Enterprise Risk Management


Nov 9, 2013



, 2010

A.V. Vedpuriswar


We had 20 people on the beach looking at grains of sand with microscopes
when the tsunami came along and wiped everybody out.

Cleaning up DRCM was, in the words of one UBS employee, like mopping up
spilt milk on the deck of the Titanic.

FT April 20, 2008




Understanding risk

Getting the big picture

Taking a holistic view

Recognising human infallibilities

Being clear about our priorities



Enterprise Risk Management: Theory and Practice, Brian W. Nocco, and
René M. Stulz, Journal of Applied Corporate Finance, Fall 2006

Strategic Risk Taking, Aswath Damodaran

The Black Swan, Nassim Nicholas Taleb

Integrated Risk Management for the Firm: A Senior Manager’s Guide,
Working paper by Lisa K. Meulbroek

Kenneth Froot, David Scharfstein & Jeremy Stein, “A framework for risk
management”, Harvard Business Review, Nov

Options, futures and Derivative Securities, John C Hull

Risk Management and Financial Institutions, John C Hull

FRM Body of Knowledge


Ice breaker

What are the fundamental laws of Physics?

What are the fundamental laws of Economics?

What about Financial Economics?


A problem which took 160 years to solve

Luca Pacioli, an Italian monk, framed a famous problem.

Two gamblers are playing a best-of-five dice game.

They are interrupted after three games with one gambler
leading 2 to 1.

What is the fairest way to divide the pot between the two
gamblers, taking into account the current status of the

Blaise Pascal and Pierre de Fermat solved the problem after
about 160 years.

How? Assume all the 5 games are played.
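
The hint above can be worked through in code. This is an added example, not part of the original slides: it plays out every remaining game (the "assume all 5 games are played" device) and cross-checks the result against a recursion that stops once the series is decided. The function names and the default of evenly matched gamblers (p = 1/2) are assumptions, and the code generalizes to any interrupted score.

```python
from fractions import Fraction
from itertools import product


def fermat_share(wins_a, wins_b, best_of=5, p=Fraction(1, 2)):
    """Chance that gambler A takes an interrupted best-of-`best_of` series.

    Every remaining game is treated as played, even after the series is
    decided, so all continuations have the same length and can be weighed
    against each other. p is A's chance of winning one game (assumed 1/2).
    """
    target = best_of // 2 + 1                 # wins needed to take the pot
    remaining = best_of - wins_a - wins_b     # games not yet played
    share = Fraction(0)
    for outcome in product("AB", repeat=remaining):
        a_extra = outcome.count("A")
        prob = p ** a_extra * (1 - p) ** (remaining - a_extra)
        if wins_a + a_extra >= target:
            share += prob
    return share


def pascal_share(need_a, need_b, p=Fraction(1, 2)):
    """Same quantity by recursion on the wins each gambler still needs,
    stopping as soon as one of them has won the series."""
    if need_a == 0:
        return Fraction(1)
    if need_b == 0:
        return Fraction(0)
    return (p * pascal_share(need_a - 1, need_b, p)
            + (1 - p) * pascal_share(need_a, need_b - 1, p))


def divide_pot(pot, wins_a, wins_b, best_of=5, p=Fraction(1, 2)):
    """Split the pot in proportion to each gambler's chance of winning."""
    share_a = fermat_share(wins_a, wins_b, best_of, p)
    target = best_of // 2 + 1
    # Both methods must agree; a mismatch would signal a modelling error.
    assert share_a == pascal_share(target - wins_a, target - wins_b, p)
    return pot * share_a, pot * (1 - share_a)


if __name__ == "__main__":
    # The slide's case: interrupted at 2 to 1 in a best-of-five game.
    leader, trailer = divide_pot(100, 2, 1)
    print(f"Leader gets {leader}, trailer gets {trailer}")
```
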


Another teaser

I give you two options

Take Rs. 50

I toss a coin. Heads you get Rs. 100 and tails you get 0

Which will you choose?

I give you two options

Pay Rs. 50

I toss a coin. Heads you pay Rs. 100 and tails you pay 0

Which will you choose?


A third teaser

The bird flu epidemic is expected to hit your town and it is
estimated that 600 people will die. Which of the following two
drugs, A or B, will people recommend to combat the
epidemic, given the following information?

If Drug A is used: 200 will be saved.

If Drug B is used: 1/3 chance that all 600 will be saved and
2/3 chance that nobody will be saved.

It seems a greater percentage of the respondents vote
for Drug A


The bird flu epidemic is expected to hit your town and it is
estimated that 600 people will die. Which of the following two
drugs, C or D, will people recommend to combat the
epidemic, given the following information?

If Drug C is used: 400 will die.

If Drug D is used: 1/3 chance that nobody will die, and 2/3
chance that 600 will die.

It seems a greater percentage of the respondents vote
for Drug D.


Key messages

Our attitudes towards risk are highly perplexing.

The essence of good risk management is making the right
choices when it comes to dealing with different risks.

Risk management should not be equated with risk hedging.

The most successful companies have risen to the top by finding
particular risks that they are better at exploiting than their

Some risks are “black swans”.

They come when we least expect them but their effects can be

An integrated approach to risk management can be highly


How Enterprise Risk Management adds value

Enterprise Risk Management creates value at both a “macro”
or company-wide level and a “micro” or business-unit level.

At the macro level, ERM enables senior managers to quantify
and manage the risk-return tradeoff that faces the entire firm.

At the micro level, ERM becomes a way of life for managers
and employees at all levels of the company.

Why did risk management fail during the financial melt down of


What determines the value of a firm?

The value of a firm can generally be considered a function of
four key inputs

Cash flow from assets in place or investments already

Expected growth rate in cash flows during a period of high
growth excess returns

Time before stable growth sets in and excess returns are

Discount rate which reflects both the risk of the investment
and the financing mix used by the firm


What can a firm do to increase its value?

Generate more cash flows from existing assets

Grow faster or more efficiently during the high growth phase

Prolong the high growth phase

Lower the cost of capital

What is the role of risk management in adding value to firm?


How hedging can help?

Managers often under invest because of risk aversion.

By providing hedging tools, we can remove the disincentive
that prevents them from investing.

By hedging and smoothening earnings, firms can extend
their high growth/excess returns period.

Providing protection against firm specific risks may help
align the interest of stockholders and managers and lead to
higher firm value.

The pay off from risk hedging must be greater for firms with
weak corporate governance structures and managers with
long tenure.


How taking risk helps?

The way the firm strategically manages its risk exposure,
such as by making the right R&D investments, will clearly
help in extending the growth phase.

The pay off from risk management may be greater in
businesses that are volatile but earn high returns on

There must be unpredictable, but lucrative investment

Look for the positive black swans!


Strategy, Finance, and Operations : The need for

Risk management as a discipline has evolved unevenly
across different functional areas.

In strategy, the focus has been on competitive advantage
and barriers to entry.

In finance, the preoccupation has been with hedging and
discount rates. Little attention has been paid to the upside.

People in charge of operations may not have the big picture.

Risk management at most organizations is splintered.

There is little communication between those who assess
risk and those who make decisions based on those risk

Three ways to manage risk

Fundamentally, there are three ways to manage risk.

Which are these ways?


Different approaches to managing risk









capital structure






Integrated risk management

“Integration” refers to

the combination of these three risk management


and to the aggregation of all the risks faced by the firm.

Integrated risk management is by its nature “strategic”, rather
than “tactical”.

Because the three ways to manage risk are functionally
equivalent in their effect on risk, their use connects seemingly
unrelated managerial decisions.

For instance, effective capital structure decisions cannot be
made in isolation from the firm’s other risk management

Can we think of some examples?


Modifying the firm’s operations to gain competitive

Companies are in business to
take strategic and business

By reducing non-core exposures, ERM effectively enables
companies to take more strategic business risks.

Consider the following :

Pharma R&D

Human capital management in software company

Cricket pitch during rainy season

Environmental management

Oil company


When to hold the risk?

Companies should be guided by the principle of
advantage in risk

A company that has no special ability to forecast market
variables has no comparative advantage in bearing the risk
associated with those variables.

In contrast, the same company should have a comparative
advantage in bearing information-intensive, firm-specific
business risks.

That is because it knows more about these risks than
anybody else.


Risk transfer using targeted financial instruments

When should firms use targeted financial instruments?

Some risks cannot be managed effectively through the
operations of the firm.

Either because no feasible operational approach exists.

Or an operational solution is simply too expensive to
implement or it is too disruptive of the firm’s strategic goals.

Targeted financial instruments are especially suited for firms
with large exposures to commodity prices, currencies, interest
rates, or the overall stock market.


Risk adjustment via the capital structure

By decreasing the amount of debt in the capital structure,
managers can reduce the shareholder’s total risk exposure.

Lower debt means that the firm has fewer fixed expenses.

This translates into greater flexibility in responding to any
type of volatility that affects firm value.

Lower debt also reduces the chance that the firm becomes
financially distressed.


Equity: An all purpose cushion

Equity provides an all-purpose risk cushion against loss.

There are some risks that a firm can both anticipate and
measure relatively precisely and these can be shed through
targeted risk management.

Equity provides ideal protection against those other risks
that cannot be readily anticipated or measured, or for which
no specific targeted financial instrument exists.

The larger the amount of risk that cannot be accurately
measured or shed, the larger the firm’s equity cushion
should be.

What is the current debate about banking?

The most important risks faced by Corporates


Ref: , “The theory and practice of corporate risk management”, Journal
of Applied Corporate Finance, Fall 2009

Benefits of risk management for Corporates


Ref: , “The theory and practice of corporate risk management”, Journal
of Applied Corporate Finance, Fall 2009

Costs of risk management for corporates


Ref: , “The theory and practice of corporate risk management”, Journal
of Applied Corporate Finance, Fall 2009

The most important risk management products used
by corporates


Ref: , “The theory and practice of corporate risk management”, Journal
of Applied Corporate Finance, Fall 2009

Measuring risk management


Ref: , “The theory and practice of corporate risk management”, Journal
of Applied Corporate Finance, Fall 2009

Liquidity, model and market risks

Liquidity, market and model risks are interrelated.

Breakdown of markets leads to liquidity problems.

When markets are not in place, models become necessary.

Models pose various risks.

Credit and market risks are interrelated.

Consider bonds

Consider swaps

Financial Disintermediation has led to more integration


Credit and Market risks

Market and operational risks are interrelated

When positions move, losses may have to be booked.

Trader’s psychology may lead to systems and processes
being breached.

More risks may be taken than warranted.

Sound systems and processes can help.


Market and operational Risks


Behavioral issues in Risk Management


The duality of risk

It is part of human nature to be attracted to risk.

At the same time, there is evidence that human beings try to
avoid risk in both physical and financial pursuits.

Some individuals take more risk than others.


Behavioural finance and prospect theory

Decisions are affected by the way choices are framed.

Individuals may be risk seeking in some situations and risk
averse in others.

Individuals feel more pain from losses than from equivalent


Propositions about risk aversion (1/2)

Individuals are generally risk averse and more so when the stakes are large
than when they are small.

There are big differences in risk aversion across the population and noticeable
differences across sub groups.

Individuals are far more affected by losses than by equivalent gains.

The choices that people make when presented with risky choices or gambles
depend on how the choice is presented.

Individuals tend to be much more willing to take risk with what they consider
found money than with money they have earned.


Propositions about risk aversion (2/2)

There are two scenarios where risk aversion seems to
decrease and is even replaced by risk seeking.

One is when individuals are offered the chance of making an
extremely large sum with a small probability of success.

The other is when individuals who have lost money are
presented with choices that allow them to make their
money back.

When faced with risky choices, individuals often make
mistakes in assessing the probabilities of outcomes,
overestimating the likelihood of success.

The problem gets worse as the choices become more


Risk Management vs. Risk hedging

Risk management is aimed at generating higher and more
sustainable excess returns.

The benefits of risk management will be greatest in
businesses with high volatility and strong barriers to entry.

The greater the range of firm specific risks, the greater the
potential for risk management.

Risk management will create more value if new entrants can
be kept out of business.


Managing the upside

A simple vision of successful risk taking is that we should
expand our exposure to upside risk while reducing the
potential for downside risk.

The excess returns on new investments and the length of
the high growth period will be directly affected by decisions
on how much risk to take in new investments.

There is a positive pay off to risk taking but not if it is

Firms that are selective about the risks they take can exploit
these risks to their advantage.

Firms that take risks without sufficiently preparing for their
consequences can be hurt badly.


Risk Management vs. Risk Hedging: A summary

| | Risk Hedging | Risk Management |
|---|---|---|
| View of risk | Risk is a danger | Risk is a danger & an opportunity |
| | Protect against the downside | Exploit the upside |
| | Financial, Product oriented | Strategy/cross functional process |
| Measure of success | Reduce volatility in earnings, cash flows, value | Higher value |
| Type of real option | | |
| Primary impact on value | Lower discount rate | Higher & sustainable excess returns |
| Ideal situation | Closely held, private firms, publicly traded firms with high financial leverage or distress costs | Volatile businesses with significant potential for excess returns |

ERM : Managing the upside and the downside


Ref : Ten Common misconceptions about ERM, , by John R. S. Fraser, Hydro One, and Betty J.
, Oklahoma State University, Journal of Applied Corporate Finance, Fall 2007


How to gain an advantage over competitors through
superior risk management






Corporate governance


Reward/punishment mechanisms


Information advantage

Firms that take risk must invest in superior information networks.

Companies must be clear about the kind of information needed for decision
making in a crisis and put in place necessary information systems.

Early warning information systems must trigger alerts and preset responses.


The speed advantage

The speed of response can be critical in a crisis.

Speed depends on the quality of information, and understanding the potential
consequences and the interests of the stakeholders.

Organizational structure and culture also determine the speed of response.


The experience/knowledge advantage

Having experienced similar crises in the past can give us an advantage.

Firms must invest in learning.

They can enter new and unfamiliar markets, expose themselves to risk
and learn from mistakes.

They can acquire firms in unfamiliar markets.

They can form strategic alliances or poach people with the
necessary expertise.


The resource advantage

Having the resources to deal with crisis can give a company a significant
advantage over competitors.



A flexible response to changing circumstances can be a generic advantage.

For some firms, flexibility may come from production facilities that can be
modified at short notice to produce modified products that better fit customer

For others, flexibility may come from lower overheads/fixed costs.

Flexibility also means the ability to get rid of past baggage, cannibalising existing
product lines and having a “paranoid” culture.


Corporate governance

Interests of decision makers must be aligned with those of the owners.

Both managers with too little wealth and too much wealth tied up in their
business will not take risk.

The appropriate corporate governance structure for the risk taking firms would
call for decision makers to be invested in the equity of the firm but also to be



When facing a crisis, some people panic, others freeze but a few thrive and
become better decision makers.


Reward/Punishment mechanisms

A good compensation system must consider both process and results.


Five questions about risk

Question #1: Have senior managers communicated the core values of the business in a
way that people understand and embrace?

Question #2: Have managers in the organization clearly identified the specific actions and
behaviors that are off

Question #3: Are diagnostic control systems adequate at monitoring critical performance

Question #4: Are the control systems interactive and designed to stimulate learning?

Question #5: Is the company paying enough for traditional internal controls?


Risk management: First principles (1/2)

Risk is everywhere: Our biggest risks will come from places that we
least expect them to come from and in forms that we did not anticipate
that they would take.

Risk is threat and opportunity: Good risk management is about
striking the right balance between seeking out and avoiding risk.

We are ambivalent about risks and not always rational: A risk
management system is only as good as the people manning it.

Not all risk is created equal: Different risks have different implications
for different stakeholders.

Risk can be measured: The debate should be about what tools to use
to assess risk rather than whether it can be assessed.

Good risk measurement should lead to better decisions: The risk
assessment tools should be tailored to the decision making process.


Risk management: First principles (2/2)

The key to good risk management is deciding which risks to avoid, which
ones to pass through and which to exploit: Hedging risk is only a small
part of risk management.

The pay off to better risk management is higher value: To manage risk
right, we must understand the levers that determine the value of a business.

Risk management is part of everyone’s job: Ultimately, managing risks well
is the essence of good business practice and is everyone’s responsibility.

Successful risk taking organizations do not get there by accident:
Risk management philosophy must be embedded in the company’s structure
and culture.

Aligning the interests of managers and owners, good and timely
information, solid analysis, flexibility and good people is key:
These are the key building blocks of a successful risk taking organization.


Concluding remarks

Extreme negative outcomes are always a possibility, and the
effectiveness of risk management cannot be judged on whether such
outcomes materialize.

The role of risk management is to limit the probability of such outcomes
to an agreed-upon, value-maximizing level.

A company where risk is well understood and well managed will
command the resources required to invest in the valuable projects
available to it because it is trusted by investors.

In such cases, investors will be able to distinguish bad outcomes that are
the result of bad luck rather than bad management, and that should give
them confidence to keep investing in the firm.