Good enterprise risk management needs everyone in an organisation to have a consensus on the subject. This is about much more than producing a risk glossary. It's about developing a framework that improves the overall management of the business and then linking this with the business model, says John Bielski.
3 OCTOBER 2013 | JOHN BIELSKI
Integrating risk into business decisions isn't easy. The first challenge is often to establish a common language, as there is no standard risk terminology and different stakeholders have different perspectives. Actuaries often focus upon a detailed categorisation of financial, insurance and other quantifiable risks. Decision-makers, however, also spend a lot of time considering strategic and emerging risks, and the organisation's risk appetite and strategy. So what is needed is a framework that captures and distinguishes between these different types of 'risk'. To be really effective, the risk framework needs to link to the way the business operates in practice.
An organisation's risk profile can be defined as all the events that might result in losses now or in the future. Given the wide range of potential risks it helps to split these into three groups:
Immediate risks are usually set out in a risk categorisation document with a two- or three-level hierarchy, corresponding to the risk capital model. For example, financial markets risk may be broken into equity, property and interest rate risks, each of which is then further broken down depending upon the materiality of the risk. This should also include risks that are not always easily quantifiable, such as operational or liquidity risks.
Strategic risks might include the impact of competitor activity, changes to regulation, or the wider economy. Emerging risks might include events such as a cure for cancer or technological developments, which would then become strategic or immediate risks if they were to materialise. Due to their uncertainty and longer-term nature, strategic and emerging risks are often captured individually and crudely ranked rather than being quantified in a risk capital model.
Risk appetite and strategy
Risk appetite is commonly used to define the acceptable amount of risk to key measures of success such as solvency, earnings and reputation. For example, solvency risk appetite is often defined in terms of a target credit rating or maintaining solvency under a certain level of stress.
The term 'risk appetite' can also be used in other ways, such as setting out desired types of risks, rather than the amount of risk as above. Furthermore, risk appetite might be defined at lower levels of an organisation, for example, the number of system errors an IT department is comfortable with. Allowing risk appetite to be used in all these ways can lead to confusion, which can be avoided by restricting the term to the core board-level statements.
Replacing these other uses of 'risk appetite' with their own distinct terms provides useful clarity. This is particularly true for statements relating to the desired types of risks, which we will call 'risk strategy'. This is developed allowing for factors including perceived core risks, diversification, expertise and competition. It may take the form of a target risk profile or a number of statements on which risks the organisation wishes to increase, accept or reduce exposure to.
Just as risk management starts with understanding the organisation's risk profile, management of an organisation requires understanding of business opportunities. While 'upside risk' is a term found in risk management, 'opportunities' has wider connotations and is more commonly used. Business opportunities are often articulated within a SWOT (strengths, weaknesses, opportunities and threats) analysis.
As with risk appetite, the term 'business model' can have as many interpretations, but at a high level can be thought of as containing two key elements:
Bringing it all together
An organisation's risk profile, risk strategy and risk appetite are central elements of a wider risk framework. The risk profile could be thought of as capturing input risks, risk appetite as capturing output risks, and the risk strategy as the process that converts one into the other. This approach can also be applied to the business model elements, to produce the following:
This approach enables the business model and the risk framework to be developed and updated together. Indeed, developing a risk framework may help to articulate the business model more clearly. Each element of the business model relates to that of the risk framework:
• Identified business opportunities and threats should be consistent with immediate, strategic and emerging risks
• The business strategy and risk strategy should be developed together to ensure that the mix of risks arising from the products sold is acceptable
• The risk appetite should be framed in terms of key business objectives
Of course, the flow is never purely left-to-right. An organisation can adjust its risk profile through reinsurance, hedging, adjusting its product mix or other techniques. It might also adjust its business strategy in order to meet its business objectives, or its risk strategy to ensure the overall level of risk remains within its risk appetite.
Consider a general insurance company that spots an opportunity to branch out into home insurance, in line with the company's strategy to seek profitable new lines of business. Doing so would increase catastrophe risks (from windstorms) whereas the company's risk strategy is to reduce an already heavy exposure to catastrophe risk. In addition, the new line of business would increase the volatility of the company's earnings beyond its risk appetite. To tackle this, the company could investigate obtaining catastrophe reinsurance cover, which would reduce profitability but bring catastrophe risk into line with its risk strategy and earnings volatility within its risk appetite.
Getting everyone in an organisation talking about risk in the same way is about much more than defining risks captured in a capital model. It needs a holistic approach encompassing the risk framework and the business model. Successful implementation needs energy and drive from the risk function and chief risk officer, combined with engagement and support from right across the business.
It also takes time, as the development of a consistent risk framework and business model is likely to be an iterative process that will be refined over a number of business-planning cycles. However, the benefits will be simpler, clearer and improved decision-making, and a solid foundation for meeting future regulatory requirements.