Enterprise Risk Management in the Financial Services Industry: Still a Long Way to Go

The Particular Need and Opportunity for Financial Services Firms

The need for ERM in the financial services sector, as with other business sectors, is driven by external and internal pressures. Some of the external pressures are common to all businesses—calls for corporate governance reforms from stock exchanges, accounting bodies, institutional investors, and government regulators in countries around the world. Other external pressures, especially in the United States, are particular to the financial services sector. They come from bank and insurer regulators and legislators who want to assure that policyholders and customers—as well as the financial system as a whole—are protected from unwarranted risks, even as the industry is deregulated.

The internal pressures come from business conditions and risks unique to this industry—especially those that arise from operating in a more competitive environment. First, financial services companies have a distinct, competitive reason to get ERM right. They are in the business of taking on other people's risks. Developing sophisticated tools to do that is their core competency. A financial institution that can demonstrate that it has, in fact, mastered ERM internally will make itself more credible in the marketplace, more likely to attract and retain clients and customers.

Second, financial institutions are now experiencing industry-specific strategic and operational problems that lend themselves to an ERM solution. Insurers, for instance, today face decreasing margins, increasing competition from unconventional sources, more demanding stakeholders, and—for many lines—too much capital pursuing too little business. The industry is also in the midst of fundamental changes in technology, distribution systems, and customer expectations that create new risks and challenge high performance. Convergence of the banking and insurance sectors brings additional uncertainties and levels of scrutiny.

In this riskier environment, financial institution managers—especially insurers—need to get maximum value from their businesses by making good decisions about:

• Products/markets
• Investments/assets
• Operations
• Capital
• Hedging—which, for insurers, frequently means decisions about reinsurance.

Although managers usually treat these decisions—and their attendant risks—as separate and distinct, they are, in fact, an interrelated mix of financial judgments and operational judgments. For instance, foreign exchange fluctuation (a financial risk) can be mitigated by buying source goods and services closer to the point of sale of one's own products and services (an operational strategy). And that, in turn, may reduce the need for a financial strategy, such as currency hedging. The promise of ERM for financial services managers is that it can help them systematically make such integrated decisions.

ERM in Financial Services Today

The question is, how close are members of the financial services industry to realizing the promise of ERM? Based on responses to our survey, the answer is they are not as close as they would like to be.

In principle, members of the financial services sector, represented by our survey respondents, believe that ERM will help them address their major strategic challenges—ranging from capital management and allocation, to earnings consistency, to earnings growth, to mergers and acquisitions.

They also have a clear understanding of how ERM is supposed to do that: by being a "rigorous approach to managing risks from all sources that threaten strategic and financial objectives or represent opportunities for competitive advantage," a definition of ERM that more than 90 percent use. That is, nearly everyone in financial services understands that ERM is an integrated—or holistic—approach to risk management. And nearly everyone believes that such an approach will enable them to meet their strategic challenges.

Nonetheless, not everyone practices integrated risk management. Slightly more than 80 percent do integrate risk considerations into their strategic, operational, and financial planning—which is a start. But relatively few practice integration across these planning segments—and risk sources—in the enterprise.

For instance, only 46 percent consider the interaction of risk sources from the financial and operational sides of the enterprise when assessing and measuring risk. Only 44 percent consider the interaction when weighing the benefits of either product or distribution channel diversification. And only 50 percent consider the interaction among risk sources when they develop risk mitigation or risk financing strategies.

What does that mean in the real world of day-to-day decision-making? One implication is that more than half the financial services companies could have a well-crafted financial strategy blindsided by an operational risk they hadn't even considered in developing the financial strategy. For example, the decision to sell products and services to customers over the Internet creates, of course, greater exposure to technology failure. That fact should affect capital allocation and, perhaps, product mix. Our survey results suggest that only 44 percent of the industry would take that interaction into account; 56 percent would not. Those who do are far more likely to survive a technological surprise than those who do not.

What might account for the relatively limited practice of integrated risk management in the financial services sector? Based on the responses to our survey, the reason could very well be the dissatisfaction of financial managers with the tools, techniques, processes, and concepts they have available to them to manage risk holistically. They are particularly dissatisfied with the tools they have to manage operational risks.

For example, nearly two-thirds of our respondents are not satisfied with their ability to measure people and intellectual capital risks, even though they rate it an important risk. Nearly 40 percent are not satisfied with their ability to measure the risks associated with distribution channels and technology—two of the most important strategic issues facing CEOs in this industry, according to the biannual Tillinghast-Towers Perrin survey of CEOs published earlier this year. And about one-third of them are not satisfied with their ability to measure the risks associated with products, with political and regulatory affairs, and with managing their reputations and ratings.

More specifically, financial services managers in our survey were generally dissatisfied with their ability to:

• Manage risk and capital management within a coherent framework
• Stochastically model financial risks
• Accurately model the impact of risks, and financial and operational strategies, on financial results
• Optimize financial and operational strategies in light of risk and return requirements
• Prioritize risks from disparate sources using a common metric
• Stochastically model important operational risks
• Consider operational risk in the determination of economic capital

Getting to Fully Implemented ERM in Financial Services

If the insurance industry is a bellwether for the financial services industry as a whole—and we think it is—then the financial services sector is still a long way from making enterprise risk management a broad-based operating reality. The complexity of the industry's operations requires dynamic models and tools. Our survey results suggest that many managers in this sector don't believe they have them—or, perhaps, that they even exist.

As we argued in the first article in this series, we don't think that is the case. We think it is possible for financial services managers to ground ERM for their sector in a framework that can accommodate the complexity of their businesses. We also believe that financial services managers can have at their disposal tools to model and manage operational risks that are as powerful as those they use to model and manage financial risks.

The framework, which we broadly sketched in the first article, takes as its objective increasing enterprise value by: enhancing growth, increasing return, and improving earnings consistency—all of which are enabled by first establishing an appropriate level, structure, and allocation of capital.

To reach this objective, financial institutions first need to understand and account for the full risk environment within which they operate. That means understanding the external environment: economic conditions, social and legal trends, the political and regulatory climate, natural catastrophes, customer behavior, and competitor behavior. And it means understanding the enterprise's internal environment: expansion and diversification aims and programs, the organizational culture, distribution systems, the appetite for risk, people capabilities and intellectual capital, work processes, and technology. These internal and external environmental factors are the sources of financial risk—asset and liability, and of operational risk—both business risk and event risk.

Then, financial institutions need to understand the complete set of strategies available to them to manage these financial and operational risks. That includes financial strategies: capital structure, investment strategy, pricing, product mix, dynamic hedging, and reinsurance. And it includes operational strategies: hiring and training, incentive programs, internal controls, M&A, technology, customer service, market strategy, and distribution. It also includes an understanding that both types of strategies (financial and operational) can embrace both types of risk.

Finally, financial institution managers need to apply this comprehensive knowledge holistically to manage their financial and operational risks by exploiting the natural hedges and portfolio effects among the array of risks when they are treated together and not in individual "silos."

That's a framework that we believe will enable financial institutions to achieve their goal of integrated risk management. To make the framework a living reality requires a disciplined management process---a process that employs specific tools to model, measure, and manage risk.

As our survey suggests, financial services managers already have at their command the tools to strategically manage financial risks: dynamic financial analysis (DFA), asset/liability management (ALM), risk and capital management (RCM), and dynamic solvency testing (DST) among them.

But what they do not have at their command, and may not even know about, are the tools and techniques that can help them model operational risks with the same rigor, including a causal modeling approach based on system dynamics. That approach simulates the dynamics of a specific system—say the dynamics of the captive agent and direct marketing distribution channels for insurers—to model the impact of changes in the system—for example, the impact of introducing an Internet distribution strategy on profit and market share.

By combining the financial tools and operational risk modeling tools in the process dictated by the framework, financial services managers can, in fact, achieve their objective of increasing enterprise value. Moreover, they can do it in a way that makes sense to investors, regulators, and customers.

While we've devoted this article to ERM in the financial services sector, what we've described also works in other business sectors. In our next article, we'll describe in more detail the actual management process to implement ERM.