Is your organisation risk-intelligent? That is the question Indian companies are increasingly asking themselves.
Faced with newer types of risk profiles across their enterprise the concept of the chief risk officer -- or the CRO -- may soon mark its presence in India.
Whilst the concept of enterprise risk management has been around since the early 1990s, the spectacular collapse of mega corporates like Enron and Arthur Andersen in the recent past has brought risk management into focus like never before.
In India too, with the banking sector slated to embrace Basel II norms, it is very likely that a holistic approach to risk management will soon be teed off in the financial institutions in the country.
Basel II is a set of binding rules set by central bankers from around the world, under the auspices of the International Bank of Settlements in Basel, Switzerland, and is aimed at producing uniformity in the way banks and banking regulators approach risk management across national borders.
So while risk management, as a practice, is enforced across business divisions today, there is no one who is holistically looking at it.
For example, the IT infrastructure in a bank may be taken care of by the IT department that will not only monitor usage but also restrict access from within. At the same time the credit risk portfolio will be handled by the individual business division, while the investment risk would be handled by yet another division.
Points out Deb Ghosh, chief architect at the $417-million, Nasdaq-listed TIBCO, an enabler of real-time business and one of the world's largest independent business integration software companies: "Today enterprise-wide risks are dispersed in silos. While each business division head may be looking at risk associated with their business there is no enterprise-wide risk assessment."
According to Ghosh, whose company competes with the likes of International Business Machines and BEA Systems, historically operational risk across an enterprise has been managed in an ad-hoc manner, with different departments implementing different policies and procedures.
To compound the maze, factors related to risk have been managed with auditing procedures, wherein potential or future risk factors are almost always not identified, leaving no scope for it to be averted -- a perfect recipe for a disaster to happen.
Indian IT industry watchers point out that organisations have so far been able to do with the position of chief security officers (CSOs) who handle risk factors but these are only IT-related. The CSO in a bank will neither be able to comprehend nor understand the way credit risk is assigned or measured.
Enter the CRO.
The CRO oversees the enterprise risk management process of managing financial and non-financial risk for the entire company. There are four main categories of risks: strategic, financial, operational, and compliance and the CRO can comprehend, evaluate, avert the risks which would mean that the person concerned needs to have a multi-functional domain expertise.
According to estimates put out by analysts at Forrester Research, close to 75 per cent of the largest companies in the world will create a position of a chief risk officer by 2007.
Future CROs though have one man to thank -- James Lam, an independent consultant and president of James Lam & Associates, was once vice chairman of New York-based risk management consultancy ERisk.
Lam defined and developed the CRO role when GE Capital hired him in 1993 to set up a new capital markets business. Later, he joined Fidelity Investments in the same capacity.
The position of a CRO has come about partly because of the pressure regulators and shareholders have put on companies to properly divulge the business risk. CROs in a financial institution will have to integrate credit risk, market risk, operational risk, economic capital and risk transfer.
At the end of the day whether the concept of enterprise risk management works or not will largely depend on how the business process is managed in an enterprise. And according to TIBCO's Ghosh, business process management would probably be the first step to managing risk holistically also.
"A good business process management system will orchestrate information from one process system to another and make it seamless and intelligent." And TIBCO is eyeing India's BFSI (banking, financial services and insurance), telecom and discrete manufacturing sectors to offer such solutions.
No surprise then that more than 40 per cent of the CROs are found in the insurance/banking/financial services sector and 50 per cent are found in energy or utilities companies, which are the most risk prone businesses.
In the Indian context some recent judicial decisions may end up forcing companies look at creating CRO positions. The Supreme Court has only days back taken away the immunity of the companies to be prosecuted in financial irregularities.
The apex court has ruled that corporate bodies can always be prosecuted in financial irregularity cases and courts can impose fine on them.
A five-judge constitution Bench headed by Justice N Santosh Hegde gave the ruling while setting aside an earlier ruling of the court that companies cannot be prosecuted in economic offences as they were not a natural person and could not be imprisoned if found guilty.
Why adopt ERM
There are multiple forces that mandate the adoption of ERM.
- Corporate Governance and Internal Controls -- made famous (or infamous depending on how you look at it) by Sarbanes Oxley Act;
Basel II Accord.
Part of the larger initiative of 'outside-in' approach to total customer process platform
The risk in the business is passed on to the business -- directly (customer business continuity may be adversely affected) or indirectly (reputational risk).
Innovation in products/services
- Particularly modern exotic products are often cuts across traditional lines making integrated risk treatment mandatory.
Benefits of ERM
Whatever the case that has made you think about ERM, keep in mind that it's not the slap on the wrist by a big brother.
Prudent risk management is just plan simple 'better business.' Period.
Today 15 per cent of financial companies measure the integrated effects of risks across the entire organisation. In three years this proportion is expected to rise to 43 per cent.
A couple of servers
"Ninety per cent of companies with an ERM program report that they are "very confident" in managing their risks, compared with only 45 per cent of those without such a programme." -- Tillinghurst Survey
Eighty-four per cent of the companies in a recent Oliver Wyman survey believe that ERM has the potential to improve their price/earnings ratio and cost of capital.
Strategic benefits of ERM
1. Enhancing shareholder and policyholder value through:
Systematic assessment of all relevant types of risk, using qualitative and quantitative methods;
Improving capital efficiency and costs savings through more effective management of internal resources and capital;
Providing an objective basis for allocating resources;
Reducing expenditures on immaterial risks;
Exploiting natural hedges and portfolio effects;
Protection against earnings-related surprises; and
The selection of financial and operational strategies for maximising the optimal balance of value to both policyholders and shareholders.
2. Transactional benefits of ERM
- Risk-based pricing;
- Pricing (particular pricing services) is a hot topic amongst Indian bankers. Risk adjusted pricing models can greatly benefit the business model of banks;
- Customer profitability and portfolio management;
- Reduce insurance premiums; and
Reduce unprofitable dealings with clients.
3. Other benefits of ERM
Supporting informed decision-making;
Uncovering areas of high-potential adverse impact on drivers of share value;
Identifying and exploiting areas of 'risk-based advantage';
Ability to aggregate business unit risks across an enterprise enabling better understanding of risk across functions and business units;
Building investor confidence;
Establishing a process to stabilise results by protecting them from disturbances; and
- Demonstrating proactive risk stewardship.