The problem with risk

A couple of weeks ago I participated in a long email chain of ERM enthusiasts discussing the definition of risk. The chain started:

The issue was whether risk should be defined, as it is in ISO 3100, as:

“Effect of uncertainty on outcomes” – which means that risk is two-sided including both favorable and unfavorable deviations from expectations; or

Whether risk should be defined solely as potential for negative deviations – or one sided – including unexpected losses, but not unexpected gains.

There were impassioned arguments on each side.

What do you think?

Now this is an email thread, so there were strands all over the place. But one strand touched on whether risk is the appropriate term for enterprise risk managers to use.

In everyday terms, risk is a bad thing. Or at least it points to bad things. If you touch electric wires you risk electrocution. If you shun an umbrella on a cloudy day, you risk getting wet. If you don’t work hard, you risk getting laid off.

But a company shouldn’t use enterprise risk management solely to avoid overly risky situations. The textbook I just pulled off the shelf, The Essentials of Risk Management (Crouhy, Galai, Mark), emphasizes that “risk management is not just a defensive activity.” The better a company understands its risk profile and its risk appetite, the more effectively it can be profitable.

So in the phraseology of the email above, risk in ERM is two-sided. It looks at risk and reward, or it is supposed to.

However, when I’ve been in the room with executives discussing risk management, they aren’t looking for rewards. They look at ERM as a way to control downside risk. Your experience may be different, of course. But when I hear an exec ask how this process can help drive profits, I’ll let you know.

Now there are lots of reasons that the C-suite acts that way, not the least of which is the history of ERM. The discipline came from banks trying to quantify how much they could possibly lose tomorrow, given their investment portfolio today. That is an exercise in examining the downside.

Compounding that, at least in insurance, is the importance of actuaries in ERM. Actuaries are intelligent and hard-working, but they have traditionally focused on the downside of insurance. Reserving actuaries set the claims reserve, the company’s largest liability. Pricing actuaries spend half their time, maybe more, estimating future losses.

We are experts in all the bad things that can happen. In the board room, the big bosses see people who tell them how bad things will be and, maybe, how to keep bad things from happening. That’s consistent with how they see ERM, which may explain why so many actuaries are stepping into the CRO job.

Then there’s the word risk itself. As I wrote in the email chain,

The word risk is associated with the downside. It comes from a Greek metaphor meaning “difficulty to avoid at sea.” Its counterpart is reward. That’s why we talk about taking risk in order to earn reward. Risk and reward – risk is the bad thing, and reward is the good thing.

Now that’s the language that management and, heck, everyone else has used for 4,000 years. ERMers can try to get everyone to redefine the word, or they can use a different term. I know which path is easier.

Taken together, it means ERM is underutilized. There’s not enough time spent on seeing how the process can drive proactive decisions, like where to invest or which business units look profitable on a risk-adjusted basis.

So this email chain went on, with lots of interesting discussion. Then someone had a great idea – a fabulous idea. An idea that was so good, that – until I double-checked this afternoon – I thought I had come up with it:

Replace the word risk with the word opportunity everywhere in the discussion that it makes sense. Because when we direct someone to avoid a certain risk, we are implicitly asking them to properly embrace an opportunity.

And where I couldn’t replace the term risk, I’d eliminate it, except where it is absolutely necessary. Specifically mentioning it only confounds things. It focuses on one aspect of the tool – the risky aspect – while ignoring the other aspect – the opportunity.

I wouldn’t talk about risk appetite; I’d talk about appetite. I wouldn’t talk about risk controls; I’d talk about controls. I think the spectre of risk is properly embedded in the terms.

This would extend all the way to the name of the discipline – enterprise risk management. I’d call it enterprise opportunity management. I think that clearly states the purpose of what we now call ERM. It helps the company manage the various opportunities to make money, making sure that each opportunity is properly supported and reined in.

Heck, I’d drop the term enterprise and just call it opportunity management. I think the term defines itself so well that the word enterprise becomes superfluous.

In the email thread, I endorsed profitability management, but as time passed, opportunity management just seemed to fit better. And that’s why I convinced myself that I came up with the term. It flows so naturally. It makes so much sense. Here’s what I wrote at the time, except then I used the term profitability. Now I use opportunity.

ERM tries to align the level of profits earned with the level of risk taken. The 2008 market meltdown resulted from companies that had posted tremendous profits in earlier years without understanding how much risk they bore.

It’s not unusual for companies to voluntarily reduce profits because they are concerned with risk. (Reinsurance is a classic example.) So managing risk is equivalent to managing opportunity.

And if you substitute the term opportunity where we currently say risk, explaining ERM gets a lot easier, I think.
You can try it yourself. Here’s a nugget I just concocted from an ERM text.

[Crouhy, et al. in an obvious rephrasing] Opportunity management is really about how firms actively select the type and level of profits that it is appropriate for them to assume.

I think the idea of risk is implied.

Hence enterprise risk managers could call themselves opportunity managers. ERM could become EOM (or just OM). And the designation could be a CORA.

It’s not unusual for a discipline to rename itself for clarity. Today’s human resources department used to be called personnel. And propaganda became publicity, which became public information, and now media relations. The names changed to better define the nature of the job. And I think ERM would do well to shed the term risk and embrace the term opportunity.

Try it. Ask someone what a department called “Opportunity Management” would do at their company. I think you’ll get an answer very close to what Enterprise Risk Management tries to do.

As any executive will tell you, if you focus too much on risk, you miss the opportunity.

