Ten predictions for risk management

It's so tempting to think that it was much easier to advance a banking career in the "good old days" (which vary, depending on our age). Well, 2003 will some day be known as the "good old days" of enterprise-wide risk management. The future awaits...

The future for risk management is bright.

Regulators and managers are recognizing the importance of risk management as a way to minimize losses and improve business performance. Risk professionals are moving up in the business world, both in terms of organizational level and compensation. Advances in risk methodologies and technologies are introducing a vast array of new tools for measuring and managing enterprise-wide risks, at a higher speed and lower cost than anyone could have imagined just a few years ago. While there are many remaining challenges, one cannot help but think that the best is yet to come for the risk management profession. Against this backdrop, I will look into my crystal ball and make 10 predictions of how risk management will change over the next decade.

1. ERM will become the industry standard for risk management.

ERM (enterprise-wide risk management) will continue to gain acceptance as the best way to ensure that a firm's internal and external resources work efficiently and effectively in optimizing its risk/return profile. New financial disasters will continue to highlight the pitfalls of the traditional "silo" approach to risk management. External stakeholders will continue to hold the board of directors and senior management responsible for risk oversight and demand an increasing level of risk transparency. More importantly, leaders in ERM will continue to produce more consistent business results over various economic cycles and weather market stresses better than their competitors. Their successes will gain attention and other companies will follow. These trends, coupled with a stock market that is increasingly unforgiving of negative earnings surprises, will compel businesses in all industries to adopt a much more integrated approach to measuring and managing enterprise-wide risks.

2. A CRO will become prevalent in risk-intensive businesses.

The rise of the CRO goes hand-in-hand with the trend toward enterprise risk management. Risk management is a key driver of success for financial institutions, energy firms, asset management firms, and nonfinancial corporations with significant risk exposures. Many market leaders in these industries have already created the position of a CRO. Others will follow suit. Companies without a CRO are faced with three perplexing questions: First, are we comfortable with diffused risk responsibilities, and if not, who is the de facto CRO--the CEO or CEO? Second, are their necessarily part-time efforts sufficient to manage risk in an increasingly volatile business environment? Finally, will the company be able to attract and retain high-caliber risk professionals if a CRO career track is not available to them? For an increasing number of companies, the logical resolution of these questions will be the appointment of a CRO and the dedication of resources to implement an ERM program.

3. Audit committees will evolve into risk committees.

As boards of directors recognize that they have responsibilities to ensure that appropriate risk management resources are in place, they will replace or supplement their audit committees with risk committees. A number of leading institutions have already established risk committees of the board. The board's responsibilities for risk management have been clearly established in regulatory and industry initiatives worldwide, including the Dey Report in Canada, the Turnbull Report in the U.K., and the Treadway Commission Report in the U.S. The result of these and other similar initiatives is that board directors have begun to realize that their responsibilities go beyond traditional audit activities, and that they need to ensure resources and controls are in place for all types of risk. Going forward, companies will establish risk committees of the board, and their audit committees will either become subcommittees or independent committees that have the traditional audit committee focus of ensuring accurate finan cial reporting and statements.

4. Economic capital will be in.

VaR (1) will be out: Managers and external stakeholders will demand a standardized unit of risk measurement, or common currency, for all types of risk. This way, they can spot trends in a company's risk profile, as well as compare the risk/return performance of one company against others. To date, VaR has gained wide acceptance as a standardized measure for market risk. However, VaR has three major flaws. First, it does not capture "tail risks" due to highly infrequent, but potentially devastating, events. Second, its inability to capture tail risks makes VaR a poor measure for credit and operational risks (or even market risk positions with significant optionality). Third, VaR measures the risk, not the return, of any risk position. Yet financial models that have passed the test of time, such as CAPM or the Black-Scholes option pricing model, evaluate both risk and return. The concept of economic capital is intuitively appealing because one of the main reasons companies hold capital is to absorb potential losse s from all types of risk. Risk-adjusted return on capital extends the concept and measures business profitability on a risk-adjusted basis. The Basel Committee has already adopted economic capital as the framework for international regulatory capital requirements in the banking industry. Other industries will follow and adopt it as a common currency for risk.

5. Risk transfer will be executed at the enterprise level.

The integration of risk-transfer activities has already happened as far as hedging and insurance strategies are concerned. For example, companies that hedge with derivatives realize they can save on hedging costs if they execute portfolio hedges rather than individual securities hedges. Companies that bundle their insurance coverage through multi-risk multiyear policies are also realizing significant savings on insurance premiums. Alternative risk transfer (ART) goes one step further in combining capital markets and insurance techniques. The rise of ERM and ART products will mean that risk-transfer strategies are increasingly formulated and executed at the enterprise level. In the past, companies made risk-transfer decisions to control specific risks within a defined range, without being particularly thoughtful about the cost of risk transfer unless it was prohibitively high. In the future, companies will make risk-transfer decisions based on an explicit comparison between the cost of risk retention versus t he cost of risk transfer and execute only those transactions that increase shareholder value.

6. Advanced technology will have a profound impact on risk management.

The Internet (and Intranet) will have a significant impact on risk management and how information, analytics, and risk-transfer products are distributed. Beyond the Internet, the increase in computing speed and decline in data storage costs will provide much more powerful risk management systems. Mid-sized companies will have access to sophisticated risk models that were once the privilege of large organizations. Even individual investors will be able to apply advanced risk/return measurement tools in managing their investment portfolios. Just as market risk measurement at large trading organizations is being conducted increasingly frequently, the time interval for enterprise-wide risk measurement and reporting will move from monthly to weekly to daily, and perhaps ultimately to real time. Moreover, the development of wireless and handheld communication devises will enable the instantaneous escalation of critical risk events and allow risk managers to respond immediately to emerging problems or new opportuni ties.

7. A measurement standard will emerge for operational risk.

Today, there is considerable debate not only about the quantification of operational risk, but also about how to best define it. Approaches to assessing operational risk range from qualitative assessment of probability and severity based on management judgment, to quantitative estimates of potential loss based on industry and company loss histories. The lack of consistent operational loss data, partially as a function of the infrequency of major operational risk events, has led to the development of analytical models such as extreme value theory to come up with loss estimates. Other models borrow from total quality management techniques or dynamic simulations to quantify operational risk. More recently, there has been some support, and some encouraging results, from early experimentation with neural networks to recognize patterns in operational risk. As the practice of operational risk management gains acceptance, and as data resources become more available as a result of company and industry initiatives, a measurement standard will emerge for operational risk. However, the greatest challenge for operational risk will remain one of management, not measurement.

8. Mark-to-market accounting will be the basis of financial reporting.

Over time, the risk management profession has recognized the importance of mark-to-market accounting versus accrual accounting in reporting the financial condition of a company. While accrual accounting is adequate in reporting the value of physical assets, it can provide the wrong signals in reporting financial and other intangible assets. The use of mark-to-market accounting is widely accepted in the market risk field and is gaining acceptance in credit risk management, where credit-based assets are mark-to-market given their probability of default (e.g., credit ratings or credit spreads). Given the cry for greater risk transparency from shareholders and regulators, it is likely that variability (i.e., risk sensitivity) will be much more integrated into financial reporting in future, including the full use of mark-to-market accounting for all financial assets.

9. Risk education will be a part of corporate training and college finance programs.

As companies recognize the need to train and develop their risk management staff, corporate training programs will increasingly feature risk management. These training programs will likely be a combination of internal and external resources, and include internal workshops, external conferences, and Internet-based training tools. Given the rising corporate demand for skilled risk professionals, professional organizations and colleges will continue to integrate risk management into their course offerings. Professional certification and college degree programs will gain popularity and acceptance. Similar to the development of the CFA certification in finance and investments over the past decade, a widely accepted professional certification in risk management will emerge in the next decade. Colleges will expand their course offerings beyond derivative products and credit analysis and offer courses in ERM, risk management applications in various industries, and integrated risk transfer.

10. The salary gap among risk professionals will continue to widen.

The trend toward ERM and the appointment of GROs have created an exciting career path, and attractive compensation opportunities, for risk professionals. However, this new career opportunity will be available only to risk professionals who continue to develop new skills and gain new experiences, while the other will be left behind. The salary gap that has developed over the past several years will continue to widen in the next 10 years. On the one hand, the compensation for risk professionals with cross-functional skills will increase faster than in other professions due to rising demand for their services. On the other hand, risk professionals with narrow skills or in limited intermediary roles will not enjoy above-average raises, and they may in fact experience declining job security as their jobs become less relevant in the new world of risk management.

RELATED ARTICLE: Enterprise Risk Management Is...

...a comprehensive and integrated framework for managing credit risk, market risk, operational risk, economic capital, and risk transfer to maximize firm value.

A growing number of financial institutions have adopted an ERM approach, often under the leadership of a chief risk officer (CRO). The CRO usually reports directly to the CEO, and some even have a dotted line to the board of directors. The office of the CRO generally includes the functional heads for credit risk, market risk, operational risk, risk policy, and risk analytics and reporting. Other oversight functions (e.g., audit compliance) and line risk units would also have a solid or dotted-line reporting relationship to the CRO.

The rationale for ERM is that financial institutions must manage all of their risks based on a robust analysis of aggregate exposures and key interdependencies. Companies that have implemented ERM programs have reported material improvements in loss experience, customer satisfication, regulatory capital relief, pricing performance, and shareholder value.

Notes

(1.) Value-at-risk (VaR) can be defined as the maxi mum potential loss given a predefined tine horizon and confidence level. For example, daily VaR of $10,000 given a 95% confidence level indicates that losses would exceed $10,000 only 5% of the time (or about one day per month).

James Lam can be reached by email at jameslam@attbi.com

[C] 2003 by RMA. James Lam is president of James Lam & Associates, a Wellesley-based risk advisory firm. This article is an excerpt from his book Enterprise Risk Management--From Incentives to Controls, which will be published by Wiley Finance this month.

COPYRIGHT 2003 The Risk Management Association
COPYRIGHT 2005 Gale Group