- Shopping Bag ( 0 items )
Praise for Enterprise Risk Management, Second Edition
“The concept that it takes a lifetime to build a company but that it takes moments to destroy it is a very valuable mantra for business leaders. The impact of the recent financial crisis brought that perspective into sharp and, for some, painful relief. Companies, however, need to innovate and grow and to take appropriate risks to do so. The joy of James Lam’s new book is that it recognizes the need forinnovation and growth but also acknowledges in a very ...
Praise for Enterprise Risk Management, Second Edition
“The concept that it takes a lifetime to build a company but that it takes moments to destroy it is a very valuable mantra for business leaders. The impact of the recent financial crisis brought that perspective into sharp and, for some, painful relief. Companies, however, need to innovate and grow and to take appropriate risks to do so. The joy of James Lam’s new book is that it recognizes the need forinnovation and growth but also acknowledges in a very practical waythe role of the ever-evolving risk framework around that growth. Thebook offers a credible and implementable nexus between growth andrisk control, and as such, will be a highly valued tool for boardsand management everywhere.”
—Rodger A. Lawson, Chairman of the Board of Directors, E*TRADE Financial, Member of the Board of Directors, UnitedHealth Group, Retired President, Fidelity Investments
“All too often, organizations focus on the process of riskmanagement at the expense of incorporating risk management principlesinto the governance, leadership, and management of their enterprises.James Lam is a long-time leader in risk management and hissubstantial experience has enabled him to produce a comprehensive andpractical guide for anyone committed to creating an organizationcapable of effectively evaluating risks versusreturns.”
—Matthew R. Feldman, President and Chief Executive Officer, FederalHome Loan Bank of Chicago
“A key success factor in any ERM program is practical andeffective implementation. In order to provide sustainable, long-termenterprise value, risk management must be integrated into anorganization’s governance model, business analytics, strategic andtactical decisions, and dashboard reporting. Based on his hands-onexperience, James Lam has very clearly outlined and articulated thebest practices and implementation requirements for ERM. I highlyrecommend this book to anyone who is engaged in ERM oversight andimplementation.”
—Paymon Aliabadi, Executive Vice President and Chief Risk Officer, Exelon Corporation
I took that job with the understanding that Fidelity wanted to improve its risk management practices, but not at the price of destroying the entrepreneurial spirit and product innovation that had made it the largest mutual fund company in the United States.
Fidelity was not alone then and is not alone now. Every business faces the parallel challenges of growing earnings and managing risks. A thriving business must identify and meet customer needs with quality services and products; recruit and retain talented people; and correctly make business and investment decisions that will lead to future profit opportunities. However, the pursuit of new profit opportunities means that a business must take on a variety of risks. All of these risks must be effectively measured and managed across the business enterprise.
Otherwise, today's promising business ventures may end up being tomorrow's financial disasters. As I am fond of telling audiences when speaking on the importance of risk management, over the longer term, the only alternative to risk management is crisis management-and crisis management is much more expensive, time consuming, and embarrassing. The majority of such audiences have experienced one or more crises in their time, so this is a message that rings true.
Every business decision involves an element of risk. There are risks involved in making investments, hedging with derivatives, or extending credit to a retail customer or business entity. There are also risks involved when developing and pricing new products, hiring and training new employees, aligning performance measurement and incentives with business objectives, and establishing a culture that balances revenue growth and risk management.
Over time, individual business decisions and risks collectively build up into a company's overall risk portfolio, which will have a unique risk pro-file. This risk profile will determine the company's earnings-and earnings volatility-over the business cycle. Some decisions will be winners and some will be losers. Some risks will offset each other, some risks will be unrelated to each other, and some will compound each other. In order to manage risk effectively, a business must address not only its underlying risks, but also the interrelationships between them.
As we will see from the numerous case studies discussed in this book, ineffective risk management can lead to reduced earnings or even bankruptcy. However, risk management means different things to different people. In this book, risk management is defined in its broadest business sense. Risk management is not just about using derivatives to manage interest rate and foreign exchange exposures-it is about using a portfolio approach to manage the full range of risks faced by an enterprise. Nor is risk management only about establishing the right control systems and processes-it is also about having the right people and risk culture. And although the term has come to bear some negative connotations, risk management is not only about reducing downside potential or the probability of pain, but also about increasing upside opportunity or the prospects for gain.
Individual investors managing their investments must be careful when it comes to the amount of risk that they take on. If they take on too much risk, perhaps by making aggressive investments, the losses could exceed their risk tolerance, or be too uncertain for comfort. On the other hand, if they fail to take on enough risk, by making conservative investments, they may earn returns that are stable, but inadequate for achieving the investor's financial objectives.
Striking an optimal balance between risk and return is not only important to the individual investor, it is also an imperative for business management. The concept of "no risk, no return" is widely accepted in the business world. A corollary to that concept is "higher risk, higher return," a positive relationship illustrated in Figure 1.1. This is how many people think about the trade-off between risk and return, and it has the virtue of simplicity. However, it is certainly not valid if risk is put into its proper perspective.
A better way to think about risk and return is illustrated in Figure 1.2. The focus is no longer on the relationship between risk and absolute return, but about the relative or risk-adjusted return. A company in zone 1 is not taking enough risk, and its capital is being underutilized. This company would be better off increasing risk through a growth or acquisition strategy, or reducing capital through higher dividends. In zone 3, however, the company is taking too much risk. This company's risk level is above and beyond its risk absorption capability in terms of capital, and/or its risk management capability in terms of people and systems.
In zone 2, the company has found the "sweet spot" that optimizes its risk/return profile. The problem is that most companies do not even have good information on enterprise-wide risk exposures (which is to say, where they are on the horizontal axis), let alone where they are on the risk-adjusted return curve. To make matters worse, the net present value and economic value-added models frequently used in strategic planning naturally favor higher-risk investments unless proper adjustments are made to account for risk. Over time, investments guided by these unadjusted models may inadvertently lead a company to drift into zone 3.
A principal message of this book is that a company should develop an integrated approach to measuring and managing all of its risks in order to optimize its risk/return profile. A key management requirement for risk/return optimization is to integrate risk management in the business processes of the company.
We've seen, then, that risk is an inescapable part of doing business and argued that a business should strive toward its optimal risk/return profile. However, there is another question that deserves examination: why manage risk? Indeed, why read this book?
A company could conceivably agree that it bears risks but feels it inappropriate to manage them, rather than simply live with them. Risk management may seem to be irrelevant, too costly, or not in accordance with the interests of the company's stakeholders. Some academics have argued positions close to these, as we will see. Certainly, before a company invests money and other valuable resources into risk management (and before the reader spends any more time reading this book), the "value proposition" of risk management needs to be clearly established.
Perhaps the best way to answer the question "why manage risk?" is to borrow a popular technique used by diet and other self-improvement programs. That simple but effective technique is to paint a clear picture of the gain of action along with an equally clear picture of the pain of inaction. In the next section, we'll paint the happy picture: the benefits of effective risk management in terms of the expected benefits and gains. In the section thereafter, we'll paint the dire picture of the severe negative consequences-the pain-that may be suffered if effective risk management is not in place.
THE BENEFITS OF RISK MANAGEMENT
Numerous academic papers have established the theoretical basis for managing risk, arguing that it can reduce taxes, reduce transaction costs, and improve investment decisions. However, beyond the theory there are at least four practical reasons why risk management should be of paramount importance to the management of a firm. In this practical context, risk management should be defined more broadly, to include internal controls as well as hedging.
Let's now take a look at these four reasons in turn.
Reason #1. Managing risk is management's job. One notion in modern finance theory is that managing risk, or more specifically hedging, is not necessary because an investor can reduce risk through a diversified investment portfolio. Regardless of what some theoreticians may argue, you will never in the real world hear a fund manager or individual investor tell a company's management, "Don't worry about managing risk or bankrupting the company-I have a large diversified portfolio."
Managing the risks of a business enterprise is the direct responsibility of its management, not of its shareholders. While modern portfolio theory is a major contributor to the theory and practice of finance and risk management today, the argument that the investor can better manage or diversify risks does not ring true in the real world. The average individual investor probably spends more time buying a new car than addressing the risks of his or her investment portfolio. Even the professional fund manager is several degrees away from the "insider knowledge" required for effective risk management, which includes:
* Historical data on risk/return results, volatilities, and correlations
* Current risk exposures and concentrations in the business
* Future business and investment plans that may alter the firm's risk profile
Given the complexity of the above information, as well as the lack of full transparency to outsiders, the shareholder cannot be expected to make optimal risk/return decisions. Measuring and managing enterprise-wide risks is a great challenge even for the enterprise's management, which has superior access to information and support from risk management professionals. The most that shareholders can do is to elect an independent and risk-astute board that will represent their interests, and walk away with their investment dollars if they are not happy with management's performance. In the meantime, it remains management's job to ensure that the company achieves its business objectives and is not exposed to excessive risks.
Reason #2. Managing risk can reduce earnings volatility. One of the key objectives of risk management is to reduce the sensitivity of a firm's earnings and market value to external variables. For example, the stock prices of companies that are more active in, say, market risk management should exhibit lower sensitivity to market prices. This is borne out by the empirical evidence. For example, a study published in 1998 by Peter Tufano of the Harvard Business School ranked gold producers in terms of the intensity of their hedging activities. The conclusion was that the stock prices of those in the top quartile were about 23 percent less sensitive to gold price changes than those of the bottom quartile. Companies exposed to interest rates, foreign exchange rates, energy prices, and other market variables can better manage earnings volatility through risk management. Managing earnings volatility today is more important than ever given that the stock market severely punishes stocks that fail to meet earnings expectations. At the same time, the Securities and Exchange Commission (SEC) and other regulatory bodies are cracking down on "earnings management" practices that use accounting techniques to smooth out earnings. In this business environment, management must pay more attention to managing the underlying risks of the business.
Reason #3. Managing risk can maximize shareholder value. In addition to managing earnings volatility, risk management can help a business enterprise to achieve its business objectives and maximize shareholder value. Companies that undertake a risk-based program for shareholder value management typically identify opportunities for risk management and business optimization that can add 20 to 30 percent or more to shareholder value. Such improvements can be achieved by ensuring that:
* Target investment returns and product pricing are established at levels that reflect the underlying risks.
* Capital is allocated to projects and businesses with the most attractive risk-adjusted returns, and risk-transfer strategies are executed to optimize portfolio risk and return.
* The company has the appropriate skills to manage all of its risks, in order to protect against large financial losses or damage to its reputation or brand.
* Performance metrics and incentives, at both the individual and business unit levels, are in congruence with the enterprise's business and risk objectives.
* Key management decisions, such as mergers and acquisitions and business planning, explicitly incorporate the element of risk.
Strategies for achieving these objectives, and case studies of how they work in practice, will be discussed in the main sections of the book.
A 1998 study by George Allayannis and James Weston of the University of Virginia has supported the notion that active risk management contributes to shareholder value. Allayannis and Weston compared the ratio of market value to book value for companies that were more or less active in market risk management between 1990 and 1995, as measured by their hedging activities. They found that the more active companies were rewarded with an average increase of 20 percent in market value. Risk management adds value not only to individual companies, but also supports overall economic growth by lowering the cost of capital and reducing the uncertainty of commercial activities.
Reason #4. Risk management promotes job and financial security. On an individual level, perhaps the most compelling benefit of risk management is that it promotes job and financial security, especially for senior managers. In the aftermath of the fall 1998 turmoil in financial markets, a significant number of chief executive officers (CEOs), chief operating officers, chief risk officers, and business group heads of financial institutions lost their jobs because of poor risk management performance. Senior executives in other industries have faced a similar fate in the wake of risk management problems. More recently, senior executives involved in corporate frauds and accounting scandals have appeared on national television being led away in handcuffs and face the potential of severe criminal sentences.
In addition to "career risks," senior executives with a significant portion of their wealth tied up in company stocks and options have a direct financial interest in the success and survival of the firm. These incentives, if structured appropriately, work to put the "skin in the game" for managers, resulting in a strong alignment between management and shareholder interests.
Excerpted from Enterprise Risk Management by JAMES LAM Copyright © 2003 by James Lam. Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
Section One Risk Mangement in Context 1
Chapter 1 Introduction 3
The Benefits of Risk Management 6
Integration Adds Value 9
Cautionary Tales 12
Chapter 2 Lessons Learned 21
Lesson #1: Know Your Business 23
Lesson #2: Establish Checks and Balances 24
Lesson #3: Set Limits and Boundaries 25
Lesson #4: Keep Your Eye on the Cash 26
Lesson #5: Use the Right Yardstick 27
Lesson #6: Pay for the Performance You Want 27
Lesson #7: Balance the Yin and the Yang 28
Chapter 3 Concepts and Processes 31
Risk Concepts 32
Risk Processes 36
Risk Awareness 38
Risk Measurement 40
Risk Control 42
Risk Is a Bell Curve 48
Chapter 4 What Is ERM? 51
ERM Definitions 53
The Benefits of ERM 53
The Chief Risk Officer 57
Components of ERM 61
Section Two The Enterprise Risk Management Framework 67
Chapter 5 Corporate Governance 69
Codes of Conduct 71
Best Practices 72
Linking Corporate Governance and ERM 77
Chapter 6 Line Management 83
The Relationship Between Line and Risk Functions 84
Key Challenges 89
Best Practices 92
Chapter 7 Portfolio Management 99
The Theory of Active Portfolio Management 100
Benefits of Active Portfolio Management 102
Practical Applications of Portfolio Management 105
Chapter 8 Risk Transfer 111
A Brief History of ART 112
Advantages of ART 116
Pitfalls of ART 119
A Look to the Future 122
Case Study: Honeywell 124
Case Study: Barclays 124
Chapter 9 Risk Analytics 127
Risk Control Analytics 128
Risk Optimization Analytics 133
Market Risk Analytics 135
Credit Risk Analytics 138
Credit Portfolio Models 141
Operational Risk Analytics 142
GRC Systems 143
Chapter 10 Data and Technology 147
Early Systems 147
Data Management 149
Interface Building 151
Distributed Architectures 153
Key Factors for a Successful Implementation 154
Chapter 11 Stakeholder Management 157
Rating Agencies 166
Shareholder Service Providers 167
Business Partners 169
Section Three Risk Management Applications 173
Chapter 12 Credit Risk Management 175
Key Credit Risk Concepts 176
The Credit Risk Management Process 184
Basel Requirements 192
Best Practices in Credit Risk Management 196
Case Study: Export Development Corporation (EDC) 200
Chapter 13 Market Risk Management 209
Types of Market Risk 210
Market Risk Measurement 211
Market Risk Management 224
Best Practices in Market Risk Management 227
Case Study: Market Risk Management at Chase 230
Chapter 14 Operational Risk Management 237
Operational Risk—Definition and Scope 240
The Operational Risk Management Process 246
Best Practice in Operational Risk Management 257
Emerging IT Risks 259
Case Study: Heller Financial 264
Chapter 15 Business Applications 271
Stage I: Minimizing the Downside 271
Stage II: Managing Uncertainty 272
Stage III: Performance Optimization 274
The Further Evolution of Risk Management 275
Chapter 16 Financial Institutions 277
Industry Trends 278
Risk Management Requirements 283
Systemic Risk 287
A Look to the Future 289
Case Study: CIBC 292
Chapter 17 Energy Firms 297
Industry Trends 298
Risk Management Requirements 301
A Look to the Future 310
Lessons Learned from Enron 313
Lessons Learned from the BP Oil Spill 314
Chapter 18 Non-Financial Corporations 317
Risk Management Requirements 317
Best Practices in Corporate Risk Management 326
Case Study: Microsoft 333
Case Study: Ford 335
Case Study: Airbus and Boeing 336
Section Four A Look to the Future 339
Chapter 19 Predictions 341
The Profession of Risk Management 342
Technology and the Convergence of Risk Management 345
Ten Predictions 348
2013 Looking Back 353
Chapter 20 Everlast Financial 357
Section Five ERM Implementation 361
Chapter 21 ERM Implementation 363
Benefits of Corporate Governance and ERM Practices 364
ERM Implementation Requirements 366
ERM Maturity Model 373
Other ERM Maturity Models 377
Risk Culture 378
Chapter 22 Role of the Board 381
Board Oversight Requirements 381
Current Board Practices 383
Case Study: JP Morgan Chase 386
The Last Line of Defense 388
Chapter 23 Risk Assessment 399
Risk Assessment Methodology 401
Best Practice Case Studies in Risk Assessment 414
Appendix: Risk Assessment Self-Evaluation Checklist 415
Chapter 24 Risk-Based Decision Making 423
ERM Decisions and Actions 423
Creating Value through ERM 427
Case Study: Duke Energy 437
Chapter 25 Dashboard Reporting 439
Traditional versus Dashboard Reporting 441
General Dashboard Applications 442
ERM Dashboard Implementation 444
Evolving Best Practices 450