Enterprise risk management has been steadily evolving since James Lam coined the term circa 1993. At first, ERM was hard to define, even by high-level practitioners. At a conference in 1999, after a team of consultants from one of the big accounting firms made a lengthy presentation about the ERM program they had implemented for a Fortune 500 client, someone in the audience suggested they should return their fee because they had not delivered ERM.

Despite the ensuing intellectual brawl between actuaries and accountants, a few characteristics stood out that most of these professionals would associate with ERM. A company had to be über-large before it could absorb the fixed costs and create sufficient risk pools associated with ERM. It needed terabytes of data to analyze. It needed someone to lead the process.

Many firms tried to ignore ERM, hoping it would go away before they got around to it. But after 20 years, it’s clear that ERM is here to stay. In the last few years, it has been forced on certain industries by regulators or rating agencies. Other industries have seen leading institutions pursue ERM in waves as they see their cohorts and competitors improving strategic outcomes.

The definition of ERM has also solidified, though a number of ERM approaches compete for legitimacy. I like the wording of the Casualty Actuarial Society’s definition, with my emphasis added: “ERM is the discipline by which an organization in any industry assesses, controls, exploits, finances, and monitors risks from all sources for the purpose of increasing the organization’s short- and long-term value to its stakeholders.”

Three defining aspects of ERM that distinguish it from traditional risk management are 1) considering risks from all sources and their interactions; 2) the goal of maximizing firm value rather than minimizing or controlling losses; and 3) a forward-looking approach that is strategic and proactive, rather than reactive. This is in sharp contrast to traditional risk management, in which specific risks are managed by specific, autonomous managers.

Consider three common risks that have the potential to disrupt earnings: price risk, human capital risk and pure risk. Price risk reflects the change in firm value that can result from changes in the price of a firm’s inputs or outputs. It is often managed by a treasurer or CFO using derivative contracts. Human capital risk is manifest in employee turnover, employment practices and employee benefits. It is traditionally managed by a human resources department with due diligence and insurance. Pure risk is the risk of property losses (fire, theft, hurricane) or liability losses. Pure risk is traditionally handled by a risk manager or loss control department, implementing safety programs and buying insurance. None of these managers is aware of the risk management steps being taken by the other.

In the same way that a financial portfolio expects to balance out winners and losers, it is likely that losses from these three sources of risk will not be correlated. If a firm has more liability losses than usual but fewer turnover costs than expected, the end result is the expected outcome, without buying insurance.

An early example of ERM was the case of United Grain Growers, a large Canadian farm services provider. In 1999, UGG realized that, despite hedging commodity and currency price risks and purchasing insurance for property and liability exposures, earnings were still volatile. Management implemented an ERM planning process and ultimately determined that the only material risk was the volume of grain produced by its customers. Managers then had to decide whether to retain the risk or shift it to another party using weather derivatives or a new type of insurance contract that only covered reduction in the volume of grain produced.

For some businesses in Arkansas, ERM is already in effect or underway. For others, the possible benefits of ERM do not outweigh the fixed costs of implementation. Nonetheless, ERM offers something for everyone. Just the process of evaluating ERM strategies can help managers understand risks even if they choose not to implement a strategy.

Any firm can begin collecting and analyzing data — internal data as well as data from public and commercial sources. I have never seen a firm of any size that could not benefit from deliberate consideration of its risks and opportunities in context of firm value.

Featured Publications