When banking regulators looked around at the financial institutions that fared less poorly during the financial crisis, one of the common themes that distinguished them was their dedication to internal transparency regarding their risks and risk management activities.
- The executives in central roles at those firms had constant access to the best information available.
- Those banks tended to react faster when their aggregate level of risk looked like it was headed above their risk tolerance.
- They also seemed to get into less trouble with risk concentration caused by people in different parts of the firm unintentionally piling onto similar and likely highly correlated risks.
Transparency is just not expected from traditional risk management activities. Business managers are taught to concentrate on sales and profits, with a third focus on expenses. Risk management is viewed as the fourth or lower priority of the business.
When middle managers inherit risk
Middle managers are most often charged with handling risk, and they get that responsibility sometimes as a (possibly private) inheritance from their predecessor. It may not even be included in their job description. Executive management may not know and seldom asks about risk as long as sales and profits are meeting expectations and expenses are within budget.
In those traditional risk management situations, the degree to which risk is tightly controlled or loosely allowed is often a personal decision made by the middle manager who “inherited” the responsibility for a particular risk. That person may make the best decision based on full knowledge of the nature of the risk and the availability and cost of mitigation of the risk, or they might just choose an approach based on poor or even inaccurate information because that is the best that they can find with the time they can spare.
Enterprise risk management (ERM) is a commitment to executive and board attention to the important risks of the firm. In a fully realized ERM, the risk profile of the firm and the plans to change or maintain that profile from one year to the next—while exploiting, managing, limiting or avoiding various risks that are tied to their general business strategy—are shared among the management team and with the board.
In the best programs, it is not only shared, it is a topic of debate and challenge. These firms realize that a dollar of profit usually has the exact same value as a dollar of loss, so they conclude that risk management, well-chosen and executed, can be as important to success as marketing.
Transparency and company executive management
Generally, executives are aware of the firm’s risks, but until ERM comes along and forces an actual discussion of risk, there is rarely a spontaneous agreement on priorities.
In a firm without ERM, the top executives would likely not even have the same list in mind for the company’s top 10 risks. And different executives would have different Borel points.
With the transparency that comes from an ERM risk identification and prioritization exercise, the executives will come to agreement on the list of risks that will be the priority, as well as on the firm’s agreed-upon Borel point.
As risk transparency becomes common practice, management discussions can shift from simple risk avoidance and minimization to risk reward trade-offs and cost benefit alternatives of different risk mitigations. Management can also exploit the development of expertise in detecting and assessing shifts in the risk environment.
Transparency and the board
Transparency of risk information is highly desirable to the board. They do not want to know the details of a hundred risks, but they do want to know before the next board meeting that someone is attending to the risks that might end the company.
When I was in the room for a board presentation of management’s proposal for risk tolerance, their only required change to the red-yellow-green system that was being proposed was to ask that some of the green zone be changed to yellow. They want to know when the company is “at risk” of exceeding the tolerance. This is a part of an aggregate risk management process.
We usually recommend that management highlight 5 or 6 risks that are board-level concerns, the risks to the “enterprise.” These most significant risks of the firm would all have the potential to cripple the enterprise either financially, operationally or reputationally. Management would then regularly keep the board apprised as to:
- the level of exposure to these risks
- the success or failure of risk mitigation activities
- the gains or losses associated with these risk exposures
These discussions of aggregate risk and the top enterprise risks should go through the normal management control cycle discussion of plans, execution, success or failure, reactions to changing conditions, and new plans.
Transparency and staff
Transparency of risk information is important if a company wants to “get everyone involved” in risk management. For over 20 years, some companies have practiced open-book management (OBM), sharing detailed information about their financial statements and business plans.
But financial statements rarely provide actionable information about risk. Therefore, even in the OBM firms, there is generally a lack of knowledge about risk.
With the transparency of risk and risk management information that comes from ERM, risk communication can become a part of the “Open Book.”
There may be a paternalist urge to protect employees from scary information about risk, but ERM provides a language for talking not just about bad things that can happen, but also about what is being done about it. By including more employees in the risk discussion, there is also an increased chance that the firm will become aware of critical changes in the risk environment and possibilities for enhancing mitigation activities to better achieve the firm objectives with less disruption from unexpected adverse events.
Transparency outside the firm
In the U.S., publicly traded firms have long been required to disclose the company’s risks in securities filings. But conventional wisdom holds that it is too risky to disclose anything about risk management. So, the reader of the financial statement is left wondering whether management is doing anything at all about the sometimes dozens of risks that are noted in the 10-K.
Other disclosures about very specific risk management activities, such as hedging and reinsurance, are included, but few, if any, U.S. firms will actually publicly describe their risk management activities.
The story is completely different outside the U.S. With the development of ERM, large global insurers and reinsurers have been telling the story of their ERM programs for over 10 years. It is not uncommon for the largest non-U.S. insurers and reinsurers to disclose 10 to 40 pages of discussion of their risk management program. One reinsurer even discloses its risk limits and risk positions compared to those limits for a dozen major perils.
There also seems to be an emerging standard for insurers to provide a clear tabular exposition of their top risks, along with their main risk mitigation activities regarding each risk. These firms frequently have the Chief Risk Officer delivering presentations to investors, and joining the CEO and CFO in presenting quarterly financial results where the risk and capital position is considered to be one of the key financial results.
This transparency outside of the firm provides valuable information to investors who might be concerned with the risks retained by an insurer they invest in. Time will tell whether the insurers with better disclosure of risk management actually end up experiencing fewer or less severe losses and better return for risk retained.
Transparency is part of the best defense
The adage “the best defense is a strong offense” may apply to some board games, but its applicability to sports seems to be disproven almost every season, when the team with the best defense often wins the championship. Enterprise risk management is the defense of an insurance company, and transparency is a key part of a strong ERM program.