What Is Enterprise Risk Management, and Why Should Financial Reporting Actuaries Care?
By Carol Marler, FSA, MAAA, Associate Actuary at GE Insurance Solutions
The following article first appeared in the September 2005 issue of The Financial Reporter: The Newsletter of the Life Insurance Company Financial Reporting Section. For more information, visit the CAS Web Site and the Joint Risk Management Task Force Web Page.
Risk management can be described as a systematic process of
- identifying events or circumstances that can have an impact on the achievement of business goals,
- quantifying these effects and the likelihood that they will occur,
- prioritizing the risks with greatest impact,
- developing strategies for monitoring and dealing with the top priority risks, and
- implementing these strategies and continually evaluating the whole process.
Types of strategies that may be used range from risk acceptance or retention through risk reduction or risk transfer to risk avoidance (with associated opportunity cost).
Actuaries will find nothing surprising in this process, and will probably agree with the person who observed, "This is exactly what I have been doing throughout my actuarial career."
Likewise, many of the metrics used to evaluate risks are very familiar to financial reporting actuaries. For example, asset duration (for fixed/yield investments) and the "Greeks"—delta, gamma, vega,* theta, and rho—(for equities) are measures of the sensitivity of asset values to various parameters such as discount rate.
The riskiness of financial measures built on present values (of cash flows, book profits, distributable earnings, etc.) is frequently analyzed in terms of sensitivity to changes in assumptions. Another way of looking at riskiness is to determine the value of an implicit or explicit policyholder option, either by formula or by a stochastic model. Risk-based capital is another approach to quantifying riskiness, also by the use of standard formulas or through stochastic modeling and guidelines such as conditional tail expectation.
It is no wonder that the leaders of our profession want to see actuaries recognized as key players in the world of risk management. However, the inclusion of the key word "enterprise" gives a much broader perspective to the issue of risk management.
The accounting profession recently issued a report entitled "Enterprise Risk Management—An Integrated Framework." This report, and the associated framework, is often identified by the acronym COSO. (A summary of the COSO article, a response to it from the American Academy of Actuaries, other background information, and much work that has been performed by the Society of Actuaries' Risk Management Task Force.)
The report defines enterprise risk management as follows:
Enterprise risk management is a process effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and to manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives (emphasis added).
This added emphasis is important to remember, for enterprise risk management does not limit itself to financial risks, although those are certainly included. Examples of other risks less subject to quantification and actuarial modeling include employee training, morale and motivation, competitor behavior and product initiatives, tax and regulatory changes, company reputation, and customer satisfaction. Even where numeric measures of these risks are available, it is far from clear how to integrate them into a common platform where they can be combined with measures of financial risk.
As actuaries, we are experts in dealing with the quantifiable risks, but we may be out of our comfort zone in dealing with the more qualitative risks. And our models can lead us astray, simply because the answers they give are clear and definite. We must be cautious to avoid falling into a trap, which my former co-worker dubbed illusory accuracy. After all, the results cannot be more accurate than the underlying data and assumptions.
Indeed, every model must have some simplifications and approximations in order to make it manageable. But "model risk" is a real risk. It is the possibility that, as a result of changed circumstances, previously acceptable simplifications/approximations no longer give results that match the real world.
In its response to the COSO framework mentioned above, the American Academy of Actuaries made this point:
Quantifying risk is a difficult yet critical aspect of the risk management process. Many of the risks to be considered in the quantification process have not yet occurred, happen so infrequently that there is little relevant data, or are not managed in an integrated manner.
The Academy recommends "a continuous comprehensive analysis of key risk types and their possible interactions." Such a dynamic process will not be easy to implement, and it seems to me that we as actuaries and managers have our work cut out for us if we hope to accomplish this. The Academy response does acknowledge that many risks are difficult to evaluate and quantify.
In addition, an enterprise-wide process will require actuaries to demonstrate the ability to communicate clearly and effectively with employees at various levels and with expertise in various functional areas of the business. This collaborative approach to risk management will be a test of our skills in communicating our technical expertise to a nontechnical audience. We as a profession need to find ways to improve our communication skills, both in terms of presentation skills and in our ability to listen.
Many of us could learn to be more effective listeners, especially when we are dealing with those whose expertise is in those areas that are more qualitative and harder to quantify. In any case, I think we have much to learn from people who view the world from a different perspective. Also, note that the COSO definition talks about an entity's risk appetite. This is a very hard thing to pin down, particularly with regard to nonfinancial risks, and the ability to listen to and understand the viewpoints of other people will be key to success in this endeavor.
Management fads may come and go, and the terminology of enterprise risk management may change and evolve. Nevertheless, the concept is here to stay, for the underlying concepts are important to each of us and to our employers and clients.
*Author's note: This metric is also sometimes called kappa or lambda. Whatever name it is given, it is a measure of the variability in the price of an option with respect to the volatility of the underlying instrument.
Copyright 2005 by the Society of Actuaries, Schaumburg, Illinois. Reprinted with permission.
