Jerry Miccolis summarizes the terminology common to companies that practice
ERM, which forms a large part the emerging global "language of risk."
One of the worthy goals of enterprise risk management (ERM) is the
establishment of a common risk vernacular throughout the organization. This
article summarizes the terminology that is coming into common usage among
companies that practice ERM, forming a large part the emerging global
"language of risk".
An important aspect of ERM is the strong linkage between measures of risk
and measures of overall organizational performance. Thus, this glossary begins
with a description of some key corporate performance measures, after which
successive elements of the ERM process (risk assessment, measurement, modeling,
management applications, monitoring, and oversight) are described.
As in prior articles in this series, we focus on publicly traded
corporations, and where industryspecific details are introduced, we focus on
the financial services industry (and, more specifically, the insurance
industry) for illustration. Where appropriate, certain terms are compared and
contrasted; and where some terms represent alternative approaches to a similar
issue, relative strengths and weaknesses are discussed.
Overall Corporate Performance Measures
 General Industry
 Return on equity (ROE)—net income divided by net
worth.
 Operating earnings—net income from continuing
operations, excluding realized investment gains
 Earnings before interest, dividends, depreciation, and
amortization (EBITDA)—a form of cash flow measure, useful for
evaluating the operating performance of companies with high levels of debt
(when the debt service costs may overwhelm other measures such as net
income).
 Cash flow return on investments (CFROI)—EBITDA divided
by tangible assets.
 Weighted average cost of capital (WACC)—the sum of the
required market returns of each component of corporate capitalization,
weighted by that component's share of the total capitalization.
 Economic value added (EVA)—a corporate performance
measure that stresses the ability to achieve returns above the firm's
cost of capital. It is often stated as net operating profits after tax less
the product of required capital times the firm's weighted average cost of
capital.
 Financial Services Industry


Return on riskadjusted capital
(RORAC)—a target ROE measure in which the denominator is
adjusted depending on the risk associated with the instrument or
project.
 Riskadjusted return on capital (RAROC)—a target ROE
measure in which the numerator is reduced depending on the risk
associated with the instrument or project.

Riskadjusted return on riskadjusted
capital (RARORAC)—a combination of RAROC and RORAC in which
both the numerator and denominator are adjusted (for different risks).
 Insurance Industry
 Economic capital—market value of assets minus fair
value of liabilities. Used in practice as a riskadjusted capital
measure; specifically, the amount of capital required to meet an explicit
solvency constraint (e.g., a certain probability of ruin).

RAROC—the expected aftertax return divided by
economic capital (thus, the more technically correct label is
RORAC but in the insurance industry, RAROC is the term commonly
used). RAROC is typically employed to evaluate the relative performance
of business segments that have different levels of risk; the different
levels of risk are reflected in the denominator. Evaluating financial
performance under RAROC calls for comparison to a benchmark return;
when the benchmark return is riskadjusted, the result is similar to
RARORAC, though the term RAROC is still applied.
 Embedded value—a measure of the value of business
currently on the books of an insurance company; it comprises adjusted net
worth (the market value of assets supporting the surplus) plus the
present value of expected future profits on inforce business. (Embedded
value differs from appraisal value in that the latter also includes the
value of future new business.) The performance measure is often expressed
in terms of growth (i.e., yearonyear increase) in embedded value.
 Risk Based Capital (RBC)—a specific regulatory
capital requirement promulgated by the National Association of Insurance
Commissioners (NAIC). It is a formuladerived minimum capital standard
that sets the points at which a state insurance commissioner is
authorized and expected to take regulatory action.
Risk Assessment
 Risk Assessment Activities
 Risk identification—the qualitative determination of
risks that are material, i.e., that potentially can impact the
organization's achievement of its financial and/or strategic
objectives. This is often done through structured interviews of key
personnel by internal (e.g., internal audit) or external experts. In some
cases, the organization's business process maps are used to guide the
risk assessment.
 Risk prioritization—the ranking of material risks on
an appropriate scale, such as frequency and/or severity (see also
"risk mapping").
 Risk mapping—the visual representation of risks (which
have been identified through a risk assessment exercise) in a way that easily
allows priorityranking them. This representation often takes the form of a
twodimensional grid with frequency (or likelihood of occurrence) on one
axis, and severity (or degree of financial impact) on the other axis; the
risks that fall in the highfrequency/highseverity quadrant are given
priority risk management attention.

Risk types—there are, in practice, a number of different
ways that risk types are categorized. Below are a few categories that are
commonly used:
 Market risk—exposure to uncertainty due to changes
in rate or market price of an invested asset (e.g., interest rates,
equity values).
 Credit risk—exposure to loss due to the default or
downgrade of a counterparty (e.g., bondissuer, reinsurer).
 Operational risk—exposure to uncertainty arising
from daily tactical business activities.
 Strategic risk—exposure to uncertainty arising from
longterm policy decisions.
 Liquidity risk—exposure to adverse cost or return
variation stemming form the lack of marketability of a financial
instrument at prices in line with recent sales.
 Hazard risk—exposure to loss arising from damage to
property or from tortious acts; typically includes the perils covered by
property/casualty insurance.

"Risk profile"—there
is no standard definition for this term; it is commonly used in a
conceptual sense to represent the entire portfolio of risks that constitute
the enterprise. Some companies represent this portfolio in terms of a
cumulative probability distribution (e.g., of cumulative earnings) and use
it as a base from which to determine the incremental impact (e.g., on
required capital) of alternative strategies or decisions.
Risk Measurement

Solvencyrelated measures—these measures concentrate on
the adverse "tail" of the probability distribution (see
"risk profile") and are relevant for determination of capital
requirements; they are of particular concern to customers and their
proxies, e.g., regulators and rating agencies:
 Probability of ruin—the percentile of the
probability distribution corresponding to the point at which capital is
exhausted. Typically, a minimum acceptable probability of ruin is
specified, and economic capital is derived therefrom.
 Shortfall risk—the probability that a random
variable falls below some specified threshold level. (Probability of ruin
is a special case of shortfall risk in which the threshold level is the
point at which capital is exhausted.)
 Value at risk (VaR)—the maximum loss an organization
can suffer, under normal market conditions, over a given period of time
at a given probability level (technically, the inverse of the shortfall
risk concept, in which the shortfall risk is specified, and the threshold
level is derived therefrom). VaR is a common measure of risk in the
banking sector, where it is typically calculated daily and is used to
monitor trading activity.
 Economic cost of ruin (ECOR)—an enhancement to the
probability of ruin concept (and thus shortfall risk and VaR) in which
the severity of ruin is also reflected. Technically, it is the expected
value of the shortfall. (In an analogy to bond rating, it is comparable
to considering the salvage value of a bond in addition to the probability
of default.) For insurance companies, the equivalent term is expected
policyholder deficit (EPD), and represents the expected shortage in the
funds due to policyholders in the event of liquidation.
 Tail Value at Risk (Tail VaR) or Tail Conditional Expectation
(TCE)—an ECORlike measure in the sense that both the
probability and the cost of "tail events" are considered; the
calculation differs from ECOR in such a way that it has a desirable
statistical property (i.e., coherence) that is beyond the scope of this
document to describe.

Performancerelated measures—these measures concentrate on
the midregion of the probability distribution (see "risk
profile") i.e., the region near the mean, and are relevant
for determination of the volatility around expected results; they are of
particular concern to owners and their proxies, e.g., stock analysts:
 Variance—the average squared difference between a
random variable and its mean.
 Standard deviation—the square root of the variance.
 Semivariance and downside standard
deviation—modifications of variance and standard deviation,
respectively, in which only unfavorable deviations from a specified
target level are considered in the calculation.
 Belowtargetrisk (BTR)—the expected value of
unfavorable deviations of a random variable from a specified target
level.
 Covariance—a statistical measure of the degree to which
two random variables are correlated. Related to correlation coefficient
(correlation coefficient is covariance divided by the product of the standard
deviations of the two random variables). A correlation coefficient of +1.0
indicates perfect positive correlation; 1.0 indicates perfect negative
correlation (i.e., a "natural hedge"); zero indicates no
correlation.
 Covariance matrix—a twodimensional display of the
covariances (or correlation coefficients) among several random variables; the
covariance between any two variables is shown at their crosssection in the
matrix.
Risk Modeling
Risk modeling refers to the methods by which the risk and performance
measures described above are determined.
 Analytic methods—models whose solutions can be
determined "in closed form" by solving a set of equations. These
methods usually require a restrictive set of assumptions and mathematically
tractable assumed probability distributions. The principal advantage over
simulation methods is ease and speed of calculation.
 Simulation methods (often called Monte Carlo
methods)—models that require a large number of computergenerated
"trials" to approximate an answer. These methods are relatively
robust and flexible, can accommodate complex relationships (e.g., socalled
path dependent relationships commonly found in options pricing), and depend
less on simplifying assumptions and standardized probability distributions.
The principal advantage over analytic methods is the ability to model
virtually any realworld situation to a desired degree of precision.

Statistical methods—models that are based on observed
statistical qualities of (and among) random variables without regard to
causeandeffect relationships. The principal advantage over structural
models is ease of model parameterization from available (often public)
data.
 Mean/variance/covariance (MVC) methods—a special
class of statistical methods that rely on only three parameters: mean,
variance, and covariance matrix.
 Structural methods—models that are based on explicit
causeandeffect relationships, not simply statistical relationships such as
correlations. The cause/effect linkages are typically derived from both data
and expert opinion. The principal advantages over statistical methods include
the ability to examine the causes driving certain outcomes (e.g., ruin
scenarios) and the ability to directly model the effect of different
decisions on the outcome.

Dynamic Financial Analysis (DFA)—the name for a class of
structural simulation models of insurance company operations, focusing on
underwriting and financial risks, designed to generate financial pro forma
projections. DFA models are typically used in
risk management applications.
Note: As a practical matter, the choice of modeling approach is typically
between statistical analytic models and structural simulation models.
CONTRAST BETWEEN MODELING
APPROACHES 
Representation of
Relationships 
Calculation Technique 
Examples 
Relative Advantages 
Statistical (based on observed statistical qualities without regard
to cause/effect) 
Analytic (closedform formula solutions) 

Simplicity, speed, use of publicly available data (well suited for
industry oversight bodies) 
Structural (based on specified cause/effect linkages; statistical
qualities are outputs, not inputs) 
Simulation (solutions derived from repeated "draws" from
the distribution) 
 DFA
 Many options pricing models

Flexibility, realism, accuracy, ability to examine scenario drivers
(well suited for individual companies) 

Optimization—the formal process by which decisions are
made under conditions of uncertainty. Components of an optimization
exercise include a statement of the range of decision options, a
representation of the uncertain conditions (usually in the form of
probability distributions), a statement of constraints (usually in the form
of limitations on the range of decision options), and a statement of the
objective to be maximized (or minimized). An example of an optimization
exercise is an
asset allocation study.
 Candidate analysis—a restricted form of optimization
analysis in which only a finite number of prespecified decision options are
considered, and the best set among those options is determined through the
analysis.
Risk Management Applications
The techniques, models, and measures explained above are used in various
combinations to assist management decisionmaking.
 Capital management:
 Capital adequacy—the determination of the minimum
amount of capital needed to satisfy a specified economic capital
constraint (e.g., a certain probability of ruin), usually calculated at
the enterprise level.
 Capital structure—the determination of the optimal
mix of capital by type (i.e., debt, common equity, preferred equity),
given the risk profile and performance objectives of the enterprise.

Capital attribution—the determination of the
assignment of enterprise level capital to the various business segments
(e.g., lines of business, regions, projects) that make up the
enterprise, in recognition of the relative risk of each segment, for
purposes of measuring segment performance on a risk adjusted basis
(e.g., to provide the denominator for a RORAC analysis by segment).
 Diversification credit—the recognition of the
"portfolio effect," i.e., the fact that the economic
capital required at the enterprise level will be less than the sum of
the capital requirements of the business segments calculated on a
standalone basis. The diversification credit is typically
apportioned to the business segments in a manner that attempts to
preserve the relative equity of the capital attribution process.
 Capital allocation—the actual deployment of capital
to different business segments.

Asset allocation—the
determination of the optimal mix of assets by asset class (usually to
maximize expected reward within risk constraints). In advanced
applications, the analysis reflects the nature and structure of both assets
and liabilities.
 Reinsurance/hedging strategy optimization—the
determination of the optimal reinsurance/hedging program, reflecting program
costs and risk reduction capability; usually conducted through candidate
analysis. The risk reduction capability manifests itself in terms of both
reduction in required economic capital and reduction in the cost of capital
or required riskadjusted rate of return
 Crisis management—the proactive response of an
organization to a severe event that could potentially impair its ability to
meet its performance objectives.
 Contingency planning—the process of developing and
embedding in the organization crisis management protocols in advance of
crisis conditions.
Risk Monitoring
 Risk dashboard—the graphical presentation of the
organization's key risk measures (often against their respective
tolerance levels); typically used in reports to senior management.
External Oversight
There are a number of regulatory, rating agency and corporate governance
guidelines and regulations that ERM programs and policies need to consider. The
more prominent of these are identified and categorized below.
 General Industry
 Cadbury Report, et al. (UK) corporate governance guidelines.
 Dey Report (Canada) corporate governance guidelines.
 Australia/New Zealand Risk Management Standard
 Financial Services Industry
 Basel Capital Accord
 Office of the Superintendent of Financial Institutions (OSFI)
supervisory framework (Canada)
 Financial Services Authority (UK) system of risk based
supervision
 Standard & Poor's Revised RiskBased Capital Adequacy Model
for Financial Products Companies
 Moody's Financial Institutions' Enterprise Risk
Management
 Insurance Industry
 A.M. Best's Enterprise Risk Model: A Holistic Approach to
Measuring Capital Adequacy
 Moody's One Step in the Right Direction: The New C3a RiskBased
Capital Component
 National Association of Insurance Commissioners (NAIC) Risk Based
Capital requirements.
 Australian Prudential Regulation Authority (APRA) reforms to the
regulation of general insurers.
Certain of these definitions were adapted from The Dictionary of Financial Risk Management, by
Gastineau and Kritzman, 1996, Frank J. Fabozzi Associates.
Additional details on the concepts covered in this article, as well as in
other articles in this series, may be found in the downloadable monographs
Enterprise
Risk Management: An Analytic Approach and RiskValueInsights™:
Creating Value Through Enterprise Risk Management—A Practical Approach for the
Insurance Industry 2002