The Language of Enterprise Risk Management: a Practical Glossary and Discussion of Relevant Terms, Concepts, Models, and Measures

Overall Corporate Performance Measures

• General Industry
• Return on equity (ROE)—net income divided by net worth.
• Operating earnings—net income from continuing operations, excluding realized investment gains
• Earnings before interest, dividends, depreciation, and amortization (EBITDA)—a form of cash flow measure, useful for evaluating the operating performance of companies with high levels of debt (when the debt service costs may overwhelm other measures such as net income).
• Cash flow return on investments (CFROI)—EBITDA divided by tangible assets.
• Weighted average cost of capital (WACC)—the sum of the required market returns of each component of corporate capitalization, weighted by that component's share of the total capitalization.
• Economic value added (EVA)—a corporate performance measure that stresses the ability to achieve returns above the firm's cost of capital. It is often stated as net operating profits after tax less the product of required capital times the firm's weighted average cost of capital.
• Financial Services Industry
• • Return on risk-adjusted capital (RORAC)—a target ROE measure in which the denominator is adjusted depending on the risk associated with the instrument or project.
  • Risk-adjusted return on capital (RAROC)—a target ROE measure in which the numerator is reduced depending on the risk associated with the instrument or project.
  • Risk-adjusted return on risk-adjusted capital (RARORAC)—a combination of RAROC and RORAC in which both the numerator and denominator are adjusted (for different risks).
• Insurance Industry
  • Economic capital—market value of assets minus fair value of liabilities. Used in practice as a risk-adjusted capital measure; specifically, the amount of capital required to meet an explicit solvency constraint (e.g., a certain probability of ruin).
  • RAROC—the expected after-tax return divided by economic capital (thus, the more technically correct label is RORAC but in the insurance industry, RAROC is the term commonly used). RAROC is typically employed to evaluate the relative performance of business segments that have different levels of risk; the different levels of risk are reflected in the denominator. Evaluating financial performance under RAROC calls for comparison to a benchmark return; when the benchmark return is risk-adjusted, the result is similar to RARORAC, though the term RAROC is still applied.
  • Embedded value—a measure of the value of business currently on the books of an insurance company; it comprises adjusted net worth (the market value of assets supporting the surplus) plus the present value of expected future profits on in-force business. (Embedded value differs from appraisal value in that the latter also includes the value of future new business.) The performance measure is often expressed in terms of growth (i.e., year-on-year increase) in embedded value.
  • Risk Based Capital (RBC)—a specific regulatory capital requirement promulgated by the National Association of Insurance Commissioners (NAIC). It is a formula-derived minimum capital standard that sets the points at which a state insurance commissioner is authorized and expected to take regulatory action.

Risk Assessment

• Risk Assessment Activities
  • Risk identification—the qualitative determination of risks that are material, i.e., that potentially can impact the organization's achievement of its financial and/or strategic objectives. This is often done through structured interviews of key personnel by internal (e.g., internal audit) or external experts. In some cases, the organization's business process maps are used to guide the risk assessment.
  • Risk prioritization—the ranking of material risks on an appropriate scale, such as frequency and/or severity (see also "risk mapping").
• Risk mapping—the visual representation of risks (which have been identified through a risk assessment exercise) in a way that easily allows priority-ranking them. This representation often takes the form of a two-dimensional grid with frequency (or likelihood of occurrence) on one axis, and severity (or degree of financial impact) on the other axis; the risks that fall in the high-frequency/high-severity quadrant are given priority risk management attention.
• Risk types—there are, in practice, a number of different ways that risk types are categorized. Below are a few categories that are commonly used:
  • Market risk—exposure to uncertainty due to changes in rate or market price of an invested asset (e.g., interest rates, equity values).
  • Credit risk—exposure to loss due to the default or downgrade of a counterparty (e.g., bond-issuer, reinsurer).
  • Operational risk—exposure to uncertainty arising from daily tactical business activities.
  • Strategic risk—exposure to uncertainty arising from long-term policy decisions.
  • Liquidity risk—exposure to adverse cost or return variation stemming form the lack of marketability of a financial instrument at prices in line with recent sales.
  • Hazard risk—exposure to loss arising from damage to property or from tortious acts; typically includes the perils covered by property/casualty insurance.
• "Risk profile"—there is no standard definition for this term; it is commonly used in a conceptual sense to represent the entire portfolio of risks that constitute the enterprise. Some companies represent this portfolio in terms of a cumulative probability distribution (e.g., of cumulative earnings) and use it as a base from which to determine the incremental impact (e.g., on required capital) of alternative strategies or decisions.

Risk Measurement

• Solvency-related measures—these measures concentrate on the adverse "tail" of the probability distribution (see "risk profile") and are relevant for determination of capital requirements; they are of particular concern to customers and their proxies, e.g., regulators and rating agencies:
  • Probability of ruin—the percentile of the probability distribution corresponding to the point at which capital is exhausted. Typically, a minimum acceptable probability of ruin is specified, and economic capital is derived therefrom.
  • Shortfall risk—the probability that a random variable falls below some specified threshold level. (Probability of ruin is a special case of shortfall risk in which the threshold level is the point at which capital is exhausted.)
  • Value at risk (VaR)—the maximum loss an organization can suffer, under normal market conditions, over a given period of time at a given probability level (technically, the inverse of the shortfall risk concept, in which the shortfall risk is specified, and the threshold level is derived therefrom). VaR is a common measure of risk in the banking sector, where it is typically calculated daily and is used to monitor trading activity.
  • Economic cost of ruin (ECOR)—an enhancement to the probability of ruin concept (and thus shortfall risk and VaR) in which the severity of ruin is also reflected. Technically, it is the expected value of the shortfall. (In an analogy to bond rating, it is comparable to considering the salvage value of a bond in addition to the probability of default.) For insurance companies, the equivalent term is expected policyholder deficit (EPD), and represents the expected shortage in the funds due to policyholders in the event of liquidation.
  • Tail Value at Risk (Tail VaR) or Tail Conditional Expectation (TCE)—an ECOR-like measure in the sense that both the probability and the cost of "tail events" are considered; the calculation differs from ECOR in such a way that it has a desirable statistical property (i.e., coherence) that is beyond the scope of this document to describe.
• Performance-related measures—these measures concentrate on the mid-region of the probability distribution (see "risk profile") i.e., the region near the mean, and are relevant for determination of the volatility around expected results; they are of particular concern to owners and their proxies, e.g., stock analysts:
  • Variance—the average squared difference between a random variable and its mean.
  • Standard deviation—the square root of the variance.
  • Semi-variance and downside standard deviation—modifications of variance and standard deviation, respectively, in which only unfavorable deviations from a specified target level are considered in the calculation.
  • Below-target-risk (BTR)—the expected value of unfavorable deviations of a random variable from a specified target level.
• Covariance—a statistical measure of the degree to which two random variables are correlated. Related to correlation coefficient (correlation coefficient is covariance divided by the product of the standard deviations of the two random variables). A correlation coefficient of +1.0 indicates perfect positive correlation; -1.0 indicates perfect negative correlation (i.e., a "natural hedge"); zero indicates no correlation.
• Covariance matrix—a two-dimensional display of the covariances (or correlation coefficients) among several random variables; the covariance between any two variables is shown at their cross-section in the matrix.

Risk Modeling

Risk modeling refers to the methods by which the risk and performance measures described above are determined.

• Analytic methods—models whose solutions can be determined "in closed form" by solving a set of equations. These methods usually require a restrictive set of assumptions and mathematically tractable assumed probability distributions. The principal advantage over simulation methods is ease and speed of calculation.
• Simulation methods (often called Monte Carlo methods)—models that require a large number of computer-generated "trials" to approximate an answer. These methods are relatively robust and flexible, can accommodate complex relationships (e.g., so-called path dependent relationships commonly found in options pricing), and depend less on simplifying assumptions and standardized probability distributions. The principal advantage over analytic methods is the ability to model virtually any real-world situation to a desired degree of precision.
• Statistical methods—models that are based on observed statistical qualities of (and among) random variables without regard to cause-and-effect relationships. The principal advantage over structural models is ease of model parameterization from available (often public) data.
  • Mean/variance/covariance (MVC) methods—a special class of statistical methods that rely on only three parameters: mean, variance, and covariance matrix.
• Structural methods—models that are based on explicit cause-and-effect relationships, not simply statistical relationships such as correlations. The cause/effect linkages are typically derived from both data and expert opinion. The principal advantages over statistical methods include the ability to examine the causes driving certain outcomes (e.g., ruin scenarios) and the ability to directly model the effect of different decisions on the outcome.
• Dynamic Financial Analysis (DFA)—the name for a class of structural simulation models of insurance company operations, focusing on underwriting and financial risks, designed to generate financial pro forma projections. DFA models are typically used in risk management applications.

Note: As a practical matter, the choice of modeling approach is typically between statistical analytic models and structural simulation models.

• Optimization—the formal process by which decisions are made under conditions of uncertainty. Components of an optimization exercise include a statement of the range of decision options, a representation of the uncertain conditions (usually in the form of probability distributions), a statement of constraints (usually in the form of limitations on the range of decision options), and a statement of the objective to be maximized (or minimized). An example of an optimization exercise is an asset allocation study.
• Candidate analysis—a restricted form of optimization analysis in which only a finite number of pre-specified decision options are considered, and the best set among those options is determined through the analysis.

Risk Management Applications

All of these techniques, models, and measures are used in various combinations to assist management decision-making.

• Capital management:
  • Capital adequacy—the determination of the minimum amount of capital needed to satisfy a specified economic capital constraint (e.g., a certain probability of ruin), usually calculated at the enterprise level.
  • Capital structure—the determination of the optimal mix of capital by type (i.e., debt, common equity, preferred equity), given the risk profile and performance objectives of the enterprise.
  • Capital attribution—the determination of the assignment of enterprise level capital to the various business segments (e.g., lines of business, regions, projects) that make up the enterprise, in recognition of the relative risk of each segment, for purposes of measuring segment performance on a risk adjusted basis (e.g., to provide the denominator for a RORAC analysis by segment).
    • Diversification credit—the recognition of the "portfolio effect," i.e., the fact that the economic capital required at the enterprise level will be less than the sum of the capital requirements of the business segments calculated on a stand-alone basis. The diversification credit is typically apportioned to the business segments in a manner that attempts to preserve the relative equity of the capital attribution process.
  • Capital allocation—the actual deployment of capital to different business segments.
• Asset allocation—the determination of the optimal mix of assets by asset class (usually to maximize expected reward within risk constraints). In advanced applications, the analysis reflects the nature and structure of both assets and liabilities.
• Reinsurance/hedging strategy optimization—the determination of the optimal reinsurance/hedging program, reflecting program costs and risk reduction capability; usually conducted through candidate analysis. The risk reduction capability manifests itself in terms of both reduction in required economic capital and reduction in the cost of capital or required risk-adjusted rate of return
• Crisis management—the proactive response of an organization to a severe event that could potentially impair its ability to meet its performance objectives.
• Contingency planning—the process of developing and embedding in the organization crisis management protocols in advance of crisis conditions.

Risk Monitoring

• Risk dashboard—the graphical presentation of the organization's key risk measures (often against their respective tolerance levels); typically used in reports to senior management.

External Oversight

There are a number of regulatory, rating agency and corporate governance guidelines and regulations that ERM programs and policies need to consider. The more prominent of these are identified and categorized below.

• General Industry
  • Cadbury Report, et al. (UK) corporate governance guidelines.
  • Dey Report (Canada) corporate governance guidelines.
  • Australia/New Zealand Risk Management Standard
• Financial Services Industry
  • Basel Capital Accord
  • Office of the Superintendent of Financial Institutions (OSFI) supervisory framework (Canada)
  • Financial Services Authority (UK) system of risk based supervision
  • Standard & Poor's Revised Risk-Based Capital Adequacy Model for Financial Products Companies
  • Moody's Financial Institutions' Enterprise Risk Management
• Insurance Industry
  • A.M. Best's Enterprise Risk Model: A Holistic Approach to Measuring Capital Adequacy
  • Moody's One Step in the Right Direction: The New C-3a Risk-Based Capital Component
  • National Association of Insurance Commissioners (NAIC) Risk Based Capital requirements.
  • Australian Prudential Regulation Authority (APRA) reforms to the regulation of general insurers.