Conventional ERM systems are generally assessment based and, consequently, they typically report results via an assessment metric often based on three colors: red, amber, and green. The managerial usefulness of such systems is limited for a number of reasons: first, “assessment” as opposed to “measurement” is inherently subjective and not easily audited; second, an assessment metric cannot be aggregated to support important management techniques such as trend analysis, benchmarking, ranking, and the comparison of actual usage against operating limits. To state the obvious, you can’t aggregate and compare colors.
The evolving risk landscape in which firms operate has undergone dramatic change in little more than a generation due to advances in science and technology and an ever-growing dependency on globally interconnected electronic data and information networks; globalization and geopolitical uncertainties leading to supply chain vulnerabilities; and the use of increasingly complex and sophisticated financial products to manage financial risks.
That has caused boards of directors, CEOs and other C-suite executives to become increasingly concerned with risk and its potential to trigger material unexpected losses which, as recent events such as the financial crisis of 2007-2008 demonstrate, can severely impact or even wipe out a firm’s capital.
Whereas accounting standards such as IFRS and GAAP are aimed at ensuring that enterprises present a fair view of their financial condition, there are no equivalent standards that apply to risk. In other words, a firm’s stakeholders (investors, regulators, customers, and auditors) receive little or no information on the risks firms accept, whether in absolute terms or in comparison to others, in order to create shareholder value.
The misalignment between finance and risk reporting is what academics have set out to resolve through their codification of the new accounting technique referred to as “risk accounting.” Risk accounting begins with the assertion that effective ERM must operate within a standardized system of risk measurement using a common risk metric that expresses all forms of risk. Accordingly, a unit of risk measurement unique to risk accounting has been created, the “risk unit,” or “RU.”
Analogous to financial accounting where profits are created through the sale of products and services, risk accounting assumes that exposure to risk is similarly correlated with revenue generation. For management reporting, transactions associated with the sale of products and services are tagged with codes that uniquely identify products, customers, business lines, organizational components, legal entities, and locations. For risk reporting, these same transactions are tagged with additional codes that are used in a calculation of each transaction’s risk-weighted value, that is, its exposure to risk in RUs.
The first step in risk accounting is to identify the primary risk types to which each industry is exposed. For example, in banking these are deemed to be operational, credit, market, liquidity, interest rate, and conduct risks.
Three sets of standardized tables provide the risk-weighted factors used in the calculation:
These risk-weighted factors are then used to calculate three core metrics for each risk type triggered by the product in question:
The pairing of accounting and risk values in a single source of controlled and audited accounting data at the transaction level enables the production of combined finance and risk reports and the computation of enterprise-wide risk and return metrics. Feedback loops give managers real-time or near real-time information on risk mitigation initiatives together with calculations of the associated improvement in RMIs and reduced residual RUs.
Given that risk accounting is an extension of management accounting, risk appetite can also be calibrated in RMIs and residual RUs and become an integral part of firms’ budgeting and planning cycles, thereby constituting a true ERM system. The RMI is the de facto measure of risk culture as it blends risk attributes from across the enterprise.
A more detailed description of risk accounting is available in a research working paper which is being published in the Journal of Risk Management in Financial Institutions. Whereas the theoretical models and worked examples included in the paper relate to banking, the method can be adapted for non-banks.
Peter Hughes is a chartered accountant, a former banker with JPMorgan Chase, a member of the advisory board of Durham University Business School’s banking, risk, and intermediation research group and a visiting research fellow at the Leeds University Business School.