
Question



Research Paper:

Topic: Why did the traditional financial risk approaches, methods, and tools fail in the financial market meltdown of 2008 - 2009?

Discuss questions

DQ #1: How has fair value accounting challenged leveraged instruments?

DQ #2: What are the fair value standards that need to be followed in the U.S. under GAAP and internationally under IFRS?

DQ #1: How is credit risk changing with the implosion of the financial credit markets in 2008 and 2009?

DQ #2: Identify at least 10 important risks that need to be considered in an overall risk assessment.

DQ #3: Has the COSO ERM Framework been successful?

Discuss the challenges of VaR approaches in valuing risk. Value at Risk.

DQ #2: How does portfolio risk assessment differ from a single asset's risk assessment?

DQ #3: How do managers typically load balance a portfolio?

THE COURSE: FINANCIAL RISK MANAGEMENT

Enterprise Risk Management - Integrated Framework
Executive Summary
September 2004

Copyright 2004 by the Committee of Sponsoring Organizations of the Treadway Commission. All rights reserved. You are hereby authorized to download and distribute unlimited copies of this Executive Summary PDF document, for internal use by you and your firm. You may not remove any copyright or trademark notices, such as the , TM, or symbols, from the downloaded copy. For any form of commercial exploitation distribution, you must request copyright permission as follows: The current procedure for requesting AICPA permission is to first display our Website homepage on the Internet at www.aicpa.org, then click on the "privacy policies and copyright information" hyperlink at the bottom of the page. Next, click on the resulting copyright menu link to COPYRIGHT PERMISSION REQUEST FORM, fill in all relevant sections of the form online, and click on the SUBMIT button at the bottom of the page. A permission fee will be charged for the requested reproduction privileges.

Committee of Sponsoring Organizations of the Treadway Commission (COSO)

Oversight and Representative:
- COSO Chair: John J. Flaherty
- American Accounting Association: Larry E. Rittenberg
- American Institute of Certified Public Accountants: Alan W. Anderson
- Financial Executives International: John P. Jessup, Nicholas S. Cyprus
- Institute of Management Accountants: Frank C. Minter, Dennis L. Neider
- The Institute of Internal Auditors: William G. Bishop, III, David A. Richards

Project Advisory Council to COSO

Guidance:
- Tony Maki, Chair, Partner, Moss Adams LLP
- James W. DeLoach, Managing Director, Protiviti Inc.
- John P. Jessup, Vice President and Treasurer, E. I. duPont de Nemours and Company
- Mark S. Beasley, Professor, North Carolina State University
- Andrew J. Jackson, Senior Vice President of Enterprise Risk Assurance Services, American Express Company
- Tony M. Knapp, Senior Vice President and Controller, Motorola, Inc.
- Jerry W. DeFoor, Vice President and Controller, Protective Life Corporation
- Douglas F. Prawitt, Professor, Brigham Young University
- Steven E. Jameson, Executive Vice President, Chief Internal Audit & Risk Officer, Community Trust Bancorp, Inc.

PricewaterhouseCoopers LLP
Author

Principal Contributors:
- Richard M. Steinberg, Former Partner and Corporate Governance Leader (Presently Steinberg Governance Advisors)
- Miles E.A. Everson, Partner and Financial Services Finance, Operations, Risk and Compliance Leader, New York
- Frank J. Martens, Senior Manager, Client Services, Vancouver, Canada
- Lucy E. Nottingham, Manager, Internal Firm Services, Boston

FOREWORD

Over a decade ago, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) issued Internal Control - Integrated Framework to help businesses and other entities assess and enhance their internal control systems. That framework has since been incorporated into policy, rule, and regulation, and used by thousands of enterprises to better control their activities in moving toward achievement of their established objectives.

Recent years have seen heightened concern and focus on risk management, and it became increasingly clear that a need exists for a robust framework to effectively identify, assess, and manage risk. In 2001, COSO initiated a project, and engaged PricewaterhouseCoopers, to develop a framework that would be readily usable by managements to evaluate and improve their organizations' enterprise risk management.

The period of the framework's development was marked by a series of high-profile business scandals and failures where investors, company personnel, and other stakeholders suffered tremendous loss. In the aftermath were calls for enhanced corporate governance and risk management, with new law, regulation, and listing standards. The need for an enterprise risk management framework, providing key principles and concepts, a common language, and clear direction and guidance, became even more compelling.
COSO believes this Enterprise Risk Management - Integrated Framework fills this need, and expects it will become widely accepted by companies and other organizations and indeed all stakeholders and interested parties.

Among the outgrowths in the United States is the Sarbanes-Oxley Act of 2002, and similar legislation has been enacted or is being considered in other countries. This law extends the long-standing requirement for public companies to maintain systems of internal control, requiring management to certify and the independent auditor to attest to the effectiveness of those systems. Internal Control - Integrated Framework, which continues to stand the test of time, serves as the broadly accepted standard for satisfying those reporting requirements.

This Enterprise Risk Management - Integrated Framework expands on internal control, providing a more robust and extensive focus on the broader subject of enterprise risk management. While it is not intended to and does not replace the internal control framework, but rather incorporates the internal control framework within it, companies may decide to look to this enterprise risk management framework both to satisfy their internal control needs and to move toward a fuller risk management process.

Among the most critical challenges for managements is determining how much risk the entity is prepared to and does accept as it strives to create value. This report will better enable them to meet this challenge.

John J. Flaherty, Chair, COSO
Tony Maki, Chair, COSO Advisory Council

EXECUTIVE SUMMARY

The underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value.
Enterprise risk management enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.

Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity's objectives. Enterprise risk management encompasses:

- Aligning risk appetite and strategy - Management considers the entity's risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
- Enhancing risk response decisions - Enterprise risk management provides the rigor to identify and select among alternative risk responses - risk avoidance, reduction, sharing, and acceptance.
- Reducing operational surprises and losses - Entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
- Identifying and managing multiple and cross-enterprise risks - Every enterprise faces a myriad of risks affecting different parts of the organization, and enterprise risk management facilitates effective response to the interrelated impacts, and integrated responses to multiple risks.
- Seizing opportunities - By considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
- Improving deployment of capital - Obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.

These capabilities inherent in enterprise risk management help management achieve the entity's performance and profitability targets and prevent loss of resources. Enterprise risk management helps ensure effective reporting and compliance with laws and regulations, and helps avoid damage to the entity's reputation and associated consequences.
In sum, enterprise risk management helps an entity get to where it wants to go and avoid pitfalls and surprises along the way.

Events - Risks and Opportunities

Events can have negative impact, positive impact, or both. Events with a negative impact represent risks, which can prevent value creation or erode existing value. Events with positive impact may offset negative impacts or represent opportunities. Opportunities are the possibility that an event will occur and positively affect the achievement of objectives, supporting value creation or preservation. Management channels opportunities back to its strategy or objective-setting processes, formulating plans to seize the opportunities.

Enterprise Risk Management Defined

Enterprise risk management deals with risks and opportunities affecting value creation or preservation, defined as follows:

Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The definition reflects certain fundamental concepts. Enterprise risk management is:

- A process, ongoing and flowing through an entity
- Effected by people at every level of an organization
- Applied in strategy setting
- Applied across the enterprise, at every level and unit, and includes taking an entity-level portfolio view of risk
- Designed to identify potential events that, if they occur, will affect the entity and to manage risk within its risk appetite
- Able to provide reasonable assurance to an entity's management and board of directors
- Geared to achievement of objectives in one or more separate but overlapping categories

This definition is purposefully broad.
It captures key concepts fundamental to how companies and other organizations manage risk, providing a basis for application across organizations, industries, and sectors. It focuses directly on achievement of objectives established by a particular entity and provides a basis for defining enterprise risk management effectiveness.

Achievement of Objectives

Within the context of an entity's established mission or vision, management establishes strategic objectives, selects strategy, and sets aligned objectives cascading through the enterprise. This enterprise risk management framework is geared to achieving an entity's objectives, set forth in four categories:

- Strategic - high-level goals, aligned with and supporting its mission
- Operations - effective and efficient use of its resources
- Reporting - reliability of reporting
- Compliance - compliance with applicable laws and regulations.

This categorization of entity objectives allows a focus on separate aspects of enterprise risk management. These distinct but overlapping categories - a particular objective can fall into more than one category - address different entity needs and may be the direct responsibility of different executives. This categorization also allows distinctions between what can be expected from each category of objectives. Another category, safeguarding of resources, used by some entities, also is described.

Because objectives relating to reliability of reporting and compliance with laws and regulations are within the entity's control, enterprise risk management can be expected to provide reasonable assurance of achieving those objectives.
Achievement of strategic objectives and operations objectives, however, is subject to external events not always within the entity's control; accordingly, for these objectives, enterprise risk management can provide reasonable assurance that management, and the board in its oversight role, are made aware, in a timely manner, of the extent to which the entity is moving toward achievement of the objectives.

Components of Enterprise Risk Management

Enterprise risk management consists of eight interrelated components. These are derived from the way management runs an enterprise and are integrated with the management process. These components are:

- Internal Environment - The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
- Objective Setting - Objectives must exist before management can identify potential events affecting their achievement. Enterprise risk management ensures that management has in place a process to set objectives and that the chosen objectives support and align with the entity's mission and are consistent with its risk appetite.
- Event Identification - Internal and external events affecting achievement of an entity's objectives must be identified, distinguishing between risks and opportunities. Opportunities are channeled back to management's strategy or objective-setting processes.
- Risk Assessment - Risks are analyzed, considering likelihood and impact, as a basis for determining how they should be managed. Risks are assessed on an inherent and a residual basis.
- Risk Response - Management selects risk responses - avoiding, accepting, reducing, or sharing risk - developing a set of actions to align risks with the entity's risk tolerances and risk appetite.
- Control Activities - Policies and procedures are established and implemented to help ensure the risk responses are effectively carried out.
- Information and Communication - Relevant information is identified, captured, and communicated in a form and timeframe that enable people to carry out their responsibilities. Effective communication also occurs in a broader sense, flowing down, across, and up the entity.
- Monitoring - The entirety of enterprise risk management is monitored and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations, or both.

Enterprise risk management is not strictly a serial process, where one component affects only the next. It is a multidirectional, iterative process in which almost any component can and does influence another.

Relationship of Objectives and Components

There is a direct relationship between objectives, which are what an entity strives to achieve, and enterprise risk management components, which represent what is needed to achieve them. The relationship is depicted in a three-dimensional matrix, in the form of a cube.

[Figure: the enterprise risk management cube. Columns: Strategic, Operations, Reporting, Compliance. Rows: Internal Environment, Objective Setting, Event Identification, Risk Assessment, Risk Response, Control Activities, Information & Communication, Monitoring. Third dimension: Subsidiary, Business Unit, Division, Entity-Level.]

The four objectives categories - strategic, operations, reporting, and compliance - are represented by the vertical columns, the eight components by horizontal rows, and an entity's units by the third dimension. This depiction portrays the ability to focus on the entirety of an entity's enterprise risk management, or by objectives category, component, entity unit, or any subset thereof.

Effectiveness

Determining whether an entity's enterprise risk management is "effective" is a judgment resulting from an assessment of whether the eight components are present and functioning effectively. Thus, the components are also criteria for effective enterprise risk management. For the components to be present and functioning properly there can be no material weaknesses, and risk needs to have been brought within the entity's risk appetite.

When enterprise risk management is determined to be effective in each of the four categories of objectives, respectively, the board of directors and management have reasonable assurance that they understand the extent to which the entity's strategic and operations objectives are being achieved, and that the entity's reporting is reliable and applicable laws and regulations are being complied with.

The eight components will not function identically in every entity. Application in small and mid-size entities, for example, may be less formal and less structured. Nonetheless, small entities still can have effective enterprise risk management, as long as each of the components is present and functioning properly.

Limitations

While enterprise risk management provides important benefits, limitations exist. In addition to factors discussed above, limitations result from the realities that human judgment in decision making can be faulty, decisions on responding to risk and establishing controls need to consider the relative costs and benefits, breakdowns can occur because of human failures such as simple errors or mistakes, controls can be circumvented by collusion of two or more people, and management has the ability to override enterprise risk management decisions. These limitations preclude a board and management from having absolute assurance as to achievement of the entity's objectives.

Encompasses Internal Control

Internal control is an integral part of enterprise risk management. This enterprise risk management framework encompasses internal control, forming a more robust conceptualization and tool for management. Internal control is defined and described in Internal Control - Integrated Framework. Because that framework has stood the test of time and is the basis for existing rules, regulations, and laws, that document remains in place as the definition of and framework for internal control. While only portions of the text of Internal Control - Integrated Framework are reproduced in this framework, the entirety of that framework is incorporated by reference into this one.

Roles and Responsibilities

Everyone in an entity has some responsibility for enterprise risk management. The chief executive officer is ultimately responsible and should assume ownership. Other managers support the entity's risk management philosophy, promote compliance with its risk appetite, and manage risks within their spheres of responsibility consistent with risk tolerances. A risk officer, financial officer, internal auditor, and others usually have key support responsibilities. Other entity personnel are responsible for executing enterprise risk management in accordance with established directives and protocols. The board of directors provides important oversight to enterprise risk management, and is aware of and concurs with the entity's risk appetite. A number of external parties, such as customers, vendors, business partners, external auditors, regulators, and financial analysts often provide information useful in effecting enterprise risk management, but they are not responsible for the effectiveness of, nor are they a part of, the entity's enterprise risk management.

Organization of This Report

This report is in two volumes. The first volume contains the Framework as well as this Executive Summary.
The Framework defines enterprise risk management and describes principles and concepts, providing direction for all levels of management in businesses and other organizations to use in evaluating and enhancing the effectiveness of enterprise risk management. This Executive Summary is a high-level overview directed to chief executives, other senior executives, board members, and regulators. The second volume, Application Techniques, provides illustrations of techniques useful in applying elements of the framework.

Use of This Report

Suggested actions that might be taken as a result of this report depend on position and role of the parties involved:

- Board of Directors - The board should discuss with senior management the state of the entity's enterprise risk management and provide oversight as needed. The board should ensure it is apprised of the most significant risks, along with actions management is taking and how it is ensuring effective enterprise risk management. The board should consider seeking input from internal auditors, external auditors, and others.
- Senior Management - This study suggests that the chief executive assess the organization's enterprise risk management capabilities. In one approach, the chief executive brings together business unit heads and key functional staff to discuss an initial assessment of enterprise risk management capabilities and effectiveness. Whatever its form, an initial assessment should determine whether there is a need for, and how to proceed with, a broader, more in-depth evaluation.
- Other Entity Personnel - Managers and other personnel should consider how they are conducting their responsibilities in light of this framework and discuss with more-senior personnel ideas for strengthening enterprise risk management. Internal auditors should consider the breadth of their focus on enterprise risk management.
- Regulators - This framework can promote a shared view of enterprise risk management, including what it can do and its limitations. Regulators may refer to this framework in establishing expectations, whether by rule or guidance or in conducting examinations, for entities they oversee.
- Professional Organizations - Rule-making and other professional organizations providing guidance on financial management, auditing, and related topics should consider their standards and guidance in light of this framework. To the extent diversity in concepts and terminology is eliminated, all parties benefit.
- Educators - This framework might be the subject of academic research and analysis, to see where future enhancements can be made. With the presumption that this report becomes accepted as a common ground for understanding, its concepts and terms should find their way into university curricula.

With this foundation for mutual understanding, all parties will be able to speak a common language and communicate more effectively. Business executives will be positioned to assess their company's enterprise risk management process against a standard, and strengthen the process and move their enterprise toward established goals. Future research can be leveraged off an established base. Legislators and regulators will be able to gain an increased understanding of enterprise risk management, including its benefits and limitations. With all parties utilizing a common enterprise risk management framework, these benefits will be realized.

Enterprise Risk Management

Forthcoming in the Journal of Risk Management of Korea, Volume 12, Number 1

Stephen P. D'Arcy
Fellow of the Casualty Actuarial Society
John C. Brogan Faculty Scholar in Risk Management and Insurance and Professor of Finance
University of Illinois at Urbana-Champaign

May 30, 2001

Contact Information:
Address: Department of Finance, 340 Wohlers Hall, 1206 S. Sixth Street, Champaign, IL 61820 U.S.A.
Telephone: 217-333-0772
FAX: 217-244-3102
E-mail: s-darcy@uiuc.edu

Introduction

Enterprise Risk Management is a relatively new term that is quickly becoming viewed as the ultimate approach to risk management. Consultants are advertising their ability to perform enterprise risk management. Auditors are examining how to incorporate enterprise risk management approaches into company audits.[1] Presentations are being made on this topic at many actuarial, risk management and other insurance meetings.[2] Seminars devoted to this topic are being conducted to explain the process, provide examples of applications and discuss advances in the field. Papers on enterprise risk management are beginning to appear in journals and books on the topic are starting to be published.[3] Some universities are even starting to offer courses titled enterprise risk management. It appears that a new field of risk management is opening up, one requiring new and specialized expertise, one that will make other forms of risk management incomplete and less attractive. This paper will explain what enterprise risk management is, why it has developed so quickly, how it differs from traditional risk management, what new skills are involved in this process and what advantages and opportunities this approach offers compared to prior techniques.

[1] See the Institute of Internal Auditors website for an extensive list of references and discussion of enterprise risk management.
[2] See the CAS website, and particularly the presentations by Friedel, Kawamoto, Miccolis, and Miccolis and Shah.
[3] See Davenport and Bradley (2000), Deloach and Temple (2000), Doherty (2000), Guthrie, et al (1999), Lam (2000) and Shimpi (1999).

Definition of Enterprise Risk Management

Enterprise risk management is, in essence, the latest name for an overall risk management approach to business risks.
Precursors to this term include corporate risk management, business risk management, holistic risk management, strategic risk management and integrated risk management. Although each of these terms has a slightly different focus, in part fostered by the risk elements that were of primary concern to organizations when each term first emerged, the general concepts are quite similar.

According to the Casualty Actuarial Society (CAS), enterprise risk management is defined as:

"The process by which organizations in all industries assess, control, exploit, finance and monitor risks from all sources for the purpose of increasing the organization's short and long term value to its stakeholders."

The CAS then proceeds to enumerate the types of risk subject to enterprise risk management as hazard, financial, operational and strategic. Hazard risks are those risks that have traditionally been addressed by insurers, including fire, theft, windstorm, liability, business interruption, pollution, health and pensions. Financial risks cover potential losses due to changes in financial markets, including interest rates, foreign exchange rates, commodity prices, liquidity risks and credit risk. Operational risks cover a wide variety of situations, including customer satisfaction, product development, product failure, trademark protection, corporate leadership, information technology, management fraud and information risk. Strategic risks include such factors as competition, customer preferences, technological innovation and regulatory or political impediments. Although there can be disagreement over which category would apply to a specific instance, the primary point is that enterprise risk management considers all types of risk an organization faces.

A common thread of enterprise risk management is that the overall risks of the organization are managed in aggregate, rather than independently.
Risk is also viewed as a potential profit opportunity, rather than as something simply to be minimized or eliminated. The level of decision making under enterprise risk management is also shifted, from the insurance risk manager, who would generally seek to control risk, to the chief executive officer, or board of directors, who would be willing to embrace profitable risk opportunities (Kawamoto, 2001).

Basically, though, enterprise risk management simply represents a return to the original roots of risk management, a field that was first developed in the 1950s by a group of innovative insurance professors. The first risk management text, presciently titled Risk Management and the Business Enterprise, was published in 1963, after six years of development, by Robert I. Mehr and Bob Hedges. As initially introduced in this text, the objective of risk management is, "to maximize the productive efficiency of the enterprise." The basic premise of this text was that risks should be managed in a comprehensive manner, and not simply insured.

The initial focus of risk management was on what is now termed hazard risk. This specialty area developed its own terminology and techniques for addressing risk. Financial risks began to be addressed much later, and by a separate business segment of most organizations. This field also developed its own terminology and techniques for addressing risk, independently of those used in traditional risk management. Each specialty area also developed different methods for reporting the risks the organization faced within each area. Since the hazard risk manager and the financial risk manager both generally reported to a common position, frequently the treasurer or chief financial officer of the firm, the different, and separate, approaches to dealing with risk created a problem. Potentially, each area could be expending resources to deal with a risk that, in aggregate, would cancel out within the firm.
Also, the tolerance for risk applied in each area could be vastly different between hazard risks and financial risks. These discrepancies provided the impetus for developing a common terminology and common techniques for dealing with risk. In addition, this common approach could then be applied to other risks, such as operational and strategic risks, that could adversely affect the organization. This common approach to dealing with all risks that a firm faces is the heart of enterprise risk management, and represents an encompassing application of Mehr and Hedges' objective, "to maximize the productive efficiency of the enterprise."

Historical Development

Risk management has been practiced for thousands of years.[4] One can imagine a proto-risk manager burning a fire at night to keep wild animals away. Early lenders must have quickly learned to reduce the risk of loan defaults by limiting the amount loaned to any one individual and by restricting loans to those considered most likely to repay them. Individuals and firms could manage the risk of fire through the choice of building materials and safety practices, or after the introduction of fire insurance in 1667, by shifting it to an insurer. However, it wasn't until the 1960s that the field was formally named, principles developed and guidelines established. Robert Mehr and Bob Hedges, widely acclaimed as the fathers of risk management, enumerated the following steps for the risk management process:

1. Identifying loss exposures
2. Measuring loss exposures
3. Evaluating the different methods for handling risk
   - Risk assumption
   - Risk transfer
   - Risk reduction
4. Selecting a method
5. Monitoring results

[4] For an excellent overview of the treatment of risk through the ages, see Bernstein (1996).

Initially, the risk management process focused on what has been termed "pure risks." Pure risks are those in which there is either a loss or no loss. Either something bad happens, or it doesn't.
The states of possible outcomes in a pure risk situation do not allow for any outcome more favorable than the current position. A typical example of a pure risk is owning a house. Your house may burn down, be hit by an earthquake or be infested by insects. If none of these, or other, unfavorable developments occur, then you are in the no loss position. This is no better than where you started, but no worse either.

The other classification of risk is "speculative risk." In a speculative risk, there is the possibility of a gain. For example, investing in the stock market generates the possibility of a loss (the stock could go down in value), the possibility that the value would not change (the stock price remains where you bought it), and the possibility of a gain (the stock price could increase).

Traditional risk management has focused on pure risks for several reasons. First, the field of risk management was developed by individuals who taught or worked in the insurance field, so the focus was on risks that insurers would be willing to write. In fact, some risk managers' job duties are limited to buying insurance, an unfortunate limitation since many other options are readily available and should be explored. Another reason for the focus on pure risks is that in many cases these represented the most serious short term threats to the financial position of an organization at the time this field was founded. A fire could quickly put a firm out of business. Efforts to reduce the likelihood of a fire occurring, or to minimize the damage a fire would cause, or to establish a contingency plan to keep the business going in the event of a fire, or to purchase an insurance policy to compensate the owners for the damages caused by a fire, were easily seen to be beneficial to the firm.
Finally, there were simply not a lot of reasons or options for dealing with financial risks such as interest rate changes, foreign exchange rate movements or equity market fluctuations, when this field was first developing.

At the time the field of risk management first emerged, interest rates were stable, foreign exchange rates were intentionally maintained within narrow bands and inflation was not yet a concern to most corporations. Thus, financial risks were not a major issue for most businesses. Indeed, the field of finance was primarily institutional at the time. Although Markowitz had proposed portfolio theory (Markowitz, 1952), the Capital Asset Pricing Model had not yet been developed. The mathematics for quantifying financial risk were not sufficient to put these risks in the same framework as most pure risks. The primary risks of the time were hazard risks: the risk of fire, windstorm or other property damage, or liability. Environmental risks had not yet developed into significant losses. Pensions were, at this point, neither guaranteed nor regulated.

Given the primary risks facing businesses were hazard risks, the initial focus of risk management was on these types of risks. Risks were quantified, the evaluation of different methods of dealing with risk was advanced and standardized, and an extensive terminology for managing risk was developed. Such terms as maximum possible loss (the largest loss that could occur) and maximum probable loss (the largest loss that is likely to occur) were introduced to help define risk exposure. Probability and statistical analysis were used to estimate the range of likely losses and the effect of adopting steps to mitigate these risks. Risk managers did their job quite effectively. Firms almost universally handled their hazard risk in an appropriate manner.
When they didn't, such as the MGM Grand Hotel that found it was not adequately insured for liability coverage after a major fire, new methods of handling risk, in this case retroactive insurance, were developed (Smith and Witt, 1985). Rarely did companies face financial ruin as a result of failure to manage their hazard risks effectively.

Beginning in the 1970s, financial risk became an important source of uncertainty for firms and, shortly thereafter, tools for handling financial risk were developed. These new tools allowed financial risks to be managed in a similar fashion to the ways that pure risks had been managed for decades. In 1972 the major developed countries ended the Bretton Woods agreement, which had kept exchange rates stable for three decades. The result of ending the Bretton Woods agreement was to introduce instability in exchange rates. As foreign exchange rates varied, the balance sheets and operating results of corporations engaging in international trade began to fluctuate. This instability affected the performance of many firms. Also during the 1970s, oil prices began to rise as the Organization of Petroleum Exporting Countries (OPEC) developed agreements to reduce production to raise prices. Later in the same decade, a policy shift by the U.S. Federal Reserve to focus on fighting inflation (a result of oil price increases) instead of stabilizing interest rates led to a rapid rise, and increasing volatility, of interest rates in the United States, and had a spillover effect in other nations as well. Thus, volatility in foreign exchange rates, prices and interest rates caused financial risk to become an important concern for institutions.

Although financial risk had become a major concern for institutions by the early 1980s, organizations did not begin to apply the standard risk management tools and techniques to this area.
The reasons for this failure were based on the artificial categorization of risk into pure risk and speculative risk (D'Arcy, 1999). Since fixed income assets, investments denominated in foreign currency and operating results that were affected by inflation or foreign exchange rates all had the possibility of a gain, they represented speculative risk. Risk managers had built a wall around their specialty, called pure risk, within which they operated. When a new risk area emerged, they did not expand to incorporate it into their domain. To do so would have required learning about financial instruments and moving away from the type of risks commonly covered by insurance. This would have been a bold move, but one that the innovative thinkers who developed risk management would have espoused.

This failure was costly to organizations, and to the risk management field. With the emergence of enterprise risk management, traditional risk managers will be pushed into a wider arena of risk analysis, one that incorporates financial risk management and other forms of risk analysis. Thus, the refusal to expand into financial risks did not prevent risk managers from having to learn about financial risk management; it simply delayed it by a few decades.

A Primer in Financial Risk Management

The basic tools of financial risk management are forwards, futures, swaps and options (Smithson, 1998). These contracts are all termed derivatives, since their values are derived from some other instrument's value.

Forwards are contracts entered into today in which the exchange will take place at some future date. The terms of the contract, the price, the date and the specific characteristics of the underlying asset, are all determined when the contract is established, but no money changes hands when the contract is initiated. At the specified date, each party is obligated to consummate the transaction.
Since each forward contract is individually negotiated between the two parties, there is considerable flexibility regarding the terms of the contract. However, since forwards are contracts between the two parties, the risk of failure to perform exists, in the same manner that credit risk is a factor in any loan. In financial markets, this risk is termed counterparty risk. Also, since the contracts are specialized agreements between two parties, the contract is not liquid and can be very hard to terminate prior to the specified date if conditions were to change for one or both of the parties.

Futures contracts were developed to address the credit risk and liquidity concerns of forward contracts. Similar to forwards, futures are entered into today for an exchange that will take place at some future date. The terms of the contract are determined when the contract is entered into and no money changes hands when the contract is initiated. However, there are several significant differences between forwards and futures. First, a clearinghouse (a firm that guarantees the performance of the parties in an exchange-traded derivatives transaction; Hull, 2000) serves as an intermediary to the contract. Each party is contracting with the clearinghouse, not with the other party. Thus, the risk of nonperformance is significantly reduced. Next, in order to reduce the risk of default, several financial requirements are introduced. Each party must post collateral, termed margin, with its broker. The amount of the margin that must be posted initially is determined for each futures contract (initial margin). Also, each day futures contracts are "marked-to-market" with cash payments flowing from one party to the other based on changes in the value of the futures contract. Thus, if the price of a futures contract increases by $500, then the party that is short the contract (has sold the asset) pays $500 to the party that is long the contract (has bought the asset).
These funds come out of, and flow into, the respective margin accounts. If the margin account falls below a predetermined value (maintenance margin), then a deposit must be made into the margin account to restore it to the initial margin level.

Swaps are agreements between two parties to exchange a series of cash flows based on a predetermined arrangement. Early swaps were based on exchanging a series of payments based on different currencies. For example, one company would pay a predetermined sum in Korean won and the other party would pay in US dollars each quarter for several years. Often the value of the exchanges would be netted (the respective values of each payment would be determined, and one party would pay the counterparty the difference in values). The most common swap today is an interest rate swap in which one party pays a fixed interest rate and the other pays a floating interest rate based on a set index such as the London Interbank Offer Rate (LIBOR). However, swaps can also be based on commodity prices or equity values. Similar to forwards and futures, swaps do not involve a payment by either party when the transaction is initiated.

The final basic tool of financial risk management is an option. An option provides the right, but not the obligation, to engage in a financial transaction at a predetermined price in the future. The owner of the option has the choice about consummating the transaction. The seller of the option is required to fulfill the contract if the buyer chooses. Since an option represents one sided risk, there is an initial cost to purchasing an option, which is termed the option premium. Options can be based on equities, bonds, interest rates, commodities, foreign exchange rates, or any other financial variable. A call option provides the right to buy the underlying asset at the predetermined price; a put option provides the right to sell the underlying asset.
Although all options have these general characteristics, many specialized forms of options have been generated to produce a wide variety of different payoffs.

Introduction of Financial Risk Management

Forwards, futures and options had all been traded based on non-financial assets long before they were adapted to deal with financial risk. Swaps were not introduced until 1981, when the first currency swap was announced (Smithson, 1998). However, it did not take long after financial risk began to affect institutions for a wide array of financial risk management products to be generated to help corporations deal with financial risk. Foreign exchange futures were first offered in May, 1972. Interest rate futures began trading in October, 1975. Options on U.S. Treasury bonds were introduced in October, 1982. Options on foreign exchange rates were introduced in December, 1982. Additional futures, swaps and options, as well as combination products, quickly followed. These tools allowed financial institutions and other corporations to manage financial risk in much the same fashion that they used for pure risks.

Unfortunately, these tools were not always used wisely or effectively. Since financial risk management was generally not handled by the traditional risk management department, many of the standards for managing risk were not followed in this area.
In 1994 alone, due to an unexpected rise in interest rates, the following losses from derivatives occurred (Smithson, 1998):

- Codelco, Chile's national copper trading company, lost $207 million
- Gibson Greetings lost $20 million
- Procter and Gamble lost $157 million
- Mead lost $7 million
- Air Products lost $60 million
- Federal Paper lost $19 million
- Caterpillar lost $13 million

Even more serious losses from the misuse of derivatives include (Jorion, 2001; Holton, 1996):

- Barings Bank went bankrupt in 1995 as a result of $1.3 billion in losses in futures and options trading based on the Nikkei 225 and Japanese bonds
- Metallgesellschaft lost $1.3 billion on oil futures contracts
- Orange County lost $1.8 billion in 1994 from leveraged interest rate contracts
- Daiwa lost $1.1 billion from unauthorized derivatives trading
- Sumitomo lost $1.8 billion from concealed trading in copper and derivatives on copper by the head trader

In many cases, these losses occurred due to the failure to follow common risk management practices, such as not having transactions verified by an independent authority, not setting limits to potential losses or failure to understand the risks to which the organization was exposed. Managers and boards of directors were, in some cases, reluctant to question individuals who were providing, or at least reporting, impressive profits in a new area of financial transactions, and were willing to provide authority to these individuals without adequate oversight. The fear was that the normal level of oversight, if exercised in these areas, would drive a person with extraordinary talent away from their firm. Thus, they were lured into risk areas they neither understood nor would have accepted.

Imagine the approach that would have been taken if a traditional risk manager, newly hired by a firm, claimed to be able to provide insurance coverage through a self-funding strategy at half the price that the current providers were charging.
What if this risk manager wanted to take control of the funds for managing risks and wanted to be the person in charge of handling, and reporting, all monetary transactions involving this fund, but would not provide details about the fund to the company? Despite the apparent cost savings, I doubt that any firm would be foolish enough to disregard its oversight process in this situation, or to provide this person with performance bonuses based on the apparent cost savings. Traditional risk management has developed a series of checks and balances to prevent such obvious abuses. Financial risk management did not initially have this level of expertise. One reason for this failure is that traditional risk managers abdicated the area of speculative risk, exposing many organizations to disastrous losses.

The basic rule of risk taking, whether it is hazard risk, financial risk or any other form of risk, is that if you do not fully understand a risk, you do not engage in it, regardless of what profits are claimed or reported. This basic rule is, unfortunately, violated by individuals consistently. Promises of impressive returns entice many individual investors to participate in fraudulent investment schemes. Unfortunately, many corporations fell into this trap as well.

The losses of the mid-1990s led organizations to realize the importance of financial risk management. The financial instruments that were developed to deal with financial risk were complex, and often only understood by those in the financial areas of the firm. Thus, the use of these tools to manage financial risk was generally not coordinated with the approach used to manage other risks. This lack of coordination resulted in a number of problems, including the development of a different terminology from that used in traditional risk management, different measures of risk and different goals.
For example, traditional risk managers frequently focus on the probable maximum loss, the largest loss that could reasonably be expected to occur. If that loss exceeds what the firm is able to cope with, then steps are taken to manage that risk, by transferring some of the risk to other parties, by reducing loss severity through loss control steps or other standard practices. Instead of adopting this approach, financial risk managers developed a measure termed the Value-at-Risk (VaR). This value indicates the loss that the firm would expect to occur, over the selected time interval (for example, daily), the selected percentage of the time. Thus, the daily VaR at the 1% level is the loss that can be expected to occur once every 100 days. This is not the largest loss that is likely to occur, so it does not provide the same level of information as probable maximum loss. The daily VaR at the 5% level, which is expected to occur once every 20 days, is smaller than the 1% value. VaR indicates what losses to expect, not what losses could occur. Even the time frame is different, as the traditional risk manager is likely dealing with loss probabilities over an annual basis, or over the term of an insurance contract, while VaR is often based on daily or weekly price movements.

Another difference between hazard risk and financial risk is the degree of independence among separate elements. In hazard risk management, risks are frequently independent of each other. Thus, the calculation of the number of accidents that a pool of vehicles is likely to be involved in during a year is determined by assuming that each accident is independent of every other accident. Financial risks, on the other hand, are not considered to be independent. In many cases, the correlation between different financial transactions forms the basis of the risk management strategy. Financial risk management considers the relationships among different financial variables to construct hedges.
For example, a firm exposed to long term interest rate risk might use futures on short term instruments, due to the high correlation between short and long term interest rates, to hedge their interest rate exposure. Financial risk management approaches can lead to difficulty when the historical relationships between financial variables shift. For example, the hedge fund Long Term Capital Management lost 92 percent of its value (approximately $4.5 billion) in 1998 when historical patterns between variables, including yields on U.S. and Russian bonds, changed significantly.

Thus, the Board of Directors and other managers that are determining the overall risk management strategy of the firm are likely to receive different types of information on financial risk and on hazard risk. The risks are different, the terminology is different and the measures of risk are different. This makes the task of coordinating the firm's overall exposure to risk more difficult. In addition to desiring a common approach to hazard and financial risks, these decision makers have also envisioned incorporating other forms of risk, including strategic and operational, into the same approach. It is this vision that has led to the creation of enterprise risk management.

Other Factors Leading to Enterprise Risk Management

A number of other factors have also contributed to the development of enterprise risk management. Recent advances in computing power provide the powerful modeling tools necessary to perform sophisticated risk analysis for hazard risks, such as catastrophes, for financial risks, such as interest rate movements, and for other risks. Also, the availability of extensive databases of financial and other information allows users to examine historical information to determine trends, correlations and other relationships among variables that are essential to enterprise risk management.

Insurers are also developing an expertise in, and a focus on, financial risk management.
Some insurers are beginning to provide policies that coordinate financial and pure risk. One insurer has offered a policy that provides protection against foreign currency losses within its insurance coverage (Banham, 1999). Another insurer provided protection for a utility in which the amount of coverage is a function of rainfall, which affects utility income (Taylor, 2001).

Insurers are beginning to utilize the financial markets themselves through the securitization of insurance risk. Several types of insurance securitization have been developed (ISO, 1999). The first was the use of exchange traded derivatives. Both futures and options on catastrophe risk have been traded on the Chicago Board of Trade. Trading in futures began in 1992 based on an index of catastrophe losses paid by a number of insurers reporting to ISO. In 1995 the index was changed to catastrophe losses reported by Property Claim Services, and trading in options was instigated. Although neither of these instruments is traded currently, their existence provided an impetus for insurers to learn about financial risk management tools and encouraged subsequent development of other approaches. The second approach is through contingent capital. One form of this is termed a Cat-E-Put, or catastrophe-equity-put. Under this contract, an insurer purchases a contract under which the counterparty agrees to purchase equity in the firm, at a predetermined price, in the event of a catastrophe as defined in the contract. This is, essentially, a put option that is triggered by a catastrophe. A third type of securitization is termed risk capital, in which an insurer, through an intermediary, issues debt on which the repayment of interest and principal is dependent on catastrophe loss experience. The debt is not fully repaid if a certain level of catastrophic losses occurs. As a result of these innovations, insurers have been able to tap the capital markets to help spread catastrophic losses.
The successes in this area are encouraging additional growth into the financial risk management field.

Insurers and risk managers have a significant role to play in the field of financial risk management. From the point of view of the firm, the risk of a fire that costs the firm $1 million has the same impact on the firm's financial position as a loss in its bond portfolio of $1 million. Protection is available against both of these risks. A coordinated approach to an organization's risk would be preferable to a segmented approach.

After the shocks of mismanaged financial risks, the failed investments in interest rate derivatives and Nikkei 225 stock index futures, and the later success that financial risk management has had in reducing such exposure, corporations have begun to question whether other risks can be handled in a similar, integrated approach.

The Skills Required for Enterprise Risk Management

Although enterprise risk management represents a return to the roots of risk management, in order to be involved with enterprise risk management, traditional risk managers will need to obtain some additional skills. The starting point is to learn the terminology of finance and financial risk management. Due to their importance as potential investments and the growing use of this form of financing, often involving insurance guarantees, the role of asset backed securities should be given special attention. Although new instruments for financial risk management are constantly being generated, they can generally be broken down into their basic components of forwards, futures, swaps and options to be more easily understood. Traditional risk managers also need to learn about VaR in order to engage in any comprehensive risk management process. Knowledge of portfolio theory as a method for dealing with correlated risks is also critical. Simulation and modeling are also important aspects of enterprise risk management.
The ability to locate and exploit natural hedges, those conditions that affect different aspects of an organization in offsetting ways, is vital as well. For example, telephone companies have a natural hedge against major disasters (Molnar, 2000). When a disaster strikes, the company will suffer a loss to its property, but the higher volume of telephone traffic that typically follows a major disaster will help offset this loss. However, the basic approach of identifying, measuring, evaluating, selecting and monitoring risk remains the same. The primary challenge to traditional risk managers is to examine all risks that an organization faces, and not just focus on those that are insurable.

Since enterprise risk management involves so many different aspects of an organization's operations, and integrates a wide variety of different types of risks, no one person is likely to have the expertise necessary to handle this entire role. In most cases, a team approach is used, with the team drawing on the skills and expertise of a number of different areas, including traditional risk management, financial risk management, management information systems, auditing, planning and line operations. The use of a team approach, though, does not allow traditional risk managers to remain focused only on hazard risk. In order for the team to be effective, each area will have to understand the risks, the language and the approach of the other areas. Also, the team leader will need to have a basic understanding of all the steps involved in the entire process and the methodology used by each area.

In assessing the potential losses an organization could experience, many items not covered under hazard risk or financial risk emerge. The company could suffer a significant loss if the chief executive officer were to step down and an adequate replacement could not be found.
If the reputation of one of the company's key products is tarnished by a serious loss (Firestone tires, for example), the company could incur significant monetary losses. If the firm is found liable for underpaying taxes by losing a tax dispute, the required payment could be extremely large. A labor dispute could severely impact a firm's operations. A failed merger could have repercussions that put the firm into a worse financial position than it was in before the negotiations commenced. Although these risks are both present and significant, the ability to quantify such exposures is far less sophisticated than the approach that can be used for most hazard and financial risks. The lack of data and the difficulty in predicting the likelihood of a loss or the financial impact if a loss were to occur make it hard to quantify many risks a firm faces.

One feature of enterprise risk management is the consideration of offsetting risks within a firm. Catastrophe losses are one example. A major hurricane increases the losses of an insurer, but after most disasters people are more likely to purchase insurance against future catastrophes. Thus, future earnings increase, which can offset, on an enterprise risk management approach, the increase in losses the firm has to pay.

The steps of enterprise risk management are quite familiar to traditional risk managers. Shawna Ackerman, a consultant at MHL/Paratus Consulting, lists these steps as (Ackerman, 2001):

- Identify the question(s)
- Identify risks
- Risk measurements
- Formulate strategies to limit risk
- Implement strategies
- Monitor results
- And repeat...

Another consulting firm lists the steps as (ARI, 2001):

- Identify risk on an enterprise basis
- Measure it
- Formulate strategies and tactics to limit or leverage it
- Execute those strategies and tactics
- Monitor process

The steps of enterprise risk management are the same, except for minor changes in wording, as those first enumerated by Mehr and Hedges in 1963.
Enterprise risk management is risk management applied to the entire organization. The basic approach, the goals and the focus of enterprise risk management are the same as those that have worked so effectively for traditional risk managers since the field was first developed.

Conclusion

The impetus for enterprise risk management arose when the traditional risk manager and the financial risk manager began reporting to the same individual in a corporation, commonly the treasurer or chief financial officer. Each risk management specialty had its own terminology, its own methodology and its own focus. However, each dealt with risk the firm was facing. It quickly became apparent that a common approach to risk management would be preferable to an individual approach and an integrated approach preferable to a separatist approach. The evident success of first hazard risk management and later financial risk management has encouraged managers to try to include these and other forms of risk in an overall risk management strategy. Whether this approach succeeds will depend on the ability of those involved in the separate risk categories to develop an integrated approach and extend it to other areas of risk.

This is not truly a new form of risk management; it is simply a recognition that risk management means total risk management, not some subset of risks. The new focus on the concept of enterprise risk management provides an opportunity for risk managers to apply their well established and successful approaches to risk on a broader and more vital scale than previously. This is an excellent opportunity to advance the science of risk management.

References

Ackerman, Shawna. 2001. The Enterprise in Enterprise Risk Management. Casualty Actuarial Society Enterprise Risk Management Seminar.

ARI Risk Management Consultants. 2001. Enterprise Risk Management: The Intersection of Risk and Strategy. http://www.riskadviser.net/Cases/case.htm

Banham, Russ. 1999.
Understanding the Skepticism about Enterprise Risk Management. CFO Magazine. April 1, 1999.

Bernstein, Peter L. 1996. Against the Gods: The Remarkable Story of Risk. John Wiley and Sons, Inc. New York.

Casualty Actuarial Society Websites:
http://www.casact.org/research/ermsurv.htm
http://www.casact.org/CONEDUC/specsem/erm/2001/handouts/handouts.htm

D'Arcy, Stephen P. 1999. Don't Focus on the Tail: Study the Whole Dog! Risk Management and Insurance Review. 2(2):iv-xiv.

Davenport, Edgar W. and L. Michelle Bradley. 2000. Enterprise Risk Management: A Consultative Perspective. Casualty Actuarial Society Discussion Paper Program p. 2342.

Deloach, James and Nick Temple. 2000. Enterprise-Wide Risk Management: Strategies for Linking Risk and Opportunity. Financial Times Management.

Doherty, Neil A. 2000. Integrated Risk Management. McGraw-Hill New York.

Friedel, Wolfgang F. 2001. Enterprise Risk Management - Fad or Fact? Casualty Actuarial Society Enterprise Risk Management Seminar.

Guthrie, Vernon H., David A. Walker and Bert N. Macesker. 1999. Enterprise Risk Management. 17th International System Safety Conference. ABS Group Inc. Risk & Reliability Division and United States Coast Guard Research and Development Center (vguthrie@abs-group.com; dawalker@abs-group.com; bmacesker@rdc.uscg.mil).

Holton, Glyn A. 1996. Enterprise Risk Management. Contingency Analysis. (http://www.contingencyanalysis.com/_frame/frameerm.htm)

Hull, John C. 2000. Options, Futures, and Other Derivatives (Fourth Edition). Prentice Hall. Upper Saddle River, NJ.

Insurance Services Office. 1999. Financing Catastrophe Risk: Capital Market Solutions.

Institute of Internal Auditors. 2001. Risk Management Readings (http://www.theiia.org/ecm/guide-ia.cfm?doc_id=1604)

Jorion, Philippe. 2001. Value at Risk (Second Edition) McGraw-Hill New York.

Kawamoto, Brian. 2001. Issues in Enterprise Risk Management: From Theory to Application. Casualty Actuarial Society Spring Meeting.

Lam, James. 2000.
Enterprise-Wide Risk Management and the Role of the Chief Risk Officer. Erisk March 25, 2000. Erisk.com

Markowitz, Harry M. 1952. Portfolio Selection. Journal of Finance 7:77-91.

Mehr, Robert I. and Bob A. Hedges. 1963. Risk Management in the Business Enterprise. Richard D. Irwin, Inc. Homewood, IL

Miccolis, Jerry and Samir Shah. 2000. Enterprise Risk Management: An Analytic Approach. Tillinghast - Towers Perrin Monograph.

Molnar, Michele. 2000. More Companies Embrace Enterprise Risk Management. Office.com.

Shimpi, Prakash A. 1999. Integrating Corporate Risk Management. Swiss Re New Markets

Smith, Michael L. and Robert C. Witt. 1985. An Economic Analysis of Retroactive Liability Insurance. Journal of Risk and Insurance 52:379-401.

Smithson, Charles W. 1998. Managing Financial Risk: A Guide to Derivative Products, Financial Engineering, and Value Maximization (Third Edition) McGraw-Hill New York.

Taylor, Gary. 2001. New Developments in Enterprise Risk Management in the Energy Industry With a Specific Focus on the Weather Risk Management Market. Casualty Actuarial Society Spring Meeting.

TYPES OF POLICIES

All businesses need property/casualty insurance coverage. The "property" component protects against damage to or loss of the business's property. The "casualty" or liability component provides protection against legal liability for damages caused to other people or their property. A wide variety of lines of business fall into these broad categories. (See Standard Lines/Commercial Insurance for financial data on the major property/casualty insurance lines.) PACKAGE
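
The paper's discussion of Value-at-Risk versus probable maximum loss, and of hedges that rest on historical correlations (the Long Term Capital Management case), can be worked through numerically. The following is an added example, not part of the paper or the original post: every function name and every figure in it is constructed for illustration, and the hedge calculation assumes normally distributed daily returns.

```python
"""Added illustration: VaR vs. worst-case loss, and a correlation-based hedge.

All P&L figures, volatilities and function names are constructed for this
example; none of them come from the paper.
"""
import math
import random
from statistics import NormalDist


def make_constructed_pnl(days=1000, daily_sigma=10_000.0, seed=2008):
    """Constructed daily P&L in dollars: ordinary days plus three crash days."""
    rng = random.Random(seed)
    pnl = [rng.gauss(0.0, daily_sigma) for _ in range(days)]
    # Three rare, severe days of the kind a percentile measure looks past.
    for day, loss in ((100, 80_000.0), (500, 120_000.0), (900, 150_000.0)):
        pnl[day] = -loss
    return pnl


def sorted_losses(pnl):
    """Losses expressed as positive numbers, largest first."""
    return sorted((-x for x in pnl), reverse=True)


def tail_size(n_days, level):
    """Number of days in the worst `level` fraction of the history."""
    return max(1, round(level * n_days))


def historical_var(pnl, level):
    """Historical-simulation VaR: the loss reached on about `level` of days."""
    losses = sorted_losses(pnl)
    return losses[tail_size(len(losses), level) - 1]


def expected_shortfall(pnl, level):
    """Average loss on the days that are at least as bad as the VaR day."""
    losses = sorted_losses(pnl)
    k = tail_size(len(losses), level)
    return sum(losses[:k]) / k


def worst_loss(pnl):
    """Largest single-day loss in the history (what 'could occur')."""
    return sorted_losses(pnl)[0]


def hedged_var(exposure, sigma_asset, sigma_hedge, hedge_ratio, rho, level):
    """Parametric daily VaR of a long position hedged by a short position.

    Assumes normal returns; `rho` is the correlation the hedge relies on.
    """
    variance = (sigma_asset ** 2
                + (hedge_ratio * sigma_hedge) ** 2
                - 2.0 * hedge_ratio * rho * sigma_asset * sigma_hedge)
    z = NormalDist().inv_cdf(1.0 - level)
    return exposure * z * math.sqrt(max(variance, 0.0))


if __name__ == "__main__":
    pnl = make_constructed_pnl()
    print(f"daily VaR at 5%:       {historical_var(pnl, 0.05):>12,.0f}")
    print(f"daily VaR at 1%:       {historical_var(pnl, 0.01):>12,.0f}")
    print(f"expected shortfall 1%: {expected_shortfall(pnl, 0.01):>12,.0f}")
    print(f"worst day in history:  {worst_loss(pnl):>12,.0f}")

    # Same $1,000,000 hedged position, before and after the historical
    # correlation between the asset and its hedge breaks down.
    for rho in (0.95, 0.30):
        var = hedged_var(1_000_000, 0.01, 0.01, 1.0, rho, 0.01)
        print(f"hedged 1% VaR at rho={rho:.2f}: {var:>10,.0f}")
```

In this constructed history the 1% VaR sits below all three crash days, which is the paper's point that VaR reports what losses to expect rather than what losses could occur; the hedged position's VaR grows by a factor of about 3.7 when the correlation drops from 0.95 to 0.30.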
