Where's risk? EWRM knows! (Enterprise-Wide Risk Management).

A few years ago, everyone was searching for Waldo. Now everyone's looking for Risk. And Risk is a lot harder to find than Waldo ever was. Today's sleuth requires enterprise-wide risk management. In a two-part article complete in this issue, a consultant creates an EWRM framework. Then a practitioner s view-point is presented through a case study.

A Practical Approach in Establishing an Enterprise-Wide Risk Management Program

James Lam

The Chinese saying, "May you live in interesting times," (1) is an understatement for today's business world. Another saying, one that well serves the practice of risk management, is "Expect the unexpected."

Risk management is no longer strictly a credit administration or corporate insurance function. It is widely recognized, by bankers and regulators alike, as a core competency that deserves the highest level of management attention. An approach toward this core competency that is being adopted by both institutions and regulators is enterprise-wide risk management (EWRM).

EWRM is the integrated measurement and management of credit risk, market risk, and operational risk, involving all of the company's internal control and risk functions, such as credit, asset-and-liability management, audit, compliance, and insurance. EWRM focuses on enhancing shareholder value through better business strategies, relationship management, product pricing, capital management, and risk transfer.

Risks, by their nature, are highly interdependent. For example, the quality of a bank's loan documentation (operational risk) will likely be tested when there are loan defaults (credit risk). The bank will suffer greater loan losses if loan documentation is poor or collateral protection is not well established. Interdependent risks cannot be segregated and managed in isolation.

Oversight functions must work together to be effective. Most companies have control functions other than risk management, such as finance/treasury, audit, security and compliance. When each operates in a silo, a major risk can easily fall through the cracks. Just as the U.S. homeland security initiative is meant to integrate the information from, and coordinate the activities of, key U.S. intelligence agencies, an EWRM framework should do the same for a company's oversight functions.

Regulators are taking an EWRM approach. Basel II is prompting banking regulators worldwide to take an EWRM approach to both its minimum capital requirements (Pillar I) and examination processes (Pillar II). While the full implementation of Basel II is a few years away, companies must act now to integrate their risk functions and develop the necessary systems and data to meet the new standards and requirements. Leading companies that are early adopters of EWRM may even help shape the final implementation of the proposal. Lagging companies will be ill prepared and will likely face greater regulatory scrutiny and higher capital charges (or worse).

A practical five-step approach to EWRM includes the following:

1. Establish the business case.

2. Secure the best resources.

3. Develop a framework.

4. Use pilots and prototypes.

5. Stay the course.

Establish the Business Case

As a multiyear effort, EWRM requires dedicated resources, coordination between different internal control and risk management functions, and support from line managers. The business case for EWRM must be well established to obtain (and maintain) support from the board, senior management, and other key stakeholders. A business case should do the following:

Create a compelling vision. What does EWRM look like and why is it different and better? The business case should first establish a compelling …