuous ERM Model 145
Developing a Framework 150
Conclusion 153
Notes 153


PART THREE Governance Structure and Policies

CHAPTER 8 The Three Lines of Defense 157

Introduction 157
COSO’s Three Lines of Defense 158
Problems with This Structure 160
The Three Lines of Defense Revisited 164
Bringing It All Together: How the Three Lines Work in Concert 172
Conclusion 173
Notes 173

CHAPTER 9 Role of the Board 175

Introduction 175
Regulatory Requirements 176
Current Board Practices 179
Case Study: Satyam 180
Three Levers for ERM Oversight 181
Conclusion 189
Notes 189

CHAPTER 10 The View from the Risk Chair 191

Introduction 191
Turnaround Story 191
The GPA Model in Action 192
Top Priorities for the Risk Oversight Committee 192
Conclusion 196
Notes 197

CHAPTER 11 Rise of the CRO 198

Introduction 198
History and Rise of the CRO 199
A CRO’s Career Path 201
The CRO’s Role 202
Hiring a CRO 206
A CRO’s Progress 208
Chief Risk Officer Profiles 212
Notes 225


CHAPTER 12 Risk Appetite Statement 227

Introduction 227
Requirements of a Risk Appetite Statement 228
Developing a Risk Appetite Statement 233
Roles and Responsibilities 239
Monitoring and Reporting 242
Examples of Risk Appetite Statements and Metrics 246
Notes 250

PART FOUR Risk Assessment and Quantification

CHAPTER 13 Risk Control Self-Assessments 255

Introduction 255
Risk Assessment: An Overview 255
RCSA Methodology 256
Phase 1: Setting the Foundation 259
Phase 2: Risk Identification, Assessment, and Prioritization 262
Phase 3: Deep Dives, Risk Quantification, and Management 267
Phase 4: Business and ERM Integration 270
ERM and Internal Audit Collaboration 272
Notes 273

CHAPTER 14 Risk Quantification Models 274

Introduction 274
Market Risk Models 275
Credit Risk Models 278
Operational Risk Models 281
Model Risk Management 283
The Loss/Event Database 288
Early Warning Indicators 289
Model Risk Case Study: AIG 289
Notes 290


PART FIVE Risk Management

CHAPTER 15 Strategic Risk Management 295

Introduction 295
The Importance of Strategic Risk 296
Measuring Strategic Risk 299
Managing Strategic Risk 301
Appendix A: Strategic Risk Models 310
Notes 312

CHAPTER 16 Risk-Based Performance Management 314

Introduction 314
Performance Management and Risk 316
Performance Management and Capital 317
Performance Management and Value Creation 319
Summary 323
Notes 324

PART SIX Risk Monitoring and Reporting

CHAPTER 17 Integration of KPIs and KRIs 327

Introduction 327
What Is an Indicator? 327
Using Key Performance Indicators 329
Building Key Risk Indicators 330
KPI and KRI Program Implementation 335
Best Practices 337
Conclusion 338
Notes 339

CHAPTER 18 ERM Dashboard Reporting 340

Introduction 340
Traditional Risk Reporting vs. ERM Dashboard Reporting 344
General Dashboard Requirements 348


Implementing ERM Dashboards 351
Avoid Common Mistakes 357
Best Practices 358
Notes 361

CHAPTER 19 Feedback Loops 362

Introduction 362
What Is a Feedback Loop? 363
Examples of Feedback Loops 364
ERM Performance Feedback Loop 366
Measuring Success with the ERM Scorecard 368
Notes 371

PART SEVEN Other ERM Resources

CHAPTER 20 Additional ERM Templates and Outlines 375

Introduction 375
Strategic Risk Assessment 375
CRO Report to the Risk Committee 376
Cybersecurity Risk Appetite and Metrics 378
Model Risk Policy 380
Risk Escalation Policy 382
Notes 385

About the Author 386

Index 387


Preface

Confucius said: “I hear and I forget. I see and I remember. I do and I understand.”

Indeed, the value of knowledge is not in its acquisition but in its application. I am grateful that I have had opportunities to apply risk management in a wide range of roles throughout my 30-year career in risk management. As a consultant, I’ve worked with clients with different requirements based on their size, complexity, and industry. As a risk manager, I’ve implemented enterprise risk management (ERM) programs while overcoming data, technical, and cultural challenges. As a founder of a technology start-up, I’ve worked with customers to leverage advanced analytics to improve their risk quantification and reporting. In the past four years, as a board member and risk committee chair, I’ve worked with my board colleagues to provide independent risk oversight while respecting the operating role of management.

These experiences have taught me that knowledge of ERM best practices is insufficient. Value can be created only if these practices are integrated into the decision-making processes of an organization. The purpose of this book is to help my fellow risk practitioners to bridge the gap between knowledge and practical applications.

In my first book, Enterprise Risk Management—From Incentives to Controls (Wiley, 1st edition 2003, 2nd edition 2014), the focus was on the what questions related to ERM:

■ What is enterprise risk management?
■ What are the key components of an ERM framework?
■ What are best practices and useful case studies?
■ What are the functional requirements for credit, market, and operational risks?
■ What are the industry requirements for financial institutions, energy firms, and non-financial corporations?

In this companion book, the focus is on the how questions:

■ How to implement an ERM program?
■ How to overcome common implementation issues and cultural barriers?


■ How to leverage ERM in all three lines of defense: business and operational units, risk and compliance, and the board and internal audit?
■ How to develop and implement specific ERM processes and tools?
■ How to enhance business decisions and create value with ERM?

The publication of my first ERM book was one of the most gratifying professional experiences of my career. The book has been translated into Chinese, Japanese, Korean, and Indonesian. It has been adopted by leading professional associations and university programs around the world. On Amazon.com, it has ranked #1 best-selling among 25,000 risk management titles. In a 2007 survey of ERM practitioners in the United States and Canada conducted by the Conference Board of Canada, the book was ranked among the top-10 in ERM books and research papers. In addition, the book has brought me countless consulting and speaking opportunities internationally.

In my travels, risk professionals most often request practical approaches and case studies, as well as best-practice templates and examples that can assist them in their ERM programs. Based on this feedback, I have structured this book to focus on effective implementation of ERM.

OVERVIEW OF THE BOOK

This book is organized into seven parts. Part One provides the overall context for the current state and future vision of ERM:

■ Chapter 1 introduces the notion that risk is a bell curve. It also lays out the fundamental concepts and definitions for enterprise risk management. We also discuss the business case for, and current state of, the practice of ERM.

■ Chapter 2 reviews the key trends and developments in ERM since the 2008 financial crisis, including lessons learned and major changes since that time.

■ In Chapter 3, a new performance-based continuous model for ERM is introduced. This new model is more fitting for global risks that are changing at an ever faster speed (e.g. cybersecurity, emerging technologies). As part of this discussion, seven specific attributes for this new ERM model are provided.

■ In addition to the board and management, other stakeholders such as regulators, institutional investors, and rating agencies are increasingly focused on ERM. Chapter 4 discusses their requirements and expectations.


ERM is a multi-year effort that requires significant attention and resources. As such, Part Two focuses on ERM program implementation:

■ Chapter 5 lays out the scope and objectives of an ERM project, including the need to set a clear vision, obtain buy-in, and develop a roadmap. This chapter also provides an ERM Maturity Model and an illustrative 24-month implementation plan.

■ One of the key success factors in ERM is addressing change management and risk culture. Chapter 6 describes risk culture success factors and the cognitive biases and behavior obstacles that risk professionals must overcome.

■ Given the wide range and complexity of risks, having a structured and organizing ERM framework is essential. Chapter 7 provides an overview of several published frameworks and an ERM framework that I’ve developed to support performance-based continuous ERM.

The next four parts provide deep dives into the key components of the ERM framework. Part Three focuses on risk governance and policies:

■ Chapter 8 discusses two versions of the “three lines of defense” model: the conventional model and a modified model that I’ve developed to reflect better the role of the board.

■ Chapter 9 goes further into the important role of the board in ERM, including regulatory requirements and expectations, current board practices, and three key levers for effective risk oversight.

■ Chapter 10 describes my first-hand experience as an independent director and risk committee chair at E*TRADE Financial. This case study discusses our turnaround journey, the implementation of ERM best practices, and the tangible benefits that we’ve realized to date.

■ As expected, the rise of the chief risk officer (CRO) is correlated to the adoption of ERM. Chapter 11 discusses the evolution in the role of the CRO, including key responsibilities, required skills, and desired attributes. The chapter also provides professional profiles of six prominent current or former CROs.

■ Chapter 12 focuses on one of the most important risk policies: the risk appetite statement. This chapter provides practical steps and key requirements for developing an effective risk appetite statement.

Risk analytics provide useful input to business and risk leaders. Risk assessment and quantification is the focus of Part Four:

■ Chapter 13 discusses the implementation requirements, common pitfalls, and practical solutions for developing a risk-control self-assessment process.


■ What gets measured gets managed, so it is not enough only to identify and assess risks. Chapter 14 provides a high-level review of risk quantification models, including those designed to measure market risk, credit risk, and operational risk.

ERM can create significant value only if it supports management strategies, decisions, and actions. Part Five focuses on risk management strategies that will optimize an organization’s risk profile:

■ The integration of strategy and ERM, also known as strategic risk management, is covered in Chapter 15. The chapter outlines the processes and tools to measure and manage strategic risk, including M&A analysis and risk-based pricing. Case studies and examples of strategic risk models are also provided.

■ Chapter 16 goes further into risk-based performance management and discusses other strategies to add value through ERM, such as capital management and risk transfer.

Board members and business leaders need good metrics, reports, and feedback loops to monitor risks and ERM effectiveness. Part Six focuses on risk monitoring and reporting:

■ Chapter 17 discusses the integration of key performance and risk indicators, including the sources and characteristics of effective metrics.

■ Once these metrics are developed, they must be delivered to the right people, at the right time, and in the right way. Chapter 18 provides the key questions, best-practice standards, and implementation requirements of ERM dashboard reporting.

■ Once an ERM program is up and running, how do we know if it is working effectively? Chapter 19 answers this critical question by establishing a quantifiable performance objective and feedback loop for the overall ERM program. An example of a feedback loop based on earnings-at-risk analysis is also discussed.

Chapter 20 in Part Seven provides additional ERM templates and outlines to help readers accelerate their ERM initiatives.

Throughout this book, specific step-by-step implementation guidance, examples, and outlines are provided to support risk practitioners in implementing ERM. They are highlighted below:

■ Example of a reputational risk policy (Chapter 4, Appendix A)
■ ERM Maturity Model and benchmarks (Chapter 5, Appendix A)


■ Practical 24-month plan for ERM program implementation (Chapter 5, Appendix B)
■ 10-step process for developing a risk appetite statement, including examples of risk metrics and tolerance levels (Chapter 12)
■ Implementation of the RCSA process, including common pitfalls and best practices (Chapter 13)
■ Example of a strategic risk assessment (Chapter 20)
■ Structure and outline of a CRO report to the risk committee (Chapter 20)
■ Example of a cybersecurity risk appetite statement and metrics (Chapter 20)
■ Example of a model risk policy (Chapter 20)
■ Example of a risk escalation policy (Chapter 20)

SUGGESTED CHAPTERS BY AUDIENCE

Given its focus on ERM implementation, this book does not necessarily need to be read in its entirety or in sequence. Readers should select the relevant chapters based on the implementation phase and ERM maturity at their organizations. In general, I would suggest the following chapters by the seniority of the reader:

■ Board members and senior corporate executives should read Chapters 1, 3, 6, 9, 10, 12, 15, and 19.

■ Mid- to senior-level risk professionals, up to a CRO, should read the above chapters plus Chapters 4, 5, 7, 8, 11, and 16.

■ Students and junior-level risk professionals should read the entire book.


Acknowledgments

I would like to thank the Enterprise Risk Management team at Workiva for contributing to this book through excellent research and editorial support. In particular, I would like to thank Joe Boeser, Melissa Chen, Adam Gianforte, Garrett Lam, Jay Miller, Diva Sharma, Rachel Stern, and Zach Wiser. I want to especially thank Mark Ganem and Neil O’Hara for their outstanding editorial support. This book was the result of a collaborative team effort and it was truly my pleasure to work with such a great team.

I would also like to extend my appreciation to Paymon Aliabadi, Matt Feldman, Susan Hooker, Merri Beth Lavagnino, Bob Mark, and Jim Vinci for sharing their stories and experiences as chief risk officers across different industry sectors. Their experiences in ERM implementation provide useful and practical insights. They also offer good advice to risk professionals who aspire to become a CRO. Their compelling stories are featured in Chapter 11. I am confident that risk professionals, regardless of where they are in their careers, will be inspired by their stories and benefit from their advice. I know I have.

Finally, I would like to thank Bill Fallon and Judy Howarth from John Wiley & Sons for their patience and assistance throughout the book production process.


Implementing Enterprise Risk Management


PART ONE ERM in Context


CHAPTER 1 Fundamental Concepts and Current State

INTRODUCTION

In October 1517, Ferdinand Magellan requested an investment of 8,751,125 silver maravedis from Charles I, King of Spain. His goal: to discover a westerly route to Asia, thereby permitting circumnavigation of the globe. The undertaking was extremely risky. As it turned out, only about 8 percent of the crew and just one of his four ships completed the voyage around the world. Magellan himself would die in the Philippines without reaching home.

What would motivate someone to undertake this kind of risk? After all, Magellan stood to gain only if he succeeded. But those long-term rewards, both tangible and intangible, were substantial: not only a percentage of the expedition’s revenues, but also a 10-year monopoly of the discovered route, and numerous benefits extending from discovered lands and future voyages. What’s more, he’d earn great favor with a future Holy Roman Emperor, not to mention fame and the personal satisfaction of exploration and discovery.

But I doubt that even all of these upsides put together would have convinced Magellan to embark on the voyage if he knew that it would cost him his life. As risky as the journey was, most risks that could arise likely appeared manageable. Magellan already had a great deal of naval experience and had previously traveled to the East Indies. He raised sufficient funding and availed himself of the best geographic information of the day.1

All in all, Magellan’s preparations led him to the reasonable expectation that he would survive the journey to live in fame and luxury. In other words, by limiting his downside risk, Magellan increased the likelihood that he would reap considerable rewards and concluded that the rewards were worth the risk.


Whether taking out a loan or driving a car, we all evaluate risk in a similar way: by weighing the potential upsides and trying to limit the downsides. Like Magellan, anyone evaluating risk today is taking stock of what could happen if things don’t go as planned. Risk measures the implications of those potential outcomes. In our daily lives, risk can cause deviation from our expected outcome and keep us from accomplishing our goals. Risk can also create upside potential. We will use a similar definition to define risk in business.

The purpose of this book is to provide the processes and tools to help companies optimize their risk profiles, but first we must have the necessary vocabulary for discussing risk itself. Then we can begin to construct a working model of an enterprise risk management (ERM) program, which we will flesh out over the course of this book. This chapter will cover the fundamental concepts and summarize ERM’s history and current state of the art.

But first, some definitions.

WHAT IS RISK?

Risk can mean different things to different people. The word evokes elements of chance, uncertainty, threat, danger, and hazard. These connotations include the possibility of loss, injury, or some other negative event. Given those negative consequences, it would be natural to assume that one should simply minimize risks or avoid them altogether. In fact, risk managers have applied this negative definition for many years. Risk was simply a barrier to business objectives, and the object of risk management was to limit it. For this reason, risk models were designed to quantify expected loss, unexpected loss, and worst-case scenarios.

In a business context, however, risk has an upside as well as a downside. Without risk there would be no opportunity for return. A proper definition of risk, then, should recognize both its cause (a variable or uncertain factor) and its effect (positive and negative deviation from an expected outcome). Taken thus, I define risk as follows:

Risk is a variable that can cause deviation from an expected outcome, and as such may affect the achievement of business objectives and the performance of the overall organization.

To understand this definition more fully, we need to clarify seven key fundamental concepts. It is important not to confuse any of these with risk itself, but to understand how they influence a company’s overall risk profile:

1. Exposure
2. Volatility


3. Probability4. Severity5. Time Horizon6. Correlation7. Capital

Exposure

Risk exposure is the maximum amount of economic damage resulting from an event. This damage can take the form of financial and/or reputational loss. All other factors being equal, the risk associated with that event will increase as the exposure increases. For example, a lender is exposed to the risk that a borrower will default. The more it lends to that borrower, the more exposed it is and the riskier its position is with respect to that borrower. Exposure measurement is a hard science for some risks—those which result in direct financial loss such as credit and market risk—but is more qualitative for others, such as operational and compliance risk. No matter how it is measured, exposure is an evaluation of the worst-case scenario. Magellan’s exposure consisted of the entire equity invested by King Charles I, his own life, and the lives of his crew.

Volatility

Volatility is a measure of uncertainty, the variability in potential outcomes. More specifically, volatility is the magnitude of the upside or downside of the risk taken. It serves as a good proxy for risk in many applications, particularly those dependent on market factors such as options pricing. In other applications it is an important driver of the overall risk in terms of potential loss or gain. Generally, the greater the volatility, the greater the risk. For example, the number of loans that turn bad is proportionately higher, on average, in the credit card business than in commercial real estate. Nonetheless, real estate lending is widely considered to be riskier, because the loss rate is much more volatile. Lenders can estimate potential losses in the credit card business (and prepare for them) with greater certainty than they can in commercial real estate. Like exposure, volatility has a specific, quantifiable meaning in some applications. In market risk, for example, it is synonymous with the standard deviation of returns and can be estimated in a number of ways. The general concept of uncertain outcomes is useful in considering other types of risk as well: A spike in energy prices might increase a company’s input prices, for example, or an increase in the turnover rate of computer programmers might negatively affect a company’s technology initiatives.


Probability

The more likely an event—in other words, the greater its probability—the greater the risk it presents. Events such as interest rate movements or credit card defaults are so likely that companies need to plan for them as a matter of course. Mitigation strategies should be an integral part of the business’s ongoing operations. Take the case of a modern data center. Among potential risks are cyberattack and fire, with the probability of the latter considerably lower than that of the former. Yet should the data center catch fire, the results would be devastating. Imagine that the company maintains backup data as part of its cybersecurity program. Simply housing that data in a separate, geographically remote facility would address both risks at a cost only incrementally greater than addressing just one. As a result, the company can prepare for the highly unlikely but potentially ruinous event of fire.

Severity

Whereas exposure is defined in terms of the worst that could possibly happen, severity, by contrast, is the amount of damage that is likely to be suffered. The greater the severity, the greater the risk. Severity is the partner to probability: If we know how likely an event is to happen, and how much we are likely to suffer as a consequence, we have a pretty good idea of the risk we are running. Severity is used to describe a specific turn of events, whereas exposure is a constant which governs an entire risk scenario. Severity is often a function of other risk factors, such as volatility in market risk. For example, consider a $100 equity position. The exposure is $100, since the stock price could theoretically drop all the way to zero and the whole investment could be lost. In reality, however, it is not likely to fall that far, so the severity is less than $100. The more volatile the stock, the more likely it is to fall a long way—so the severity is greater and the position riskier. In terms of a credit risk example, the probability of default is driven by the creditworthiness of the borrower, whereas loss severity (i.e., loss in the event of default) is driven by collateral, if any, as well as the order of debt payment.
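The concepts of exposure, volatility, probability, and severity put into numbers, as an added illustration that is not from the book. It assumes the standard credit-risk decomposition (expected loss = exposure × probability of default × loss given default, with unexpected loss taken as the standard deviation of a single-default loss) and uses constructed loss-rate histories for the credit card versus commercial real estate comparison.

```python
from math import sqrt
from statistics import mean, pstdev


def loss_profile(exposure, pd, lgd):
    """Decompose one loan's risk into the chapter's concepts.

    exposure: amount at risk; the worst case is losing all of it.
    pd:       probability of default over the horizon (creditworthiness).
    lgd:      loss given default as a fraction of exposure; this is the
              severity, driven by collateral and the order of debt payment.
    Returns (worst_case, expected_loss, unexpected_loss).
    Assumed decomposition, not the author's model.
    """
    severity = exposure * lgd      # what is likely to be lost if default occurs
    expected = pd * severity       # probability x severity
    # A single default is a Bernoulli(pd) event scaled by severity, so its
    # standard deviation is severity * sqrt(pd * (1 - pd)): the unexpected loss.
    unexpected = severity * sqrt(pd * (1 - pd))
    return exposure, expected, unexpected


def loss_rate_stats(rates):
    """Average loss rate and its volatility (population standard deviation)."""
    return mean(rates), pstdev(rates)


# Constructed annual loss rates in percent of the book (illustrative only):
# credit cards lose more on average, commercial real estate swings more.
CREDIT_CARD = [4.5, 5.0, 4.8, 5.2, 4.9, 5.1, 4.7, 5.3]
COMMERCIAL_RE = [0.5, 0.3, 0.4, 6.0, 2.5, 0.2, 0.4, 5.5]


if __name__ == "__main__":
    for name, rates in (("credit card", CREDIT_CARD), ("commercial RE", COMMERCIAL_RE)):
        avg, vol = loss_rate_stats(rates)
        print(f"{name:14s} mean loss {avg:5.2f}%  volatility {vol:5.2f}%")
    worst, el, ul = loss_profile(exposure=100.0, pd=0.02, lgd=0.4)
    print(f"$100 loan, 2% PD, 40% LGD: worst case {worst:.2f}, "
          f"expected loss {el:.2f}, unexpected loss {ul:.2f}")
```

The higher-average but steadier credit card series scores as the less volatile book, matching the chapter's point that average loss and riskiness are different things.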

Time Horizon

Time horizon refers to the duration of risk exposure or how long it would take to reverse the effects of a decision or event. The longer an exposure’s duration, the greater its risk. For example, extending a one-year loan is less risky than extending a 10-year loan to the same borrower. By the same token, highly liquid instruments such as U.S. Treasury bonds are generally less risky than lightly traded securities such as unlisted equity, structured