Enterprise Risk Management in the Financial Services Industry: Still a Long
Way To Go
August 2000
The promise of ERM for financial services
managers is that it can help them systematically make business decisions that
contemplate all types of risk (e.g., event risks, operational risks, and financial
risks). But, how close is this industry to realizing the promise of ERM? A recent
Tillinghast-Towers Perrin survey reveals the answer.
by Jerry
Miccolis
Tillinghast-Towers Perrin
We began this series by saying that all businesses are now experiencing the
need to successfully practice enterprise risk management (ERM)—a rigorous approach
to assessing and addressing an organization's risks from all sources to increase
the value of the enterprise. But no industry feels that need more than the financial
services sector. In this article, we want to:
- Outline why the financial services industry especially has this need
- Assess where the industry is today in implementing ERM by sharing some
of the findings from our recent survey of one segment of the financial services
industry—insurers
- And then suggest how the members of this industry can fully implement
ERM
The Particular Need and Opportunity for Financial Services Firms
The need for ERM in the financial services sector, as with other business
sectors, is driven by external and internal pressures. Some of the external
pressures are common to all businesses—calls for corporate governance reforms
from stock exchanges, accounting bodies, institutional investors, and government
regulators in countries around the world. Other external pressures, especially
in the United States, are particular to the financial services sector. They
come from bank and insurer regulators and legislators who want to assure that
policyholders and customers—as well as the financial system as a whole—are protected
from unwarranted risks, even as the industry is deregulated.
The internal pressures come from business conditions and risks unique to
this industry—especially those that arise from operating in a more competitive
environment. First, financial services companies have a distinct, competitive
reason to get ERM right. They are in the business of taking on other people's
risks. Developing sophisticated tools to do that is their core competency. A
financial institution that can demonstrate that it has, in fact, mastered ERM
internally will make itself more credible in the marketplace, more likely to
attract and retain clients and customers.
Second, financial institutions are now experiencing industry-specific strategic
and operational problems that lend themselves to an ERM solution. Insurers,
for instance, today face decreasing margins, increasing competition from unconventional
sources, more demanding stakeholders, and—for many lines—too much capital pursuing
too little business. The industry is also in the midst of fundamental changes
in technology, distribution systems, and customer expectations that create new
risks and challenge high performance. Convergence of the banking and insurance
sectors brings additional uncertainties and levels of scrutiny.
In this riskier environment, financial institution managers—especially insurers—need
to get maximum value from their businesses by making good decisions about:
- Products/markets
- Investments/assets
- Operations
- Capital
- Hedging—which, for insurers, frequently means decisions about reinsurance.
Although managers usually treat these decisions—and their attendant risks—as
separate and distinct, they are, in fact, an interrelated mix of financial judgments
and operational judgments. For instance, foreign exchange fluctuation (a financial
risk) can be mitigated by buying source goods and services closer to the point
of sale of one's own products and services (an operational strategy). And that,
in turn, may reduce the need for a financial strategy, such as currency hedging.
The promise of ERM for financial services managers is that it can help them
systematically make such integrated decisions.
ERM in Financial Services Today
The question is, how close are members of the financial services industry
to realizing the promise of ERM? Based on responses to our survey, the answer
is they are not as close as they would like to be.
In principle, members of the financial services sector, represented by our
survey respondents, believe that ERM will help them address their major strategic
challenges—ranging from capital management and allocation, to earnings consistency,
to earnings growth, to mergers and acquisitions.
They also have a clear understanding of how ERM is supposed to do that: by
being a "rigorous approach to managing risks from all sources that threaten
strategic and financial objectives or represent opportunities for competitive
advantage," a definition of ERM that more than 90 percent use. That is, nearly
everyone in financial services understands that ERM is an integrated—or holistic—approach
to risk management. And nearly everyone believes that such an approach will
enable them to meet their strategic challenges.
Nonetheless, not everyone practices integrated risk management. Slightly
more than 80 percent do integrate risk considerations into their strategic,
operational, and financial planning—which is a start. But relatively few practice
integration across these planning segments—and risk sources—in the enterprise.
For instance, only 46 percent consider the interaction of risk sources from
the financial and operational sides of the enterprise when assessing and measuring
risk. Only 44 percent consider the interaction when weighing the benefits of
either product or distribution channel diversification. And only 50 percent
consider the interaction among risk sources when they develop risk mitigation
or risk financing strategies.
What does that mean in the real world of day-to-day decision-making? One
implication is that more than half the financial services companies could have
a well-crafted financial strategy blindsided by an operational risk they hadn't
even considered in developing the financial strategy. For example, the decision
to sell products and services to customers over the Internet creates, of course,
greater exposure to technology failure. That fact should affect capital allocation
and, perhaps, product mix. Our survey results suggest that only 44 percent of
the industry would take that interaction into account; 56 percent would not.
Those who do are far more likely to survive a technological surprise than those
who do not.
What might account for the relatively limited practice of integrated risk
management in the financial services sector? Based on the responses to our survey,
the reason could very well be the dissatisfaction of financial managers with
the tools, techniques, processes, and concepts they have available to them to
manage risk holistically. They are particularly dissatisfied with the tools
they have to manage operational risks.
For example, nearly two-thirds of our respondents are not satisfied with
their ability to measure people and intellectual capital risks, even though
they rate it an important risk. Nearly 40 percent are not satisfied with their
ability to measure the risks associated with distribution channels and technology—two
of the most important strategic issues facing CEOs in this industry, according
to the biannual Tillinghast-Towers Perrin survey of CEOs published earlier this
year. And about one-third of them are not satisfied with their ability to measure
the risks associated with products, with political and regulatory affairs, and
with managing their reputations and ratings.
More specifically, financial services managers in our survey were generally
dissatisfied with their ability to:
- Manage risk and capital management within a coherent framework
- Stochastically model financial risks
- Accurately model the impact of risks, and financial and operational
strategies, on financial results
- Optimize financial and operational strategies in light of risk and return
requirements
- Prioritize risks from disparate sources using a common metric
- Stochastically model important operational risks
- Consider operational risk in the determination of economic capital
Getting to Fully Implemented ERM in Financial Services
If the insurance industry is a bellwether for the financial services industry
as a whole—and we think it is—then the financial services sector is still a
long way from making enterprise risk management a broad-based operating reality.
The complexity of the industry's operations requires dynamic models and tools.
Our survey results suggest that many managers in this sector don't believe they
have them—or, perhaps, that they even exist.
As we argued in the first article in this series, we don't think that is
the case. We think it is possible for financial services managers to ground
ERM for their sector in a framework that can accommodate the complexity of their
businesses. We also believe that financial services managers can have at their
disposal tools to model and manage operational risks that are as powerful as
those they use to model and manage financial risks.
The framework, which we broadly sketched in the first article, takes as its
objective increasing enterprise value by: enhancing growth, increasing return,
and improving earnings consistency—all of which are enabled by first establishing
an appropriate level, structure, and allocation of capital.
To reach this objective, financial institutions first need to understand
and account for the full risk environment within which they operate. That means
understanding the external environment: economic conditions, social and legal
trends, the political and regulatory climate, natural catastrophes, customer
behavior, and competitor behavior. And it means understanding the enterprise's
internal environment: expansion and diversification aims and programs, the organizational
culture, distribution systems, the appetite for risk, people capabilities and
intellectual capital, work processes, and technology. These internal and external
environmental factors are the sources of financial risk—asset and liability,
and of operational risk—both business risk and event risk.
Then, financial institutions need to understand the complete set of strategies
available to them to manage these financial and operational risks. That includes
financial strategies: capital structure, investment strategy, pricing, product
mix, dynamic hedging, and reinsurance. And it includes operational strategies:
hiring and training, incentive programs, internal controls, M&A, technology,
customer service, market strategy, and distribution. It also includes an understanding
that both types of strategies (financial and operational) can embrace both types
of risk.
Finally, financial institution managers need to apply this comprehensive
knowledge holistically to manage their financial and operational risks by exploiting
the natural hedges and portfolio effects among the array of risks when they
are treated together and not in individual "silos."
That's a framework that we believe will enable financial institutions to
achieve their goal of integrated risk management. To make the framework a living
reality requires a disciplined management process---a process that employs specific
tools to model, measure, and manage risk.
As our survey suggests, financial services managers already have at their
command the tools to strategically manage financial risks: dynamic financial
analysis (DFA), asset/liability management (ALM), risk and capital management
(RCM), and dynamic solvency testing (DST) among them.
But what they do not have at their command, and may not even know about,
are the tools and techniques that can help them model operational risks with
the same rigor, including a causal modeling approach based on system dynamics.
That approach simulates the dynamics of a specific system—say the dynamics of
the captive agent and direct marketing distribution channels for insurers—to
model the impact of changes in the system—for example, the impact of introducing
an Internet distribution strategy on profit and market share.
By combining the financial tools and operational risk modeling tools in the
process dictated by the framework, financial services managers can, in fact,
achieve their objective of increasing enterprise value. Moreover, they can do
it in a way that makes sense to investors, regulators, and customers.
While we've devoted this article to ERM in the financial services sector,
what we've described also works in other business sectors. In our next article,
we'll describe in more detail the actual management process to implement ERM.
Opinions expressed in Expert Commentary articles are those of the author and are
not necessarily held by the author's employer or IRMI. Expert Commentary articles
and other IRMI Online content do not purport to provide legal, accounting, or other
professional advice or opinion. If such advice is needed, consult with your attorney,
accountant, or other qualified adviser.