Many enterprise risk management (ERM) practitioners speak with evident pride about their risk inventories, heat maps, and risk rankings. However, it is often an uphill battle for ERM to sell itself as a value add or at least something other than the “department of No.” Well-meaning, but misguided, efforts at internal marketing have included metaphors of automobiles, guard rails, and brakes.
The reality is that no one but the risk manager likely cares about any of these ideas!
If ERM does not manage the “upside” of risk, is not a strategic decision tool, or struggles from a perception problem, the underlying cause is often poorly chosen risk metrics - i.e., what we typically refer to as impact estimates, exposure measures, key risk indicators, key performance indicators, etc.
James Lam, often referred to as the nation’s first chief risk officer, suggests, “As with other aspects of ERM development, it is important to start with a clear understanding of the company’s business objectives…To help determine if a metric is necessary, teams should take care to address the following questions: 1) How does this metric contribute to key decisions? 2) Is this metric truly necessary to support decision-making? and 3) Can we build an ongoing means of measuring it?”
Lam’s criteria suggest metrics which are Decision oriented in the spirit of (1), are Essential as in (2), and are Measurable, in the operational sense of (3). As a shorthand, we refer to these characteristics as “D”, “E”, and “M”, respectively.
Clearly, a metric should address a need of one or more ERM stakeholders, and we’ll refer to this as the Stakeholder (or “S”) characteristic. The qualities D, E, M, and S are considered as “required” for all risk metrics in a framework. We now look at two qualities which only apply to a subset of the metrics, but it is necessary that some metrics meet these criteria.
A thematic goal of ERM is a “portfolio” or Organizational perspective of risk and reward. This necessitates some risk metrics:
ERM is meant, in part, to serve as an early warning system and detect levels of risk exposure in a forward-looking manner. For this reason, some metrics must have the quality of being Leading indicators (referred to as “L”).
We have the metric selection “mantra” MODELS:
M Measurable: on a recurring basis
O Organizational view: across all lines of business (LOBs) and functional areas
D Decision oriented: informs management action and risk response
E Essential: for one or more of the company’s decision processes
L Leading indicator: assesses forward-looking impact and/or probability of risk exposures
S Stakeholder relevance: to one or more ERM stakeholders
As mentioned, D, E, M, and S are required for all metrics, while O and L must be met by some of the metrics.
Public companies care about, among other things, achieved earnings and company value, i.e., some type of company valuation. Metrics related to these “end results” will likely resonate with management, the Board, and key decision makers across the organization and include:
LOBs will often not think directly in terms of such metrics but will typically track and report many quantities which drive such metrics. The ERM function may facilitate a risk interview with LOB subject matter experts (SMEs) where quantities the business typically employs are used to describe impacts in a particular risk scenario. Then the risk manager and SMEs, with the help of finance or actuarial, convert that information into impacts on earnings, company value, ROE, etc.
As an example, IT SMEs describe a data breach scenario in terms of data type, number of records breached, expected cost of remediation and credit monitoring, reputational effect, etc. The ERM function converts these items to impacts on the high-level metrics such as company value, earnings, etc. The SMEs sign off on, or otherwise indicate their approval of, the modeling approach and its conclusions.
As the Third Line of Defense, internal audit is a natural partner for ERM and the two functions often collaborate on risk-based audits. The ideas of inherent and residual risk lead to a metric which is very useful to internal audit and risk-based audit planning.
Consider a risk exposure which is described as having a high inherent risk and a low residual risk, based either on a) impact measured in dollar amounts, or b) a system using a 1-10 score which is “soft” in that it doesn’t use detailed quantification. Using (numerical) inherent impact (“I”) and residual impact (“R”) values, we may define a metric, “perceived mitigation value” (PMV), as: 100 * (1 – R/I). It is assumed that the mitigation’s perceived benefit makes R < I, so that PMV is a value between 0 and 100, with 100 representing a mitigation thought to eliminate the risk entirely.
When a risk that is significant at the enterprise level (at least on an inherent basis) and its associated mitigation yield a large PMV value, this is an indication that the exposure must be examined further. If the mitigation is susceptible to typical audit practices, then internal audit can lead the effort. Other cases should be examined by the ERM function.
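A worked illustration of the PMV metric and the triage rule just described, added here as example code rather than anything from the article; the register entries, dollar impacts, the thresholds (inherent impact of at least 20M, PMV of at least 80) and the `auditable` flag are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class RiskEntry:
    name: str
    inherent: float   # I: inherent impact (dollars or a 1-10 score)
    residual: float   # R: residual impact on the same scale as I
    auditable: bool   # is the mitigation susceptible to typical audit practices?


def pmv(inherent: float, residual: float) -> Optional[float]:
    """Perceived mitigation value: 100 * (1 - R/I), rounded to one decimal.
    Returns None when the R < I assumption does not hold (I <= 0 or R >= I),
    because PMV only lives on the 0..100 scale under that assumption."""
    if inherent <= 0 or residual >= inherent:
        return None
    return round(100.0 * (1.0 - residual / inherent), 1)


def triage(register: List[RiskEntry], significant_inherent: float,
           large_pmv: float) -> List[Tuple[str, Optional[float], str]]:
    """Route each entry: an enterprise-significant inherent risk with a large
    PMV goes to internal audit when auditable, otherwise to ERM; entries that
    violate R < I are sent back for input review instead of being scored."""
    out = []
    for e in register:
        v = pmv(e.inherent, e.residual)
        if v is None:
            out.append((e.name, None, "review inputs (R >= I)"))
        elif e.inherent >= significant_inherent and v >= large_pmv:
            out.append((e.name, v, "internal audit" if e.auditable else "ERM"))
        else:
            out.append((e.name, v, "no action"))
    return out


# Constructed sample register (hypothetical values, not taken from the page).
SAMPLE_REGISTER = [
    RiskEntry("Customer data breach", 40_000_000, 4_000_000, True),
    RiskEntry("Key vendor outage", 10_000_000, 8_000_000, True),
    RiskEntry("Unpatched legacy app", 25_000_000, 2_500_000, False),
    RiskEntry("Bad scoring entry", 5_000_000, 6_000_000, True),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_REGISTER, significant_inherent=20_000_000, large_pmv=80):
        print(row)
```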
This type of analysis is also of primary concern to the Board in light of their risk control oversight responsibilities.
The recent publication of the updated COSO Framework touted ERM's role in management of upside risk and performance.
An intuitive, highly relevant approach to risk assessment is to consider the uncertainty of achieving the Plan by: 1) developing a financial statement oriented model which reflects the Plan, 2) allowing certain income statement and balance sheet items to be shocked or tweaked, and 3) building in dynamic accounting/actuarial logic to reflect the shocks from (2). Once accomplished, almost any risk scenario or performance driver can be analyzed to gauge its possible impact and likelihood.
Strategic execution is a primary focus of management, the Board, and investors alike. The ERM function can facilitate a session which identifies key drivers of success for a particular business goal and the main factors responsible for uncertainty in execution.
It is then a simple matter to rate, on a monthly basis, the current risk exposures, progress on key sub-goals, and the state of the other conditions or risk factors which put goal attainment at risk or help drive success. A score reflecting these ideas (e.g., a weighted average) might produce a metric called “strategic objective at risk” and can assess progress and chance of success at any measurement date. Examples of metrics include:
ERM’s traditional defensive role should not preclude the selection of metrics which help a company realize its strategic vision. In “Growth in Stock Price as the ERM Linchpin”, a hypothetical insurer illustrates how management of uncertainties around stock price appreciation serves as the nucleus of an ERM framework. The approach aligns with the goals of ERM stakeholders including management, the Board, and investors.
Some decisions viewed as beneficial to a company may not look “good” in terms of the impact to (short-term) earnings. However, company value should show a benefit coming from (a successful) “loss leader” approach, or a long-term value play such as ensuring future client acquisitions or eliminating competitors by possibly over-paying to acquire some “asset” they need. Metrics which use a company value concept include:
Correct metric selection may enable another ERM “holy grail”, optimal risk-reward trade-off in strategic decisions, as described in “Enterprise Risk-Reward Optimization: Two Critical Approaches.”
The whitepaper describes two optimizations for the enterprise, one based on maximizing return on economic capital and the other based on a mean-semivariance efficient frontier from the investor point of view. The metrics employed meet all of the MODELS criteria.
As an organization’s size, strategy, goals, and risk profile evolve, so too must its ERM framework. In addition to this natural need to adapt, technology is reshaping risk management in particular, and the business world in general.
The complexity and rapidly changing characteristics of cyber risks, combined with limited resources to combat these threats, make a strong case for quantitative risk assessment. Metrics should assess the potential economic benefit from improved mitigation so that management can make informed cyber risk management decisions in light of cost-benefit considerations.
There has been much discussion of “Big Data”, “Data Analytics”, and “AI”. While some of it is hype, there are almost certainly many game-changing concepts floating in this ocean of thought. The company that adapts its risk and business approaches to this new environment will secure a clear advantage over its competitors.