
Why Sustainability is Integral to Enterprise Risk Management
Enterprise risk management (ERM) has long been a growing priority of corporate executives and
boards — not a surprise since political, economic and social change can occur quickly. But a
study issued by the business reporting firm Workiva suggests sustainability-related risks should
be part of a company’s core ERM analysis. Climate is an obvious reason, as many businesses
learned after Hurricane Sandy two years ago. But other factors, from supply chain management
to confronting water scarcity, are behind why the study’s authors insist businesses need to take
sustainability seriously if they are to remain viable for the long term.

Sustainability is more than highlighting environmental and social risks, however. The Workiva
report insists that in order for sustainability to be part and parcel of a company’s risk
management plan, buy-in has got to start at the top, board- and executive-level, with a solid
corporate governance structure. And before those groans start coming out of the boardroom, it’s
important to remember that many reports already out there prove that a company focused on
being sustainable and socially responsible is one that also enjoys an improved financial
performance.

But how should sustainability-related challenges be implemented and monitored?

A study conducted earlier this year by the Investor Responsibility Research Center (IRRC) and
the Sustainable Investments Institute revealed that two-thirds of large companies that monitor
sustainability at the board level do so via the public affairs or governance committees. But a
successful integration of sustainability and ERM would be more likely to occur if such
responsibilities were tasked to an audit or risk committee—yet only 11 percent of large
companies (as in those ranked by Standard & Poor’s) do so. These senior managers, who are
best suited to the daily monitoring of sustainability performance, can set goals and key
performance indicators, whether they are related to water, carbon or social responsibility within a
supply chain.

Naturally, any plan to enmesh sustainability awareness throughout a company’s structure will
require the breakdown of silos. While chief financial officers are focused on numbers,
procurement on the supply chain and sales on product reliability, all departments have got to
focus on how sustainability affects their day-to-day performance. Some companies have
succeeded with this “all hands on deck” approach, such as Microsoft, which involved all
departments when the company declared it would become carbon neutral two years ago.

Above all, a robust risk management strategy incorporating sustainability is about more than
being compliant. Knowing how sustainability can affect a company’s prospects can become an
effective management tool. Insurance companies, for example, can develop new products related
to climate change. Bottling companies such as PepsiCo can save money and improve their brand
reputation by assessing water risks. And Unilever’s assessment of its supply chain correlates
with its improved sales in recent years. Knowing your risks is about more than protecting your
company; understanding threats can also lead to new business opportunities...

Enterprise Risk Management: A Definition


Anonymous. The RMA Journal; Philadelphia Vol. 88, Iss. 6,  (Feb 2006): 18-20.

Abstract

"All material risks" are any risks large enough to threaten the success of the enterprise in any
material way. Some institutions reserve the term enterprise risk management (ERM) for the
management of those risks that have to be managed at the enterprise level. To be truly
"methodical," risk management has to be based on some foundation concepts, incorporate some
basic practices and processes, include creation of a risk culture, be supported by appropriate
tools, and be driven and overseen by committed enterprise leadership. The definition of ERM --
the methodical management of all material risks -- is a deceptively simple one. The fact that it
refers to "all" material risks makes it comprehensive, and the built-in requirement that an
institution adopting ERM should manage its risks "methodically" means it must meet high
standards in defining, implementing, and governing a comprehensive risk management
framework.

Full Text

Although the components that make up the discipline of enterprise risk management (ERM) are
familiar enough, the concept itself is quite new. It is therefore important to come up with a good
definition sooner rather than later. At this stage in the evolution of a discipline, a definition can
be quite influential, especially if it becomes commonly accepted and widely understood, as we
hope the RMA definition will be.

A good definition is one that is easy to communicate and remember. At the same time, it should
be flexible enough to accommodate legitimate differences in approach among institutions, as
well as any shifting nuances as the discipline develops in the years ahead.

So with those criteria in mind, our definition of ERM is:

"The methodical management of all material risks."


Understanding the Definition: "All Material Risks"

To start with, what are "all material risks"? These are any risks large enough to threaten the
success of the enterprise in any material way.

Some institutions reserve the term "ERM" for the management of those risks that have to be
managed at the enterprise level. They would, for example, view market risk management in a
trading operation not as a part of ERM, but rather as a complementary, lower-level activity. They
are likely to set the bar quite high for what counts as a "material" risk.

Other institutions use the term to go more deeply, to include the management of specific risks in
particular activities. We prefer to interpret the definition this way, so it embraces all levels of risk
management. By implication, we set the bar of "materiality" quite low and consider any risk
"material" if it threatens the success of any significant part of the enterprise. But we do
acknowledge that reasonable people can differ in what they consider material, and we have no
objection to the definition being used in different ways by different institutions.

What kinds of risks are we including? In any financial institution we should include not only
market, credit, and operational risks, but also ALM and liquidity risks. When it comes to
reputational, business, and strategic risks, many institutions would include them, but some would
not. Once again, RMA prefers the broader definition, including these three types of risk as
covered by ERM, but we do acknowledge that reasonable people could have different, equally
valid opinions.

Understanding the Definition: "Methodical Management"

To be truly "methodical," risk management has to be based on some foundation concepts,
incorporate some basic practices and processes, include creation of a risk culture, be supported
by appropriate tools, and be driven and overseen by committed enterprise leadership.

Concepts. The five planks of the conceptual framework are 1) a risk language, 2) a risk culture,
3) a portfolio approach, 4) capital, and 5) a risk-return trade-off. How important these are
depends on the institution. For smaller institutions, risk language and culture are the important
ones. For larger institutions, they all matter.

A common language is an important part of any risk management discipline, especially ERM.
Everyone who needs to know should be aware of the basic risk types, what is meant by risk
appetite and profile, what a risk threshold is and its implications, the difference between
"intrinsic risk" and "residual risk," what "loss given default" and "probability of default" mean,
and so on.

A common language is a prerequisite for a common risk culture, a set of shared values and
beliefs that governs attitudes toward risk-taking, care, and integrity, and which determines how
openly risks and losses are reported and discussed.

A portfolio approach means treating an institution as though it is a portfolio of interconnected
risks. It means an approach to risk management in which the impact of any one risk is managed
with knowledge of how changes in the likelihood or severity of one risk will affect others. It is
often expressed in statistical or mathematical terms as co-variance or correlation among risks,
but it does not have to be, and indeed sometimes such precision is impossible. Still, thinking
about risks in relation to one another is a hallmark of ERM.

Economic capital, the common denominator of all residual risks, is the capital sufficient to
absorb loss with a certain level of confidence. Usually, it is set at a 99.9% or a 99.7% level of
confidence over a one-year holding period for a particular portfolio or activity. Economic capital
can be estimated for credit and market risk with reasonable accuracy in most institutions. In
larger institutions, it often can be estimated for operational and liquidity risk, too, but this is
difficult and, for the moment at least, the resulting estimates are a good deal less precise and
reliable. Although capital cannot be estimated for most other kinds of risk in practice, it is, in
principle, a universal measure of risk and consequently it has a place near the center of ERM as a
common conceptual link between all kinds of businesses, activities, and risks.
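As an added illustration (not from the RMA article) of the portfolio approach and of economic capital as described above: the Python below computes capital as a confidence-level multiple of loss volatility, first for each risk type in isolation and then for the institution treated as one portfolio of correlated risks, so the diversification benefit of managing risks in relation to one another becomes visible. The loss volatilities and the correlation matrix are constructed values, and the normal-distribution assumption is a simplification.

```python
from math import sqrt
from statistics import NormalDist

# Constructed, illustrative inputs for a hypothetical institution (not from the
# article): annual loss volatility per risk type, in millions.
RISK_SIGMAS = {"credit": 40.0, "market": 25.0, "operational": 15.0, "liquidity": 10.0}

# Constructed correlation matrix between those four risk types, in the same
# order as RISK_SIGMAS (symmetric, unit diagonal).
CORRELATION = [
    [1.0, 0.4, 0.2, 0.3],
    [0.4, 1.0, 0.1, 0.5],
    [0.2, 0.1, 1.0, 0.1],
    [0.3, 0.5, 0.1, 1.0],
]


def confidence_multiplier(confidence):
    """Standard-normal quantile for a one-sided confidence level (0.999 -> ~3.09).
    Assumes losses around the expected loss are normally distributed; real loss
    distributions are fat-tailed, so this understates tail capital."""
    return NormalDist().inv_cdf(confidence)


def standalone_capital(sigmas, confidence):
    """Economic capital per risk type measured in isolation: z * sigma."""
    z = confidence_multiplier(confidence)
    return {name: z * sigma for name, sigma in sigmas.items()}


def portfolio_capital(sigmas, correlation, confidence):
    """Economic capital for the institution treated as one portfolio of risks.
    Portfolio volatility is sqrt(sum over i,j of rho_ij * sigma_i * sigma_j)."""
    names = list(sigmas)
    variance = sum(
        correlation[i][j] * sigmas[a] * sigmas[b]
        for i, a in enumerate(names)
        for j, b in enumerate(names)
    )
    return confidence_multiplier(confidence) * sqrt(variance)


def diversification_benefit(sigmas, correlation, confidence):
    """Capital saved by the portfolio approach versus summing standalone figures."""
    undiversified = sum(standalone_capital(sigmas, confidence).values())
    return undiversified - portfolio_capital(sigmas, correlation, confidence)


if __name__ == "__main__":
    for conf in (0.997, 0.999):
        print(f"{conf:.1%}: portfolio {portfolio_capital(RISK_SIGMAS, CORRELATION, conf):.1f}M, "
              f"benefit {diversification_benefit(RISK_SIGMAS, CORRELATION, conf):.1f}M")
```

Setting every correlation to 1.0 removes the diversification benefit entirely, which is the case where the portfolio approach adds nothing over summing standalone figures.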

Finally, the idea of a risk-return trade-off is central to the implementation of ERM. When risks
are well managed, they nonetheless increase as returns increase, and pursuit of higher returns
almost always involves taking on more inherent risks. Institutions may be willing to tolerate
higher-than-average levels of risk, provided they are associated with higher-than-average returns.
When this is the case, one can think of a large part of ERM as the management of this trade-off
between risk and return along the risk-return frontier. For this purpose, many institutions use tools
and processes, such as risk-adjusted return on capital (RAROC), where they have sufficient data
and the investment in sophistication is worthwhile.

Practices and processes. As for all kinds of risk management, ERM processes start with the
familiar steps of identifying, assessing, managing, and mitigating risks. In the ERM context,
identification has to be very broad, and assessment has to use a common yardstick for the same
kind of risk wherever it arises, be it economic capital or some other measure of probability and
severity.

Management involves avoiding unacceptable risks and, where the costs of those strategies are
too great, managing down the impact of risks, either by reducing the likelihood or severity in
advance of an event, or by reducing the impact if an event occurs by proactively managing the
consequences.

Where risks are accepted, common practices for managing risk impacts down include setting
limits and thresholds, escalating risks or losses from one level of management to another when
thresholds are breached, hedging so that the adverse market impact in one part of the portfolio is
offset by a favorable impact in another, and preparing for mishaps through contingency and
business resumption planning.

Risk mitigation consists of buying insurance or setting aside capital so that residual risks can be
absorbed without threatening the ongoing viability of the enterprise.

Creating a risk culture. Methodical risk management also includes the creation and maintenance
of the risk culture. Techniques for creating a culture include the clear assignment of risk
ownership, strong controls, and the creation of incentives, both monetary and non-monetary, for
prudent risk-taking. The allocation of economic capital can be a major incentive for middle
management since it affects performance measures based on rates of return, and that in turn can
often affect compensation and recognition.

Finally, methodical management requires the attention of management at all levels regularly,
when risks change, and in a crisis. It also requires the allocation of sufficient resources (people,
technology, and capital) to risk management. These may seem like elementary points to make,
but they are where ERM can fail most quickly.

Tools. To support this integrated management of risk across an institution, most use a variety of
analytical frameworks, guides, libraries, surveys, and databases. Today, many of these are
automated to some degree and available as software tools. The wise use of tools is an integral
part of methodical risk management.

Making Sure It Happens

The previous two sections define "material risks" and "methodical management." But something
is still missing from the ERM definition: The full meaning is greater than the sum of the parts.

The missing component is leadership. Effective ERM requires a senior management and a board
that are committed to every aspect of ERM. This leadership has to set an example first by giving
risk management sufficient attention and resources. ERM requires attention regularly, as well as
when circumstances change significantly and during a crisis. It also requires resources and the
implementation of sound risk management practices. These may seem like elementary points;
however, when they are neglected, ERM becomes nothing more than an empty slogan.

Leadership then must set an example of openness, clarity, care, and integrity, and must recognize
and reward risk-taking that reflects the institution's risk appetite and is in accord with the
institution's risk culture.

Of course, leadership is also about anticipating threats and opportunities, and an intrinsic
characteristic of ERM is that it should be forward looking. It should influence and facilitate
business strategy and shape the development and execution of business plans. And in larger
institutions it should contribute to, and be evaluated against, definite targets for earnings
volatility and bond ratings.

Finally, to make ERM work requires appropriate governance and oversight. Senior management
has to create the right environment for risk management throughout the institution, as well as
define and implement the risk management framework (the descriptions of risk and the practices
and processes we have just described) using policies, procedures, incentives, and supervision.
The board of directors has to understand the risks the enterprise takes on, approve the
framework, agree on the policies and procedures, and verify through independent audit that what
management says is happening is, in fact, really happening. All these elements of good
governance are part and parcel of ERM, just as they are of any kind of risk management.

Conclusion

Our definition of ERM, the methodical management of all material risks, is a deceptively simple
one. The fact that it refers to "all" material risks makes it comprehensive, and the built-in
requirement that an institution adopting ERM should manage its risks "methodically" means it
must meet high standards in defining, implementing, and governing a comprehensive risk
management framework.

There remains plenty of legitimate scope for different interpretations of ERM in different
institutions. And ERM is a young discipline, so, undoubtedly, new challenges will emerge, new
approaches will be developed, and our notions of what constitutes ERM will evolve over time.
Still, our hope is that the RMA definition will prove helpful to financial institutions of all kinds
and sizes for some time to come.

Sidebar

Enterprise Risk Management

Definition:

The methodical management of all material risks.

Supporting Definitions:

Material Risks

A potentially significant threat to the success of the enterprise.

Include credit, market, operational, ALM, liquidity, reputational, business, and strategic risks.

Methodical Management

Based on five concepts: risk language, risk culture, portfolio approach, capital, and risk-return
trade-off.

Includes four basic processes: identifying, assessing, managing, and mitigating risks.

Involves creating a risk culture through assigning risk ownership, leadership by example, and
incentives.

Supported by appropriate tools.

Senior management provides leadership through:


* sufficient attention to risk management: routinely, in change situations, and during crises.

* sufficient allocation of resources to risk management.

* creating the right environment.

* defining the risk management framework and managing its implementation.

* ensuring that the board understands the risks, approves the framework, and corroborates what
management tells it through independent audit.


Copyright Robert Morris Associates Feb 2006
