CREATING VALUE THROUGH ERM PROCESS

Balancing Rationality with Intention

Rational

Intention

embrace the best available information

leads to judgements

Rational ERM

decrease the impact of cognitive and motivational biases on risk assessments as much as possible

collect as much relevant information as possible

rely on structured, step-by-step risk analysis methods (e.g. scenario analysis)

assess and aggregate key risks

assess the effect of key risks on key metrics to identify interdependencies between risks

combine intuitive input (management judgement) with objective, data-based input where appropriate

increase transparency of decision criteria (make decisions reproducible)

apply rules which are known to analytically work (e.g. cause-effect analysis)

accept decisions that are mainly based on intuition where appropriate

Uncertainties in ERM

larger losses are accepted if the decision quality was high at the time the decision was taken

ERM Processes

Collect Risk Scenarios

Develop an Effective and Structured Risk Identification Approach

Risk identification is not linked to business objectives and is carried out only for the sake of a risk inventory

Relevant key risks with a major impact on business objectives are not identified

Uncoordinated risk identification leads to higher costs and less credibility of the ERM programme.

Risk identification focuses too strongly on operations and too little on strategy; it takes place only after management has approved plans and strategies and made major decisions

Relevant stakeholders of ERM are not involved, leading to lower acceptance of overall ERM.

Best available sources for risk information are neglected.

Risk identification is focused on internal risks. A sound environmental scanning process does not exist

Identify Risks Enterprise-Wide

failure reasons

Profitable business unit

Excluded business unit

Missing strategic focus

Missing external focus

Financial risk focus

Do Not Treat Business and Decision Problems as True Risks

Reputational Risk

Non-compliance: Reputation risk can be triggered by failing to follow regulatory trends, for example when unlawful conduct becomes publicly known. Such primary risks can be a breach of tax law, a financial accounting scandal or disregard for environmental regulations

Unethical practices: Violations of ethical and moral rules also trigger reputation risk. Such risks include fraud, corruption, and inhumane working conditions

Event risks: Finally, unforeseeable events can also impact a company's reputation. For example, the preceding events can be a hostile takeover bid, a restructuring, or occupational accidents

Management Assumptions

Understanding the business strategy and strategic risk

Collect all management assumptions

Use strategic tools to complement assumption analysis

Mission accomplished

One-on-one interviews with key stakeholders

Complement with Traditional Risk Identification

Assess risk and develop quantified key risk scenarios

Develop key risk

Exclude unrealistic, devastating risks

Risks that are included in the risk analysis meet the following criteria:

The risk is manageable to a certain degree

The risk is a realistic, but rare, scenario

The risk has a company-specific impact

The risk affects one product line only

Separate pure management action items

Avoid risk maps as selection criterion

Avoid expected values as selection criterion

Prefer impact over profitability

Distinguish between key and non-key risks

Develop quantitative key risk scenarios

Store key risk scenarios in a database

Support Decision Making

Overcome regulatory risk management approach

Differentiate between decisions and outcomes

Overcome the separation of risk analysis and decision making

Avoid pseudo-risk aggregation (overly pragmatic risk aggregation techniques)

Assess impact on relevant objectives

Develop useful risk appetite statements

Make uncertainties transparent and comprehensible

Exploit the full decision-making potential of ERM

Align ERM with business planning

Replace standard risk reporting

Disclose risks appropriately

Assess and Improve ERM Quality

Test ERM Effectiveness appropriately:

relevant risk categories are covered (no exclusive focus on financial risk)

risks are comprehensively assessed. We use quantitative scenario analysis, not stochastic black-box models.

risks are graphically prepared in such a way that they can be used for decision-making (no risk maps)

opportunities and risks have been assessed, not only the downside risk

individual risk exposures are compared with the defined risk appetite statements

key risk scenarios are communicated in a comprehensible way. Their impacts are linked to relevant key figures (company value, EBIT, cash flow, etc.)

ERM Maturity level:

Level 1—Informal ERM: The first level is predominantly characterised by the management's missing (formal) commitment to ERM

Level 2—Basic ERM: At this second stage, companies have implemented a very basic, partial ERM. Usually, it is not harmonised in its process steps and terminology and only focuses on a limited number of (risk) areas.

Level 3—Evolved ERM: In contrast to the two previous maturity levels, level 3 is characterised by a more formalised ERM process. We observe a well-defined and documented ERM process. This allows us to identify and assess all types of risks (i.e. strategic, operational and financial risks)

Level 4—Advanced ERM: For most companies, the upgrade from level 3 to level 4 is the largest hurdle. It requires a fundamental reconsideration of the ERM goals. The board is in charge of developing an appropriate risk policy

Level 5—Leading ERM: Achieving the highest ERM maturity level requires some further important optimisations. Compared to level 4, we need to do the following: decisions driven by intuition need to be balanced with rational risk information, so that the potential impacts of decisions on company value or another key figure are assessed.