Sim Segal

 

Review by: Lorenzo Preve

 

This book is a recipe on how to implement ERM in a company. It is filled with examples and step-by-step to-do lists. I do not like this kind of book because it does not provoke or challenge the reader; it just provides a recipe. For those looking for a recipe it is a fine book, but it will not teach you; it will just be an instruction manual… I summarize the main points of the ten chapters and make some comments regarding what I like and dislike most about this book.

Chapter 1 starts by briefly defining ERM and explaining its evolution, presenting eight factors that shaped it; namely, the Basel accords, September 11, corporate accounting frauds, Katrina, rating agencies' scrutiny, the 2008 financial crisis, rare events (referring to the H1N1 flu and pirate attacks off Somalia) and long-term trends (referring to more computing power and a higher risk perception in the business world). The whole chapter is devoted to explaining how these factors have contributed to the arrival of ERM in the business world. The chapter ends by discussing the main challenges faced by ERM.

Chapter 2 presents a definition of risk and expands on the definition of ERM by giving its 10 critical defining elements. The definition of risk is based on: (i) risk is uncertainty, (ii) risk can also be upside, and (iii) risk is deviation from expected. This chapter presents an interesting discussion regarding the importance of strategic and operational risk (and the relatively low importance of financial risks) and on the bias introduced by financial analysts.

Chapter 3 starts by discussing the Value-Based ERM framework, which is composed of: (i) risk identification (to be discussed in Ch. 4), (ii) risk quantification (to be discussed in Ch. 5), (iii) risk decision-making (to be discussed in Ch. 6), and (iv) risk messaging (to be discussed in Ch. 7). Risk identification is just a short guide on how to identify all the relevant risks for a company. In risk quantification the author explains how to measure objective and subjective risks (and correctly suggests that even the most objective risks need a subjective assessment). It continues by estimating a probability-adjusted firm value (but it offers no explanation of how this value should be calculated). In the risk decision-making section, the book explains the interaction between risk appetite and risk exposure, through the strategic planning. There is no discussion on risk messaging at this point. The chapter ends with a discussion on how the ERM process can overcome its “three core challenges”: (1) inability to quantify strategic and operational risks, (2) unclear definition of risk appetite, and (3) lack of integration of ERM in the decision-making process.

Chapter 4 is devoted to the study of risk identification. The book uses three steps for this. The first one, risk categorization and definition, sorts risks into three categories: strategic, operational and financial. After that, the book provides several other sub-categorizations and divisions and presents a definition for each risk. The second step, qualitative risk assessment, is described by its purpose (prioritize the risks and narrow down the list), process (soliciting input from internal personnel for key risks) and product (there are three: a key risks list, a tool to monitor changes in the importance of risks, and advancement in the organization’s risk culture). The third step, emerging risk identification, consists of two components: (1) monitoring known risks and (2) environmental scanning for unknown risks. The chapter ends with a discussion on killer risks.

Chapter 5 discusses risk quantification. The steps suggested in the book are: (i) calculate baseline value, (ii) quantify individual risk exposures, and (iii) quantify enterprise exposure. The first part is just an explanation of corporate valuation, since the author suggests that every firm needs to know its intrinsic value (with which I agree). In the second step, i.e. quantification of individual exposures, the author discusses how to value the exposure to individual risks, and offers a discussion regarding the benefits of stochastic and deterministic scenarios, strongly backing the latter because, in his opinion, they offer more space for judgment (I do not agree with the author on this point). In order to mix both steps, the author suggests including the risk scenarios into the value estimation step by step, i.e., one at a time.

Chapter 6 is devoted to the discussion of risk decision-making. This is discussed through the (i) definition of risk appetite and risk limits, and (ii) integration of ERM into the decision-making process. The main point in this chapter is the aim for a process that ensures that the company is able to improve its decision-making process, and ultimately its value, by applying ERM to its decisions.

Chapter 7, called risk messaging, is about communication. This topic is divided into internal risk messaging and external risk messaging. In the internal communication, the focus is put on the interaction between ERM and performance evaluation and between ERM and incentive compensation. Regarding the external communication, the book stresses the importance of communication with different stakeholders, namely: shareholders, stock analysts, rating agencies, and regulators.

Chapter 8 discusses risk governance.  There is a focus on the roles and responsibilities, the organizational structure and policies and procedures that some readers might find useful.  The chapter brings some insights on the role of the board of directors, the internal audit, discusses the position of the CRO, the ERM committee, etc.

Chapter 9 is a study of the 2007 global financial crisis. It discusses the causes of the crisis and evaluates the banks’ ERM programs in the light of the 10 key ERM criteria discussed in Chapters 2 and 3.

Chapter 10 discusses ERM for non-corporate entities, describing the ways the model presented in Chapters 1-9 has to be modified in order to accommodate each different non-corporate entity.

 

Some additional general comments on the book

→ What I do like.

This book treats risk in a holistic manner, including most of the important risk factors into the discussion, and extensively discussing non-financial risks.  Additionally, it considers upside and downside effects for the risks.  I also like the fact that the author states that even objective and measurable risks should be assessed in some subjective manner.

→ What I do not like.

One of the things I do not like about this book is that it focuses exclusively on value, instead of considering other important places in which risks have an impact (i.e. outputs), such as cash flows, morale of people, competitiveness, reputation (by the way, I do not really buy the reputational risk story told by many authors; risk affects reputation, it is not a risk factor. This book has the same view as mine, stated on page 123, but it does not really stress it, I suspect because it does not fit into the framework outlined by the author, since its only output is value, and therefore tells a story in which reputation might not affect value that much after all) etc.

I do not like the idea of using a deterministic approach for measuring risks. I do not agree with the reasons why the author suggests that this is better; good stochastic planning can satisfy all the potential problems the author poses in order to justify his deterministic approach.

The book does not discuss risk factors, so the reader has no clue on interest rates, FX, strategic risks, political risk, human resources risks, etc. Understanding the determinants of risk is one of the single most important issues in risk management; this point is not mentioned in this book.

There is no discussion regarding hedging. In my view, you cannot discuss risk management without a thoughtful discussion on hedging.  The role of operational hedging, insurance and derivatives is crucial in any risk management design and implementation.

The book is extremely boring because it has a step-by-step implementation full of lists and recipes (every recipe or instruction manual is boring, almost by definition…), instead of a discussion of ideas, so I found it boring and not provoking.