Chapter 1 - Introduction To Risk Management PDF
Uploaded by DeadCheapVerisimilitude
Toronto Metropolitan University
Summary
This chapter introduces the evolving risk management environment. It describes how risk management is becoming more complex due to technological advancements, and how new methods of identifying, assessing, and managing a variety of risks are critical for organizational success.
Chapter 1 -- Introduction to Risk Management
============================================

The Risk Management Environment
-------------------------------

**Objective**

**Explain how the risk management environment is evolving.**

Risk management can be the difference between an invisible threat that vanishes before we are even aware of it and one that causes a loss whose gravity can imperil a global corporation and its customers. Imagine a rogue microbe that stows away in a food distributor's lettuce supply. As the bacteria multiply, the tainted greens hitch rides on tractors, trucks, and cargo planes throughout the unwitting supplier's network. But the ramifications are not apparent until clusters of consumers begin reporting salmonella symptoms: widespread sickness, accusatory headlines, and potential lawsuits for any company implicated in the produce's fateful trip from farm to table.

Traditional risk management may have prevented this scenario from unfolding. For example, the distributor could have developed safe food-handling techniques, or downstream users could have imposed standards on suppliers. And it may have mitigated some of the consequences, as insurance could have covered a business's liability, continuity plans may have guided a company's reputation rehabilitation, and so forth. Ultimately, though, these measures would have been undermined by uncertainty---whether about the outbreak's true origin, its scope, its severity, or any number of additional factors that simply could not be known.

However, today's risk management environment is animated by increasingly potent combinations of inexpensive data-gathering technology and predictive analytic techniques that can transform data into more certainty about risk management decisions than ever before. The food distributor could have virtual eyes and ears at every step along the supply chain, with data about the journey recorded in an immutable electronic ledger accessible to every farm, store, and restaurant in its network---for example, in conjunction with the ability to immediately pinpoint conditions (such as a tainted water supply or ailing livestock) that could lead to a potential outbreak in real time before it spreads. Founded in traditional risk management, these kinds of innovations represent the next step in the evolution from merely reacting to a loss after it occurs to preventing it from happening in the first place.

The Evolution of Risk and Risk Management
-----------------------------------------

This transformation of the risk management environment has occurred in tandem with the evolution of how we think of risk and risk management itself. The traditional concept of risk, inherent in insurance, is that risk is a hazard posed to an individual or organization. For example, fire or wind could destroy a home or business. In this context, the homeowner or business owner views risk in a negative sense, a possibility of loss. Today's conception of risk also incorporates its potential positive consequences---the idea that taking risks is necessary for growth. In this context, a home or business could increase in value over time.

Recent risk management theory also includes the concept of a holistic approach to risk management. Organizations now realize the importance of managing all their risks, not just those that are familiar or easy to quantify. Risks that may seem relatively harmless or unlikely do have the potential to create significant damage or opportunity when they interact with other events. This holistic view of risk helps identify the risks that truly matter to an organization and provides a full perspective of the identified risks. High-level categories of risk include hazard risks, operational risks, financial risks, and strategic risks. These categories can be broken down into subcategories, such as project risk, financial reporting risk, and process risk. Over time, all these risks become part of an organization's overall risk portfolio, which has its own individual [**[risk profile]**](https://learning.theinstitutes.org/pluginfile.php/108367/mod_scorm/content/2566/index.html).

### Technology and the Changing Risk Management Environment

Traditional risk assessment techniques focus on root cause analysis (RCA), which identifies a loss's predominant cause. This approach's inherent weakness is obvious---RCA can only look backward. Plus, it might not identify all root causes and the related events that contribute to a loss, and it can only be performed periodically. Today, however, a universe of data about past events can empower decision making that is further refined through data about previously imperceptible risk factors. Examples may include a worker's dangerous package-lifting technique, the presence of a hazardous chemical in the air at a factory, or the catastrophic intersection of seemingly disconnected financial transactions as they unfold in real time.

The ways that technology and risk management intersect to achieve this can seem complex, but the basics are simple: The big data revolution is fueled by the capture, storage, and analysis of data.

**How Big Data Has Transformed the Risk Management Environment** [DA12739]

### Data Capture

Data capture is enabled primarily by [**[smart products]**](https://learning.theinstitutes.org/pluginfile.php/108367/mod_scorm/content/2566/index.html) that sense their environment, process data, and communicate with other smart products and smart operations through the [**[Internet of Things (IoT)]**](https://learning.theinstitutes.org/pluginfile.php/108367/mod_scorm/content/2566/index.html). These interactions generate the data to which advanced analytics can be applied.

The availability and sophistication of smart products and the IoT's continued growth have led to an explosion of risk management innovation. Here are just a few examples:

-
-
-

### Data Storage

The decision-making value of data produced by smart products, the IoT, and other data-capturing technology can be undermined by its volume, velocity, and veracity---more and faster is not necessarily better. [**[Cloud computing]**](https://learning.theinstitutes.org/pluginfile.php/108367/mod_scorm/content/2566/index.html) enables the storage and sharing of vast amounts of data. But what if there was a way to ensure that the data used for risk management analysis was from a trusted source and independently verified? That is the premise underlying the data storage and sharing medium known as the blockchain.

Think of the blockchain as a virtual distributed ledger that maintains a dynamically updated list of data records (blocks). These records are not actually recorded in the ledger, however, until the veracity of data within them is confirmed and verified through a consensus process called mining. This verification process removes intermediary validation and establishes trust without the use of a centralized authority. After a block is confirmed and the data within it is verified through mining, the block is time stamped and added to the preexisting blocks in the chain---hence the term "blockchain." The blockchain is cryptographically protected against tampering and revision.

The myriad risk management ramifications of the blockchain are a by-product of the medium's immutability, security, transparency, scalability, and ability to facilitate the sharing of verified, quality data. For example, a supply chain linking disparate entities across a continent could be connected through a blockchain-enabled database. This virtual ledger could record sensor-enhanced data about inventory levels, weather, labor conditions, and other data relevant to the welfare of the supplier's products collected from radio frequency identification (RFID) sensors and other sources at each link in the chain and shared among all participants. The supplier could use the data to not only monitor conditions in real time, potentially staving off losses, but also inform ongoing analysis of its products, processes, and employment practices to continually refine its management of supply chain and other risks.

### Data Analytics

The collection, storage, and sharing of data empower real-time risk management for organizations that use data gleaned from sensors to react immediately to hazardous situations. For instance, sensors affixed to the clothing of an assembly line laborer might sense that worker's hydration level dropping to a dangerous level. Collected and stored data can also be used to reveal forward-thinking risk management strategies when that data is organized and analyzed through methods that use artificial intelligence, such as machine learning and data modeling.

In short, insurers and risk managers can improve their business results through data-driven decision making in an ever-increasing variety of ways, such as these:

- Automating decision making for improved accuracy and efficiency
- Organizing large volumes of new data
- Discovering new relationships in data
- Exploring new sources of data
- Developing new products

### Knowledge Check

**Recent risk management theory uses which of the following approaches to risk management?**

- Hazard
- Holistic
- Operational
- Financial

**Summary**

Grounded in traditional risk management techniques, today's risk management environment is animated by increasingly potent combinations of inexpensive data-gathering and storage technology and predictive analytic techniques that can transform data into more certainty about risk management decisions than ever before.
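The tamper-evident supply chain ledger described under Data Storage, as an added example that is not part of the original chapter: a minimal hash-chained ledger in Python that shows only the chaining (no consensus or mining), so that altering a sealed sensor record, with or without re-sealing it, is detected on verification. Site names, sensor ids, readings and timestamps are constructed.

```python
import hashlib
import json
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Block:
    index: int
    timestamp: float
    record: dict      # one sensor reading from one link in the supply chain
    prev_hash: str    # hash of the preceding block: the "link" in the chain
    hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON so every participant hashes exactly the same bytes.
        payload = json.dumps(
            {"index": self.index, "timestamp": self.timestamp,
             "record": self.record, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class Ledger:
    """Append-only list of blocks; each block commits to the hash of the one before it."""

    def __init__(self) -> None:
        genesis = Block(0, 0.0, {"event": "genesis"}, "0" * 64)
        genesis.hash = genesis.compute_hash()
        self.blocks: List[Block] = [genesis]

    def append(self, record: dict, timestamp: Optional[float] = None) -> Block:
        prev = self.blocks[-1]
        block = Block(prev.index + 1,
                      time.time() if timestamp is None else timestamp,
                      dict(record), prev.hash)
        block.hash = block.compute_hash()   # the block is time stamped and sealed
        self.blocks.append(block)
        return block

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every hash and check every link; returns (ok, first bad index)."""
        for i, block in enumerate(self.blocks):
            if block.hash != block.compute_hash():
                return False, i                   # contents changed after sealing
            if i > 0 and block.prev_hash != self.blocks[i - 1].hash:
                return False, i                   # link to the predecessor is broken
        return True, None


# Constructed sample readings, as a distributor's farm, truck and store might report them.
SAMPLE_READINGS = [
    {"site": "farm-17", "sensor": "RFID-lot-4412", "water_quality": "pass", "temp_c": 4.0},
    {"site": "truck-09", "sensor": "RFID-lot-4412", "temp_c": 9.5},   # cold-chain excursion
    {"site": "store-03", "sensor": "RFID-lot-4412", "temp_c": 3.8},
]


def build_ledger() -> Ledger:
    ledger = Ledger()
    for i, reading in enumerate(SAMPLE_READINGS):
        ledger.append(reading, timestamp=1700000000.0 + 3600 * i)  # fixed times for reproducibility
    return ledger


def tamper_without_rehash(ledger: Ledger) -> Tuple[bool, Optional[int]]:
    """A stored reading is rewritten but the block's seal is left alone."""
    ledger.blocks[2].record["temp_c"] = 4.0   # hide the excursion on the truck
    return ledger.verify()                    # the stored hash no longer matches: (False, 2)


def tamper_with_rehash(ledger: Ledger) -> Tuple[bool, Optional[int]]:
    """The altered block is re-sealed, but every later block still points at the old hash."""
    ledger.blocks[2].record["temp_c"] = 4.0
    ledger.blocks[2].hash = ledger.blocks[2].compute_hash()
    return ledger.verify()                    # the next link is broken: (False, 3)


if __name__ == "__main__":
    print("fresh ledger:", build_ledger().verify())
    print("edit only:   ", tamper_without_rehash(build_ledger()))
    print("edit+reseal: ", tamper_with_rehash(build_ledger()))
```

Rewriting history therefore means re-sealing every block after the altered one, which is exactly what the consensus process the text describes is there to prevent.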
Risk Management Benefits
------------------------

**Objective**

**Explain how risk management benefits both an organization and the economy.**

Organizations have long recognized the benefits of risk management techniques related to hazard risks---primarily risk mitigation and risk transfer---that benefit not only the individual organization, but also the overall economy. For example, insurance can prevent a business failure and the resulting unemployment after a catastrophe. However, truly comprehensive risk management also should account for broader risks within organizations and [**[systemic risk]**](https://learning.theinstitutes.org/pluginfile.php/108369/mod_scorm/content/2566/index.html) in the economy.

A risk management strategy that looks beyond just hazard risk allows an organization to reduce the cost and deterrence effects of hazard risks while maximizing its profitability and ensuring its compliance with legal and regulatory risk management requirements. A holistic strategy also benefits the economy through waste reduction, the improved allocation of productive resources, and the reduction of systemic risk.

Benefits for an Organization
----------------------------

All organizations face various risks simply by operating. Many risks result in a negative outcome only, such as the possibility of accidental loss, and could prevent an organization from meeting its objectives. Other risks can have either a positive or negative outcome, such as a new product or a financial investment, and could help an organization meet its objectives. There are various benefits to any organization in managing these risks.

### Reduce Cost of Hazard Risk

In risk management, an organization's [**[cost of risk]**](https://learning.theinstitutes.org/pluginfile.php/108369/mod_scorm/content/2566/index.html) associated with a particular asset or activity is the total of these:

-
-
-
-

Risk management aims to reduce the long-term overall cost of risk for the organization without precluding or otherwise interfering with the organization's achieving its goals or engaging in its normal activities. The reduction in the overall cost of risk can increase the organization's profits (or, for a not-for-profit organization, reduce the budget it needs for a particular activity). Risk management also supports safety while minimizing the financial effect of safety measures on the organization's productivity.

### Reduce Deterrence Effects of Hazard Risks

The fear of possible future losses tends to make senior management reluctant to undertake activities they consider too risky. Consequently, the organization is deprived of potential benefits. Risk management reduces the deterrent effects of uncertainty about potential future accidental losses by making these losses less frequent, less severe, or more foreseeable. The resulting reduction in uncertainty benefits an organization in these ways:

-
-
-

Many new products and manufacturing processes have become attractive only after better ways of preventing and paying for accidental losses have reduced related uncertainty. Like an organization's senior managers, those who would provide the organization with funds seek assurances: stockholders or other investors seek assurance that their equity is safe and will generate future income; creditors seek assurance that the money they have loaned will be repaid on time with interest. The security sought by these sources of new capital rests, at least partly, on confidence that the organization will prosper despite any accidental losses that might befall it. Consequently, an organization's ability to attract willing investors depends to a significant degree on the effectiveness of its risk management program in protecting investors' capital against the cost of accidental losses.

### Reduce Downside Risk

Downside risks, including losses and failures, are an inevitable aspect of any type of business or speculative risk. For example, a company has downside risk whenever it introduces a new product. A financial institution has downside risk every time it makes a loan or an investment. Operational risk is a part of an organization's processes, and the downside risks include delays, errors, cost increases, and the failure of any aspect of the operation. Reducing downside risk provides similar organizational benefits as reducing the deterrence effects of hazard risks.

To reduce downside risks, organizations can use threshold limits, which can be applied to many types of risks. By monitoring risks against preset limits based on established risk criteria, an organization puts triggers in place that alert management when a threshold has been breached. This threshold might be a certain number of faulty manufactured items within a certain amount of time (operational risk), a certain variation in interest rates on investments (financial risk), or the number of serious accidents within a specified time frame (hazard risk). When these thresholds are breached, management can review the situation and discuss changes before the losses become more significant and much more difficult to manage.

### Manage the Downside of Risk

Although it cannot eliminate downside risk, risk management can help an organization meet its objectives.

**Example of Risk Management Failure at Equifax**

Equifax, one of the big three credit reporting companies, revealed that approximately 143 million Americans had their sensitive financial and personally identifiable information compromised by a security breach. Consumers learned that these thefts occurred months before the company notified them of the breach. And many of the affected consumers had not requested that their information be given to Equifax but assumed that credit reporting companies would manage and safeguard all private information in their possession.

The fallout from this failure has affected not only Equifax but also the banks, credit card companies, and other institutions that were entrusted with Social Security numbers and other personal and financial information. This incident is an example of ineffective risk management---a corporate failure to manage risks effectively---from the organization itself all the way to vendors and anyone else entrusted with valuable consumer information. In addition to the public outrage, Equifax will be exposed to lawsuits, investigations, and financial penalties. Banks and other institutions that report to the credit reporting agencies will experience negative responses from consumers who believe that these institutions were also culpable.

Despite these setbacks, the most damaging fallout for Equifax may result from reputational risk. This is, at least in part, because this breach affected so many people and because all the details of its occurrence and the extent of the damage may be far worse than predicted. This security breach will be in the spotlight for a long time; consumers will not soon forget it. Equifax did not perform its due diligence regarding what it was entrusted to do, and it did not have the appropriate or sufficiently updated systems in place to fulfill its corporate responsibility to its customers. This incident underscores the need to establish and continually monitor effective practices to manage an organization's risks and maintain the trust of its stakeholders. [DA12692]

The risk management strategy an organization uses must be well thought out so that the strategy itself does not increase risk. Hedging is an example of a risk management technique that can be used to manage downside risk resulting from market volatility, but it must be well designed and executed.

### Knowledge Check

**Which one of the following best describes the deterrence effects of hazard risk?**

- These effects deter individuals from committing unsafe acts.
- These effects deter cyber attacks.
- These effects deter management from undertaking risky activities.
- These effects deter an organization from practicing risk management.

### Take Intelligent Risks

Successful organizations usually take risks to grow and increase profit. This type of risk can create a positive or a negative outcome. Decisions regarding new opportunities should be based on the organization's risk appetite, which is "the total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes."[^^](https://learning.theinstitutes.org/pluginfile.php/108369/mod_scorm/content/2566/index.html)

An important benefit of risk management is that it provides organizations with a framework to analyze and manage the risks associated with an opportunity. For example, when an organization considers whether to expand into a new product line, risk management can help it decide whether the potential rewards are greater than the downside risks. If the organization decides to go forward with the new product line, risk management can assist in designing a process to manage the associated risks.

### Maximize Profitability

Risk management can help an organization achieve the optimal risk-adjusted return on capital. If an organization does not take enough risk, its capital may be underutilized. However, if an organization takes on too much risk, it may exceed its capability to withstand potential losses.
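The threshold limits described under Reduce Downside Risk, as an added example that is not part of the original chapter: a small Python monitor that applies a count-per-time-window limit (faulty items, serious accidents) and a variation-from-baseline limit (interest rates) to an event stream and records a trigger for management each time a limit is breached. The risk names, limit values and event stream are constructed.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

HOUR = 3600.0
DAY = 24 * HOUR


@dataclass
class CountLimit:
    """Trigger when more than `max_events` events fall inside a sliding `window` (seconds)."""
    max_events: int
    window: float
    events: Deque[float] = field(default_factory=deque)

    def observe(self, ts: float, value: float) -> Optional[str]:
        self.events.append(ts)
        while self.events and ts - self.events[0] > self.window:
            self.events.popleft()          # drop events that fell out of the window
        n = len(self.events)
        if n > self.max_events:
            return f"{n} events in the last {self.window / HOUR:g} h exceeds limit of {self.max_events}"
        return None


@dataclass
class VariationLimit:
    """Trigger when a measured value moves more than `max_delta` away from `baseline`."""
    baseline: float
    max_delta: float

    def observe(self, ts: float, value: float) -> Optional[str]:
        delta = value - self.baseline
        if abs(delta) > self.max_delta:
            return f"value {value:g} is {delta:+.2f} from baseline {self.baseline:g} (limit +/-{self.max_delta:g})"
        return None


class RiskMonitor:
    """Routes each observation to the preset limit for that risk and keeps the triggers raised."""

    def __init__(self) -> None:
        self.limits: Dict[str, Tuple[str, object]] = {}
        self.triggers: List[Tuple[float, str, str, str]] = []   # (ts, category, risk, message)

    def add_limit(self, risk: str, category: str, limit) -> None:
        self.limits[risk] = (category, limit)

    def record(self, risk: str, ts: float, value: float = 0.0) -> Optional[str]:
        category, limit = self.limits[risk]
        message = limit.observe(ts, value)
        if message is not None:
            self.triggers.append((ts, category, risk, message))
        return message


# Constructed event stream: (timestamp in seconds, risk name, observed value).
SAMPLE_EVENTS = [
    (0.0, "line-7 defects", 1), (600.0, "line-7 defects", 1),
    (1200.0, "line-7 defects", 1), (1800.0, "line-7 defects", 1),  # 4th defect inside one hour
    (5 * HOUR, "line-7 defects", 1),                               # earlier defects have expired
    (0.0, "10y bond rate", 4.30), (DAY, "10y bond rate", 4.60),
    (2 * DAY, "10y bond rate", 4.90),                              # more than 0.5 above baseline
    (0.0, "serious accidents", 1), (10 * DAY, "serious accidents", 1),
    (20 * DAY, "serious accidents", 1),                            # 3rd accident inside 30 days
]


def run_sample() -> List[Tuple[float, str, str, str]]:
    monitor = RiskMonitor()
    monitor.add_limit("line-7 defects", "operational", CountLimit(max_events=3, window=HOUR))
    monitor.add_limit("10y bond rate", "financial", VariationLimit(baseline=4.25, max_delta=0.5))
    monitor.add_limit("serious accidents", "hazard", CountLimit(max_events=2, window=30 * DAY))
    for ts, risk, value in SAMPLE_EVENTS:
        monitor.record(risk, ts, value)
    return monitor.triggers


if __name__ == "__main__":
    for ts, category, risk, message in run_sample():
        print(f"t={ts:>9.0f}s  [{category}] {risk}: {message}")
```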
Risk management provides an organization with information to evaluate the potential risk-adjusted return on its activities and to manage the risks associated with those activities. For example, an organization may consider whether to increase its dividend to shareholders versus investing in a new product. Although the same amount of capital may be considered for each option, the risk-adjusted return will not be the same. Risk managers can help the organization evaluate the risks and potential return of each option and their effects on the organization's meeting its objectives.

### Practice Holistic Risk Management

Traditional risk management was conducted in silos within an organization. For example, a manufacturing organization would typically have the risk management function manage hazard risk; the finance function manage financial risks, such as credit and exchange-rate risk; the operations function manage operational risks, such as equipment failures; and the information technology function manage cyber risk. This fragmented approach can miss critical risks to the organization and fails to provide senior management with a picture of the organization's risk portfolio and profile.

In the example of the manufacturing organization, the risk management function may not be aware of the age and condition of equipment in the plants if this equipment is not insured. Operations may not be aware of the risks presented by some of the older equipment, and its request to senior management for a capital expenditure for new equipment may be turned down. In that scenario, a piece of machinery could then malfunction and cause a fire, rendering the plant unusable for a year and delaying production.

An integrated, holistic approach that manages risk across all levels and functions within an organization presents a more complete picture of an organization's risk portfolio and profile. This picture allows for better decisions by and improved outcomes for senior management. In the example of the manufacturing organization, if there were a complete understanding of the risks the equipment presented, senior management may have allocated capital to replacing the equipment instead of making a different investment.

### Comply With Legal and Regulatory Requirements

Because of the failure of large organizations and the ensuing financial crisis, subsequent U.S. legislation and regulations require public companies to use and report on risk management. The Securities and Exchange Commission approved a rule requiring corporate disclosure about risk. The Sarbanes-Oxley Act requires both the management of public companies and their auditors to assess and report on financial risk and controls. The Dodd-Frank Act requires that financial bank holding companies and certain other public companies have a risk committee, and at least one member of the committee must be a risk management expert. Basel III and Solvency II in Europe also have risk management requirements for financial firms and insurers.

One of the benefits of effective risk management is that organizations will be able to comply with these regulatory requirements. Additionally, external auditors will be able to report on these risk management processes to satisfy the reporting requirements.

Benefits for the Economy
------------------------

The economy at both local and national levels incurs certain costs associated with risk and its management, as well as uncertainty about future losses. For example, a major hurricane can have widespread effects on the national economy, not just on individual organizations. Beyond a single loss occurrence like a hurricane, the cumulative effect of many smaller losses also adversely affects the national and local economies. For example, many retail stores in a shopping mall would suffer reduced sales if one of the anchor stores were closed because of an accidental loss. Depending on the magnitude of the loss and the length of time required for the anchor store to recover, the local community may sustain lost jobs, reduced tax revenue, and an overall reduction in the quality of life that was enjoyed when the mall was fully operational and thriving.

An economy's cost of risk management includes the resources consumed by or devoted to combating losses. For example, uncertainty throughout the economy causes organizations to be more risk averse. This in turn causes allocation of the economy's resources away from assets or activities that seem to be too risky, so that the economy is not as productive as it might otherwise be. Consequently, average living standards can be reduced. Risk management benefits the entire economy by reducing waste of resources, improving allocation of productive resources, and reducing systemic risk.

### Reduced Waste of Resources

Any economy possesses a given quantity of resources with which to produce goods and services. If an accidental loss reduces those resources, such as when a fire or an earthquake demolishes a factory or destroys a highway, that economy's overall productive resources are reduced. Risk management prevents or minimizes the waste of these productive resources.

Whenever there is a risk that accidental losses may occur, some portion of the economy's resources must be devoted to risk management. Allocating such resources is a cost because the resources cannot be used for other purposes that could promote growth. However, without such resources the economy would suffer even more in the event of an accidental loss.

### Improved Allocation of Productive Resources

Risk management also improves the allocation of productive resources because when economic uncertainty is reduced for individual organizations, productive resources are better allocated. Risk management makes those who own or run an organization more willing to undertake formerly risky activities because they are better protected against the downside of risk. That greater willingness frees senior managers, workers, and suppliers of financial capital to pursue activities that maximize profits, returns on investments, and ultimately wages. Such a shift increases overall productivity within an economy and, on balance, improves everyone's average standard of living.

### Reduced Systemic Risk

The Dodd-Frank Act, Solvency II, and Basel III are all intended to reduce systemic risk. If a systemically important organization does not have an effective risk management program, that organization's risks can result in failure for not only the organization but also the economy. Not only did the financial crisis of 2008--09 cause widespread negative consequences, such as recessions and high unemployment, it also caused many organizations to become risk averse and therefore afraid to invest their capital because of uncertainty. The benefits of risk management programs at systemically important organizations include reducing systemic risk and reassuring investors and the public about reasonable risk taking that can provide economic growth.

### Apply Your Knowledge

State the benefits of risk management for an insurer.

*Feedback:* Insurers, which are in the risk business, can provide benefits to their organizations and their clients by developing methods to reduce the cost of hazard risk and by providing cost-effective risk transfer mechanisms. By employing risk management, insurers can make optimal use of their capital through new opportunities and prudent risk taking. Holistic risk management allows an insurer to gain perspective on its entire risk portfolio. Additionally, insurers need effective risk management programs to meet regulatory requirements.
### Knowledge Check **Decisions regarding an organization's opportunities should be based on the organization's** - Risk appetite. - Cost of risk. - Hazard risk. - Systemic risk. **Summary** An effective risk management program provides benefits to an organization in meeting its goals and complying with regulations. Such programs also benefit the economy as a whole by helping to prevent business failures. Additionally, regulators who apply risk management principles in their functions can help address systemic risk to ensure that risk provides economic benefits rather than negative consequences. Risk Management Objectives and Goals ------------------------------------ **Objective** **Summarize various objectives and goals for organizations to manage risk.** A structured, logical, and appropriate program is the foundation on which an organization's entire risk management effort rests. The support of an organization's senior management is essential to an effective risk management program. To gain that support, a risk management professional should design a program with objectives and goals that align with the organization's overall objectives. In some circumstances, a trade-off will be necessary between organizational objectives and risk management goals. ### Risk Management Objectives Each organization should align its risk management objectives with its overall objectives. Common objectives for risk management are balancing risk and reward and supporting decision-making. These objectives should reflect the organization's risk appetite and the organization's internal and external context. Objectives can emphasize certain goals, such as business continuity, protection of reputation, or growth. 
**Example of an Organization's Risk Management Objectives: Zurich's Enterprise Risk Management** **Mission and Objectives of Risk Management** The mission of Zurich\'s Enterprise Risk Management is to promptly identify, measure, manage, report and monitor risks that affect the achievement of our strategic, operational and financial objectives. This includes adjusting the risk profile in line with the Group\'s stated risk tolerance to respond to new threats and opportunities in order to optimize returns. Our major Enterprise Risk Management objectives are to: - - - - © Zurich Insurance Company \[DA08642\] Risk management objectives can emphasize certain goals in order to align the risk management program with the organization's risk philosophy and to help the organization meet its overall objectives. Risk Management Goals --------------------- The risk management program should have goals to manage the risks that an organization will face. These goals should be incorporated into the risk management framework and the process designed to meet a particular organization's objectives. These are typical risk management goals: - - - - - - - - ### Tolerable Uncertainty A typical risk management goal is tolerable uncertainty, which means aligning risks with the organization's risk appetite ("the total exposed amount that an organization wishes to undertake on the basis of risk-return trade-offs for one or more desired and expected outcomes").[^1^](https://learning.theinstitutes.org/pluginfile.php/108371/mod_scorm/content/2566/index.html) Managers want to be assured that whatever might happen will be within the bounds of what was anticipated and will be effectively addressed by the risk management program. Risk management programs should use measurements that align with the organization's overall objectives and take into account the risk appetite of senior management. 
For example, [**value at risk (VaR)**](https://learning.theinstitutes.org/pluginfile.php/108371/mod_scorm/content/2566/index.html) can be used to analyze various financial portfolios with different assets and risk factors. VaR can be calculated quickly and easily to determine risk factor returns on a portfolio. ### Legal and Regulatory Compliance An important goal for risk management programs is to ensure that the organization's legal obligations are satisfied. Such legal obligations are typically based on these items: - - - A risk management professional has an essential role in helping the organization manage regulatory risk and the potential for liability. ### Survival For risk management purposes, an organization can be viewed as a structured system of resources such as financial assets, machinery and raw materials, employees, and managerial leadership. The organization generates income for its employees and owners by producing goods or services that meet others' needs. Many risks can threaten the survival of an organization. Traditionally, hazard risk, which could destroy an organization's facilities or cause injury to employees or customers, was viewed as the major threat to an organization's survival. Risk management professionals use techniques such as loss control and risk transfer to manage hazard risks. However, the risks that organizations face are much broader than hazard risk. These risks include financial risks such as the value of assets (for example, the organization's stock value), competition, supply-chain risks, and technology (vulnerability to computer attacks and ability to keep pace with technological developments). Survival of an organization depends on identifying as many risks as possible that could threaten the organization's ability to survive and managing those risks appropriately. It also depends on anticipating and recognizing emerging risks, such as those related to climate change. 
### Business Continuity

Continuity of operations is a key goal for many private organizations and an essential goal for all public entities. Although survival requires that no risk occurrence (no matter how severe) permanently shut down an organization, the goal of continuity of operations is more demanding. To be resilient, an organization cannot interrupt its operations for any appreciable time. When an organization's senior management sets business continuity as a goal, its risk management professionals must have a clear, detailed understanding of the specific operations for which continuity is essential and the maximum tolerable interruption interval for each operation. These are the steps an organization should take to provide business continuity and, therefore, resiliency:

- - - -

### Earnings Stability

Earnings stability is a goal of some organizations. Rather than strive for the highest possible level of current profits (or, for not-for-profit organizations, surpluses) in a given period, some organizations emphasize earnings stability over time. Striving for earnings stability requires precision in forecasting fluctuations in asset values; liability values; and risk management costs, such as costs for insurance.

### Profitability and Growth

An organization's senior management might have established a minimum amount of profit (or surplus) that no event should reduce. To achieve that minimum amount, risk management professionals must identify the risks that could prevent this goal from being reached, as well as the risks that could help achieve this goal within the context of the organization's overall objectives. For example, an organization concerned that a disaster preventing a key supplier from delivering parts will cause a supply-chain risk could develop a backup plan that might not only avoid this risk but also provide an opportunity to sell the backup parts to other companies.
An organization might measure profitability for its various units on a risk-adjusted basis. For example, high-risk investments require higher expected profits to account for the risk involved. By measuring profit on a risk-adjusted basis, the organization can efficiently deploy its capital.

Most organizations set goals for growth. Emphasizing growth---for example, enlarging an organization's market share, the size and scope of its activities or products, or its assets---might have two distinctly opposing effects on its risk management program: the reduction of the potentially negative consequences of risk versus supporting the organization's entrepreneurial risk-taking. Those effects depend on managers' and owners' tolerance for uncertainty. It is essential that risk managers understand growth goals in the context of senior management's risk appetite. Risk managers should also advise senior management of the potential risk in different growth strategies that the organization considers. For example, before the financial crisis, many financial organizations became highly leveraged in order to achieve growth. Although this strategy provided significant short-term growth, it ultimately caused the failure of several prominent firms.

### Social Responsibility

Social responsibility is a goal for many organizations. It includes the organization's ethical conduct as well as the philanthropic commitments that the owners of the organization have made to the community and society as a whole. Beyond the altruistic interests of the organization's owners, many organizations justify pursuing the objective of social responsibility because such activities enhance the organization's reputation. Risk management professionals should consider an organization's societal commitments when developing its risk management program.
### Economy of Risk Management Operations

Risk management should operate economically and efficiently; that is, an organization generally should not incur substantial costs for slight benefits gained. One way to measure the economy of a risk management program is through benchmarking, in which an organization's risk management costs are compared with those of similar organizations. The Risk and Insurance Management Society (RIMS), a global organization of risk management professionals, conducts an annual benchmarking survey, in partnership with Advisen, that organizations can use to compare their cost of hazard risk with other organizations in their industry. The benchmark survey combines expenditures for risk assessment, risk control, and risk financing, as well as the administrative costs of risk management programs. These costs are then related to revenue so that comparisons can be made between organizations and industry sectors.

Trade-Offs Among Goals
----------------------

Although an organization's risk management objectives and goals are interrelated, sometimes they are not consistent with one another. For example, to obtain tolerable uncertainty, the risk management professional may have to advise senior management that a growth goal may not be achievable without adjusting either the risk appetite or the growth strategy.

Legality and social responsibility goals may conflict with the economy of operations goal. Some externally imposed legal obligations, such as safety standards dictated by building codes, are nonnegotiable. Therefore, costs associated with these obligations are unavoidable. Other nonlegal obligations, such as charitable contributions, may be negotiable. However, while meeting social responsibility may raise costs in the short term, it can have worthwhile long-term benefits that make the costs acceptable.
In working with others regarding the trade-offs among organizational goals, a risk management professional must consider the likely effects of alternative risk treatment techniques and the costs and benefits of each. The interests and concerns of the various groups affected by an organization's risk management program should also be considered. The way in which a risk management department is structured, how it cooperates with other departments, and how it handles communication of information are all relevant in enabling risk management professionals to respond to the goals and concerns of the organization and of affected parties.

### Knowledge Check

**Which of the following best describes the desired relationship of risk management objectives to an organization's overall objectives?**

- The risk management objectives should be the same as the overall objectives.
- The risk management objectives should be aligned with the overall objectives.
- The risk management objectives do not need to relate to the overall objectives.

**Summary**

A risk management program provides a framework for planning, organizing, leading, and controlling the resources and activities of an organization to achieve the organization's objectives. The risk management program's goals should be aligned with those objectives. Because there may be inconsistency at times between an organization's objectives and risk management goals, trade-offs may be necessary to achieve the desired results.

Basic Risk Measures
-------------------

**Objective**

**Explain how basic risk measures apply to the management of risk.**

The physicist Lord Kelvin said, "To measure is to know" and "If you cannot measure it, you cannot improve it." Risk management requires measures of risk in order to both know the nature of risks and manage them to help an organization meet its objectives.
Although it is not possible to measure all the risks that could potentially affect an organization's ability to meet its objectives, quantifying those risks that can be measured should form the basis of risk assessment. Additionally, ongoing measurement provides benchmarks to monitor and evaluate the success of an organization's risk management program. These are the basic measures that apply to risk management:

- - - - - -

**Exposure** provides a measure of the maximum potential damage associated with an occurrence. Generally, the risk increases as the exposure increases, assuming the risk is nondiversifiable. For example, if a bank underwrites mortgages to subprime borrowers, the credit risk increases as the amount of subprime mortgages increases because the exposure to default increases. An insurer that writes homeowners policies in coastal areas increases its exposure to windstorms as its coastal book of business increases. In these examples, the exposure can be quantified based on the amount of mortgages or policy coverage issued. Other exposures, such as the risk of a data breach or reputational risk, are not as easily quantified. However, even if an exposure cannot be readily quantified, there should be an attempt to qualitatively measure its effect on the organization to effectively manage the risk. For example, the effect of reputational risk could be measured in terms of its potential influence on an organization's stock price, customer loyalty, and employee turnover.

**Volatility** provides a basic measure that can be applied to risk. Generally, risk increases as volatility increases. Volatility can often be quantified. For example, VIX, the Chicago Board Options Exchange Market Volatility Index, provides a measure of stock market volatility.
The volatility of energy prices, for example, is a major risk for many organizations. Utility companies, airlines, trucking companies, and other types of organizations that are highly dependent on fuel use strategies such as hedging to manage the risk associated with volatility in the price of oil. However, organizations that may be only indirectly affected by energy price volatility, such as retailers whose customers have less disposable income when gas prices rise, may also want to assess and manage this risk through inventory and pricing adjustments.

The likelihood of an occurrence is a key measure in risk management. The ability to determine the probability of an event mathematically is the foundation of insurance and risk management. The term "likelihood" is used rather than "probability" because probability analysis relies on the **law of large numbers**. Although insurers and some other organizations can use the law of large numbers to accurately determine the probability of various risks, most organizations need to determine the likelihood of an occurrence without the benefit of a probability analysis of large numbers. For example, a bank can probably determine and quantify the likelihood of default on a loan based on credit scores and other factors in the bank's extensive data. However, it would be more difficult for the bank to determine the likelihood of a cyber attack in which customer data are taken, resulting in liability. It would be even more difficult for the bank to predict the likelihood of a terrorist attack that could be catastrophic. Similarly, it is easier to determine the likelihood that certain risks undertaken to improve an organization's performance will have a positive outcome than it is for others.
If a bank decides to issue credit to borrowers with slightly lower credit scores than its current borrowers, the bank probably has sufficient data to determine the likelihood of a positive outcome. However, if the bank decides to expand into a new and unfamiliar region, it may be more difficult to predict the likelihood of a successful outcome.

The relationship between likelihood and consequences is critical for risk management in assessing risk and deciding whether and how to manage it. Therefore, organizations must determine to the extent possible the likelihood of an event and then determine the potential consequences if the event occurs. Consequences are the measure of the degree to which an occurrence could positively or negatively affect an organization. The greater the consequences, the greater the risk. In assessing the level of risk, the risk management professional must understand to the extent possible both the likelihood and the consequences.

If there is a low likelihood of an occurrence with minor consequences, it may not be necessary for an organization to actively manage the risk. For example, a bank may decide that the likelihood of employees taking office supplies for personal use is low, and the consequences if this occurs are minor. Therefore, the bank may decide not to manage this risk.

Risks with high likelihood and minor consequences should usually be managed through an organization's routine business procedures. For example, there is a significant likelihood that a customer will be a few days late in making a loan payment. The consequences of payments that are a few days late are relatively minor. However, the bank should manage this risk through normal business procedures such as late charges or sending reminder notices if the payment is not received by the due date.

Risks with potentially major consequences should be managed even if the likelihood of their occurrence is low.
For example, the risk of a fire at a bank, although unlikely, must be managed.

Risks with significant likelihood and major consequences require significant, continuous risk management. For example, an international bank faces exchange rate risk that is likely and that could result in considerable losses. The bank may use hedging strategies and other techniques to modify this type of risk.

The **time horizon** of an exposure is another basic measure that is applied in risk management. A risk's time horizon can be measured in various ways. The time horizon associated with an investment risk, such as a stock or bond, can be determined by specified bond duration or by how quickly a stock can be traded. Longer time horizons are generally riskier than shorter ones. For example, a thirty-year mortgage is usually riskier for a bank than a fifteen-year mortgage. A business strategy that involves purchase of real estate and building new structures is not as easily reversed as one that involves only a new advertising campaign and is therefore riskier.

Although an organization may have little or no control over the time horizon of a risk, the organization should evaluate and manage this risk just as it would manage other risks over which it has no control, such as weather-related risks. For example, diversification in financial investments can help manage the risks associated with the time horizon of those investments. An insurance company that matches the durations of its assets (investments) and liabilities (loss reserves) neutralizes the risks associated with time horizon. When real estate prices are highly volatile, an organization may defer an expansion strategy that involves a long time horizon, such as purchasing or building new facilities.
**Correlation** is a measure that should be applied to the management of an organization's overall risk portfolio. If two or more risks are similar, they are usually highly correlated. The greater the correlation, the greater the risk. For example, if a bank makes mortgage loans primarily to the employees of a local manufacturer and business loans primarily to that same manufacturer, the bank's loan risks are highly correlated. The failure of the manufacturing business would likely be catastrophic for the bank's entire loan book of business. If a manufacturer contracts with three major suppliers in the same earthquake-prone region in Asia, the manufacturer's supply-chain risks are highly correlated. Diversification is a risk management strategy that can reduce the risk of correlation.

Risk management professionals should evaluate all of these measures and their overall effect on an organization's risk portfolio. Highly correlated risks with a high likelihood, major consequences, high volatility, and significant exposure over a long time horizon should be a key focus of risk management. The global financial crisis that started in 2007 resulted in part from the failure to recognize or address this type of risk. Subprime mortgages represented highly correlated risk to the same types of risky borrowers, large exposure with major consequences, high volatility due to fluctuations in their market value (and in the market value of the underlying real estate collateral), and a long time horizon because of their duration. Therefore, it is essential that organizations apply these basic measures when assessing their risk.
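As an added illustration that is not part of the chapter, the Python below applies the basic measures just described (exposure, volatility, likelihood, consequences, time horizon and correlation) to a constructed loss register for a hypothetical bank and applies the chapter's likelihood/consequence treatment rule to each risk. The risk names, loss figures and the thresholds for "significant" likelihood and "major" consequences are all assumptions.

```python
"""Added example, not from the chapter: scoring a small risk register with the
chapter's basic measures (exposure, volatility, likelihood, consequences,
time horizon, correlation). Every name, figure and threshold below is a
constructed assumption for a hypothetical bank."""
import math
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Risk:
    name: str
    exposure: float            # maximum potential loss from one occurrence
    time_horizon_years: int    # how long the bank is committed to the risk
    annual_losses: list        # constructed history of realised annual losses


# Constructed register (illustrative values only); the first two risks mirror the
# chapter's example of a bank lending to a manufacturer and to its employees
REGISTER = [
    Risk("mortgages to local manufacturer staff", 5_000_000, 30,
         [0, 0, 120_000, 900_000, 0, 50_000, 1_100_000, 0]),
    Risk("business loans to that manufacturer", 3_000_000, 5,
         [0, 0, 80_000, 600_000, 0, 30_000, 700_000, 0]),
    Risk("late loan payments", 20_000, 1,
         [4_000, 5_000, 4_500, 5_500, 4_800, 5_200, 4_900, 5_100]),
    Risk("branch fire", 2_000_000, 1, [0] * 8),
]

# Assumed thresholds separating "significant" likelihood and "major" consequences
LIKELIHOOD_THRESHOLD = 0.25      # a loss in at least one year in four
MAJOR_LOSS = 100_000             # currency units
HIGH_CORRELATION = 0.8


def likelihood(risk):
    """Empirical share of years with a loss: a 'likelihood', not a law-of-large-numbers probability."""
    return sum(1 for x in risk.annual_losses if x > 0) / len(risk.annual_losses)


def consequence(risk):
    """Mean loss in loss years; with no loss history at all, fall back to the full exposure."""
    losses = [x for x in risk.annual_losses if x > 0]
    return mean(losses) if losses else risk.exposure


def volatility(risk):
    """Spread of annual losses relative to exposure (0.0 for a series that never varies)."""
    return pstdev(risk.annual_losses) / risk.exposure


def correlation(a, b):
    """Pearson correlation of two loss histories; 0.0 when either series is constant."""
    xs, ys = a.annual_losses, b.annual_losses
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sx = math.sqrt(sum((x - mx) ** 2 for x in xs))
    sy = math.sqrt(sum((y - my) ** 2 for y in ys))
    return 0.0 if sx == 0 or sy == 0 else cov / (sx * sy)


def treatment(risk):
    """The chapter's likelihood/consequence rule, using the thresholds assumed above."""
    likely = likelihood(risk) >= LIKELIHOOD_THRESHOLD
    major = consequence(risk) >= MAJOR_LOSS
    if likely and major:
        return "significant, continuous risk management"
    if major:
        return "manage despite low likelihood"
    if likely:
        return "routine business procedures"
    return "accept; no active management"


def concentration_pairs(register):
    """Pairs whose loss histories move together: candidates for diversification."""
    pairs = []
    for i, a in enumerate(register):
        for b in register[i + 1:]:
            if correlation(a, b) >= HIGH_CORRELATION:
                pairs.append((a.name, b.name))
    return pairs


def assess(register):
    """Map each risk to its treatment, flagging long horizons as the chapter does."""
    result = {}
    for r in register:
        note = " (long time horizon)" if r.time_horizon_years >= 15 else ""
        result[r.name] = treatment(r) + note
    return result


if __name__ == "__main__":
    for name, t in assess(REGISTER).items():
        print(f"{name}: {t}")
    print("highly correlated:", concentration_pairs(REGISTER))
```

The branch fire has no loss history, so its likelihood is zero yet it is still flagged for management because its consequence falls back to the full exposure, matching the chapter's point that unlikely but severe risks must be managed.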
### Apply Your Knowledge

An insurer decides to achieve growth in its auto insurance line by offering a discount to its homeowners insurance customers who also purchase auto insurance. Which of the following risk measures is or are likely to increase as a result of this business decision? Select all that apply.

a.
b.
c.
d.

*Feedback: a. and d.* The insurer increases its exposure to its existing customer base by offering discounted auto insurance to its homeowners customers. The insurer also increases its risk correlation because it insures the same customers for both the homeowners and auto lines. Presumably, the insurer can manage its risk volatility through diversification, and its time horizon for risk is largely limited by the length of the auto and homeowners policy terms.

### Knowledge Check

**Which characteristic could prevent risk from increasing when exposure increases?**

- Volatile
- Diversifiable
- Correlated

### Summary

Effective risk management should quantify risks and the results of risk management efforts to the extent possible. The basic measures that are applied to risk management include exposure, volatility, likelihood, consequences, time horizon, and correlation.

Risk Classifications and Categories
-----------------------------------

**Objective**

**Explain how classifying and categorizing risk help an organization meet its risk management goals.**

Classifying the various types of risk can help an organization understand and manage its risks. The categories should align with an organization's objectives and risk management goals. Classification can help with assessing risks, because many risks in the same classification have similar attributes. It also can help with managing risk, because many risks in the same classification can be managed with similar techniques. Finally, classification helps with the administrative function of risk management by helping to ensure that risks in the same classification are less likely to be overlooked.
These classifications of risk are some of the most commonly used:

- - - -

These classifications are not mutually exclusive and can be applied to any given risk.

Pure and Speculative Risk
-------------------------

A **pure risk** is a chance of loss or no loss, but no chance of gain. For example, the owner of a commercial building faces the risk associated with a possible fire loss. The building will either burn or not burn. If the building burns, the owner suffers a financial loss. If the building does not burn, the owner's financial condition is unchanged. Neither of the possible outcomes would produce a gain. Because there is no opportunity for financial gain, pure risks are always undesirable.

**Classifications of Risk**

In comparison, **speculative risk** involves a chance of gain. As a result, it can be desirable, as evidenced by the fact that every business venture involves speculative risks. For example, an investor who purchases an apartment building to rent to tenants expects to profit from this investment, so it is a desirable speculative risk. However, the venture could be unprofitable if rental price controls limit the amount of rent that can be charged. Certain businesses involve speculative risks, such as these:

- -

Financial investments, such as the purchase of stock shares, involve a distinct set of speculative risks.

**Speculative Risks in Investments**

Insurance deals primarily with risks of loss, not risks of gain; that is, with pure risks rather than speculative risks. However, the distinction between these two classifications of risk is not always precise---many risks have both pure and speculative aspects. Distinguishing between pure and speculative risks is important because those risks must often be managed differently.
For example, although a commercial building owner faces a pure risk from causes of loss such as fire, he or she also faces the speculative risk that the market value of the building will increase or decrease during any one year. Similarly, although an investor who purchases an apartment building to rent to tenants faces speculative risk because rental income may produce a profit or loss, the investor also faces a pure risk from causes of loss such as fire. To properly manage these investments, the commercial building owner and the apartment owner must consider both the speculative and the pure risks. For example, they may choose to manage the pure risk by buying insurance or taking other measures to address property loss exposures. The speculative risk might be managed by obtaining a favorable mortgage and maintaining the property to enhance its resale value.

Subjective and Objective Risk
-----------------------------

When individuals and organizations must make a decision that involves risk, they usually base it on the individual's or organization's assessment of the risk. The assessment can be based on opinions, which are subjective, or facts, which are objective. Because it is based on opinion rather than fact, **subjective risk** may be quite different from the actual underlying risk that is present. In fact, subjective risk can exist even where **objective risk** does not. The closer an individual's or organization's subjective interpretation of risk is to the objective risk, the more effective its risk management plan will likely be.
The reasons that subjective and objective risk can differ substantially include these:

- Familiarity and control
- Consequences over likelihood
- Risk awareness

Both risk management and insurance depend on the ability to objectively identify and analyze risks. However, subjectivity is also necessary because facts are often not available to objectively assess risk.

Diversifiable and Nondiversifiable Risk
---------------------------------------

**Diversifiable risk** is not highly correlated and can be managed through diversification, or spread, of risk. An example of a diversifiable risk is a fire, which is likely to affect only one or a small number of businesses. For instance, an insurer can diversify the risks associated with fire insurance by insuring many buildings in several different locations. Similarly, business investors often diversify their holdings, as opposed to investing in only one business, hoping those that succeed will more than offset those that fail.

Examples of **nondiversifiable risks** include inflation, unemployment, and natural disasters such as hurricanes. Nondiversifiable risks are correlated---that is, their gains or losses tend to occur simultaneously rather than randomly. For example, under certain monetary conditions, interest rates increase for all firms at the same time. If an insurer were to insure firms against interest rate increases, it would not be able to diversify its portfolio of interest rate risks by underwriting a large number of insureds, because all of them would suffer losses at the same time.

**Systemic risks** are generally nondiversifiable.
For example, if excess leverage by financial institutions causes systemic risk resulting in an event that disrupts the financial system, this risk will have an effect on the entire economy and, therefore, on all organizations. Because of the global interconnections in finance and industry, many risks that were once viewed as nonsystemic (affecting only one organization) are now viewed as systemic. For instance, many economists view the failure of Lehman Brothers in early 2008 as a trigger event highlighting the systemic risk in the banking sector that resulted in the financial crisis.

Quadrants of Risk: Hazard, Operational, Financial, and Strategic
----------------------------------------------------------------

Although no consensus exists about how an organization should categorize its risks, one approach involves dividing them into risk quadrants:

- - - -

Hazard and operational risks are classified as pure risks, and financial and strategic risks are classified as speculative risks. The focus of the risk quadrants is different from the risk classifications previously discussed. Whereas the classifications of risk focus on some aspect of the risk itself, the four quadrants of risk focus on the risk source and who traditionally manages it. For example, the chief financial officer traditionally manages financial risk, and the risk manager traditionally manages hazard risk. Just as a particular risk can fall into more than one classification, a risk can also fall into multiple risk quadrants. For example, embezzlement of funds by an employee can be considered both a hazard risk, because it is an insurable pure risk, and an operational risk, because it involves a failure of controls.

**Risk Quadrants**

Organizations define types of risk differently. Some organizations consider legal risks as operational risk, and some may characterize certain hazard risks as operational risk.
Financial institutions generally use the categories of market, credit, and operational risk (defined as all other risk, including hazard risk). Each organization should select categories that align with its objectives and processes.

### Apply Your Knowledge

The New Company manufactures electronic consumer products. The company's manufacturing plant is highly automated and located in the United States. However, it purchases components from three companies in Asia. The majority of its sales are in the U.S., but European sales represent a growing percentage. Describe the types of risk New Company would have in each of the four risk quadrants.

*Feedback:* In the hazard risk quadrant, New Company would have property damage risks to its plant and equipment resulting from fire, storms, or other events. It would also have risk of injury to its employees and liability risks associated with its products. In the operational risk quadrant, New Company would have risks from employee turnover or the inability to find skilled employees. It would also have business process risk related to how it manages its supply chain and information technology risk related to its automated manufacturing process. In the financial risk quadrant, New Company would have exchange rate risk related to its European sales. It would also have price risk for raw materials and supplies. Strategic risks include competition, economic factors that could affect consumer demand, and the political risk arising from countries in which the company's component suppliers are located.

### Knowledge Check

**An automobile owner faces a risk of loss from a possible collision. The auto will either suffer a collision loss or not. If a collision occurs, there will be a financial loss. If there is no collision, the owner's financial condition is unchanged.
This is an example of what type of risk?**

- Pure
- Speculative
- Nondiversifiable
- Subjective

**Summary**

Classifying the various types of risk can help organizations manage risk. Some of the most commonly used classifications are pure and speculative risk, subjective and objective risk, and diversifiable and nondiversifiable risk. An organization's risks can also be categorized into quadrants as hazard risk, operational risk, financial risk, and strategic risk.

- - - - - - - - - - - - - - -

Enterprise Risk Management
--------------------------

**Objective**

**Compare the concepts of enterprise risk management and traditional risk management.**

The concept of **enterprise risk management** (ERM) was developed as a way to manage all of an organization's risks, including operational, financial, and strategic risk. Traditional risk management is concerned with an organization's pure risk, primarily hazard risk. In practice, there is no clear dividing line between risk management and ERM, with the terms often used interchangeably.

ERM Definitions
---------------

The evolving similarity of the concepts of risk management and ERM is demonstrated in the International Organization for Standardization (ISO) definition of risk management in ERM terms: "coordinated activities to direct and control an organization with regard to risk." The ISO definition of risk as "the effect of uncertainty on objectives" also reflects an ERM approach to risk and risk management.
There are many similar definitions of ERM, including one from the Committee of Sponsoring Organizations of the Treadway Commission: "the culture, capabilities, and practices, integrated with strategy-setting and performance, that organizations rely on to manage risk in creating, preserving, and realizing value." The various definitions of ERM all include the concept of managing an organization's risks to help that organization meet its objectives. This link between management of an organization's risks and its objectives is a key driver in deciding how to assess and treat risks.

Theoretical Pillars
-------------------

Whether the source of a risk is financial, hazardous, operational, or strategic, risks managed separately are not the same as they are when managed together. Three main theoretical concepts explain how ERM works:

- - -

The silo type of management that is typical of traditional risk management ignores any interdependencies and assumes that a financial risk is unrelated to a hazard risk. Events are statistically independent if the probability of one event occurring does not affect the probability of a second event occurring. However, the traditional assumption of independence may not always be valid---and when it is not, the result may be inefficient treatment of an organization's portfolio of risks. For example, mortgage loans in different geographical regions may seem independent. But the 2008 financial crisis revealed that there was actually a significant interdependency.

Correlation increases risk, while uncorrelated risks can provide a balance or hedge. For example, if all of an organization's suppliers are located in an earthquake-prone region in Asia, there is a significant correlation among suppliers in the organization's supply-chain risk.

The third concept that makes ERM work well is the portfolio theory.
In an ERM context, a portfolio is a combination of risks. Portfolio theory assumes that risk includes both individual risks and their interactions. For example, an airline may experience increased portfolio risk from rising fuel prices. This increase may affect not only the airline's costs but also consumer demand: the effect of rising gas prices on consumers' available disposable income could reduce the demand for air travel and constrict the airline's ability to offset its higher costs with higher prices. An airline that successfully hedged against rising oil prices may be able to take advantage of these circumstances to increase its market share.

Organizational Relationships
----------------------------

Under the traditional risk management organizational model, there is a risk manager and a risk management department to manage hazard risk. This traditional function mainly provides risk transfer, such as insurance, for the organization. Larger organizations typically include a claims management function. Many organizations include safety and loss prevention in the risk management department.

**Example of a Traditional Risk Management Department** (figure DA01662)

In ERM, the responsibility of the risk management function is broader and includes all of an organization's risks, not just hazard risk. Additionally, the entire organization at all levels becomes responsible for risk management, as the ERM framework encompasses all stakeholders.

The board of a public company has the ultimate responsibility for oversight of the organization's risks. The Dodd-Frank Act requires that certain types of financial companies appoint board risk committees. A board risk committee may consist of the full board, the audit committee, or a dedicated risk committee. In addition, some public companies have formed an executive-level risk committee to assist the board in its risk oversight function.
The executive-level committee might be chaired by a chief risk officer (CRO), who reports to both the chief executive officer (CEO) and the board risk committee.

**Example of an ERM Governance Model** (figure DA08658)

As facilitator, the CRO engages the organization's management in a continual conversation that establishes strategic risk goals in relation to the organization's strengths, weaknesses, opportunities, and threats (SWOT). The internal stakeholders in the organization include employees, management, the board of directors, and shareholders. External stakeholders include customers, regulators, and the community.

The CRO's responsibility includes helping the enterprise create a risk culture in which managers of the organization's divisions and units, and eventually individual employees, become risk owners. In the fully integrated ERM organization, identifying and managing risk become part of every job description and project. Successful risk management of strategic objectives becomes a measure on all evaluations.

Implementation
--------------

In a midsize to large organization, senior management's commitment is essential to successfully implementing an ERM program. The risk management professionals must have access to data from all organizational areas and levels to identify and assess the organization's risks. The risk management process to manage those risks must be integrated throughout the organization. To accomplish this, risk managers must have the authority to make and enforce necessary changes, often against significant resistance.

Effective communication is essential to a successful ERM program. The CEO should meet with the senior managers of each organizational function to discuss the purpose and goals of ERM and the importance of management support. A task force composed of representatives from each function, working with the CRO and/or risk professionals, can help achieve buy-in from key stakeholders.
It is important for risk professionals to communicate with representatives from the various functions and to receive communication from them. For example, operations managers may want more information about various types of risks, including hazard risks, such as employee injuries, or opportunity risks, such as communities with high growth rates. It is also essential to find out what type of information the CEO and other senior managers need in order to understand the organization's risk portfolio.

An organization with a fully integrated ERM program develops a communication matrix that moves information throughout the organization. Communications include dialogue and discussions among the different units and levels within the organization. The establishment of valid metrics and the continuous flow of cogent data are critical aspects of this communication process. The metrics are carefully woven into reporting structures that engage the entire organization, including both internal and external stakeholders.

Impediments
-----------

One impediment to successfully adopting ERM is technological deficiency. For ERM to succeed, people have to receive relevant information. Management needs information on all organizational risks in a timely and concise manner, for example, a dashboard highlighting the critical risks affecting the organization's ability to meet its objectives. Some risk management functions are able to use existing internet technology systems to produce this information, while others require new systems. The risk management information system (RMIS) of a broker or insurer could provide a starting point for a system to be tailored to the organization's ERM program.

Perhaps the single largest impediment to successful implementation of ERM is an organizational culture of entrenched silos. The risk management function traditionally purchased insurance and had claims oversight. The human resource function typically managed employee benefits and absences.
The financial function managed prices; credit; investments, including hedges; and exchange rates. The operations function managed the core business operations, such as manufacturing or distribution. The safety function was either separate or part of risk management or operations. Information technology was a separate function or part of finance. Each of these functions typically had its own management structure.

In the new ERM culture, risk management is integrated throughout the organization. In many organizations, this involves operations managers taking responsibility for risk management within their areas of responsibility. For example, a bank branch manager would assume responsibility for the speculative risk involved in growing the business and for financial risk, such as the credit risk associated with the loans written by the branch. In large organizations, there may be a risk committee or task force headed by the CRO that includes representatives of each major function within the organization. To achieve accountability, many organizations charge back the gains and costs associated with risk management to the responsible function. For example, an operating division would be charged for the cost of hazard insurance and claims and would also receive credit for new business or production improvements.

### Apply Your Knowledge

An organization with locations throughout the U.S. provides oxygen and related supplies to customers who need oxygen for medical reasons. Oxygen is an oxidizer that, although not itself a flammable gas, makes other substances around it more likely to burn faster and hotter. Therefore, there is a risk of fire and explosion at these locations. Describe a traditional risk management approach to this risk, versus an ERM approach.

*Feedback*: A traditional risk management approach would be to procure property, liability, and workers compensation insurance for this risk.
Additionally, risk management might include the safety function to help prevent the occurrence and to provide an analysis of the cause if the event occurs. An ERM approach, in addition to risk transfer and safety, would assess additional risks, such as those associated with the ability to provide a necessary medical product to customers, the organization's reputational risks in communities, the effect of demographics on the future of the business, and the ability to continue operations after a disaster.

### Knowledge Check

**The assumption that risk includes both individual risks and their interactions is the key concept in which one of the following?**

- Interdependency
- Correlation
- Portfolio theory
- Strategic risk

**Summary**

Traditional risk management took responsibility for hazard risk, typically arranging for risk transfer. ERM identifies operational, financial, and strategic risks in addition to hazard risks; develops an understanding of their relationships; and evaluates the potential effect of the risk portfolio on an organization's ability to achieve its objectives. ERM seeks to optimize a risk management strategy that is integrated into the entire organization.