Ten Predictions for Risk Management
An Excerpt from Enterprise Risk Management -- From Incentives
to Controls, by James Lam, President of James Lam & Associates
The future for risk management is bright. Regulators and
managers are recognizing the importance of risk management
as a way to minimize losses and improve business performance.
Risk professionals are moving up in the business world, both
in terms of organizational level and compensation. Advances
in risk methodologies and technologies are introducing a vast
array of new tools for measuring and managing enterprise-wide
risks, at a higher speed and lower cost than anyone could
have imagined just a few years ago. While there are many remaining
challenges, one cannot help but think that the best is yet
to come for the risk management profession. Against this backdrop
I will look into my crystal ball and make 10 predictions of
how risk management will change over the next decade.
1. ERM will become the industry standard for risk management.
ERM will continue to gain acceptance as the best way to ensure
that a firm’s internal and external resources work efficiently
and effectively in optimizing its risk/return profile. New
financial disasters will continue to highlight the pitfalls
of the traditional “silo” approach to risk management.
External stakeholders will continue to hold the board of directors
and senior management responsible for risk oversight and demand
an increasing level of risk transparency. More importantly,
leaders in ERM will continue to produce more consistent business
results over various economic cycles and weather market stresses
better than their competitors. Their successes will gain attention
and other companies will follow. These trends, coupled with
a stock market that is increasingly unforgiving of negative
earnings surprises, will compel businesses in all industries
to adopt a much more integrated approach to measuring and
managing enterprise-wide risks.
2. A CRO will become prevalent in risk-intensive businesses:
The rise of the CRO goes hand-in-hand with the trend towards
enterprise risk management. Risk management is a key driver
of success for financial institutions, energy firms, asset
management firms and non-financial corporations with significant
risk exposures. Many market leaders in these industries have
already created the position of a CRO. Others will follow
suit. Companies without a CRO are faced with three perplexing
questions: First, are we comfortable with diffused risk responsibilities,
and if not, who is the de facto CRO—the CEO or CFO?
Second, are their necessarily part-time efforts sufficient
in managing risk in an increasingly volatile business environment?
Finally, will the company be able to attract and retain high
caliber risk professionals if a CRO career track is not available
to them? For an increasing number of companies, the logical
resolution of these questions will be the appointment of a
CRO and the dedication of resources to implement an ERM program.
3. Audit committees will evolve into risk committees. As
boards of directors recognize that they have responsibilities
to ensure that appropriate risk management resources are in
place, they will replace or supplement their audit committees
with risk committees. A number of leading institutions have
already established risk committees of the board. The board’s
responsibilities for risk management have been clearly established
in the Sarbanes-Oxley Act, as well as corporate governance
initiatives such as the Dey, Turnbull, and Treadway Commission
Reports. The result of these and other similar initiatives
is that board directors have begun to realize that their responsibilities
go beyond traditional audit activities, and that they need
to ensure resources and controls are in place for all types
of risk. Regardless of their names, the audit committees of the
future will have enterprise-wide risk management scope.
4. Economic capital will be in; VaR will be out: Managers
and external stakeholders will demand a standardized unit
of risk measurement, or common currency, for all types of
risk. This way, they can spot trends in a company’s
risk profile, as well as compare the risk/return performance
of one company against others. To date, VaR has gained wide
acceptance as a standardized measure for market risk. However,
VaR has three major flaws. First, it does not capture “tail
risks” due to highly infrequent, but potentially devastating,
events. Second, its inability to capture tail risks makes
VaR a poor measure for credit and operational risks (or even
market risk positions with significant optionality). Third,
VaR measures the risk, not the return, of any risk position.
Yet financial models that have passed the test of time, such
as CAPM or the Black-Scholes option pricing model, evaluate
both risk and return. The concept of economic capital is intuitively
appealing because one of the main reasons companies hold capital
is to absorb potential losses from all types of risk. Risk-adjusted
return on capital extends the concept and measures business
profitability on a risk-adjusted basis. The Basel Committee
has already adopted economic capital as the framework for
international regulatory capital requirements in the banking
industry. Other industries will follow and adopt it as a common
currency for risk.
5. Risk transfer will be executed at the enterprise level:
The integration of risk transfer activities has already happened
as far as hedging and insurance strategies are concerned.
For example, companies that hedge with derivatives realize
they can save on hedging costs if they execute portfolio hedges
rather than individual securities hedges. Companies that bundle
their insurance coverage through multi-risk multi-year policies
are also realizing significant savings on insurance premiums.
Alternative risk transfer (ART) goes one step further in combining
capital markets and insurance techniques. The rise of ERM
and ART products will mean that risk transfer strategies are
increasingly formulated and executed at the enterprise level.
In the past, companies made risk transfer decisions to control
specific risks within a defined range, without being particularly
thoughtful about the cost of risk transfer unless it was prohibitively
high. In the future, companies will make risk transfer decisions
based on an explicit comparison between the cost of risk retention
versus the cost of risk transfer and execute only those transactions
that increase shareholder value.
6. Advanced technology will have a profound impact on risk
management: The Internet (and Intranet) will have a significant
impact on risk management and how information, analytics and
risk transfer products are distributed. Beyond the Internet,
the increase in computing speed and decline in data storage
costs will provide much more powerful risk management systems.
Mid-sized companies will have access to sophisticated risk
models that were once the privilege of large organizations.
Even individual investors will be able to apply advanced risk/return
measurement tools in managing their investment portfolios.
Just as market risk measurement at large trading organizations
is being conducted increasingly frequently, the time interval
for enterprise-wide risk measurement and reporting will move
from monthly to weekly to daily, and perhaps ultimately to
real-time. Moreover, the development of wireless and handheld
communication devices will enable the instantaneous escalation
of critical risk events, and allow risk managers to respond
immediately to emerging problems or new opportunities.
7. A measurement standard will emerge for operational risk:
Today, there is considerable debate not only about the quantification
of operational risk, but also how to best define it. Approaches
to assessing operational risk range from qualitative assessment
of probability and severity based on management judgment,
to quantitative estimates of potential loss based on industry
and company loss histories. The lack of consistent operational
loss data, partially as a function of the infrequency of major
operational risk events, has led to the development of analytical
models such as extreme value theory to come up with loss estimates.
Other models borrow from total quality management techniques
or dynamic simulations to quantify operational risk. More
recently, there has been some support, and some encouraging
results, from early experimentation with neural networks to
recognize patterns in operational risk. As the practice of
operational risk management gains acceptance, and as data
resources become more available as a result of company and
industry initiatives, a measurement standard will emerge for
operational risk. However, the greatest challenge for operational
risk will remain one of management, not measurement.
8. Mark-to-market accounting will be the basis of financial
reporting: Over time, the risk management profession has recognized
the importance of mark-to-market accounting versus accrual
accounting in reporting the financial condition of a company.
While accrual accounting is adequate in reporting the value
of physical assets, it can provide the wrong signals in reporting
financial and other intangible assets. The use of mark-to-market
accounting is widely accepted in the market risk field, and
is gaining acceptance in credit risk management, where credit-based
assets are marked to market given their probability of default
(e.g., credit ratings or credit spreads). Given the cry for
greater risk transparency from shareholders and regulators,
it is likely that variability (i.e. risk sensitivity) will
be much more integrated into financial reporting in future,
including the full use of mark-to-market accounting for all
financial assets.
9. Risk education will be a part of corporate training and
college finance programs: As companies recognize the need
to train and develop their risk management staff, corporate
training programs will increasingly feature risk management.
These training programs will likely be a combination of internal
and external resources, and include internal workshops, external
conferences, and Internet-based training tools. Given the
rising corporate demand for skilled risk professionals, professional
organizations and colleges will continue to integrate risk
management into their course offerings. Professional certification
and college degree programs will gain popularity and acceptance.
Similar to the development of the CFA certification in finance
and investments over the past decade, a widely accepted professional
certification in risk management will emerge in the next decade.
Colleges will expand their course offerings beyond derivative
products and credit analysis, and offer courses in ERM, risk
management applications in various industries, and integrated
risk transfer.
10. The salary gap among risk professionals will continue
to widen. The trend towards ERM and the appointment of CROs
has created an exciting career path, and attractive compensation
opportunities, for risk professionals. However, this new career
opportunity will only be available to risk professionals that
continue to develop new skills and gain new experiences, while
the others will be left behind. The salary gap that has developed
over the past several years will continue to widen in the
next 10 years. On the one hand, the compensation for risk
professionals with cross-functional skills will increase faster
than other professions due to rising demand for their services.
On the other hand, risk professionals who have narrow skills or
serve limited intermediary roles will not enjoy above-average
raises, and may in fact see their job security decline as
their jobs become less relevant in the new world of risk management.