In this approach, line management owns all risks and a slim central risk department provides light-touch support and coordination as needed. The central risk department sees itself mainly in a process-coordination role, but it typically lacks the resources and insights to challenge businesses on their risk-management and control practices. In one case, a central risk-management department of fewer than 20 full-time employees was accompanied by a broad risk-champion network composed of several hundred people who spent between 10 and 20 percent of their time on risk topics, collectively representing about 50 to 60 additional full-time positions.

Many of the corporates that follow a decentralized approach conduct regular surveys (for example, quarterly) and brief polls of the risk-champion network to ensure that business departments think through and identify the most important existing and emerging risks. A strong risk culture is a key ingredient of this approach, since the departments themselves are held responsible for risks that strike.

Here, the risk function closely controls and owns most of the risks, an arrangement that is often used for foreign-exchange (FX) and commodity-risk hedging, while the remaining risks are overseen by line managers, with double-checking or even close supervision provided by the central risk function.

Risk-related models typically reside in the central risk group and are rolled out and updated consistently throughout the company. The risk function challenges the assumptions made by businesses and enters into detailed discussions with them. As a result, the central risk department often also assigns responsibilities for individual risks and business departments to its dedicated employees. Both decentralized and centralized designs for the risk function have their merits.

Each is suited to managing different kinds of risk. A decentralized approach allows greater variety and flexibility in risk-management practices; business departments can tailor models and processes to their specific needs. Operational and technical risks, which rely for their management on expert knowledge that resides in the individual businesses, are usually best managed by a decentralized approach, with supporting tools and best practices supplied by the central department. Another advantage of the decentralized approach is the close integration of the risk function with the business through the risk-champion network, which ensures a seamless flow of communication on risk-related topics.

The central group is frequently updated on topics emerging throughout the company, and embedding risk champions in business departments ensures that risk is an integral part of the decisions made there. A centralized risk function, on the other hand, ensures a consistent approach and is often used for comparable risks throughout the organization; similar risks are treated with the same tools and processes.

For these reasons, market and credit risk, which are usually quite similar across the enterprise, will typically benefit from a centralized approach. Such an approach increases the efficiency and effectiveness of risk management because it allows for the sharing and refinement of good practices throughout the organization.

To select the right approach, corporates first need to identify the risks inherent in their business model and then decide on the trade-offs between centralization and decentralization of their setup for each risk type. They might consider questions such as the following: Who is responsible for managing and controlling each risk type?

In the future, who should be responsible for the risks, and which processes and policies need to be updated or written anew? How should we deal with the shortcomings of the chosen approach (for example, how can we ensure sound and consistent models using a decentralized approach, and how can we strengthen risk culture in a centralized approach)? Our survey revealed that the two industries we studied show different degrees of centralization across different risk types.

Generally speaking, corporates in AI follow a decentralized approach, whereas energy companies are much more centralized. This can be explained by reminding ourselves of the core risks laid out earlier. The quality risks in the AI industry can hardly be managed centrally; they must be taken care of by the line functions themselves (for example, on the production lines).

On the other hand, the core risks in the energy industry respond well to centralized management: interaction with regulators and politicians is best dealt with by the regulatory-management group (which often reports directly to the CEO) in close cooperation with the management board. Within that broad pattern, however, if we look at three main types of risk, the picture becomes more nuanced (Exhibit 3).

Note that in this exhibit, we split the energy sector into two segments: first, energy, petroleum, and natural gas (typically the incumbents that provide or are mostly concerned with electricity generation and the distribution of energy), and second, oil and gas (in particular, the oil majors).

For market risk (that is, commodity, credit, and FX risks), we see different approaches.

Consider commodity risk. In the energy industry, commodity-risk management is typically centralized within the trading group, which receives input from risk managers in the trading units. In advanced industries, however, commodity risks often reside with the business departments. For instance, we have seen a global AI corporation that had no central understanding of its exposure to changes in the price of steel.

The reason was that product lines and plants typically signed their own contracts with suppliers, and these were not gathered in a central database—and so it was impossible for this company to hedge its steel-price exposure with any accuracy. For credit risk, the approach used by companies in both industries is inconsistent, both between and within firms. Credit models are not the same in all parts of the organization; some sales teams, for example, do not explicitly consider counterparty risk. For currency risk, most players in both industries have a central treasury that is responsible for controlling and managing FX risk for the whole organization.

Across industries, operational and technical risk is typically controlled and managed within businesses. This seems a rather natural setup given the diversity of operational risks and the expert knowledge needed to deal with them. However, some companies we observed are now striving to centralize their management of operational risk. This is no doubt due to recent major operational-risk events such as the Macondo oil spill in the Gulf of Mexico that appear to have resulted, at least in part, from slack execution of on-site procedures and inadequate risk control by contractors.

A more rigorous centralization of operational-risk management will allow companies to identify and define standards of good practice and roll them out throughout the enterprise—and beyond, to contractors. Management of political and regulatory risks is typically handled in all industries by a specialized department that operates in close contact with the management board and other departments (such as the businesses, to understand their needs) and by the compliance function.

Across our survey sample, we noticed that advanced industries in general fared better than the energy industry in most parts of the risk framework shown in Exhibit 2.

This is particularly evident in two elements: risk insight and transparency, and risk organization and governance, especially with regard to collaboration between risk and other functions (Exhibit 4). Still, companies in both industries could further improve risk management in selected dimensions. We have compiled some suggestions for AI, energy, and both kinds of companies that can add value for most players.

Most AI companies use fairly sophisticated models in departments such as logistics and supply-chain management and in managing specific technical risks. In contrast, their risk-management departments often rely on relatively simple models to assess the impact of individual risks. The industry could benefit from a more quantitative approach to assessing the exposures that reside in different parts of the organization. In particular, companies should consider a more robust application of the risk-book approach (that is, the rigorous mapping and aggregation of long and short positions in order to understand net exposure) to improve transparency into core commodity exposures such as steel, aluminum, and energy, as well as a more rigorous application of forward price models and Monte Carlo simulations to quantify risks.

Company-wide hedging strategies can then accurately limit and mitigate these risks. However, we would not suggest centralizing specialized models in the risk-management department, because this would detach these models from experts in the line functions. In general, the risk-management department in AI companies could often take more of a leading role in harmonizing risk assumptions and approaches throughout the enterprise—for example, in defining limits, developing scenarios, and linking these scenarios to strategic and annual plans.

In other dimensions, the central risk function could move toward a stronger role as a sparring partner for the businesses and other groups. This will require the assignment of dedicated individuals within the central risk-management department to certain risk types; these people must then develop stronger capabilities. This would allow the risk group to challenge and double-check the identification and assessment of individual risks made by the businesses. Even better, the group can develop recommendations for individual businesses and better support other departments in tracking and controlling mitigation measures.

In the energy industry, we typically see strong transparency on core commodity exposures via risk books and sophisticated models used to define and execute hedging strategies. However, we also observe a bias toward focusing on those risks that are relatively easy to quantify (such as trading-related risks) while treating other risks (such as operational risk) in a comparatively superficial way.

To counteract this bias, energy companies should foster a dedicated network of risk practitioners and ensure common risk-management standards throughout the organization. This would allow the central risk function to stay in the loop on risks emerging throughout the enterprise and foster the involvement of individual departments with risk topics. In turn, this moves companies closer to an integrated view of the various risk types and allows them to make educated trade-offs. For both kinds of companies, a number of moves could help extract more value from ERM.

Five will be most powerful. Risk appetite and limit setting. Many of the companies we spoke to consider the most crucial elements of risk to be risk appetite (that is, the definition of the nature of risks the company wants to take, along with quantitative limits to the amount of those risks it assumes) and risk strategy (that is, the implications of risk appetite on corporate strategy). However, they often struggle with implementation. Companies sometimes fail to develop limits for each relevant risk type; in other cases, the chosen risks can seem to users to have been pulled out of thin air, with no consistency among them.

An integrated view is necessary because risks are often strongly interdependent. In the first case, the corporate bears the full counterparty credit risk; if the counterparty defaults, the company may never receive any payment due under the derivative contract. In the second case, the company suffers no counterparty credit risk (its counterparty is the clearinghouse, which protects itself through margin agreements with its members) but instead faces liquidity risk; the company will need to post collateral with the clearinghouse if the derivative moves against it. In both cases, the size of the exposure is driven by market risk, since market prices determine whether and by how much the derivative is in the money.

In order to bring the concepts of risk appetite and risk strategy to life, companies must first define measurable key performance indicators (KPIs) for all essential risks. Naturally, these will differ by risk type. What kind of gap in the liquidity profile makes a severe event for liquidity risk?

Which price fluctuations would do the same for market risk? After having agreed on the KPIs and their thresholds, the company needs to decide where it is the natural owner of particular risks. A natural owner of a risk can achieve competitive advantages from taking it on and can generate attractive returns from it. The company should keep such risks, but it must also decide how to deal with those risks of which it is not the natural owner. Should it pass them on?

Avoid them? Insure against them? Additionally, the company should decide how much of each risk it can bear. These decisions ultimately need to be made by the board since they are intrinsically linked to corporate strategy. However, we often see boards struggle in the absence of a framework for meaningful discussions of their risk appetite. A matrix such as the one shown in Exhibit 5 can be a useful tool to facilitate the discussion by allowing board members to prioritize which risks to take and to decide in which parts of the company to take them.

Quality assurance for the risk appetite and strategy is essential. Companies can periodically challenge these documents and compare them with the risks that competitors take when this information is available. Moreover, they can detect breaches of the risk appetite and trigger predesigned contingency and escalation measures, thus making the risk appetite and strategy a meaningful tool for steering the company. Stress testing. Most companies that participated in our survey make sure that they not only calculate the expected trajectory of their strategic plan but also consider upside and downside scenarios related to it.

However, for many, the calculation of downside scenarios—that is, the stress testing of the business plan—does not have real impact on the decisions that are made. Specifically, we see four main areas where modifications to current stress-testing approaches could increase the relevance of the activity. Stress-testing goals and scenario definition.

Often, corporates are not explicit on the objectives of calculating downside scenarios. In particular, they often are not specific about the probabilities they attach to each scenario. In defining their downside scenarios, corporates should ensure a balanced mix between severe but very improbable events (such as major natural disasters) and more moderate, but more probable, scenarios (such as a further tightening of macroeconomic conditions).

It is worthwhile to include senior management in defining the scenarios early on so that their opinions and insights are taken into account. That also makes it more likely that they will deem the stress-testing results relevant. Technical stress testing and scenario calculation. Often, however, the dynamic that evolves after a shock needs much more thorough modeling. How might supply and demand change, and what are the dynamics until they reach a new equilibrium? How would the company and its competitors react to shocks? What might the midterm effects be on the sector? Treasury officials stated they integrated ERM into their quarterly performance or data-driven reviews and strategic reviews, both of which already existed.

Officials stated this action has helped elevate and focus risk discussions. Customizing ERM helps agency leaders regularly consider risk and select the most appropriate risk response that fits the particular structure and culture of an agency. Agencies can implement this best practice by designing an ERM program that allows for customized agency fit, developing a consistent, routinized ERM program, and using a maturity model approach to build an ERM program. Examples of agencies that utilize this best practice follow.

To identify and review risks, the TSA Risk taxonomy organizes risks into categories so the agency can consistently identify, assess, measure, and monitor risks across the organization, as discussed in the TSA Policy Manual. Conducting the ERM review cycle on a regular basis and monitoring the selected risk response with performance indicators allows the agency to track results and impact on the mission, and whether the risk response is successful or requires additional actions.

Agencies that implement this best practice can do so by tracking and monitoring current and emerging risks. An example of a selected agency that does this is the Department of Housing and Urban Development (HUD), which uses risk dashboards to monitor risks. The dashboard provides a snapshot view for the current period, analysis of mitigation action to date, and trends for the projected risk.

It tracks the highest-level risks to PIH as determined by the Risk Committee, along with the corresponding mitigation plans. Sharing risk information and incorporating feedback from internal and external stakeholders can help organizations identify and better manage risks, as well as increase transparency and accountability to Congress and taxpayers.

Selected agencies can implement this best practice by incorporating feedback on risks from internal and external stakeholders to better manage risks, and by sharing risk information across the enterprise.

Monitor Risks - After implementing the risk response, agencies must monitor the risk to help ensure that the entire risk-management process remains current and relevant. Communicate and Report on Risks - Communicating and reporting risk information informs agency stakeholders about the status of identified risks and their associated treatments, and assures them that agency leaders are managing risk effectively.

Examples of agencies that implement this best practice follow. These two agencies have a signed agreement of understanding to share ownership for risk that details the responsibilities for delivering the satellite and overall cost and schedule performance.