The first step in any good risk-management program is to inventory and assess risk at a granular level:
How supply-chain interruptions affect production, for example, or what effect rising interest rates might have on enterprise cash flow. Yet the effects of such threats are rarely limited to a single operational unit. Rather, they ripple throughout the organization with a number of consequences. That’s one reason why experts recommend not just a bottom-up approach to risk management, but a top-down strategy as well—one in which risks are viewed in the aggregate and evaluated against the organization’s overall risk appetite.
An enterprise approach
Broadly speaking, risk aggregation refers to the accumulation of the total risk exposures of various types of threats throughout the organization. “An enterprise approach to risk management should offer a view across all areas,” says Mohit Ramani, executive vice president, credit risk management at Regions Bank. “What are the operational, legal, and financial risks of a particular event?” Traditionally, he adds, middle-market companies have lacked the capabilities of large, publicly-traded companies to aggregate risk across the enterprise, but the risks are there nonetheless. For rapidly growing middle market companies, he suggests that the most cost-effective approach may be to seek assistance from an outside expert while developing the internal resources necessary for long-term success. “Often times, the risk-management role is relegated to a mid-level staffer with no direct access to senior management, or it is held by a senior manager, such as CFO, without sufficient bandwidth to take on risk identification, since he or she also has multiple ‘day jobs,” he points out. “I think companies have come a long way in managing risk, but the stakeholders—directors, shareholders, employees, regulators, etc. —continue to require more and more sophistication.”
Ramani offers the example of severe weather as a risk that is exacerbated by competitive strategies while transcending functional boundaries. “Because we work in a rapidly changing economy, middle- market companies have improved their just-in-time processes,” he explains. But as companies reduce inventory and streamline supply chains, they can become vulnerable. “You have to look at the overall effect of an event on revenues when employees can’t get to work or supplies are sitting on a truck,” he says. “You need to consider mitigating strategies such as diversifying your supply chain or purchasing business-interruption coverages. Often, these are additional expenditures that do not show their true value until ‘tail events’ occur. They may be taken for granted, or they’re first on the chopping block when expense-management is a concern. But failure to invest in these areas is penny-wise and pound-foolish.”
Greater efficiency, broader vision
One reason to aggregate is to avoid inefficiency. The typical, “siloed” approach to risk can easily result in a complex web of redundant and even counterproductive processes, perhaps even with incompatible metrics, from assessment and reporting on to response. By taking a broader, cross-departmental view, companies establish metrics that measure specific risks across the organization and coordinate thresholds for action, response, and reporting.
Aggregation also permits a clearer view of total exposure, which can be masked when analysis and response remain compartmentalized. The result may be that the company cannot see the overall degree of risk it is taking on as interdependent risks multiply. Individual risks may correlate to one another to various degrees. When a risk is highly correlated, such as the risk an insurer takes on when writing individual earthquake policies in southern California, they are additive. When they are less so, the mathematics becomes more complex. Consider the weather example: If a storm disrupts the supply chain as well as employee attendance, the effects on production may overlap so that they are not entirely cumulative.
First steps? “Senior executives and the board of directors really need to demonstrate buy-in,” Ramani says “That means putting risk management in the C-suite—not necessarily a dedicated chief risk officer, but a role that reports to the CFO or CEO with the license to work across different silos that may not naturally talk with one another.” Another requirement is a written risk-management strategy that defines the organization’s risk appetite. “It should be concrete, not abstract,” Ramani concludes. “It should link with actual operational metrics and be ingrained in the culture. And finally, the risk appetite and related policies should be reviewed at least annually by the board of directors to ensure the enterprise is operating within its prescribed targets.”
