Enterprise Risk—What's Up with That?
October 2000
The key idea behind enterprise risk management
(ERM) is to systematically identify the significant risks faced by a company.
ERM represents a very exciting opportunity for insurers to create new markets
for their products, if they can handle the challenging new exposures. This article
explains ERM and examines its relationship with insurance.
by Brent
Clark
Strategic Risk Solutions
There has been a lot interest lately in the concept of enterprise risk management
(ERM). The key idea is to systematically identify the significant risks faced
by a company. (One consulting firm has developed a list of 79 risks to use as
a guide in its enterprise risk consulting practice.)
The explicit recognition of risk helps a company manage its success by avoiding
mistakes and pitfalls. Understanding the company's risks often results in gaining
a deeper understanding of important strategic factors, which again contributes
to corporate success.
As in sports and law, the key to a good offense is often a good defense.
It also helps serve as a guide to the optimum capital structure of the firm
by providing a more refined view of the debt/equity ratio question.
In an effort to carry the notion of enterprise risk management forward, companies
have begun to appoint chief risk officers (CROs). These individuals are charged
with developing a comprehensive view of the company's key risks and helping
the company develop and implement appropriate risk management techniques.
Banks Led the Way
The CRO role has grown out of the risk management functions that are maintained
in large financial institutions. In these institutions, the term "risk management"
has had little to do with insurance or hazard risk. It originally addressed
the management of financial market risk associated with the institution's trading
operations, although over the years it has broadened to include operating risk
and, more recently, hazard risk.
After the banking and savings and loan (S&L) crises of the 1980s, banks began
to search for ways to manage risk in a more systematic way. Banks are highly
leveraged operations. They finance their purchase of assets, whether those assets
are loans or bonds, with borrowed money. The borrowed money comes from deposits,
notes issued by the bank, repurchase agreements, commercial paper, etc.
In fact, the major culprit in the 1980s was a failure by the banks and the
S&Ls to properly match their assets and liabilities (i.e., their funds borrowed
to finance the assets they held). Many assets were fixed assets with long maturates,
but these assets were financed with short-term borrowing. After interest rates
for deposits were deregulated, a spiral in interest rates in the 1970s and 1980s
drove the cost of borrowing dramatically higher than the yield being generated
by the assets (in the case of the S&Ls, mortgages). The crisis that ensued became
a powerful motivator for the surviving financial institutions to find better,
more reliable ways to mange interest rate risk.
Note that the current standards for a "well-capitalized" bank require only
that the bank have equity equal to 8 percent of it assets. What that means is
that the bank borrows an amount equal to 92 percent of its assets or, mathematically,
almost 12 times its equity capital. Thus, if left unhedged, a 10 percent drop
in the overall value of its assets would render the bank broke. In fact, most
banks seek ways to earn spreads from hedged or matched positions, and to otherwise
carefully control unhedged exposure, as when bond dealers purchase interest
rate futures to hedge overnight positions in their bond inventories.
Because of this degree of leverage, the banks have developed sophisticated
concepts for managing risk. The heart of these systems is processes for allocating
"risk adjusted capital" to the bank's activities. Typically, the capital allocated,
sometimes referred to as "value at risk," is based on an assessment of the potential
price volatility of the asset computed to a high level of statistical confidence,
usually 95 to 98 percent. The idea is to have enough capital set aside to maintain
a cushion against the foreseeable price volatility of the asset. (Note that
this is closely related the idea of equity capital as risk capital that I discussed
in my previous article, "Corporate Risk Finance and the
'Internal Economy' of a Company."
Banks use these capital allocation models to drive transaction selection
and pricing decisions. The general rule is that each transaction must deliver
an acceptable return on the allocated capital. This is a little different than
the approach suggested by classical financial management doctrine, where a higher
rate of return is required for riskier transactions. Rather than vary the hurdle
rate, the banks vary the amount of allocated capital. The result is essentially
the same--riskier investments require more profit, but the method of calculation
is different. The more sophisticated banks set the required rate of return on
risk-adjusted capital at 25 percent or more.
One interesting question is how do banks generate 25 percent returns when
they buy treasury bonds yielding 5 percent? The answer is that it's a combination
of leverage and hedging. As to leverage, remember that if you are leveraged
12-to-1, a half-percent change in price translates to a 6 percent gain. More
interesting is the effect of hedging. A hedged position attracts little or no
allocated capital; thus, any net profit on the position can generate a nearly
infinite return.
What's All This Have To Do with Enterprise Risk Management?
The main connection is that the people who are being given the chief risk
officer title typically come from this banking industry brand of risk management.
Furthermore, the concepts of value at risk and risk-adjusted return on capital
are the essential concepts of enterprise risk management. The CROs, and the
chief financial officers to whom they typically report, are more familiar and
comfortable with this method of viewing risk than they are with the language
and concepts of the insurance industry. Yet, hazard risk (and other "insurable
risks") is correctly viewed as just another form of risk. Also, insurance itself
is viewed as a useful risk financing technique, not only for traditional risks
but potentially for other operating or enterprise risks of the company as well.
This means that to be effective, practitioners of the insurance industry
brand of risk management must learn to understand the vocabulary of financial
risk management and be able to discuss hazard risk and insurance in those terms.
Enterprise Risk, Multiline Insurance, and Portfolio Effects
Another aspect of the ERM movement has been efforts directed at standardizing
the ways risk is quantified and analyzed. The trend is to express risk measurement
using a mixture of statistics, corporate finance, and capital market concepts.
Even concepts from insurance play a role, but mostly, it is insurance that is
being forced to adapt to a new language rather than vice versa.
An important question for many readers of this article is how insurance fits
into the world of enterprise risk management. One trend is that insurers are
seeking to broaden the range of risks that can be handled by insurance, moving
beyond traditional accident or hazard risk to financial, operating, and even
business risk. Another trend is the design of insurance programs that cover
a variety of risks, sometimes combining traditional insurance risks with nontraditional
risks. Here, the idea is that the combination of different and largely uncorrelated
risks into one insurance contract creates a portfolio effect, affording the
opportunity for the insured to purchase broader coverage for less money (more
on this shortly).
Thus, there are two main questions for the field of insurance in connection
with ERM.
- The extent to which insurance can be used to finance nontraditional
risk, and
- Whether the combination of diverse risk within a single insurance policy
adds value.
As to the second question, the combination of diverse risks into a single
policy has potential benefits arising from something known as portfolio effect.
Portfolio effect arises from the statistical principal that the joint probability
of two unrelated events occurring is less than the sum of the individual probabilities
of either event occurring. It is the concept of diversification--i.e., the risk
of holding a portfolio of risks (e.g., investments) has less overall risk than
holding a single risk.
It has been posited that an insurance contract which bundles a diverse portfolio
of risk creates better value for the insured because, among other things, it
presents the insured with a prepackaged diversified basket of risk. From the
insurer's point of view, the fact that the portfolio has less risk than the
individual risks should mean that the insurer can safely charge less premium,
making the policy a win-win for both the insurer and the insured.
Unfortunately, there are a couple flaws in this reasoning. The first arises
from the misconception that the portfolio effect changes the expected value
of the portfolio (expected value means the "average" outcome). It does not.
The expected value of a portfolio of independent risks is the sum of the expected
values for each individual risk. What changes is the volatility of the overall
portfolio. That is to say, as you add more risks to the portfolio, it becomes
increasingly likely that the actual outcome will be closer to the expected outcome.
This portfolio effect would only justify a reduction in insurance premium
if the insurer relied on diversification with the particular insurance contract
to determine its loads for volatility (risk of variability of outcome). In fact,
insurers already hold a diversified portfolio of risk, so that the risk presented
by a single policy does not have to offer an internally diversified portfolio.
Thus, the insurer can offer a premium that reflects the expected value, with
a volatility charge that is derived from its already diversified portfolio.
In fact, if the expected values have been accurately calculated, any risk
load should translate into profit over time as the long-term average experience
should revert to the portfolio's expected value. The real risk for insurers
is that the ability to accurately asses the true expected value is educated
guesswork. So, volatility premiums are needed to compensate for the risk that
the insurer often cannot reliably ascertain the true expected value of the portfolio.
This occurs because it can be hard to have a truly homogeneous portfolio of
risk, and there are too many variables to reliably model.
The second reasoning flaw has to do with the question of what value insurance
can add to the field of ERM. Insurance can only add value if the insurer is
able to reliably price the risk (thereby capturing the benefits of diversification
as discussed above). Of course, some would say insurance adds value when the
insurer makes a mistake and underprices the risk, but in reality, that tends
to be a short-lived benefit to the insured.
The flaw is that by asking a single insurer to underwrite a diverse basket
of unrelated risks, it becomes increasingly difficult for the insurer to knowledgeably
evaluate each risk in the basket. This increases the insurer's uncertainty about
the expected outcome, and therefore would cause the insurer to charge a greater
"uncertainty" premium. This is exactly counter to the stated purpose of presenting
the insurer with a basket of diversified risks in the first place, i.e., to
reduce the overall volatiltiy of the outcome.
Insurance can add value in the field of ERM when the insured faces a risk
that is too large for the insured to comfortably retain. Since insurance must
(should) be priced to cover the expected value of loss plus loading for other
expenses and profit, the only valid benefit insurance can afford is an economic
utility benefit--that is, the benefit of avoiding a large painful loss for a
much smaller pain of an insurance premium. Historically, this has worked where
insurers can gain an intimate knowledge of a type of risk, allowing it to offer
premiums that minimize its uncertainty and give the insured the benefit of the
insurer's diversified portfolio of relatively homogeneous risk exposures.
The real question for insurers trying to tackle nontraditional risk in a
way that adds value for the customer, aside from offering underpriced insurance,
boils down to the following key principles of insurability:
- Knowledge of the Risk: Does the insurer
know at least as much about the risk as the insured? (Ideally, the insurer
should know more.) If the insured understands the risk better than the insurer,
then the insured tends to buy only if the insurer underprices the risk or,
conversely, the insurer wants to charge an uncertainty premium that the
insured thinks is unreasonable. The issue with ERM is that often the risk
in question will be unique to the insured, so the insured will know considerably
more about it than the insurer.
- Control of the Risk: Many enterprise risks
are actually fundamental business risks of the company. As such, the outcomes
can be either under the control or heavily influenced by the actions of
the insured. For example, oil exploration companies have the fundamental
risk of "dry holes." If they could buy insurance against dry holes, the
risk is that they could become more reckless in taking on riskier projects,
knowing they can fall back on the insurance if there is no oil. While there
have been efforts to create an insurance product to cover corporate profits
generally, it is very hard to accomplish because the insured can exercise
so much control over the outcome.
- Utility Benefits: The insurer must be
able to offer enough limits to be able to provide a meaningful level of
protection to the company for the risk in question. If the company has a
$1 billion enterprise risk, it does not do much good if the insurer can
only offer $100 million of coverage.
These three principles are interrelated; insurers are only able to muster
large capacity when they believe they have adequate knowledge of the risk and
the outcomes don't rest within the insured's control.
Conclusion
ERM represents a very exciting opportunity for insurers to create new markets
for their products. However, handling these new exposures presents some real
challenges for insurers. Whether insurers can successfully rise to the challenge
will be a dominant question for the industry in this decade.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.