Enterprise Risk Management (ERM) market are largely driven by the Finance & Banking (F&B) sector’s interpretation of what ERM means. Classical ERM takes traditional risk methodology in the areas of Credit, Market and Operational risk management and extended that out to other areas of their businesses and called that ERM. In actuality the F&B institution’s methodology for managing risk is applying too much emphasis on backward-looking analysis of loss, as opposed to a more forward-looking speculation about potential loss (or risk) in future. Also, historical analysis of actual loss is of course a significant indicator of further loss in future, but only where defined losses are to be expected, such as in the areas of insurance or the provision of credit, or speculation into markets etc.
But, this approach doesn’t provide a sound analytical basis for those less frequent and possibly more drastic events, or those events where historical loss data doesn’t exist, which applies to the general operations of most businesses today. Consequently, for F&B, risk management translates into very much a science except for areas of risk outside the realms of credit, market and banking operations, and without the benefit of hindsight and a loss history, where it is tends to be very much an art.
Accepted Definitions of Risk
There different risk definitions also given in different perspectives. Wikipedia provides a universal definition and by its very nature takes a broad view, not specifically in the context of business, and states simply that “risk is a concept that denoted the precise probability of specific eventualities,” or that risk can be defined as “the threat or probability that an action or event, will adversely or beneficially affect an organization’s ability to achieve its objectives.” Hence, there is a recognition by Wikipedia that speculation of loss has to be tied to a desire to achieve stated objectives; translating to realizing opportunities.
By another measure, Corporate Integrity, a leading Global advisory on Governance, Risk and Compliance provides a different definition of Risk as “the effect of uncertainty on business objectives,” which also focuses on what a company is endeavoring to achieve through the realization of its opportunities.
The inherent imperative is that the word ENTERPRISE can be interchanged with OPPORTUNITY given that businesses are in business to profit from opportunities, and that the definitions of risk given above relate its management to the achievement of those objectives, it would seem that this has to be the basis of risk analysis. And therefore, provide us with the acronym ORM instead of ERM for the management of business risks, which unfortunately is already generally accepted as meaning Operational Risk Management, a term well understood and accepted in the F&B world because it is a component part of the Basel II Capital Accord.
Given that F&B understands Operational Risk Management in Basel II terms and by extending it across the enterprise and assuming or ascribing it to be Enterprise Risk Management, but, as stated previously the methodology used is driven by the analysis of losses, not the analysis of risks to the achievement of objectives, goals or opportunities.
In the context of today’s risk in the enterprise which has been made more vexing and complex, it is both correct and opportunistic that loss analysis is an excellent way of predicting likely loss in future especially if only an extensive loss history exists. This is the key point. In most businesses, the loss history does not exist or is very limited, and even in the F&B industry it is limited to the scope of Basel II, which does not cover business risks such as supply-chain, internal operations such as HR or reputational risks and many other risk areas.
Putting it together, while it is recognized that extensive loss history can add the science to the art of risk management across the enterprise, the fact is that an extensive history of losses does not exist for most businesses, so the only viable approach is to start with understanding a business’s strategy, its objectives, its opportunities, and to try to quantify what will prevent the company to achieving those, i.e. accurately determining what are the risks and obstacles from realizing of opportunities.