Think of putting these risks into a single package: The possibilities that your company’s brand name will be tarnished; that an earthquake will level its plants; and that interest-rate swings will hurt its bond investments.
Think, in fact, of measuring all your company’s perils with a common denominator and funding them in a coordinated way, and you’ve got the idea of enterprise risk management (ERM).
It’s a notion that has long had a powerful appeal for senior financial executives, especially for the obvious cost efficiencies it offers.
ERM methods can reveal “natural hedges” within a corporation to help it minimize risk. A company imperiled by high heating bills during a cold Northeastern winter, for instance, may choose to boost its mitten- manufacturing operations to hedge the chill’s effects.
ERM also offers the benefits of coordinated risk financing. An organization with a big appetite for risk in its investments may discover that it has an inconsistently cautious approach to buying insurance and choose to spend less on coverage.
Despite its advantages, however, ERM hasn’t really taken off in a big way. At first, it was a product-driven idea, steered by insurers and brokers who sought, without great success, to sell big-ticket, multi-year, multi-line policies.
While ERM sounded great to many executives, few were willing to do the analytical grunt work needed to form truly integrated programs.
But that seems to be changing. A recent survey of 200 senior finance and risk management executives in North America, Europe, and Asia found that 41percent are managing risk on “a formal ERM basis.” Thirty-two percent of the respondents are CFOs.
Nineteen percent of the respondents plan to implement ERM within one year, and 13 percent plan to have a program in place in two to five years. The survey was done by the Economist Intelligence Unit (EIU) and MMC Enterprise Risk, a unit of Marsh & McLennan Companies. (Like CFO.com, the EIU is a member of The Economist Group.)</.
While the ERM numbers are impressive, corporate efforts aren’t especially sweeping, however. Only 15 percent of companies aggregate risk across the entire organization.
Bob Khanna, chief executive officer of MMC Enterprise Risk, says that developing an ERM program is a three-step process: Making sure what the five to 10 critical risks to shareholder value are across the firm, finding a way to quantify the risks, and developing solutions for them.
While many companies are developing risk lists, few are grappling with quantifying their exposures and finding solutions, Khanna says.
A prime difficulty in measuring and modeling all of a company’s risks together, it seems, is finding one risk metric that can spread across radically different exposures.
In fact, the “intellectual skill and resources and data” needed for such an effort can be costly, says Michael Hofmann, chief risk officer of Wichita, Kans.-based Koch Industries.
Koch, reportedly the second-biggest privately held U.S. company, approaches the problem by assessing all its risks with a single, broadly applied yardstick, while modeling as a unit those risks that naturally go together.
Koch’s broad measurement tool is capital-at-risk. In managing all its risks, the company tries to determine how much capital it would take to fund a certain level of risk, Hofmann explains.
For instance, Koch, a diversified company involved in oil, gas, and asphalt production that also trades in equities and energy-related commodities, might ask how much capital it would need to retain its credit rating if a negative event occurred, Hofmann tells CFO.com.
For all of its areas of exposure, Koch also uses “stress tests,” applying worst-case scenarios to learn what would happen if a catastrophe occurred, Hofmann says.
The company, for example, runs a test to learn the effect of a Persian Gulf war on crude-oil prices on a given day, he adds.
On a more specific level, Koch models its market and credit risks together, says Hofmann. At the same time, it handles the information about catastrophic risks—such as a tornado or oil-refinery fire—in a largely separate bucket.
The reason for the separation is the vastly different time frames across which probability is figured for the two risk categories, according to Hofmann.
“If you have a trading risk,” he notes, “you can have that change second by second.”
Similarly, “credit risk can change at least on a daily basis,” he adds.
But Koch’s hazard risks, which can include “everything from natural disasters to product liability,” have, however “a much larger time horizon,” he says.
For its credit and market exposures, Koch uses the value-at-risk (VaR) metric. VaR enables companies to gauge potential market losses within a set short time frame, most often between 1 and 10 days, the EIU/MMC survey report says.
With abundant data on hand about swings in the financial markets, companies can use VaR to make risk estimates with a high probability of accuracy within a short period.
In measuring the company’s credit and market risks, Hofmann says he can say, for example, that “I am 98 percent confident that I will not lose [more than] ‘x’ amount of capital from our trading positions over a certain period of time.”
For low-probability hazard risks, however, Koch can’t use the same technique, Hofmann says.
“You can’t do the same thing when you’re talking about an earthquake [occurring] in San Francisco,” he adds. While that could be an event with very severe consequences, its probability is hard to gauge, the CRO suggests.
Describing the evolution of his department, as well as his own role as CRO, he says: “Our experience is that it’s better to figure out the methodology of how we look at risk and then increase the universe of risk that [we're] considering.”
After using VaR for market risk in different business units since the mid-1990′s, Koch installed “a consistent approach” in early 1998, says Hofmann. In early 1999, the company combined market and credit risk management, adding the hazard responsibility to Hofmann’s department in early 2000.
At that point, Hofmann’s department took over insurance buying. The CRO did not want to reveal Koch’s levels of insurance and self- insurance. However, he says, Koch’s hazard risk management isn’t driven by insurance concerns.
Hofmann thinks some companies are installing enterprise risk management programs because they think they will save in insurance premiums.
However, he says, “I don’t think there’s a big enough savings in insurance to justify it” alone. “The process itself is important in understanding the risk,” he adds. “Whether we buy insurance is secondary.”
Hofmann, who has an accounting background, was previously chief market-risk officer for Koch, reporting to the company’s CFO, Sam Solimon. As CRO, he now reports to the president, Joseph W. Moeller, and board chairman Charles G. Koch on all risk-related matters.
In fact, Hofmann now evaluates the risks of the CFO’s investment decisions, the CRO says. “If we have a disagreement on the risk, we work to understand what causes the difference of the opinion so we can learn more about the risk,” Hofmann adds.
“In terms of risk estimates [on investments], the numbers my team comes up with are the controlling numbers,” he says, and are used to determine risk-adjusted return.
For some executives, it seems, the tough tasks of putting together an ERM program can provide a nifty way up the corporate ladder.