
How Risk Assessment Frameworks Can Be Used to Prioritize and Manage Systemic Risks

By Michael Leibrock, Part-Time Lecturer of Traditional ERM Practices and Managing Director of Credit Risk at the Options Clearing Corporation

I’ve held a number of enterprise risk management positions at financial institutions during my 30-plus-year career, primarily in the areas of counterparty credit and systemic risk management. All roles required the risk teams under my responsibility to identify, assess, and mitigate credit and other forms of risks to my organizations, as well as to the broader financial system.

One of the most important topics I’ve faced throughout my career is the real-world relevance of the risk assessment framework covered in the Traditional ERM Practices course I’m teaching this semester in the Enterprise Risk Management program at Columbia’s School of Professional Studies (SPS).

Risk assessment is the process of identifying, assessing, prioritizing, and responding to issues that can impact an entity’s ability to meet its business objectives. Its purpose is to assess how big the risks are, individually and collectively, in order to focus management’s attention on the most important threats and opportunities and to lay the groundwork for risk-mitigating actions.

There are three basic steps to any risk assessment:

  • The first step in the assessment process is to estimate the impact, which refers to the extent to which a risk event might affect the entity, and the likelihood, which represents the probability that a risk event will occur.
  • The second step is usually accomplished in two stages where an initial screening of risks is performed using qualitative and quantitative techniques, depending on the specific type of risk being analyzed.
  • The final step in the “assess” part of risk assessment recognizes that risks do not exist in isolation; risks can interact to cause greater damage or create significant opportunities. Many firms refer to this as interconnectedness risk.

I’ve applied this framework extensively to the management of systemic risks during my career. For example, given the wide array of risks present in today’s global financial ecosystem (e.g., geopolitical risks, cyber risk, interest-rate risk), this risk assessment framework allowed me to focus my company’s resources primarily on those risks deemed to have a combination of the greatest potential likelihood of occurring and the greatest potential impact.

Depending on the nature of the specific risks under review, a qualitative or quantitative assessment is made. Should the risk in question lend itself to quantitative measurement, this would allow for further prioritization among the other risks being reviewed. Firms can then utilize “heat maps” to visually illustrate these risks, which provides senior management and board risk committees with a very clear and user-friendly picture of which risks require their closest attention.

At this point, a firm can choose to take additional risk mitigation measures such as reducing a counterparty’s credit limit, requiring an increased amount of collateral, or establishing a firewall to prevent cyber-attacks, just to name a few.

Alternatively, a firm may choose to accept the residual risk, meaning that the risk cannot be further mitigated, but also cannot be avoided due to the nature of the firm’s business model or operating environment. One such example might be a significant concentration risk in a single cloud service provider such as Amazon Web Services to host a firm’s data and transactions, which may be difficult to avoid due to the limited number of firms that provide such a unique service.

The real-world benefits of using traditional enterprise risk management techniques such as the risk assessment framework are apparent once recognized and understood. They can be used to better manage all forms of risks facing firms that operate in today’s complex global marketplace.


About the Course

Traditional ERM Practices provides an overview of the traditional ERM frameworks used to identify, assess, manage, and disclose key organizational risks. The traditional ERM frameworks are those that are more commonly in use and include COSO ERM, ISO 31000, and the Basel Accords. This course also provides an understanding of the methods, tools, techniques, and terminology most organizations use to manage their key risks, presented in the context of the foundational elements of an ERM process. This will enable students to navigate the ERM landscape within most organizations, and, along with the second-semester course Value-Based ERM, evaluate opportunities to enhance the existing ERM practices and evolve their ERM programs over time.

About the Program

The Master of Science in Enterprise Risk Management (ERM) program at Columbia University prepares graduates to inform better risk-reward decisions by providing a complete, robust, and integrated picture of both upside and downside volatility across an entire enterprise.

