Enterprise Risk Management Forthcoming in the Journal of Risk Management of Korea Volume 12, Number 1 Stephen P. D'Arcy Fellow of the Casualty Actuarial Society John C. Brogan Faculty Scholar in Risk Management and Insurance and Professor of Finance University of Illinois at Urbana-Champaign May 30, 2001 Contact Information: Address: Department of Finance 340 Wohlers Hall 1206 S. Sixth Street Champaign, IL 61820 U.S.A. Telephone: 217-333-0772 FAX: 217-244-3102 E-mail: [email protected] Enterprise Risk Management is a relatively new term that is quickly becoming viewed as the ultimate approach to risk management. Consultants are advertising their ability to perform enterprise risk management. Auditors are examining how to incorporate enterprise risk management approaches into company audits.1 Presentations are being made on this topic at many actuarial, risk management and other insurance meetings.2 Seminars devoted to this topic are being conducted to explain the process, provide examples of applications and discuss advances in the field. Papers on enterprise risk management are beginning to appear in journals and books on the topic are starting to be published.3 Some universities are even starting to offer courses titled enterprise risk management. It appears that a new field of risk management is opening up, one requiring new and specialized expertise, one that will make other forms of risk management incomplete and less attractive. This paper will explain what enterprise risk management is, why it has developed so quickly, how it differs from traditional risk management, what new skills are involved in this process and what advantages and opportunities this approach offers compared to prior techniques. 1 See the Institute of Internal Auditors website for an extensive list of references and discussion of enterprise risk management. 2 See the CAS website, and particularly the presentations by Friedel, Kawamoto, Miccolis, and Miccolis and Shah. 3 See Davenport and Bradley (2000), Deloach and Temple (2000), Doherty (2000), Guthrie, et al (1999), Lam (2000) and Shimpi (1999).2Definition of Enterprise Risk Management Enterprise risk management is, in essence, the latest name for an overall risk management approach to business risks. Precursors to this term include corporate risk management, business risk management, holistic risk management, strategic risk management and integrated risk management. Although each of these terms has a slightly different focus, in part fostered by the risk elements that were of primary concern to organizations when each term first emerged, the general concepts are quite similar. According to the Casualty Actuarial Society (CAS), enterprise risk management is defined as: "The process by which organizations in all industries assess, control, exploit, finance and monitor risks from all sources for the purpose of increasing the organization's short and long term value to its stakeholders." The CAS then proceeds to enumerate the types of risk subject to enterprise risk management as hazard, financial, operational and strategic. Hazard risks are those risks that have traditionally been addressed by insurers, including fire, theft, windstorm, liability, business interruption, pollution, health and pensions. Financial risks cover potential losses due to changes in financial markets, including interest rates, foreign exchange rates, commodity prices, liquidity risks and credit risk. Operational risks cover a wide variety of situations, including customer satisfaction, product development, product failure, trademark protection, corporate leadership, information technology, management fraud and information risk. Strategic risks include such factors as completion, customer preferences, technological innovation and regulatory or political impediments. Although there can be disagreement over which category would apply to3a specific instance, the primary point is that enterprise risk management considers all types of risk an organization faces. A common thread of enterprise risk management is that the overall risks of the organization are managed in aggregate, rather than independently. Risk is also viewed as a potential profit opportunity, rather than as something simply to be minimized or eliminated. The level of decision making under enterprise risk management is also shifted, from the insurance risk manager, who would generally seek to control risk, to the chief executive officer, or board of directors, who would be willing to embrace profitable risk opportunities (Kawamoto, 2001). Basically, though, enterprise risk management simply represents a return to the original roots of risk management, a field that was first developed in the 1950s by a group of innovative insurance professors. The first risk management text, presciently titled Risk Management and the Business Enterprise, was published in 1963, after six years of development, by Robert I. Mehr and Bob Hedges. As initially introduced in this text, the objective of risk management is, "to maximize the productive efficiency of the enterprise." The basic premise of this text was that risks should be managed in a comprehensive manner, and not simply insured. The initial focus of risk management was on what is now termed hazard risk. This specialty area developed its own terminology and techniques for addressing risk. Financial risks began to be addressed much later, and by a separate business segment of most organizations. This field also developed its own terminology and techniques for addressing risk, independently of those used in traditional risk management. Each specialty area also developed different methods for reporting the risks the organization4faced within each area. Since the hazard risk manager and the financial risk manager both generally reported to a common position, frequently the treasurer or chief financial officer of the firm, the different, and separate, approaches to dealing with risk created a problem. Potentially, each area could be expending resources to deal with a risk that, in aggregate, would cancel out within the firm. Also, the tolerance for risk applied in each area could be vastly different between hazard risks and financial risks. These discrepancies provided the impetus for developing a common terminology and common techniques for dealing with risk. In addition, this common approach could