We encounter risks each and every day as we pursue our daily activities—crossing the road, missing an important meeting, making a purchase. While we cannot completely eliminate any potential risk, we can adopt appropriate proactive measures to help mitigate each risk, for example by purchasing insurance or having regular medical examinations. The way in which we view and control these risks varies from individual to individual—each of us has adopted our own philosophy or attitude towards risk-taking and decided, usually in an implicit way, our appetite to take on risk.
Further, our individual risk mitigation plans tend to be dynamic, changing regularly to reﬂect our current priorities, longer term goals and the dependencies which are implicit between risks. We automatically rank the risks which are most important to us and work to mitigate them as a priority.
The same concepts apply to the financial services industry. Enterprise-wide risk management (ERM), the process by which organisations identify, assess, control, exploit, finance and monitor financial and non-financial risks from all sources for the purpose of increasing the organisation's short- and long-term value to its stakeholders, has arrived. But why now? And why is ERM here to stay?
The carrot and stick: two essential motivators
Many hypothetical models and theories in the financial world, such as the Modigliani-Miller theorem of corporate finance, suggest that, in frictionless markets, a firm's value is not affected by its capital structure choices or by corporate risk management. However, firms are run by human beings and we are 'bundles of desires and fears'.
These emotions are fairly easy to manipulate in an organisational setting and the drive to develop an effective ERM framework is influenced by both push and pull factors.
Evolving and escalating levels of regulation
ERM is not a new form of risk management; it is simply a recognition that risk management means total risk management, not the management of a subset of risks. This, in itself, is not a new concept. Risk needs to be viewed as a holistic, group-wide issue with upside benefits and downside consequences. Financial institution regulations issued over the past decade or so reflect this.
It was back on June 3, 1999, that the Basel Committee on Banking Supervision issued a consultative proposal for Basel II. The proposal outlined a regulatory regime based on three mutually reinforcing pillars that allowed banks and supervisors to properly evaluate the various risks faced by banks.
Around the time the Basel II framework was first published in 2004, following its consultative period, the UK financial services regulator, the Financial Services Authority (FSA), introduced its Individual Capital Adequacy Standards (ICAS) framework for insurers. Under this framework, which has obvious similarities to the three-pillar approach of Basel II, insurers and reinsurers were required to formally assess their risk management practices and the level and quality of capital they needed to survive potentially significant events and to pay liabilities as they fall due.
Further, the European supervisory body for insurers, the Committee of European Insurance and Occupational Pensions Supervisors (CEIOPS), was also discussing a version of Basel II for insurers and reinsurers with operations in the EU. It became known as Solvency II. The first draft of this regime was published in July 2007.
These examples indicate that the concept of ERM, and regulators' interest in firms demonstrating their own capital adequacy, have been on the horizon for some time. However, the economic events that occurred between the first draft of Solvency II in 2007 and the present day have accelerated and amplified regulatory interest in firms' attitudes towards risk-taking, and in the adequacy of the practices they adopt in managing their risks.
Putting the regulatory reform pieces together
The initial urgency of regulatory reform on both sides of the Atlantic has given way to a ‘hurry up and wait’ interlude, leaving the industry unable to prepare deﬁnitively for new rules yet to come.
Global ﬁnancial crisis
The continuing global financial crisis has highlighted the negative repercussions associated with financial industry interconnectedness. Not surprisingly, G20 leaders pushed to introduce a uniform global regulatory framework. This early vision, however, is now being superseded by the threat of a double-dip recession, resulting in national-level regulations being implemented with different timelines.
While the actual regulations may be implemented inconsistently, what has clearly emerged is a new reality in which regulators globally are engaging in more coordinated and intensive oversight than ever before.
Globally, restrictions on risk-taking are rising in many areas, including proprietary trading and swaps and derivatives trading. This in turn affects hedge funds, securities companies and private equity ﬁrms. Internationally, bank proﬁtability is being impacted by greater controls on overdraft charges, interchange fees and other consumer fees, while Basel III will further restrict capital availability.
As a result, even without a common global regulatory framework, ﬁnancial services organisations need to operate as though a common regulatory requirement exists due to the coordination arising from the so-called colleges of regulators who oversee their activities.
A further fallout from the onset of the 2007–2010 ﬁnancial crisis is an increase in the requirement to demonstrate accountability for risk management and control on the part of boards of directors, senior executives and senior management.
The Financial Crisis Inquiry Commission in the US concluded in its January 2011 report that one of the contributing factors to the crisis was a "systemic breakdown in accountability and ethics". The report continues: "It was the failure to account for human weakness that is relevant to this crisis" and "we clearly believe the crisis was a result of human mistakes, misjudgments, and misdeeds that resulted in systemic failures …"
The report places special responsibility with the public leaders charged with protecting the ﬁnancial system, those entrusted to run the regulatory agencies, and the chief executives of companies whose failures drove the crisis. These individuals sought and accepted positions of signiﬁcant responsibility and obligation.
Ultimately the tone at the top with respect to risk-taking is perhaps the most crucial issue facing ﬁnancial institutions, and regulators now have a keen interest in holding individuals accountable for their actions.
The consequences of failing to adhere to the onerous regulatory and internal policy compliance requirements can be severe, including regulator-imposed capital ‘add-ons’, directives to strengthen a ﬁrm’s governance controls, business restrictions, sanctions and ﬁnes. To thrive in this signiﬁcantly more rigorous regulatory environment, ﬁnancial institutions can no longer afford either to surprise regulators, or to be surprised by them.
"Risk is a part of God's game, alike for men and nations." -- Warren Buffett
To avoid a serious breakdown in trust, leading organisations have begun to appoint managers at the most senior levels to head up their regulatory affairs functions and to build stronger communication and working relationships with regulators across the board. They are also setting up systems that allow them to manage regulatory requirements and demands in an efficient and coordinated fashion, which further supports the argument for an ERM framework.
While implementing a strong and effective ERM framework is now a business imperative, there are other justifying factors: pull factors that are potentially as attractive as the push factors are essential.
The New Zealand men’s national rugby union team (the All Blacks) is, arguably, the most successful sports team of all time. Among their accolades, the All Blacks have won a record 75 percent-plus of all rugby matches they have played since 1903 and were named the International Rugby Board (IRB) Team of the Year in 2005, 2006, 2008, 2010 and a record ﬁfth time in 2011.
For a team to be so successful, some basic elements must be established. For example:
• Team members must understand their common goal and vision;
• Team members must have a clear understanding of their role and the roles of others in the team. This in turn increases credibility and accountability;
• There must be good communication; and
• There must be a commitment to excellence. The operating culture, particularly with respect to risk, is set by the ‘tone at the top’.
These elements form the broad structure of Deloitte’s Nine Fundamental Principles of a Risk Intelligence Program. A strong ERM framework embeds the foundations for a successful, cohesive team which achieves its goals and objectives and is able to support sustained growth. This adds to the argument for investment in an effective ERM framework.
As companies grow and expand, clear communication, consistent reporting and a common language become vital. This is particularly important when operations span different countries or industries resulting in the transnational or trans-operational circulation of ideas, languages, and business culture.
Global companies cannot be efficiently managed in silos. A strong, truly global ERM framework supports the achievement of common understanding.
Further, as a result of the ﬁnancial crisis, there is now increasing pressure from regulators to maintain sufﬁcient capital in the jurisdiction which is most exposed to risk. It is not uncommon for regulators to require companies to transfer capital from their parent entity, often at short notice, in order to address any perceived shortfall (either in level or quality) of capital to meet local regulatory capital adequacy requirements.
In this new world where capital is less plentiful, business units will be required to compete for capital allocations. An effective ERM framework can help to ensure consistent reporting between entities, clear transparency regarding where capital is allocated, and justification for executive decisions based on appropriate measures of capital performance.
Firms make money by being able to deliver higher quality, more innovative or faster-to-market goods, products and services than others in the market. To succeed companies need to build and sustain a competitive advantage.
Risk is why insurance and reinsurance companies exist. However, the challenge for them is to maximise the potential upside of risk-taking while minimising the potential downside. This realisation, coupled with recent advancements in organisations' abilities to manage and evaluate the cost of individual risks, allows boards and senior executives to better appreciate the link between informed risk-taking and competitive advantage.
Data are a key part of any ERM framework. Collating vast quantities of data and ensuring consistency, completeness and accuracy is a signiﬁcant task. Indeed, in Deloitte’s 2011 Solvency II survey, the majority of insurance company participants listed data management and data quality as a key priority over the next six months. However, there has been considerable advancement in the development of software platforms that have the ability to handle data across front, middle and back ofﬁce systems. The affordability of these platforms is improving, meaning that the seamless ﬂow of data through the organisation is becoming a reality.
Risk varies inversely with knowledge
ERM is all about making strategic and day-to-day business decisions across the entire enterprise with full awareness of the potential risks and opportunities. Leaders must recognise that the pursuit of value inevitably means exposure to risk and with it opportunities, but also responsibility. In this context, ERM is a set of interconnected capabilities to help enable growth while at the same time facilitating compliance with ever-growing regulatory requirements. The challenge is for ﬁrms to use risk to help achieve a competitive advantage.
Leon Bloom is partner, enterprise risk management at Deloitte, Canada.
Stephen Kuzyk is principal, enterprise risk services at Deloitte, Bermuda.
Liz Cunningham is senior manager, actuarial and insurance solutions services at Deloitte, Bermuda.
Brett Henshilwood is senior manager, enterprise risk services at Deloitte, Bermuda.