1. History of Enterprise Risk Management
Enterprise Risk Management is a relatively new term that is quickly becoming viewed as the ultimate approach to risk management. Consultants are advertising their ability to perform enterprise risk management. Seminars devoted to this topic are being conducted to explain the process, provide examples of applications and discuss advances in the field. Papers on enterprise risk management are beginning to appear in journals and books on the topic are starting to be published. Some universities are even starting to offer courses titled enterprise risk management. It appears that a new field of risk management is opening up, one requiring new and specialized expertise, one that will make other forms of risk management incomplete and less attractive.
2. Definition of Enterprise Risk Management
Enterprise risk management is, in essence, the latest name for an overall risk management approach to business risks. Precursors to this term include corporate risk management, business risk management, holistic risk management, and integrated risk management. Although each of these terms has a slightly different focus, in part fostered by the risk elements that were of primary concern to organizations when each term first emerged, the general concepts are quite similar. Enterprise risk management is defined as:
“The process by which organizations in all industries assess, control, exploit, finance and monitor risks from all sources for the purpose of increasing the organization’s short and long term value to its stakeholders.”
The types of risk subject to enterprise risk management are enumerated as hazard, financial, operational and strategic. Hazard risks are those risks that have traditionally been addressed by insurers, including fire, theft, windstorm, liability, business interruption, pollution, health and pensions. Financial risks cover potential losses due to changes in financial markets, including interest rates, foreign exchange rates, commodity prices, liquidity risks and credit risk. Operational risks cover a wide variety of situations, including customer satisfaction, product development, product failure, trademark protection, corporate leadership, information technology, management fraud and information risk. Strategic risks include such factors as competition, customer preferences, technological innovation and regulatory or political impediments. Although there can be disagreement over which category would apply to a specific instance, the primary point is that enterprise risk management considers all types of risk an organization faces.
A common thread of enterprise risk management is that the overall risks of the organization are managed in aggregate, rather than independently. The level of decision making under enterprise risk management is also shifted, from the insurance risk manager to the chief executive officer, or board of directors, who would be willing to address all forms of risk.
Basically, though, enterprise risk management simply represents a return to the original roots of risk management, a field that was first developed in the 1950s by a group of innovative insurance professors. The first risk management text, presciently titled Risk Management and the Business Enterprise, was published in 1963, after six years of development, by Robert I. Mehr and Bob Hedges. As initially introduced in this text, the objective of risk management is “to maximize the productive efficiency of the enterprise.” The basic premise of this text was that risks should be managed in a comprehensive manner, and not simply insured. But how did we get so far away from this premise?
3. Historical Development
Risk management has been practiced for thousands of years. One can imagine a proto-risk manager burning a fire at night to keep wild animals away, thereby reducing the risk of attack. Very early on, lenders learned to reduce the risk of loan defaults by limiting the amount loaned to any one individual and by restricting loans to those considered most likely to repay them. Individuals and firms learned to manage the risk of fire through the choice of building materials and safety practices or, after the introduction of fire insurance in 1667, by shifting it to an insurer. However, it wasn’t until the 1960s that the field was formally named, its principles developed and its guidelines established. Robert Mehr and Bob Hedges, widely acclaimed as the fathers of risk management, enumerated the following steps for the risk management process:
- Identifying loss exposures
- Measuring loss exposures
- Evaluating the different methods for handling risk
- Risk assumption
- Risk transfer
- Risk reduction
Initially, the risk management process focused on what has been termed “pure risks.” Pure risks are those in which there is either a loss or no loss. Either something bad happens, or it doesn’t. A typical example of a pure risk is ownership of a house. Your house may burn down, be hit by an earthquake or be infested by insects. If none of these, or other, unfavorable developments occur, then you are in the no loss position. This is no better than where you started, but no worse either.
Pure risks were the initial focus of traditional risk management for several reasons. First, the field of risk management was developed by individuals who taught or worked in the insurance field, so the focus was on risks that insurers would be willing to write. In fact, some risk managers’ job duties have historically been limited to buying insurance, an unfortunate limitation since many other options are readily available and should be explored. Another reason for the focus on pure risks is that in many cases hazards represented the most serious short-term threats to the financial position of an organization at the time this field was founded. A fire could quickly put a firm out of business. Efforts to reduce the likelihood of a fire occurring, to minimize the damage a fire would cause, to establish a contingency plan to keep the business going in the event of a fire, or to purchase an insurance policy to compensate the owners for the damages caused by a fire were easily seen to be beneficial to the firm. Finally, there were simply not a lot of reasons or options for dealing with other types of risks.
Given the primary risks facing businesses were hazard risks, the initial focus of risk management was on these types of risks. Risks were quantified, the evaluation of different methods of dealing with risk was advanced and standardized, and an extensive terminology for managing risk was developed. Such terms as maximum possible loss (the largest loss that could occur) and maximum probable loss (the largest loss that is likely to occur) were introduced to help define risk exposure. Probability and statistical analysis were used to estimate the range of likely losses and the effect of adopting steps to mitigate these risks.
Risk managers did their job quite effectively. Firms almost universally handled their hazard risk in an appropriate manner. When they didn’t, such as the MGM Grand Hotel that found it was not adequately insured for liability coverage after a major fire, new methods of handling risk, in this case retroactive insurance, were developed (Smith and Witt, 1985). Rarely did companies face financial ruin as a result of failure to manage their hazard risks effectively.
Beginning in the 1970s, financial risk became an important source of uncertainty for firms and, shortly thereafter, tools for handling financial risk were developed. These new tools allowed financial risks to be managed in a similar fashion to the ways that pure risks had been managed for decades. Volatility in foreign exchange rates, prices and interest rates caused financial risk to become an important concern for institutions.
Although financial risk had become a major concern for institutions by the early 1980s, organizations did not begin to apply the standard risk management tools and techniques to this area. The reason for this failure was that risk managers had built a wall around their specialty, called pure risk, within which they operated. When a new risk area emerged, they did not expand to incorporate it into their domain. To do so would have required learning about financial instruments and moving away from the type of risks commonly covered by insurance. This would have been a bold move, but one that the innovative thinkers who developed risk management would have espoused. This failure was costly to organizations, and to the risk management field. With the emergence of enterprise risk management, traditional risk managers will be pushed into a wider arena of risk analysis, one that incorporates all other forms of risk analysis. Thus, the refusal to expand into other areas of risk has not prevented risk managers from having to learn about other forms of risk management; it has simply delayed it by a number of decades.
The basic rule of risk taking, whether it is hazard risk, financial risk, or any other form of risk, is that if you do not fully understand a risk, you do not engage in it. The same holds true for applying risk management. This basic rule, unfortunately, is violated by risk managers consistently with promises of impressive savings or returns. Regrettably, many individuals as well as corporations have fallen into this trap.
4. The Skills Required for Enterprise Risk Management
In assessing the potential losses an organization could experience, many items not covered under hazard risk must be considered. For example, the company could suffer a significant loss if the chief executive officer were to step down and an adequate replacement could not be found, or the reputation of one of the company’s key products could be tarnished by a serious loss (Firestone tires, for example), causing the company to incur significant monetary losses. If the firm is found liable for underpaying taxes by losing a tax dispute, the required payment could be extremely large. A labor dispute could severely impact a firm’s operations. A failed merger could have repercussions that put the firm into a worse financial position than it was in before the negotiations commenced.
To gain an appreciation of how a wider set of risks may impact an organization, simply consider how flawed decisions based on incorrect, untimely, incomplete, or unreliable accounting information can impact an organization, how corporate decision making can cause the inefficient or ineffective use of resources, or how fraudulent transactions or non-compliance with relevant laws and regulations can cause financial loss and exposure. It is most probably impossible, and actually not desirable, to address all risks, because the cost would be unjustifiable and extraordinary; but when management fails to address those that can cause irreparable damage, it is grossly mistaken. Therefore, the risks that pose the greatest consequences if left unaddressed should be identified, and ways of transferring or reducing them sought, or the risk accepted where the cost of treatment is unjustified. Clearly, traditional risk managers will need to obtain additional skills to be involved with enterprise risk management.
5. The Steps of Enterprise Risk Management
Enterprise risk management actually represents a return to the roots of risk management. However, many of the exposures it covers can only be quantified with a far less sophisticated approach than can be used for most hazard and financial risks, and this presents new challenges. Although consideration of operational and strategic risk is important, the lack of data and the difficulty in predicting the likelihood of a loss, or the financial impact if a loss were to occur, make it hard to quantify many risks a firm faces. That in itself is the challenge that enterprise risk management provides. Nevertheless, the basic approach of identifying, measuring, evaluating, controlling and monitoring risk remains the same. The steps of enterprise risk management are quite familiar to traditional risk managers. Most commonly they are:
- Risk Identification – Identify risk on an enterprise basis
- Risk Analysis – Measure and report risk exposure
- Risk Response – Formulate strategies to limit risk
- Risk Control – Implement strategies
- Risk Monitoring – Monitor results
- And repeat…
Except for minor changes in wording, the steps of enterprise risk management are the same as those first enumerated by Mehr and Hedges in 1963. Enterprise risk management is risk management applied to the entire organization. The basic approach, the goals and the focus of enterprise risk management are the same as those that have worked so effectively for traditional risk managers since the field was first developed.
Enterprise Risk Management is not truly a new form of risk management; it is simply recognition that risk management means total risk management, not some subset of risks. It is important to understand that the process of addressing risks is not stagnant. Business risks increase and change as the operational environment changes. New technologies, fierce competition, decentralized accountability, external scrutiny, and cost reductions all present new risks and continually challenge solutions already implemented. The new focus on the concept of enterprise risk management provides an opportunity for risk managers to apply their well established and successful approaches to risk on a broader and more vital scale than previously. This is an excellent opportunity to advance the science of risk management.