ERM Theory and Practice
Stephen P. D’Arcy
University of Illinois
Concurrent Session ERM 2
CAS Spring Meeting
May 2006
Current Situation
• ERM Theory
• ERM Practice
ERM Theory
• ERM considers all risks an organization can or does face holistically
• Organizations have a well defined risk appetite
• All participants have a common language for, and understanding of, risk
• Risk is fully quantified
• Risk management is applied consistently within the organization
• ERM adds value to the organization
ERM Theory – Risk Aggregation
Aggregate Risk Management
Hazard Risk
- Hurricanes
- Lawsuits
- Injuries
Financial Risk
- Credit Risk
- Market Risk
- Interest Rates
Operational Risk
- Internal Fraud
- Recalls
Strategic Risk
- Regulation
- Reputation
- Competition
ERM Theory – Risk Appetite
• Limits for adverse event
– Severity
– Frequency
• Same values used for all risks
• Examples
– 99.97% chance of remaining solvent
– 95% chance of retaining AA rating or higher
– 0.1% chance of losses exceeding $1 billion
– Need 25% return (or $250 million) to increase 0.1% loss probability from $1 billion to $1.1 billion
ERM Theory – Common Language
ERM Theory – Quantification
• Firm has a set aggregate risk tolerance
• Entire distribution of outcomes is known
• Correlations between risk factors specified
– Constant
– Tail
• Need for a CAPM approach to risk
– 250 risk factors → 31,125 correlations
– Covariance with market risk → 250 correlations
Effect of Correlation
[Figure: four probability density plots, each with $ Outcome on the horizontal axis and Probability on the vertical axis. Panels: f(x); f(y); f(x+y), corr=0.5; f(x+y), corr=1.]
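The correlation count on the Quantification slide and the widening of f(x+y) in the figure can be reproduced with a short calculation. This is an added example, not part of the original presentation; the one-factor model with independent residuals, the function names and the sample standard deviations are assumptions.

```python
import math

def pairwise_count(n):
    """Distinct pairwise correlations among n risk factors: n(n-1)/2."""
    return n * (n - 1) // 2

def single_factor_corr(betas, market_var, idio_vars):
    """Full correlation matrix implied by r_i = beta_i * m + e_i.

    Assumption: residuals e_i are independent of m and of each other, so
    n loadings on the market factor determine every pairwise correlation.
    """
    n = len(betas)
    var = [b * b * market_var + v for b, v in zip(betas, idio_vars)]
    corr = [[1.0] * n for _ in range(n)]
    for i in range(n):
        for j in range(i + 1, n):
            cov = betas[i] * betas[j] * market_var
            corr[i][j] = corr[j][i] = cov / math.sqrt(var[i] * var[j])
    return corr

def aggregate_sd(sds, corr):
    """Standard deviation of the sum of risks, given each risk's standard
    deviation and the correlation matrix between them."""
    n = len(sds)
    total = sum(sds[i] * sds[j] * corr[i][j]
                for i in range(n) for j in range(n))
    return math.sqrt(total)

if __name__ == "__main__":
    # Pairwise approach versus one loading per factor.
    print("pairwise correlations for 250 factors:", pairwise_count(250))
    print("market loadings for 250 factors:", 250)

    # Two risks with constructed standard deviations of 20 each:
    # the aggregate spread grows as the correlation rises.
    for rho in (0.0, 0.5, 1.0):
        sd = aggregate_sd([20.0, 20.0], [[1.0, rho], [rho, 1.0]])
        print(f"corr={rho}: sd of x+y = {sd:.2f}")

    # Three constructed loadings are enough to fill a 3x3 matrix.
    for row in single_factor_corr([0.5, 1.0, 1.5], 1.0, [1.0, 1.0, 1.0]):
        print([round(c, 3) for c in row])
```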
ERM Theory – Consistent Application
• Concentration of homeowners policies accepted up to the point where the overall risk to the firm reaches the risk tolerance level
• Reinsurance retention selected based on risk tolerance level
• Investment portfolio asset allocation determined based on risk tolerance level
• Chance of IT system failure in line with risk tolerance level
ERM Theory – Value Added
• Policyholders pay risk premium on auto insurance
• Aggregate loss variation of auto insurer
– Directly related to loss frequency
• Oil prices impact driving patterns
– Inversely related to auto loss frequency
• Auto insurer can reduce aggregate risk by assuming oil price risk
• Insurer will be paid to accept oil price risk
• Combining risk adds value to insurer
ERM Practice
• ERM coordinates hazard and financial risk
• Organizations can verbalize risk appetite (remote chance of insolvency) but not quantify it
• Participants have different languages for risk, but might understand some of the other participants’ terminology
• Only hazard and financial risk is quantified
• ERM is used primarily to monitor risk exposure
ERM Practice – Coordination
• Asset-Liability Management (ALM)
– Duration matching
• Combining hazard and financial risk
– WC and foreign exchange risk
– Longevity risk and interest rate risk
ERM Practice – Risk Appetite
• Common level of risk of insolvency: 0.03%
– Based on old study of AA bond defaults
– One year happened to be this level
– Does not reflect chance of downgrade, then defaulting
ERM Practice – Risk Languages
“amministrazione di rischio”
“リスク管理”
“위험 관리”
“διαχείριση Κινδύνου”
“управления при допущении риска”
“gerencia de riesgo”
“风险管理”
“Risikomanagement”
“gestion des risques”
“risk management”
ERM Practice – Risk Languages
• Hazard risk language has developed over last four centuries
– Frequency, severity, retentions
– Probable Maximum Loss (PML)
– Maximum Possible Loss (MPL)
• Financial risk language developed over last four decades
– Duration and convexity
– Derivatives – forwards, futures, options, swaps
– Value-at-Risk (VaR), Tail VaR
• New ERM language being created now
ERM Practice – Quantification
• Hazard risk can be quantified well
– Loss distributions – empirical and theoretical
– Cat risk modeling
• Financial risk is also quantified
– VaR – historical or analytical
– Term structure models
– Option pricing models
– Delta hedging
– Volatility smiles
• Operational risk measurement minimal
– “Still in its infancy” or “Pre-infancy stage”
ERM Practice – Risk Monitoring
• Sarbanes-Oxley Act of 2002
• COSO – checklist of risks
• Basel II – risk treatment
• Rating agencies
– Organizational structure
– Use of models
What’s Needed for ERM to Grow
• Quantify Operational Risk
• Integrate Risk Effectively
• Develop Reliable Risk Metrics
• Communicate Risk to Decision Makers
• Weed out Ineffective Risk Managers
– Positive impact of disasters
– Survival of the fittest