Best Practices for Structuring ERM Within the Organization
Originally Published: September 01, 2005
Upon conducting in-depth interviews with risk managers in the investment banking industry, the authors find significant differences of opinion on how risk management should be structured within the business. Three main areas of focus emerged:
The role of modern portfolio management tools in risk
What the "independence" of enterprise risk management (ERM) really means
How much authority the risk management function should be given
Measurement Tools in Enterprise Risk Management
Risk management techniques have evolved significantly over the past 20 years. The development of sophisticated modeling tools to quantify risk has allowed firms to better control their risk exposures. The most prominent of these is Value at Risk (VaR).
Firms conduct stress tests on their VaR models in order to see what would happen to their portfolio under certain market conditions. In some firms, the stressed VaR becomes the basis for capital allocation and budget setting. This practice can be appropriate if the stressed scenarios are properly thought out and sufficiently elaborate. If they are not, the results of these stress tests will not yield useful insights.
Because of VaR's important roles in capital allocation and limit setting, only the risk management function should have the responsibility to conduct these tests. They must be given proper resources to conduct comprehensive, robust tests of the models employed.
It is fairly obvious that the risk management function of an organization should be independent. However, among those interviewed, there was little consistency on how independence is established. For example, in some firms, the risk management function reports to the CFO. In others, the risk team is a separate function reporting directly to the CEO.
Ideally, the risk management function should report directly to the CEO. This ensures that the risk function is given proper standing in the organization and does not get lost within the finance function. Also, it is imperative that risk managers have the respect of those outside the risk function so that their opinions will be heard. To ensure this, risk managers must be highly experienced and thoroughly understand their company's business.
The Risk Partnership
It can be difficult to balance exactly how much power to give the risk function in the firm. The risk team must be embedded throughout the organization, while still staying independent.
If given too little influence, the risk team's role is only to calculate VaR and generate reports. In that case, risk management becomes nothing more than a policeman, whose only purpose is to tell employees when they have done something wrong.
On the other hand, if given too much power, the risk management team can get caught up in the everyday transactions of the business. In this way, they become essentially just like business managers themselves and ignore their true purpose in the organization.
In practice, risk management should drive the processes of the business in collaboration with the business units. It is vital that the risk team has a deep understanding of the businesses needs, prospects, risk appetite, and budget goals. One problem in the current business environment is that risk managers do not have these skills or experience. However, once the firm establishes risk management as a priority, these skills will be developed over time.
Finally, the organization must have a holistic, well articulated risk statement that all employees read and understand. This is an important step in developing a strong risk culture.
Properly structuring the risk function in the organization helps ensure that risk management is entrenched throughout the business and is always taken into consideration when making decisions.