Conventional ERM systems are generally assessment based and, consequently, they typically report results via an assessment metric often based on three colors: red, amber, and green. The managerial usefulness of such systems is limited for a number of reasons: first, “assessment” as opposed to “measurement” is inherently subjective and not easily audited; second, an assessment metric cannot be aggregated to support important management techniques such as trend analysis, benchmarking, ranking, and the comparison of actual usage against operating limits. To state the obvious, you can’t aggregate and compare colors.
The evolving risk landscape in which firms operate has undergone dramatic change in little more than a generation due to advances in science and technology and an ever-growing dependency on globally interconnected electronic data and information networks; globalization and geopolitical uncertainties leading to supply chain vulnerabilities; and the use of increasingly complex and sophisticated financial products to manage financial risks.
That has caused boards of directors, CEOs and other C-suite executives to become increasingly concerned with risk and its potential to trigger material unexpected losses which, as recent events such as the financial crisis of 2007-2008 demonstrate, can severely impact or even wipe out a firm’s capital.
Whereas accounting standards such as IFRS and GAAP are aimed at ensuring that enterprises present a fair view of their financial condition, there are no equivalent standards that apply to risk. In other words, a firm’s stakeholders — investors, regulators, customers, and auditors — receive little or no information on the risks firms accept, whether in absolute terms or in comparison to others, in order to create shareholder value.
The misalignment between finance and risk reporting is what academics have set out to resolve through their codification of the new accounting technique referred to as “risk accounting.” Risk accounting begins with the assertion that effective ERM must operate within a standardized system of risk measurement using a common risk metric that expresses all forms of risk. Accordingly, a unit of risk measurement unique to risk accounting has been created, the “risk unit,” or “RU.”
Analogous to financial accounting where profits are created through the sale of products and services, risk accounting assumes that exposure to risk is similarly correlated with revenue generation. For management reporting, transactions associated with the sale of products and services are tagged with codes that uniquely identify products, customers, business lines, organizational components, legal entities, and locations. For risk reporting, these same transactions are tagged with additional codes that are used in a calculation of each transaction’s risk-weighted value, that is, its exposure to risk in RUs.
The first step in risk accounting is to identify the primary risk types to which each industry is exposed. For example, in banking these are deemed to be operational, credit, market, liquidity, interest rate, and conduct risks.
Three sets of standardized tables provide the risk-weighted factors used in the calculation:
- Product Risk Table. Provides risk-weights according to the risk characteristics of each marketed product graded by criteria such as complexity, toxicity, rate of decomposition, method of distribution, and method of trading.
- Value Table. Used to convert revenue amounts according to accounting records into scaled value band weightings (VBWs).
- Best Practice Scoring Templates. Used to calculate the risk mitigation index (RMI) based on key risk indicators (KRIs) that reflect the operational status of each department and underlying process.
These risk-weighted factors are then used to calculate three core metrics for each risk type triggered by the product in question:
- Inherent Risk. The risk-weighted transaction value, expressed in RUs, that represents its maximum possible loss.
- Risk Mitigation Index (RMI). A dynamic measure on a scale of 1 to 100, where 100 is agreed-upon best practice, that represents, in percentage terms, the portion of Inherent Risk that is mitigated through the effective management and control of the firm’s operating environment.
- Residual Risk. The portion of a transaction’s Inherent Risk, also expressed in RUs, not covered by effective risk mitigation. This RU number represents the transaction’s probability of loss.
The pairing of accounting and risk values in a single source of controlled and audited accounting data at the transaction level enables the production of combined finance and risk reports and the computation of enterprise-wide risk and return metrics. Feedback loops give managers real-time or near real-time information on risk mitigation initiatives together with calculations of the associated improvement in RMIs and reduced residual RUs.
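As an added illustration (not taken from the article or the underlying paper), the Python example below tags constructed transactions, derives inherent and residual RUs per risk type, and aggregates them by business line or risk type, which a color-based assessment cannot do. All table values and names are constructed, and it assumes inherent RUs are the product risk weight multiplied by the VBW, a combination the article does not spell out.

```python
from collections import defaultdict

# Constructed stand-ins for the three standardized tables (values are invented).
PRODUCT_RISK = {  # product -> risk type -> risk weight
    "fx_swap": {"market": 6, "operational": 3},
    "mortgage": {"credit": 5, "operational": 2},
}
VALUE_BANDS = [(10_000, 1), (100_000, 2), (1_000_000, 3)]  # (revenue ceiling, VBW)
TOP_VBW = 4  # weighting for revenue above the last ceiling
RMI = {"treasury": 80, "retail": 60}  # department -> risk mitigation index

def value_band_weight(revenue):
    """Convert a revenue amount into its value band weighting (VBW)."""
    for ceiling, vbw in VALUE_BANDS:
        if revenue <= ceiling:
            return vbw
    return TOP_VBW

def risk_units(txn):
    """Return (risk_type, inherent_RU, residual_RU) for each risk the product triggers."""
    rmi = RMI[txn["department"]]
    if not 1 <= rmi <= 100:
        raise ValueError(f"RMI out of range: {rmi}")
    vbw = value_band_weight(txn["revenue"])
    rows = []
    for risk_type, weight in PRODUCT_RISK[txn["product"]].items():
        inherent = weight * vbw                  # assumption: weight x VBW
        residual = inherent * (100 - rmi) / 100  # portion not mitigated
        rows.append((risk_type, inherent, residual))
    return rows

def aggregate(transactions, key):
    """Sum RUs by a transaction tag such as 'business_line', or by 'risk_type'."""
    totals = defaultdict(lambda: {"inherent": 0.0, "residual": 0.0})
    for txn in transactions:
        for risk_type, inherent, residual in risk_units(txn):
            bucket = risk_type if key == "risk_type" else txn[key]
            totals[bucket]["inherent"] += inherent
            totals[bucket]["residual"] += residual
    return dict(totals)

LEDGER = [  # constructed sample transactions with their reporting tags
    {"product": "fx_swap", "department": "treasury", "business_line": "markets", "revenue": 250_000},
    {"product": "mortgage", "department": "retail", "business_line": "lending", "revenue": 40_000},
    {"product": "mortgage", "department": "retail", "business_line": "lending", "revenue": 5_000},
]

if __name__ == "__main__":
    for line, rus in aggregate(LEDGER, "business_line").items():
        print(line, rus)
```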
Given that risk accounting is an extension of management accounting, risk appetite can also be calibrated in RMIs and residual RUs and become an integral part of firms’ budgeting and planning cycles, thereby constituting a true ERM system. The RMI is the de facto measure of risk culture as it blends risk attributes from across the enterprise.
A more detailed description of risk accounting is available in a research working paper which is being published in the Journal of Risk Management in Financial Institutions. Whereas the theoretical models and worked examples included in the paper relate to banking, the method can be adapted for non-banks.
Peter Hughes is a chartered accountant, a former banker with JPMorgan Chase, a member of the advisory board of Durham University Business School’s banking, risk, and intermediation research group and a visiting research fellow at the Leeds University Business School.