
Risk and Strategy: How to Find the Links

This is the first paper of a series of five on the topic of risk appetite. Understanding of risk appetite is very much a work in progress in many organizations. The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards are mobilized and comprehend the links between risk and strategy. This is achieved either through painful and expensive crises, or through the less expensive development of a risk appetite framework (RAF).

Paper 1 makes a number of general observations based on experience in working with a wide variety of companies. Paper 2 describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management. Paper 3 answers questions relating to the need for risk appetite frameworks and describes in some detail the relationship between them and strategy. Paper 4 answers further questions on risk appetite and goes into some detail on the questions of risk culture and maturity. Paper 5 describes the characteristics of a risk appetite statement and provides a detailed summary of how to operationalize the links between risk and strategy.

Paper 1: Introduction

Since the global financial crisis (GFC), regulators, investors and boards have become determined to avoid a repetition of such a cataclysmic event and have increased demand for more effective risk management. As financial risk reporting failed to predict the GFC, there is growing recognition of the need to build organizational resilience through effective mapping of risks and to demonstrate the capability to manage low-probability, high-impact events. Concern is also growing over the increase in cybercrime and over digital risk.

Some observations:

1. Directors and senior managers need a globally accepted guide on the attributes of an effective risk appetite framework.

2. Emphasis is shifting globally from risk management to building resilience. Risk optimization is achieved when risk and strategy are aligned with corporate objectives. Achieving this requires that both the board and executives master strategic, emerging and external/global risks through robust (risk) horizon scanning, proofing and testing.

3. “Strategic risks” are those that are most consequential to the organization’s ability to execute its strategies and achieve its business objectives. These are the risk exposures that can ultimately affect shareholder value or the viability of the organization. “Strategic risk management” is “the process of identifying, assessing and managing the risk in the organization’s business strategy—including taking swift action [when problems arise]. Strategic risk management is focused on those most consequential and significant risks to shareholder value, an area that requires the time and attention of executive management and the board of directors.”[1]

RMI thus defines board risk assurance as assurance that strategy, objectives and execution are aligned.

4. That alignment is achieved through operationalizing the links between risk and strategy. This involves:

  • Strengthening the strategic planning process through organizational integration of the risk and strategy functions/processes, with authority derived directly from the board and CEO’s office,
  • Establishing an effective risk appetite framework,
  • Understanding, and improving, the organizational level of risk maturity,
  • Building organizational resilience,
  • Proofing and testing management’s ability to offer credible responses both when exploiting opportunities and when defending operations, the business model and reputation.

5. The risk appetite framework (RAF)[2] is to the board what risk management[3] is to the rest of the organization. As such, there is a direct correlation between the efficacy of the RAF and the efficacy of the risk management framework[4]. The audit committee of the board and the risk subcommittee must have charters that provide a risk governance framework that mandates:

  • Direct CEO oversight of an integrated risk and strategy capability,
  • Board risk subcommittee oversight of:
    • The risk appetite framework,
    • Advancing and maintaining risk maturity, which can deliver value through:
      • Access to capital at lower cost than that achieved by less mature competitors,
      • More favorable credit ratings than those achieved by less mature competitors,
      • Optimization of risk transfer through both traditional and modern self-insurance methods.
  • Risk data governance maintained to standards of rigor and consistency like those that apply for accounting data,
  • Perpetual proofing and testing of management’s readiness to offer credible responses both when an opportunity arises and when abnormal or adverse events occur.

We agree with Peter Bernstein, author of Against the Gods: The Remarkable Story of Risk, when he says, “In the absence of certainty. . . [we must] focus on excellent execution and demonstrable resilience at the same time whilst taking as much acceptable risk as is reasonably possible.” We likewise agree with Robert S. Kaplan, author of Risk Management and the Strategy Execution System, who says: “Risk management. . . is about identifying, avoiding and overcoming the hurdles that the strategy may encounter along the way. Avoiding risk does not advance the strategy; but risk management can reduce obstacles and barriers that would otherwise prevent the organization from progressing to its strategic destination.”


[1] Source: Harvard Law School Forum on Corporate Governance and Financial Regulation, Strategic Risk Management: A Primer for Directors, August 2012.

[2] The RAF is the “overall approach, including the policies, controls and systems, through which risk appetite is established, communicated and monitored.”

[3] Risk management: coordinated activities to direct and control an organization with regard to risk. (Source: ISO Guide 73, Risk Management – Vocabulary)

[4] Risk management framework: set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization.

    • NOTE 1 The foundations include the policy, objectives, mandate and commitment to manage risk.
    • NOTE 2 The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities.
    • NOTE 3 The risk management framework is embedded within the organization’s overall strategic and operational policies and practices.

(Source: ISO Guide 73, Risk Management – Vocabulary)


How to Apply ERM to Cyber Risks

The advent of new technologies has enabled risk stakeholders to perform enhanced data analytics to gain more insights into the customer, risk assessment, financial risk management and quantification of operational risk.

Companies manage many risks aligned to their risk profile and risk appetite, and they do so through risk awareness and risk assessment. The visionaries and early adopters go further: they model the enterprise dynamically, using stochastic or actuarial mathematics and simulations calibrated on historical loss data, so that all the risks of the enterprise can be correlated into one holistic view. Factors to consider include:

Cyber risk. Operational risk affects every organization, and insurers commonly quantify it as a percentage of gross written premiums. In terms of risk management and risk transfer, cyber risk can be handled like any other operational risk. However, IT departments, even with the best of intentions, can increase cyber risk through the strategy they choose, and there is no silver bullet that protects the company. Keyless signature infrastructure (KSI) lets a company plan its data breach strategy around independently verifiable proofs of data integrity, so that the evidence no longer depends on trusting the systems administrators who operate the systems: a careless or compromised administrator may still alter data, but cannot hide the alteration. That should reassure risk managers who see new technology being introduced that would otherwise increase cyber risk.

Risk mitigation. Insurance and reinsurance are not substitutes for enterprise risk management (ERM). Risk transfer programs should be used to address structural residual risk, the risk that remains after controls are in place. From EY’s experience, companies that identify their risks and adopt leading practices find it easier to obtain the right cover at the right price, with the correct reinsurance optimization. The insurance industry should insist on this enterprise-level risk mitigation before it issues cover for large risks and data breaches.

Risk modeling. The exercise in Figure 1 uses a robust industrial risk modeling tool to look at cyber risk. The red area is the tail value at risk (TVaR), the expected loss in the years when losses exceed the chosen value-at-risk threshold, and it is the portion that needs to be mitigated by risk transfer mechanisms. Reinsurance, the most obvious such mechanism, is not a replacement for leading-practice risk management. The assumption here is that data integrity standards have already been adopted, so the model looks at the residual risk mitigation that follows from that implementation.


The bottom graph shows the situation prior to reinsurance, where small claims are aggregated and a long tail cuts into the company’s risk-based capital limits. The top graph shows the leaner position after reinsurance is applied, bringing the retained risk back into the comfort zone.

The calibration of the loss distribution, and hence of the capital held against it, will depend on how the regulator views cyber risk and solvency. Currently, solvency models are on average calibrated to a 1-in-200-year event (a 99.5% one-year value at risk, as under Solvency II), which may be suitable for earthquake and other peril risks but is likely to differ for cyber risk and to vary with each country’s risk appetite.
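As an added worked example (not the page’s Figure 1 tool or EY’s model), the following Python script builds the kind of frequency-severity simulation the risk modeling discussion describes: Poisson event counts, lognormal event sizes, the empirical 99.5% (1-in-200) VaR and TVaR of the annual aggregate loss, and the same statistics after a per-event excess-of-loss reinsurance layer is applied. The parameter values, the layer’s retention and limit, and the choice of loss distribution are all assumptions made for illustration.

```python
import math
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Added illustration, not the modeling tool behind the page's Figure 1.
# Frequency-severity Monte Carlo model of annual aggregate cyber loss:
# event counts are Poisson, per-event losses are lognormal, and an optional
# per-event excess-of-loss (XoL) reinsurance layer splits each loss into a
# retained part and a ceded part. All parameter values are assumptions.


@dataclass
class XolLayer:
    """Per-event excess-of-loss layer covering the loss band
    [retention, retention + limit]; the cedant keeps everything else."""
    retention: float
    limit: float

    def split(self, loss: float) -> Tuple[float, float]:
        """Return (retained, ceded) for one event loss."""
        ceded = min(max(loss - self.retention, 0.0), self.limit)
        return loss - ceded, ceded


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's multiplicative sampler; adequate for the small means used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def simulate_annual_losses(n_years: int, freq_mean: float, sev_median: float,
                           sev_sigma: float, layer: Optional[XolLayer] = None,
                           seed: int = 7) -> Tuple[List[float], List[float]]:
    """Simulate n_years of aggregate loss; return (gross, retained) per year.
    Gross and retained come from the same simulated events, so they are
    directly comparable year by year."""
    rng = random.Random(seed)
    mu = math.log(sev_median)  # lognormal parameterised by its median
    gross, retained = [], []
    for _ in range(n_years):
        g = r = 0.0
        for _ in range(poisson(rng, freq_mean)):
            loss = rng.lognormvariate(mu, sev_sigma)
            g += loss
            r += layer.split(loss)[0] if layer else loss
        gross.append(g)
        retained.append(r)
    return gross, retained


def var_tvar(losses: List[float], level: float) -> Tuple[float, float]:
    """Empirical VaR at `level` and TVaR (mean of the losses at or above VaR)."""
    xs = sorted(losses)
    idx = max(min(math.ceil(level * len(xs)) - 1, len(xs) - 1), 0)
    tail = xs[idx:]
    return xs[idx], sum(tail) / len(tail)


def compare_reinsurance(n_years: int = 20000, level: float = 0.995) -> Dict[str, float]:
    """Gross vs retained tail at the 1-in-200 (99.5%) level, before and after
    an assumed per-event layer of 4.5M excess of 500k."""
    layer = XolLayer(retention=500_000.0, limit=4_500_000.0)
    gross, retained = simulate_annual_losses(
        n_years, freq_mean=2.0, sev_median=100_000.0, sev_sigma=1.5, layer=layer)
    g_var, g_tvar = var_tvar(gross, level)
    r_var, r_tvar = var_tvar(retained, level)
    return {
        "gross_var": g_var, "gross_tvar": g_tvar,
        "retained_var": r_var, "retained_tvar": r_tvar,
        "ceded_mean": sum(g - r for g, r in zip(gross, retained)) / n_years,
    }


if __name__ == "__main__":
    for name, value in compare_reinsurance().items():
        print(f"{name:>14}: {value:,.0f}")
```

The gap between gross_tvar and retained_tvar is the tail the layer removes; compare retained_tvar with the capital the firm is willing to hold to see whether the layer brings it into the comfort zone. What the script does not answer is the hard part for cyber: calibrating frequency and severity where loss data are sparse, and modeling the dependence between events (a shared vendor, a common vulnerability) that breaks the independence assumed here.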

Other risk transfer mechanisms. In addition to reinsurance, cyber captives are used to carry the continuing risk. A point worth noting is the potential to construct a “cyber index” mathematically, in the same way that weather and stock market indices appear in macroeconomic models to represent the correlation of market risk exposure with other enterprise risks. Such an index could be derived from the data patterns of cyber catastrophe models and other data, and then used as a parametric threshold that triggers the data breach claims process once a breach is notified.

Special-purpose vehicles (SPVs). This risk transfer approach is used together with capital market investors and sponsors, and it resembles the catastrophe bonds that protect countries against earthquake risk. It creates a bond shared by government and private industry that pays and shares claims by loss band in the event of a large or black-swan event. While these partnerships are very effective, catastrophe bonds typically run for several years (three to five is common), and a shorter-lived vehicle will suit cyber better.

Sidecars. In natural catastrophe reinsurance these two-year vehicles are known as sidecars: an SPV variant of a captive in which investors, often via A-rated hedge funds, take on a defined share of the risk. If no qualifying event occurs within the term, investors get their capital back with a return. For chief investment officers this makes cyber risk a component of a portfolio that is largely uncorrelated with financial markets. Investment can also be tranched by the severity level of the attack, so that capital is not lost on every event.

It will take time for the SPV approach to mature alongside reinsurance and captives, but with good data quality, proper event models, ratings, and adoption of KSI and other standards in the IT space, the capability to transfer cyber risk to the capital markets will emerge. Data integrity standards in particular would raise investor confidence in such SPVs, because investors pricing a trigger need assurance that the loss data feeding it has not been altered after the fact.
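The page’s references to KSI (above, under Cyber risk, and again here) rest on one idea: the evidence that data is intact should not depend on trusting the administrators who operate the systems. The following added Python example illustrates that principle with a plain Merkle hash tree. It is a teaching version written for this page, not Guardtime’s KSI protocol (which additionally links each tree root into a globally published, time-ordered hash chain); the log lines, the root publication step and the tampering scenario are all constructed for the example.

```python
import hashlib
from typing import List, Tuple

# Added illustration of the integrity principle behind KSI-style schemes:
# log records are hashed into a Merkle tree, only the root is published
# outside the administrators' control, and any record can later be checked
# against that root with a short inclusion proof. Minimal teaching version,
# not Guardtime's KSI protocol. The sample log lines are constructed.

Proof = List[Tuple[bytes, str]]  # (sibling hash, "L" or "R")


def leaf_hash(record: bytes) -> bytes:
    return hashlib.sha256(b"\x00" + record).digest()  # domain-separated leaf


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _levels(records: List[bytes]) -> List[List[bytes]]:
    """All tree levels, leaves first; an odd level is padded by repeating its last node."""
    level = [leaf_hash(r) for r in records]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2:
            level = level + [level[-1]]
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(records: List[bytes]) -> bytes:
    return _levels(records)[-1][0]


def inclusion_proof(records: List[bytes], index: int) -> Proof:
    """Sibling hashes from leaf `index` up to the root, with the side each sits on."""
    proof, i = [], index
    for level in _levels(records)[:-1]:
        sibling = i ^ 1
        proof.append((level[sibling], "L" if sibling < i else "R"))
        i //= 2
    return proof


def verify_inclusion(record: bytes, proof: Proof, published_root: bytes) -> bool:
    """Recompute the root from the record and its proof; True iff it matches."""
    acc = leaf_hash(record)
    for sibling, side in proof:
        acc = node_hash(sibling, acc) if side == "L" else node_hash(acc, sibling)
    return acc == published_root


def find_tampered(records: List[bytes], proofs: List[Proof], published_root: bytes) -> List[int]:
    """Indices of records whose stored copy no longer matches the published root."""
    return [i for i, (r, p) in enumerate(zip(records, proofs))
            if not verify_inclusion(r, p, published_root)]


# Constructed sample: five audit-log lines; the root is "published" (e.g. to an
# external witness) and each line's proof is issued at ingestion time.
LOG = [
    b"2024-03-01T08:00:01Z auth user=alice result=ok",
    b"2024-03-01T08:02:17Z auth user=bob result=fail",
    b"2024-03-01T08:02:19Z auth user=bob result=ok",
    b"2024-03-01T08:05:44Z sudo user=bob cmd=/bin/cat /etc/shadow",
    b"2024-03-01T08:06:02Z export table=customers rows=120000",
]
PUBLISHED_ROOT = merkle_root(LOG)
PROOFS = [inclusion_proof(LOG, i) for i in range(len(LOG))]


def demo_admin_tampering() -> List[int]:
    """An administrator with write access rewrites the sudo line after the
    fact; the published root exposes exactly which record changed."""
    tampered = list(LOG)
    tampered[3] = b"2024-03-01T08:05:44Z sudo user=bob cmd=/bin/ls"
    return find_tampered(tampered, PROOFS, PUBLISHED_ROOT)  # [3]


if __name__ == "__main__":
    print("all records verify:", find_tampered(LOG, PROOFS, PUBLISHED_ROOT) == [])
    print("tampered indices:", demo_admin_tampering())
```

The security property comes entirely from where the root lives: an administrator who can rewrite the log and the stored proofs still cannot produce a matching root without breaking SHA-256, as long as the published copy is outside their reach. Whoever prices a breach trigger or pays a claim on the basis of such logs should verify against that external root, not against anything held on the logging host.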
