Kellog Corporate Governance Conference I
Remarks by David Ingram
I have been asked to start off the program by describing to you what I think that Enterprise Risk Management means.
ERM is a term that is used by many people to mean many very different things. In my experience, some would say that ERM is an extension of Sarbanes Oxley. Some would say that it is the process that got banks into trouble by forcing them to make decisions with faulty models. Others would say that ERM is just a compliance exercise or the latest management consultant buzz word.
All that is a shame. Because ERM has the potential to be so much more useful than any of that. ERM can be the systematic process that a business uses to ensure that the it has the resilience to survive. You see I believe that a business has three overarching goals: Sales, Profits and Survival. Businesses have long had organized processes to achieve those first two goals. ERM is just the process that a business uses to achieve that third overarching goal – Survival.
In business, with all the adversity both from competitors and from the all the other adverse possibilities in the rest of the world, you need to be either lucky or careful to survive.
People commonly confuse the two. Lucky Lindbergh was extremely careful. The popular story was that he dashed off with two sandwiches in a sack. But he readily admitted that he also had five days of army rations that he thought he could survive on for much longer. Lindbergh was careful.
Careful does not mean that you do not take risks. It means that you take them with your eyes open and with preparation.
So, I want to explain what I think ERM is by telling you about five important things about a risk management program that are needed to make it work.
- It is about the future.
- Know what you want.
- Pay attention and communicate.
- Empower someone to take actions in response to risk situations.
- Best results from ERM if you can align your risk attitude and risk strategy with the risk environment
ERM is about the Future
ERM is about the future and it is about making sure that there is a future. Studies tell us that in an average 5 years period, about 80% of firms in the S&P 500 will continue on the S&P 500, about 7% will fail or be acquired and about 13% will drop off the S&P 500.
Risk management is about your future and the possibility that your firm could be one of the 400 S&P 500 firms continue in the S&P 500. Not the 100 x S&P 500.
One of the disconcerting things about the future is that you do not know what is going to happen. That means that one of the key management tricks that you have learned for management, the trick of boiling everything down to just the one most important number will not work. If you have heard discussions of how VaR was the problem – the problem was the one number approach, not the one number that was used. When you are talking about success, you may well be able to represent that with just one number. But failure can come from any direction. So because risk management is about the future, a very different management approach is needed.
In fact, I wrote a paper entitled Risk and Light that explains how using a one number approach to risk is likely to lead to unexpected accumulations of risks that you are not paying attention to.
So risk management is about looking out for ALL of the future things that could put your firm into the 100 x S&P list. And making plans to deal with those things. It is not primarily about preventing the reoccurrence of the last problem.
Know what you want
Now studies show that about 50% of the firms that are trying to do risk management do not have an objective for their risk management. That objective is called a risk appetite. Risk Appetite is the amount of risk that a firm is willing to take consciously. From my personal experience at S&P listening to about 200 firms, I would say that the correct number is more like 75%.
I just said that on the average, S&P 500 firms have a 7% chance of failing or being merged out of existence and a 13% chance of falling off the S&P 500. I would call those statistics the average effective risk appetite of the S&P 500 firms. That effective risk appetite is the degree of riskiness of the firm in actuality.
When I was an analyst at S&P, they had an estimate for effective risk appetite of all of the rated firms. Those estimates varied by credit quality. There is a 1% to 14% chance of defaulting and a 10% to 15% chance of downgrade.
Many people say that they do not have a risk appetite because it is too difficult to come up with some top of the house combined estimate of risk. I am not suggesting that you use S&P’s estimate, just pointing out that is can be done and perhaps you can do a better job yourself.
Knowing what you want means that you know what risk you are taking and what risk you want to be taking.
Pay Attention and Communicate
To get to the point where you can choose a risk appetite you need to be well aware of your effective risk appetite over several years and the sensitivity of the ERA to your management decisions and the variability of your risk environment.
And you will need to continue to pay attention and communicate about your risk position and potential changes. That will likely require assigning some resources.
Empower someone to act
When I was at S&P, I saw quite a number of insurers who had developed great risk monitoring systems, they had appointed a Chief Risk Officer. They had established risk committees and risk charters. But when I asked what they did when confronted with an indicated risk problem, they talked about doing studies and holding emergency meetings and presenting findings.
I called those the Risk Management Entertainment Systems. Because they never spoke of actually DOING anything as a result of their risk management program.
It is only really risk management if someone is empowered to do something.
But maybe that never happens because those actions will often fall into the category of “taking away the punchbowl just when the party gets going” as William Martin former Federal Reserve chairman said (and Greenspan famously never, ever did.)
Best results from ERM if you can align your risk attitude and risk strategy with the risk environment
Well, I have been told that you are all well aware of all of what I have just said. You have an ERM program that looks ahead to the future, you have set your risk appetite, you pay attention and communicate your changing risk positions and you have empowered someone to act.
But I suspect, that even if you are doing those four things, you still may not be happy with your ERM system. That may be because you did not know that you have to choose the risk management strategy that fits your situation.
The choices for risk strategy are:
– Loss Controlling – Prevent Defense
– Risk Trading – Cost Benefit Approach to Risk on a risk by risk basis
– Risk Steering – Risk Selection based upon risk and reward
– Diversification – Spread your risk exposures
If someone built you a risk management system they may not have even asked you what approach you wanted. They may have believed that the approach that they favored was the “right” way to do ERM and therefore that is the way that you should do ERM.
You will be unhappy with your ERM system if it does not fit your risk attitude. Your risk attitude is your belief about the risk environment.
You may believe that the risk environment is
– Bust – high risk/loss
– Boom – Low risk/high gains
– Moderate – Some risk / manageable gains & losses
– Uncertain – unpredictable risk and reward
So your best chance of Success is if there is alignment
– your belief about risk environment – your Risk Attitude
– your approach to risk management – your Risk Strategy
Fits with the
– Actual Risk Environment
We have been calling this idea of alignment Rational Adaptability. It means working to understand the risk environment, and to tailor your risk management strategy to the environment. Sounds simple minded. But it is actually fairly difficult and rarely achieved for a variety of reasons.
- The risk environment may be different for different risks that you are exposed to and your strategy can be varied for each different risk.
- Often a shift in the risk environment that management does not pick up and adjust to quickly enough is a reason for change of management.
- A risk management system that follows a risk strategy that is not aligned with the risk environment will be ignored.
- A risk attitude that is not aligned with the risk environment will lead to sub optimal risk decisions.
So in a nutshell, that is my explanation.
ERM means being careful, looking at the future, knowing what risk you want, paying attention, communicating but all in the context of a risk strategy – your risk strategy – not one out of the ERM box.