Last month ERM experts Alice Underwood and Dave Ingram suggested that enterprise risk management can be broken into four distinct approaches. I’d like to lay out their ideas, then give some of my reactions:
They called these four approaches fabrics:
- Diversification – where you reduce risk by buying a bunch of additional stuff or doing additional things. Underwood and Ingram note that rebalancing a portfolio is a classic diversification strategy.
- Loss controlling – where you explicitly limit your exposure to potential losses. Internal audit limits losses for most companies. Property insurers use computer models to cap their exposure to catastrophes.
- Risk trading – When you find you’ve borne too much risk, you slough it off, usually by buying insurance. (Insurers are pure risk traders, taking on risk by writing policies and trading it to other companies through reinsurance.)
- Risk steering – Here, companies “incorporate risk considerations” into a comprehensive plan. I’ll unpack that a bit: A company creates a budget. That budget allocates resources for the next year. That budget determines how the company plans to maximize its value – risks it plans to take and how it will manage the ones it wants to avoid.
All companies engage in one of the four; the most successful use them all, to a greater or lesser degree. The best ERM systems, they contend, use all four approaches, tailoring them to the company’s own situation. The authors cite operational risk, the risk of encountering problems in the way a company is run. No market exists in operational risk, so it is best handled through loss control.
And sometimes the approaches are tailored to a particular circumstance. My example: As a hurricane approaches, a company may try to hedge its exposure through risk trading: buying reinsurance in the live cat market. (Live cat treaties pay the buyer of a treaty if a particular storm’s industry insured losses exceed a set amount. Think of it as a bet over the insured losses the storm will generate.)
The authors suggest that each company should weave the four fabrics into its own unique, rich tapestry.
I think this article helps explain how ERM is not really a new discipline. Instead, ERM adapts some powerful tools that companies already use. One important adaptation is bringing the ‘fabrics,’ if you will, from different departments and finding ways to compare them, apples to apples.
The most obvious measurement device is money – one strategy will save $1,000, another saves $1 million. A better one, in most cases, would be a risk-adjusted rate of return, taking into account the likelihood and the size of an extreme event. Once you project that department X will return 10% risk-adjusted, with a 1% chance of a $1 million loss and department Y will return 15% with a 0.5% chance of $10 million loss, you have given management some important tools to understanding the trade-off between department X and department Y.
Still, I struggle with the taxonomy, maybe because I’m slow to understand the article.
For example, I don’t believe the four fabrics are distinct. The fourth fabric, risk steering, really seems to be a process wherein the company determines which of the other three ‘fabrics’ it will adopt. And it’s hard to see the need for risk trading unless you’ve performed loss control.
It seems to me that risk steering is just what it says it is – a device to help executives direct a company. The direction could be to diversify, to exercise loss control or to rebalance riskiness through open market trades, but until the execs know where they want to go, they’ll have a hard time figuring out how to get there.
A budget process that properly weighs risk and reward seems to be the heart of risk steering. Once you’ve developed that, you can decide to address issues by diversification, loss control or risk trading.
Within the scope of the overall article, though, that’s not a big deal. It is always helpful to find a way to explain ERM.