• Segregation of duties
• Access controls
• Authorization
• Preventative/Detective controls

Bert wasn’t suggesting that we neglect the third group of people, but that by getting the basics right we can address a large percentage of certain types of risk.
 
Related to this point, Bert mentioned that there are limits to operational risk management in terms of accurately quantifying and/or predicting risk events.  He suggested that risk management should focus more on the structure (activities) of risk rather than risk measurement.  He believes that with many risk assessment activities risk managers are getting lost in the weeds and missing the key fundamentals of managing risk. Bert believes that we can enhance the value of risk management more by focusing on improving risk identification, risk monitoring and risk management processes as opposed to trying to obsessively quantify risk exposure.
 
 
Bert can be contacted at: bert@ely-co.com; www.ely-co.com

• Segregation of duties
• Access controls
• Authorization
• Preventative/Detective controls

Bert wasn’t suggesting that we neglect the third group of people, but that by getting the basics right we can address a large percentage of certain types of risk.
 
Related to this point, Bert mentioned that there are limits to operational risk management in terms of accurately quantifying and/or predicting risk events.  He suggested that risk management should focus more on the structure (activities) of risk rather than risk measurement.  He believes that with many risk assessment activities risk managers are getting lost in the weeds and missing the key fundamentals of managing risk. Bert believes that we can enhance the value of risk management more by focusing on improving risk identification, risk monitoring and risk management processes as opposed to trying to obsessively quantify risk exposure.
 
 
Bert can be contacted at: bert@ely-co.com; www.ely-co.com

Listen to the podcast to learn more.

The panel after the break consisted of:

• John Walter, SVP for Risk and Capital Analysis for Bank of America 
• Joe Sabatini, MD and Global Head of OpRisk at JPMorgan Chase
• Jay Newberry, MD and Head of OpRisk at Citigroup
• Yousef Valine, Head of Institutional Risk Group and COO, Wachovia

John Walter spoke about some recent work at ORX. External data, of course, is integral to the AMA approach to round out the data because none of the banks have enough internal data otherwise. External data 

1. reduces sampling error
2. introduce minimal bias
3. should be stationary

A bit on ORX: 42 members, 14 countries, 90K loss events worth over Euro 30 billion. Key questions: Is data relevant? Does the data come from the same distribution? How do you cover for regional, size differences? ORX Analytics Working Group tried to address these issues as well as what we can learn from the data.

Walter discussed some of the results of the ORX working group. Regarding testing for homogeneity of the data, simple transformations helped aligned the distributions. He discussed how the loss data could be scaled across the membership.

Some findings:

• Larger banks have greater sales and trading losses but lower external fraud losses
• More extreme losses out of the US (potentially because of the legal regime)
• European banks have greater internal fraud losses

Walter also discussed location and scale shift factors for the data and the modeling approach of the ORX. Not being a quant, I will refer you to the ORX site for additional info on their modeling approach.

The bottom line in that you can control for big population differences in the ORX membership.

Joe Sabatini spoke on the “Art of Scenario Analysis”. Sabatini noted that the original approach for calculating oprisk capital was largely reliant on scenario analysis as there wasn’t a large amount of data available. The benefits included getting the business involved, but the data, of course, was synthetic and the process incredibly labor intensive.

Scenario analysis has evolved into a tool to assess the appropriateness of the capital estimated by the model, which now has six years of internal loss data and is much more reliable. Further, there’s external loss data available as well.

Now, you can use scenario analysis to work with business managers to assess there understanding of the range of events that could occur. Aggregate loss analysis can be used to facilitate a discussion with management. The goal is to ask the question if there should be any adjustments to the capital being calculated.

Newberry spoke about using publicly available external data in the AMA framework. He noted that they aim for useful results for the business to get business managers engaged. He also called out the need for the framework to enable an evaluation of risk vs. return jumped out.

In describing the value of using publicly available industry data, Newberry noted that it has value by illustrating to the business managers that extreme events might actually be able to occur in their business.

Newberry also spent some time reviewing the granularity of measurement units, for instance by event types, business lines or the intersections. The tests appear to be where the loss types appear sufficiently different and when there’s enough data to make calculations.

Newberry went on to discuss why you would exclude specific events. You may want to exclude events because you’re not in that line of business, there have been structural changes in the business/industry, etc; however, Newberry cautioned that there will always be push back and that you need to be careful here because all large losses result in the door closing afterwards.

What about the time lag on High-Water mark events, e.g. rogue trading? Should a loss at Bank A effect the AMA capital at Bank B and if so how quickly? What are the rules of the road here? Newberry left these questions up for discussion.

So what are the advantages of using industry event selection as scenario analysis for AMA? Newberry seemed to argue that the biggest benefit here was business buy in.

Before Valine spoke, a fire alarm went off, as apparently our lunch caught on fire on the fourth floor (we are on the ground level), a realized operational risk that was well mitigated by the Boston Fire Department and a brief visit outside to the gorgeous spring day in Boston.

Back in our seats, Valine spoke on execution risk management, including governance, data and capital. Execution risk management is really about change management or implementation risk: an M&A activity, new product offering, etc. At any one time, Wachovia has 60-80 in-flight high risk initiatives (of 1600-1800 total). These initiatives come in front of company governance committees.

Wachovia established a distinct risk discipline around implementation risk. Some accomplishments included

• Transparency for all investments over $250K
• Reduced project spend from $2.8B in 2005 to $1.4B in 2007
• Better reporting on projects

Scenario analysis is conducted at divisional level through a facilitated workshop. Implementation risk has a dedicated process.

In summary, Wachovia saw a convergence of business benefits and compliance. According to Valine, for Basel II there was nothing they had to do for regulatory purposes that they wouldn’t have done for business purposes.

In the Q&A session, Joe Sabatini noted that today’s there’s been relatively little discussion of business management. He also said that risk management should really aspire to break down the silos between credit, market and operational risk to help improve the performance of the business.

Valine followed by saying that if there’s anything we should have done differently [in the development of the operational risk industry] there should have been more thinking about the linkage between business risk and operational risk. For instance, if you look at the greatest losses in the US, it comes down to poor operating practices or decisions that lead to big legal losses. There’s a tremendous overlap between business risk and operational risk.

After lunch, the European banks held a panel. We heard from: 

• Michael Kalkbrener, VP, Risk Analytics and Instruments, Deutsche Bank
• Marc Leipoldt, Senior Risk Reviewer, ABN AMRO Bank
• Mike Constantinou, Head of Operational Risk Framework and Measurement, Barclays Group

All addressed their experiences with AMA from different perspectives.

Michael Kalkbrener started out with their AMA history. What was interesting here is that DB started collecting loss data in 1999, so they have more internal loss data than most banks in the industry.

He then reviewed their approach.

They use four data sources 

1. Internal loss data 
2. ORX consortium loss data 
3. Commercial loss database 
4. Scenarios are used to close the gaps

They then model frequency and severity distributions separately. Gross losses are then netted after the effect of insurance to get to net losses and then an aggregate loss distribution is calculated.

Kalkbrener noted that the event type with the highest losses is Clients, Products and Business Practices. Fraud is also important.

DB considers internal loss data as the most important data source, as it reflects the company’s underlying risk exposure. Internal loss data is used for modeling frequencies, severities and estimating correlations. DB uses external data and scenarios to model the tails of severity distributions.

Kalkbrener had a gem: “The problem with data is that it gets outdated.”

On bias of external loss data: 

• Is it true that losses are dependent upon bank size? Not really, according to DB. However, they will be evaluating the data supplied by ORX. 
• There is a positive relationship between loss amount and the probability that the loss will be reported.
• A disproportionate number of large losses could lead to an estimate that overstates a bank’s exposure.

Kalkbrener went into an extensive discussion of distributions. They considered:

• Poisson (no dependence between occurrence of events in a cell)
• Negative Binomial (positive dependence)
• Selection algorithm based on statistical tests

In then end, they use Poisson because they’ve found limited difference in this application between distributions.

Regarding decisions about distributions: 

• One distribution for the entire severity range or different distributions for small, medium and high losses?
• Choice of distribution family (people are talking about the three- or four- parametric distributions)
• Mixing internal and external data

Next, we heard from Marc Leipoldt, who set out to address three simple questions: 

1. Is AMA achievable? 
2. Is AMA desirable? 
3. What is an acceptable timeframe?

AMA requirements

• Governance framework
• Measurement framework
• Validation framework
• Use test

So, what is AMA anyway? Is it a set of tools? A mathematically exact model? The point seemed to be that there’s a huge range across banks in terms of how they are approaching AMA.

Leipoldt reviewed the AMA experiences of 10 different banks from Asia, Middle East and South Africa. He reviewed the issues associated with four different areas: 

• Governance - No real near term job for governance structure given implementation timelines; No Risk committees deal only with Credit and AML; Implementation timelines are not being hit
• Measurement framework  - Few internal losses; No severe losses (yet); No established regional loss database; Business and control environment not measured consistently
• Validation framework - Not an independent function and not always on the agenda
• Use test  - Less attention from banks not pursuing validation; ORM is getting less attention than credit and liquidity risk

Among the 10 banks, where are things going well? Leipoldt did some simple research of the banks annual reports and found that the banks were mentioning risk more now than in 2000. Apparently, this is a good finding, though it’s hard to know what the tangible outcomes of this are.

AMA is not an off the shelf product as the ways to get there will vary so much by institution. But, AMA does provide a roadmap for ORM.

Finally, 

1. Is AMA achievable? Yes 
2. Is AMA desirable? Yes 
3. What is an acceptable timeframe? 2-3 years

Next, Mike Constantinou from Barclays (an OpenPages customer) talked about the process and goals of AMA, principally reducing the losses and severity of larger losses.

He reviewed the application process, which he described as a lengthy and iterative but, overall, appropriate. The process started in 2005 and ended in Dec 2007. As an example of the iteration involved, the FSA visited all the material areas, with the FSA talking to senior people in each business unit about the use test. The FSA would follow up with feedback and Barclays would respond with the FSA reviewing carefully each response.

In terms of validating their AMA model, Barclays set up an extensive internal and external model review process which included internal stakeholders and the FSA. However, Constantinou got most confidence from sharing best practices with peer banks, and they ran generic test data through multiple banks’ models and got similar results.

Very much unlike DB, scenarios are the key input to the model at Barclays. This was also the area in which they had the toughest discussion with the FSA. The key test was could an independent person understand each of the scenarios and the risks and risk mitigation strategies.

The FSA also pushed on the scenario validation process. Some of the BUs have set up model validation committees for independent review. The process now is very robust, according to Constantinou.

Scenarios are where internal and external data comes together. Constantinou mentioned a large unauthorized trading event (SocGen, we can presume) which stretched their assessment of such a loss which had previously been estimated at £1 billion. By the end of Q1, additional capital had been allocated for this risk.

The use test was a key focus during the application process with the FSA in extensive conversations with the business unit heads about how they were using the use test data. Now, there’s a focus on ‘making the bank run better’.

They have found that the business wants the capital allocation process to be: 

• Easy to understand
• Transparent
• Predictable
• Risk-based
• Drive good behavior
• Fair

Finding a capital allocation scheme that maps to the above is quite difficult in practice, however.

Also very much unlike DB, Barclays is reviewing its approach to insurance and does not net out their insurance claims against loss data. One wonders what drives such a different approach.

In the Q&A period, Kalkbrener noted that the qualitative adjustment is the way to make the model more forward looking.

The first keynote was delivered by Eric Rosengren, President and CEO of the Boston Fed. Rosengren opened by showing an interesting chart on the LIBOR to Overnight Swap spread, which jumped last summer and has been very volatile ever since, evidence of the reluctance of banks willingness to lend to each other.

Rosengren covered the role of liquidity in risk modeling, which he noted was largely underestimated in many models over the last year. He also noted that other fundamental assumptions were wrong, like the one that housing prices across the US are not correlated (he showed a chart of regional housing data over the last five years that looked highly correlated.)

Rosengren also spoke about the impact of rogue trading and legal settlements. Many institutions think these losses are 1 in a 1000 year events, but as we get more data, it’s emerging that these events are much more common than previously thought.

Regarding scenarios analysis and stress testing, Rosengren asked how much confidence should we put into this? In many cases, the stress tests did not accurately take into account the risks. He noted that the effect of falling housing pricing was not accurately assessed. He also noted that the impact of mortgage defaults on liquidty was universally missed.

In the Q&A period, he went on to say that we need to be more humble about the effect of some of these unexpected events and that we need to broaden our thinking about what could possibly happen.

A key theme of Rosengren’s talk is that organizations are too willing to ignore what they consider 1 in a 1000 year events, when in fact these events are turning out to be quite frequent. For instance, last year there were 14 losses over $1 billion reported. He reinforced this notion in the Q&A session that extreme losses have occurred much more frequently than we would have assumed a couple years ago.

Rosengren was followed by Randall Kroszner, Member of the Board of Governors, Federal Reserve. Kroszner took a broader perspective on Basel II, and the enhancements the framework committee is considering. He noted that banks pursuing AMA qualification need strong senior management and board oversight. He also noted that senior management can create an AMA that’s reflective of organizational realities.

Kroszner noted that Basel II has been the official regulation for just one month, but the implementation will take some time. Implementation must be taken “thoughtfully and deliberately” by individual banks which should first start with a sober and frank appraisal of their current state.

The core banks will have to plan in place for AMA qualification by Oct 1, and Kroszner noted that this will require buy-in and resource commitment from the top.

Kroszner also noted that their hope is to provide more information over the next couple months but provided some initial thoughts on what the plan will have to cover:

• Gaps between existing practice and AMA
• Objective and measurable milestones
• Planning and governance process for meeting qualification requirements fully

He noted that the final rule allows 36 months before exiting the parallel run phase.

After some discussion of upcoming improvements to the Basel II framework, Kroszner addressed the standardized approach for non-core banks. He stated that the Fed expects that Basel II (referring to both the AMA and standardized approaches) will make the US banking system more resilient.

A key theme that emerged from Kroszner’s talk and the subsequent Q&A period was that a one size fits all approach is probably not best for the range of institutions we have in the US. Rosengren noted in the Q&A period that the final rule is more of a principles-based than a rules-based document and repeated that “it’s not clear that one size fits all.” He also noted that there’s already a wide range of practices in play right now.

Someone asked if Basel II make us more vulnerable to systemic risk because of model convergence? Kroszner responded that the flexibility of the final rule and the judgement afforded by the icap process should mitigate systemic risk. Rosengren said that oprisk has enough variety in the modeling, but that credit risk calculations over the last year may have been too reliant on the same historical data.

Listen to the Podcast

Listen to the Podcast

What's interesting here is that the regulators called out the ability of senior management to share risk information across silos, to discuss how exposures and risks all came together at the top of the business.   This is certainly about risk culture, but it's also about having access to that information so that it can be shared in the first place, which is really a systems problem.  Regardless, it's pretty clear that the days of siloed risk management are going to come to an end.  Senior management must look at risk across the business in a more holistic way.  It would be overly simplistic to say that Bear Stearns collapsed because of siloed risk management, but for anyone who's ever read Memos From the Chairman, it's hard to imagine this happening to a firm once run by Ace Greenberg, who championed a culture that had little tolerance for festering problems.

Patricia Meadow, one of the keynote speakers at OpRisk USA stated that a good day for a risk manager is when nothing happens. And another panelist commented that you are doing well if you are mitigating more than you cost. Many speakers told the audience to “Just point at the subprime crisis or remind the board about what happened at Soc Gen.”

The subprime crisis was caused by a number of factors including market conditions (higher interest rates and lower housing prices), credit mistakes (aggressive lending to risky borrowers and negative amortizing mortgages) and operational errors (lowered underwriting standards). I don’t think anyone believes that sound operational risk practices alone could have prevented the subprime crisis. Nor should risk managers threaten that “Soc Gen could have been us but for the grace of God.” So how do you provide quantifiable data to demonstrate the business value of operational risk?

The problem is similar to one of the biggest challenges of operational risk: namely, quantifying operational risk exposure. Risk exposure is very difficult to quantify in many instances because there is a lack of available historical data, models are inadequate, using data from external sources presents issues such as scaling, and fat tail events dominate the distributions.

Quantifying the business value of operational risk is also very difficult. In his keynote at OpRisk USA, Nassim Taleb talked about the “grave yard of non success.” Taleb’s point is that we never hear about the failures, just the successes when it comes to the notable money managers/traders. The parallel for operational risk is that we never hear about the operational loss that was avoided. If Societe General had caught Jerome Kerviel after $100K of fraudulent trades it would be a non-story. But proving to management that you saved $7B in losses by catching a rogue trader early on is very difficult.

What do you do? First let’s agree that the goal is not to mitigate what you cost – that can only be a floor. Operational risk should be leveraged across the organization in the same way that a sales organization is leveraged (not many companies could survive for long if the sales team only covered their own expenses). Second, start with the tangible areas that can be measured, for example:

1) Reduction in capital requirements: look at what the AMA waiver will mean for your business in terms of reduced capital allocation charges
2) Year-to-year reduction in losses: track your losses and report on improvements over time
3) Benchmarking: ultimately, external benchmarking of losses may be the most effective method of demonstrating to senior management that your risk management function is providing value. When you can show that in terms of loss amounts your firm compares favorably to peers in your industry sector, you will be in a much stronger position to defend the business of value of your operational risk function.

You may not be able to predict black swan events but as a risk manager you have to plan for their occurrence. No one could predict or even imagine the series of events that occurred on 9/11, but some firms did plan for the possibility of a long term disruption of their business operations due to a catastrophic event taking place in Manhattan. These companies had business continuity plans in place that provided alternative operation centers for critical business operations. Many of them were up and running within hours of the fatal events of 9/11.

Enterprise risk managers should be aware that many of their key risk exposures, whether they are operational, market or credit risks, do not follow a normal distribution or bell curve. These risks have fat tails and it is these events that lie at the lower and upper ends of the distribution that are most important to consider and plan for. Too often, black swans are ignored by risk managers because we think we understand more than we actually do. You have to fight the natural tendency to focus on the known, the tangible and the repeated and devise strategies to cope with the unknown – your company’s viability may depend on it.

You may not be able to predict black swan events but as a risk manager you have to plan for their occurrence. No one could predict or even imagine the series of events that occurred on 9/11, but some firms did plan for the possibility of a long term disruption of their business operations due to a catastrophic event taking place in Manhattan. These companies had business continuity plans in place that provided alternative operation centers for critical business operations. Many of them were up and running within hours of the fatal events of 9/11.

Enterprise risk managers should be aware that many of their key risk exposures, whether they are operational, market or credit risks, do not follow a normal distribution or bell curve. These risks have fat tails and it is these events that lie at the lower and upper ends of the distribution that are most important to consider and plan for. Too often, black swans are ignored by risk managers because we think we understand more than we actually do. You have to fight the natural tendency to focus on the known, the tangible and the repeated and devise strategies to cope with the unknown – your company’s viability may depend on it.

As ENRON proved, creativity is a No-No and common sense just isn’t enough when it comes to risk management. As business activities have become more complex, so too has risk management.

A risk manager’s primary concern is to help protects the firm’s continued business success by preparing for unexpected and unfavorable events and outcomes. Implementing an enterprise risk management process can help by providing a framework within which managers can explicitly consider how the organization's risk exposures are changing, determine the amount of risk they are willing to accept, and ensure that they have the appropriate risk mitigants and controls in place to limit risk to targeted levels. At a first glance, risk management may seem relatively simple – just apply a good dose of common sense. 

But with the advent of very large organizations that engage in a wide variety of business activities – some of them quite complex – risk management has also grown into a very complex process. First of all, risk management covers a wide variety of risk disciplines including operational, compliance, financial controls, legal, liquidity, business strategy and technology. Each of these disciplines has its own nuances and specialized models for assessing risk. In addition, the risks should not be managed within silos since the interdependencies between risk disciplines are very important to consider.

Another challenge is that as organizations grow larger, it becomes more difficult to make sure that the “right hand” knows what the “left hand” is doing. In other words, risks must be recognized and managed across the entire organization. In some cases, firms may be practicing good risk management on a product-by-product basis, but they may not be paying close enough attention to aggregation of exposures across the entire organization. Growth can place considerable pressure on, among other areas, an organization’s management information systems, change-management controls, strategic planning, and asset-liability management.

Another dimension of risk to consider is the diversity of the business. While business diversification has its benefits, the organization must also understand how the various business components interact on a dynamic basis to affect the risk profile. Related to diversification is the complexity and sophistication of an organization’s products and services. While an institution may alter its risks by expanding into several business lines, the nature of its products and services also makes a tremendous difference in its risk profile.

Compliance risk management is an area that contributes significant complexity especially for highly regulated industries such as banking, insurance and energy. “Compliance risk” can be defined as the risk of legal or regulatory sanctions, financial loss, or damage to an organization’s reputation and franchise value; this type of risk may result when an organization fails to comply with the laws, regulations, or standards or codes of conduct that are applicable to its business activities and functions. Many firms are struggling to put in place processes and infrastructure that are able to identify and control the compliance risks facing their organization due to the sheer magnitude of the regulations they are required to comply with.

ERM is a process that enables management to deal effectively with uncertainty and the associated risk and opportunity and includes:

• aligning the entity's risk appetite and strategies;
• enhancing the rigor of the entity's risk-response decisions;
• reducing the frequency and severity of operational surprises and losses;
• identifying and managing multiple and cross-enterprise risks;
• proactively seizing on the opportunities presented to the entity; and
• improving the effectiveness of the entity's capital deployment.

Implementing a predictable, sustainable and repeatable ERM process requires discipline, determination and attention to detail. It also involves the development of sophisticated models and analytics with accompanying software tools – rocket science may be an apt depiction. 

Creating an enterprise wide risk management structure is certainly not simple. But organizations that successfully measure and act upon risk-adjusted returns are typically rewarded with higher valuations from financial markets, higher credit ratings and lower costs of capital – and that is common sense.

As ENRON proved, creativity is a No-No and common sense just isn’t enough when it comes to risk management. As business activities have become more complex, so too has risk management.

A risk manager’s primary concern is to help protects the firm’s continued business success by preparing for unexpected and unfavorable events and outcomes. Implementing an enterprise risk management process can help by providing a framework within which managers can explicitly consider how the organization's risk exposures are changing, determine the amount of risk they are willing to accept, and ensure that they have the appropriate risk mitigants and controls in place to limit risk to targeted levels. At a first glance, risk management may seem relatively simple – just apply a good dose of common sense. 

But with the advent of very large organizations that engage in a wide variety of business activities – some of them quite complex – risk management has also grown into a very complex process. First of all, risk management covers a wide variety of risk disciplines including operational, compliance, financial controls, legal, liquidity, business strategy and technology. Each of these disciplines has its own nuances and specialized models for assessing risk. In addition, the risks should not be managed within silos since the interdependencies between risk disciplines are very important to consider.

Another challenge is that as organizations grow larger, it becomes more difficult to make sure that the “right hand” knows what the “left hand” is doing. In other words, risks must be recognized and managed across the entire organization. In some cases, firms may be practicing good risk management on a product-by-product basis, but they may not be paying close enough attention to aggregation of exposures across the entire organization. Growth can place considerable pressure on, among other areas, an organization’s management information systems, change-management controls, strategic planning, and asset-liability management.

Another dimension of risk to consider is the diversity of the business. While business diversification has its benefits, the organization must also understand how the various business components interact on a dynamic basis to affect the risk profile. Related to diversification is the complexity and sophistication of an organization’s products and services. While an institution may alter its risks by expanding into several business lines, the nature of its products and services also makes a tremendous difference in its risk profile.

Compliance risk management is an area that contributes significant complexity especially for highly regulated industries such as banking, insurance and energy. “Compliance risk” can be defined as the risk of legal or regulatory sanctions, financial loss, or damage to an organization’s reputation and franchise value; this type of risk may result when an organization fails to comply with the laws, regulations, or standards or codes of conduct that are applicable to its business activities and functions. Many firms are struggling to put in place processes and infrastructure that are able to identify and control the compliance risks facing their organization due to the sheer magnitude of the regulations they are required to comply with.

ERM is a process that enables management to deal effectively with uncertainty and the associated risk and opportunity and includes:

• aligning the entity's risk appetite and strategies;
• enhancing the rigor of the entity's risk-response decisions;
• reducing the frequency and severity of operational surprises and losses;
• identifying and managing multiple and cross-enterprise risks;
• proactively seizing on the opportunities presented to the entity; and
• improving the effectiveness of the entity's capital deployment.

Implementing a predictable, sustainable and repeatable ERM process requires discipline, determination and attention to detail. It also involves the development of sophisticated models and analytics with accompanying software tools – rocket science may be an apt depiction. 

Creating an enterprise wide risk management structure is certainly not simple. But organizations that successfully measure and act upon risk-adjusted returns are typically rewarded with higher valuations from financial markets, higher credit ratings and lower costs of capital – and that is common sense.

In reality, the situation calls for evolution as opposed to revolution. Much of the blame can be placed on the current regulatory climate (Basel II, SOX, Patriot Act, COSO), which has heavily influenced the design and implementation of ERM approaches. This has resulted in control-based ERM frameworks that have a bias for analysis versus action and the production of evidence for regulators and auditors in some instances has become more important than managing real risks. There needs to be a shift towards a bias for action, reversing the trend towards a top-level, enterprise view which neglects the orientation towards action.

To reset the proper balance, enterprise risk management should be embedded within the day to day business processes of the firm. ERM needs to be deployed bottom up so that business managers are the first-line managers of risk. They must understand the risk/reward trade-offs involved in their own business decisions and how they become impaired when business conditions change. Risk management should not be viewed as a way of fixing problems but as a mechanism for encountering problems. For example, organizations should focus on establishing KRIs that provoke the business to take action when certain conditions arise.

In place of creating a dashboard for an entire risk universe, a project which creates endless worries about the completeness of universe description, the focus should be on surfacing problems as they arise and on resolving everyday issues by empowering the entire organization to be risk managers. The measure of success is not the ability to prove and demonstrate control universes via elaborate spreadsheets, but a singular focus on doing the right things with respect to managing risk at the point it is undertaken.

The End of Enterprise Risk Management, David Martin and Michael Power, AEI-Brookings Joint Center For Regulatory Studies, July, 2007. 
 

In reality, the situation calls for evolution as opposed to revolution. Much of the blame can be placed on the current regulatory climate (Basel II, SOX, Patriot Act, COSO), which has heavily influenced the design and implementation of ERM approaches. This has resulted in control-based ERM frameworks that have a bias for analysis versus action and the production of evidence for regulators and auditors in some instances has become more important than managing real risks. There needs to be a shift towards a bias for action, reversing the trend towards a top-level, enterprise view which neglects the orientation towards action.

To reset the proper balance, enterprise risk management should be embedded within the day to day business processes of the firm. ERM needs to be deployed bottom up so that business managers are the first-line managers of risk. They must understand the risk/reward trade-offs involved in their own business decisions and how they become impaired when business conditions change. Risk management should not be viewed as a way of fixing problems but as a mechanism for encountering problems. For example, organizations should focus on establishing KRIs that provoke the business to take action when certain conditions arise.

In place of creating a dashboard for an entire risk universe, a project which creates endless worries about the completeness of universe description, the focus should be on surfacing problems as they arise and on resolving everyday issues by empowering the entire organization to be risk managers. The measure of success is not the ability to prove and demonstrate control universes via elaborate spreadsheets, but a singular focus on doing the right things with respect to managing risk at the point it is undertaken.

The End of Enterprise Risk Management, David Martin and Michael Power, AEI-Brookings Joint Center For Regulatory Studies, July, 2007.