The previous section explained a particular RM process, risk control, which comprises actions such as risk mitigation actions and risk assessment actions. These actions have been developed individually, according to the risk types in the organisations. RM employees developed skills in risk control for the risk market, or operational risk or any other risk; however, financial institutions have seen the need in their risk management practices to evolve to a holistic view of risk management given some improper past experiences (examples shown in the introduction). This integral view of all these risks introduced the concept of Enterprise Risk Management (ERM). Therefore, the implementation of ERM includes management concepts that apply to the enterprise risk, not individual risks, but the risk analysed for the whole organisation which includes all risk exposures. Dickinson (2001) defined ERM as: “a systematic and integrated approach to the management of the total risks that a company faces.”
Moreover, Dickinson (2001) presented ERM as a dynamic risk management process across the company, with concepts in evolution and applications in development. ERM was born because of the past big losses and the influence of the shareholder value models. However, the core of ERM is the study of Enterprise Risk (ER) where ERM is just the process to manage the ER aligned to shareholders‟ objectives. The organisation of ERM in financial institutions connects different types of risk and markets through enterprise policies as is shown in the example of Figure 2-4.
Figure 2-4 Example of Enterprise Risk Management framework at Royal Bank Canada (Source RBC Annual Report 2009)
Additionally, Dickinson (2001) brought to the ERM analysis the difference between insurable and financial risks because this is crucial in order to understand risk management practice. The difference of practice in hedging risks and buying insurance has created some practices that are not uniform in the tools used or in the process used to achieve protection. However, such as, in treasury and in assets management, there are similarities in risk analysis methods. What is more important in ERM is to analyse ER with common criteria; for example, profit reduction, and the support of the operation by practices that can be transferred from one group to another.
Thus, the purpose of insuring and hedging is the reduction of potential losses or failures of the strategy. ERM needs to align with the integral analysis of the potential variation of the outcomes of the corporate strategy and those specified in the corporate objectives.
The balance between risk retention and risk transfer, through insurance and derivatives, should be estimated based on an impact scale for the strategy results. This impact on the bottom line includes risk analysis of business processes and the review of the capacity of actions to mitigate and control risk.
The integration requires definition, clarity and reviews relating to the many attributes of risks, especially for some risks where quantification is not possible. Moreover, there is a lack of clarity in the meaning of identifying risks, extension, scope and metrics in the context of ER. The ER can be seen differently whether or not the market risks and corporate objectives are aligned. There is no evidence of what the dynamic of risk management is for the integral treatment of risk for the whole organisation and how the new ways of risk control include another group of risks to analyse.
To transform RM into ERM is a strategic step in RM, and as Lam (2003) said: “As a topic, strategic or enterprise risk management... is really just plain, good risk management practise suited up... risk management didn‟t arrive on the scene as a holistic practice.
Rather it lapped up on our shores in waves.” This step needs to identify a practice under the same philosophical principles in the risk management processes from risk identification to risk control (McCarthy and Flynn, 2004).
Furthermore, the creation of value in an organisation, according to Galloway and Funston (2000), is related to the ERM practice because it is seen as a means to create a competitive advantage (See Figure 2-5). This advantage supports a balance in managing the basics: innovation, integrity and simplicity. Equally, Walker et al. (2003) express the view that the selection of tools and disciplines that help in the holistic organisation in risk analysis has contributed to the strengthening of the corporate governance.
2
Figure 2-5 Summary of ERM contribution to the organisation (From the author)
Even though there are benefits to achieve using ERM concepts, at the same time, there are organisational issues to solve. Lam (2003) indicates that even having a good RM practice per risk, there are many difficulties in consolidating information and supplying guidelines to the board and senior management in order to answer strategic questions.
Lam (2003) notes that benefits of ERM are based on the concept of integration:
integration of risk organisation, integration of risk transfer practices and integration of risk practices to the business processes. Besides, he indicates that, based on the preparation of the organisation for ERM, the expected benefits are “... increased organisational effectiveness, better risk reporting, and improved business performance.”
There are ERM benefits from the strategic view to an operational level. Abrams et al.
(2007) indicate that: “There are large potential synergies in terms of both risk identification and assessment with respect to adopting appropriate responses to specific risks.” Organisation actions and performance need an everyday decision making process that includes risk as a factor to bring to any business discussion (Matyjewicz and D‟Arcangelo, 2004). This means to develop standards for risk assessment, create a culture of risk analysis embedded in resource allocation, reporting capacity, change management, communication and knowledge sharing.
Bowling and Rieger (2005) indicate ERM benefits, such as the support to the governance process, better administration of RM costs, and “[t]hrough increased communication, ERM leads to broader understanding and recognition of risks” and many others related to the reduction of risk profile. However, there is not a clear identification of specific fields, activities or resources where ERM can provide value. This study introduces the potential value through better data management, better knowledge creation in modelling processes and better communication among and within teams. In summary, there is a research interest in discovering how ERM provides value as a blend of people, methodologies and resources.
The above points are complemented by Nocco‟s and Stultz‟s (2006) work which shows that the ERM value is perceived differently by different stakeholders and is different from a macro or micro view inside the organisation. The macro view includes benefits associated with continuity, sustainability and the strategic capacity of the organisations.
The micro view refers to the management risk return relationship, assigning responsibilities and accountabilities to areas and people related to risk existence, and the development of operational capacity to manage risk properly. Also, Peterson (2006) indicates that the benefits of ERM are associated with supporting difficulties to integrate and manage scope and scales of RM areas, data collection and operational risk.
However, there are some additional points that need to be analysed in ERM as a good practice, and as a means of overcoming the problem of silo culture in order to implement the ERM program. One of these is to consider ERM not only as a top-down process, but also a bottom-up process. In ERM it is not enough to know the risk policies; it is important to know the relationship of the implementation, feedback and experience to the strategy.
This is crucial to develop risk analysis and control. Knowledge, experience and feedback in an organisation flow in both directions: top-down and bottom-up. ERM requires a policy from the top-down direction, but it also requires developing and implementing the ERM processes from the bottom-up in order to identify ER and to establish an accurate solution of risk mitigation (Lam, 2003).
Finally, ERM targets for implementation the risk mitigation of different risk types (Oldfield and Santomero, 1997; Cumming and Hirtle, 2001; Degagne et al., 2004). This means going further than the limited view of silos and the traditional analysis that has been focused only on casualty and property risks, life risks, work compensation losses, the reduction of costs and the management of disasters (Froot et al.,1994; Banhan, 2004).
Thus, the main difference between RM and ERM (Baranoff, 2004c) is in the enterprise strategic view of risk analysis for the whole organisation that is complemented by other differences presented in Table 2-2:
Differential attributes between Risk Management and Enterprise Risk Management (Meulbroek 2002; Lam 2001; Cumming and Hirtle 2001; Dickinson 2001)
Risk Management (RM) Enterprise Risk Management (ERM)
Silo, individual view of risk
Specific risk analysis
Tactic orientation
Related to control and minimization
Organisation specific, department or business unit.
Concentrated on business events
Disaggregated methods for risk analysis
Responsibility on the functional managers
Performance evaluation concentrated on the particular problem solved
Protection of adverse financial effects of bad events.
Earnings volatility protection from the source
Reactive
Specific control on section or division expenditures
Individual risk analysis
The priority is in the portfolio and individual sources
Global, holistic view of risk
Risk performance evaluation enterprise wide and based on risk
Organisation stability protection. Decision making process based on risk
Under this perspective of differentiation between RM and ERM, the ERM analysis includes a cycle that starts in risk identification and ends in risk answers. Shaw (2005) exemplifies this cycle through the Ford Motor Co. and indicates that risk answers the need of reviewing and analysing given the possible changes in the business conditions and processes across the organisation. Each division could provide solutions, but a lack of an integral view, not an ERM approach, resulted in a big loss for the company.
In conclusion, ERM is an integral practice of RM across an organisation based on the strategy that requires integrating the insurable and non-insurable risk analyses. ERM, according to COSO (2004), requires the processes and a solid governance structure to accomplish the tasks that are required. ERM involves different areas, different people, different backgrounds, and as has been mentioned, different ways to deal with risk threats. In an ERM program, RM has a more strategic and holistic view concept, where communication among groups, work coordination, and interaction of people seem to be factors that influence an adequate policies implementation. The wider view of ERM has some benefits and challenges (Galloway and Funston, 2000) that need support to achieve the benefits and overcome the barrier. One of these tools is the Risk Management Information System (RMIS) that is introduced in the next section.
2.2.6. Risk Management Information System
In order to support the risk management processes and to achieve the ERM benefits, a risk management information system (RMIS) is required. Crouhy et al. (2000) identify the requirement of some technology attributes in order to build the RMIS: “The risk management information system needs to be supported by an information technology architecture that is employed in all of the company‟s information processing.” This is further complemented by Crouhy et al. (2000): “Banks have many business units, which are engaged in different activities and support different products.”
The requirements that Crouhy et al. (2001) propose include managing data globally using distributed database technology. These authors indicate that a “risk management system approach is not simply an aggregate of applications, data, and organisation;
instead, it is born out of an IT vision.” The architecture for risk management needs to