Enterprise Risk Management: Hollow Tree or Giant Redwood? Midwestern Actuarial Forum Chicago March 7, 2008 Rick Gorvett, FCAS, MAAA, ARM, FRM, PhD Director, Actuarial Science Program State Farm Companies Foundation Scholar in Act. Sci. University of Illinois at Urbana-Champaign MAF
Agenda ERM in general Observations from the CAS ERM Online Course Issues in advancing ERM –ERM as complex systems analysis –ERM as an evolutionary process –ERM as subject to behavioral patterns Conclusion
“Who am I? Why am I here?” - Admiral Stockdale, 1992 Currently –Director, Actuarial Science Program –State Farm Companies Foundation Scholar in Actuarial Science –Professor, Depts. of Mathematics, Statistics & Finance –University of Illinois at Urbana-Champaign Prior –Senior Vice President –Director of Internal Audit & Risk Management Internal Audit Corporate Investigations Risk Management Enterprise Risk Management Business Continuity
ERM – General Thoughts
Steps in the Risk Management Process Determine the corporation’s objectives Identify the risk exposures Quantify the exposures Assess the impact Examine alternative risk management tools Select appropriate risk management approach Implement and monitor program
Pre-FRM Post-FRM
An Initial ERM Comment You don’t become a famous writer by… –Reading a book –Reading about other authors –Watching someone else write Similarly, you don’t become an “Enterprise Risk Manager” by… –Reading a book –Taking a course –Listening to a presentation
Rather, ERM is… A complex process… … involving broad-based and in-depth knowledge and understanding… … requiring an appropriate corporate culture,… … and creativity… … born of a variety of experiences… … and insatiable curiosity.
Enterprise Risk Management Or “Enterprise Risk and Assurance Management” or… What is ERM? –Concerned with a broad financial and operating perspective –Recognizes interdependencies among corporate, financial, and environmental factors –Strives to determine and implement an optimal strategy to achieve the primary objective: maximize the value of the firm
Other Possible Goals of ERM Create and increase company value Ensure business continuity Stabilize earnings Enhance opportunities for the company to achieve its objectives Make risk management more cost-efficient
Evolution of ERM Historically: “risk silo” mentality Mid-1990s: –First “Chief Risk Officer” –First use of ERM terminology Late-1990s: –Risk-related regulatory requirements (e.g., Turnbull) –Earnings protection insurance debuts 2001: –September 11 –Corporate scandals –Beginning of efforts to improve corporate governance
Current State Findings from various surveys –An acknowledged need to improve risk management –A recognition that a holistic approach is appropriate and preferable –ERM can improve overall capital management and thus enhance corporate value and competitiveness –A variety of approaches to improving risk management –There are still problems to overcome
A Paradigm Shift Traditional Risks managed in silos Concentrates on physical hazards and financial risks Insurance orientation Ad hoc / one-off projects Emerging Centralized mgt., with exec-level coordination Integrated consideration of all risks, firm-wide Opportunities for hedging, diversification Continuous and embedded
Types of Risks Operational –Hazard –Physical Strategic –Capital / resource allocation –Industry / competitors Technological –Databases –Security –Confidential information Stakeholder Legal –Compliance –Regulatory Financial –Capital markets –Credit risks –Taxes Human capital –Retention –Training Reputational
Issues in ERM Implementation Different corporate cultures require different ERM approaches Who is going to be the ERM champion within the company –Among senior executives –Among departments / functions How to embed a risk management culture and responsibilities throughout the firm
Components of the ERM Process Determine corporate objectives Risk identification –Goal: comprehensiveness –E.g., self-assessment Risk measurement –Volatility measures –Value at Risk (VaR) Impact Likelihood Size of loss Likelihood
Components of ERM (cont.) Assessing the impact –Stress or scenario testing –Stochastic simulation Examine and select alternative risk management tools and techniques –Traditional risk transfer –Natural hedging / diversification –Integration of risks E.g., “dynamic financial analysis”
Keys to Success in ERM Senior management commitment and sponsorship Embed a “risk management culture” in the corporation at the operational level Provide for accountability, both specific and widespread Clearly defined responsibilities for coordination and maintenance Adequate communication
ERM Tries to Avoid… “A failure of imagination.” - Frank Borman, in testimony to Congress, responding to a question regarding the real cause of the Apollo 1 fire and the resulting three astronaut deaths, as dramatized in HBO’s series From the Earth to the Moon
Observations from the CAS ERM Online Course
CAS Online Courses Originally, four modules in a Financial Risk Management series Newest course: “Intro to ERM” –First offering: October 2006 –Fourth offering: January 2008 Course components: –12 lectures (PPT with voiceovers) –Readings, and case studies –Discussion forum –“Final exam”
Titles of Lectures 1)Introduction to ERM 2)ERM in Context 3)ERM in Practice 4)ERM Framework 5)Hazard Risk 6)Financial Risk 7)Operational Risk 8)Strategic Risk 9)Risk Metrics 10)Application of ERM 11)COSO Pros and Cons 12)Conclusion
Some Preliminary Observations Significant But Most Difficult Risk to Quantify Reputational risk –Quantification suggestions – e.g., “event study” Human capital Operational risk Strategic risk
Some Preliminary Observations (cont.) Status of ERM at Company Many companies have moved in the direction of ERM Some are well along –CROs, risk committees Some have a long way to go –Still some silo mentality –Focus on more immediate issues (e.g., SOX) –Question ERM’s staying power
Some Preliminary Observations (cont.) Risk Measures – Alternatives to VaR Economic capital Measures relating risk and return (e.g., RAROC) Probability of ruin A few thought VaR and TVaR are reasonable and serviceable
Some Preliminary Observations (cont.) Greatest Risks Faced Hazard risks (particularly catastrophe and terrorism risks) Reputational risks Operational risks Pricing – reserving risks Financial risks Strategic risks
Issues in Advancing ERM
(1) Complex Adaptive System A system of individual “agents” which interact and adapt / evolve to changing conditions Characteristics –Not reducible –Self-organized emergence, exhibiting nonlinearities –Bottom-up rather than top-down Some examples –Economies –Ecologies –Consciousness –Organizations
Complex Social Systems “One must study the laws of human action and social cooperation as the physicist studies the laws of nature.” - Human Action, Ludwig von Mises, 1949
Historical Recognition “He intends only his own gain, and he is in this, as in many other cases, led by an invisible hand to promote an end which was no part of his intention.” - An Inquiry into the Nature and Causes of the Wealth of Nations, Adam Smith, 1776
(2) Evolutionary Process There are several important parallels between economic systems and biological evolutionary theory –Complex systems –Self-organized agents / individuals –Adaptation / natural selection –Emergence of “order” –Understanding the historical process helps to explain behavior
Biology and Economics “The precise mathematical relationship which describes the link between the frequency and size of the extinction of companies, for example, is virtually identical to that which describes the extinction of biological species in the fossil record. Only the timescales differ.” - Why Most Things Fail: Evolution, Extinction & Economics, Paul Ormerod, 2005
(3) Behavioral Concerns Various well-documented “fallacies” can cause inaccurate or biased estimates of values, probabilities, etc. E.g., –Anchoring fallacy: bias toward an initial value –Inattentional blindness: concentrating in one area can induce blindness to other events –Availability fallacy: immediately-available examples have a perhaps undue influence on our estimates
Evaluating Probabilities “The information provided by advocacy groups is blunt. “Y-Me states that breast cancer is ‘the overall leading cause of death in women between the ages of 40 and 55.’ It adds: ‘In the United States, 1 in 8 women will develop breast cancer in her lifetime. This year, breast cancer will be newly diagnosed every three minutes and a woman will die of breast cancer every 13 minutes.’ “CapCure, the organization founded by Michael Milken to fight prostate cancer, states similar statistics: ‘In 2002, an estimated 189,000 men will be diagnosed with prostate cancer. This represents one new case every three minutes.’ “While the figures are accurate, some medical researchers are concerned by the messages they convey. Such statements, they say, may lead people to exaggerate their chances of getting and dying from a fearsome disease.” - “Experts Strive to Put Diseases in Proper Perspective,” by Gina Kolata, New York Times, 7/2/02
Evaluating Probabilities (cont.) “Even concerns about real dangers, when blown out of proportion, do demonstrable harm. Take the fear of cancer. Many Americans overestimate the prevalence of the disease, underestimate the odds of surviving it, and put themselves at greater risk as a result. Women in their forties believe they have a 1 in 10 chance of dying from breast cancer, a Dartmouth study found. Their real lifetime odds are more like 1 in 250. Women’s heightened perception of risk, rather than motivating them to get checkups or seek treatment, can have the opposite effect. A study of daughters of women with breast cancer found an inverse correlation between fear and prevention: the greater a daughter’s fear of the disease the less frequent her breast self- examination. Studies of the general population-both men and women- find that large numbers of people who believe they have symptoms of cancer delay going to a doctor, often for several months. When asked why, they report they are terrified about the pain and financial ruin cancer can cause as well as poor prospects for a cure….” - The Culture of Fear: Why Americans are Afraid of the Wrong Things, Barry Glassner, 2000, Basic Books
Research New undergraduate research initiative at the University of Illinois Current research projects –Agent-based modeling –Predator – prey models –Power laws and their applications –Neuroeconomics and behavioral economics
Conclusion
ERM Predictions – Lam* 1.ERM will become an industry standard 2.CRO position will be prevalent 3.Audit committees will become risk committees 4.Economic capital will replace VaR 5.Enterprise-level transfer of risk 6.Impact of advanced technology 7.Measurement standard for operational risk 8.Mark-to-market accounting 9.Risk education will grow 10.Salary gap between risk professionals will widen *Enterprise Risk Management: From Incentives to Controls, James Lam, 2003
Personal Conclusions ERM is a giant redwood However, let’s not underestimate how big a challenge it is –Even in a “frictionless” world, quantifying and codifying a holistic approach to risk management is an enormous task –Real-world realities make it even more difficult But it’s worth the effort
Concluding Quotation “The revolutionary idea that defines the boundary between modern times and the past is the mastery of risk” - Peter Bernstein, Against the Gods