Enterprise, or Opportunity Risk Management?

The Enterprise Risk Management (ERM) market seems to have been driven by the Finance & Banking (F&B) sector’s interpretation of what ERM means. They have taken their traditional risk methodology in the areas of Credit, Market and Operational risk management, extended that out to other areas of their businesses, and called that ERM. But, for true ERM, the F&B institution’s methodology for managing risk places too much emphasis on backward-looking analysis of loss, as opposed to a more forward-looking speculation about potential loss (or risk) in future. Historical analysis of actual loss is of course a significant indicator of further loss in future, but only where defined losses are to be expected, such as in the areas of insurance, the provision of credit, or speculation in markets.

However, such a methodology doesn’t provide a sound analytical basis for those less frequent and possibly more drastic events, or those events where historical loss data doesn’t exist, which applies to the general operations of most businesses today.

So, in F&B, risk management has become very much a science, but for areas of risk outside the realms of credit, market and banking operations, and without the benefit of hindsight and a loss history, it is very much an art today.

Perhaps analyzing some of the more accepted definitions of risk will help us to figure out where and how we should be focusing our risk assessment efforts, acronyms aside:

Wikipedia by its very nature takes a broad view, not specifically in the context of business, and states simply that “risk is a concept that denoted the precise probability of specific eventualities”. Interestingly, Wikipedia’s definition of risk continues by stating that risk can be defined as “the threat or probability that an action or event, will adversely or beneficially affect an organization’s ability to achieve its objectives”. Hmmm, so immediately Wikipedia is recognizing that we have to tie our speculation of loss to our desire to achieve stated objectives; in other words, realizing our opportunities.

Corporate Integrity, a leading Global advisory on Governance, Risk and Compliance succinctly defines Risk as “the effect of uncertainty on business objectives”. Again, focusing on what a company is endeavouring to achieve through the realization of its opportunities.

So, how about taking the word ENTERPRISE and replacing it with OPPORTUNITY? After all, businesses are in business to profit from opportunities, and given that the above definitions of risk relate its management to the achievement of those objectives, it would seem that this has to be the basis of risk analysis.

However, this would provide us with ORM instead of ERM as an acronym for the management of risks in our business, but unfortunately, ORM is already generally accepted as meaning Operational Risk Management, which is a term well understood and accepted in the F&B world because it is a component part of the Basel II Capital Accord. This might explain the root cause of the problem!

F&B understands Operational Risk Management in Basel II terms and by extending that across the enterprise they assume it to be Enterprise Risk Management, but, as stated previously the methodology used is driven by the analysis of losses, not the analysis of risks to the achievement of objectives, goals or opportunities.

It is correct that loss analysis is an excellent way of predicting likely loss in future, but as noted earlier only if an extensive loss history exists. This is the key point. In most businesses the loss history does not exist or is very limited, and even in the F&B industry it is limited to the scope of Basel II, which does not cover business risks such as supply-chain, internal operations such as HR or reputational risks and many other risk areas.

So, whilst extensive loss history can help us to add some science to the art of risk management across the enterprise, the fact is that an extensive history of losses does not exist for most businesses, so the only viable methodology is to start with understanding a business’s strategy, its objectives and its opportunities, and trying to quantify what will prevent the company achieving those, i.e. what the risks to the realization of opportunities are.

Opportunity Risk Management (ORM).

3 thoughts on “Enterprise, or Opportunity Risk Management?”

  1. We have quite knowledge and a lot of experience in serving clients with a methodology and a software in the area of opportunity and risk management.

    Are measurement systems available to measure tangibles and intangibles?
    How do we build in an effective way the knowledge we gain into a new business architecture?

  2. I assume your question relates to tangible or intangible risks and opportunities. If so, then we need to think of these individually. The definition of tangible is that something is real, definite, comprehensible and understandable, and of course intangible is the opposite. This prompts interesting debate I feel and is a matter of semantics. My view is that a tangible risk could be considered to be the impact you know to expect or are comfortable to suffer, therefore your risk appetite perhaps? But it could also be considered to be an issue or a loss, where a situation, event or circumstance has caused a loss or presented a risk or a number of risks. Clearly losses are measurable. Loss management is an essential part of a good ERM framework (see the earlier blog on this point) so that you can benefit from hindsight and predict loss based on ‘tangible’ experience. The loss experience of the past would also be the measurement metric to influence your risk appetite for the future.
    An intangible risk, as it is not definite, could be considered to be the inherent risk faced; the risk that exists implicitly, however it could also be considered to be the effect of a threat, risk or loss; an intangible or unknown outcome of an event or situation. This would be far more difficult to measure, though there are sophisticated predictive modeling tools available that I am not qualified to describe or validate.
    If we apply the same tangible/intangible definitions to opportunities, a tangible opportunity could be regarded as one with a definite outcome or result. So a potential sale of a product is an opportunity for revenue with a tangible result if the sale is completed. There are plenty of technologies that can help there, from a simple spreadsheet to a complex CRM system. An intangible opportunity is much more interesting to consider, and is where the outcome is not definite. Good opportunity management is what must be applied for intangible opportunities, and is a subject that needs more space than I have in this comment to discuss, but as a part of COSO, should be utilized in an ERM framework. Intangible opportunities will have measurements associated, including the positive impact(s) and associated probabilities, as well as the associated risks, controls, actions and potential losses that may result from the opportunity.
    As to your final question about taking advantage of the knowledge gained, this would demand a set of business processes that make sure strategic planning activities use the output from the ERM framework to influence and validate decisions.

