Conventional risk management efforts are often designed to manage risk when conditions are considered normal or in a business-as-usual environment, but not during extremes, which is when risk management is most needed.
Effective risk management must be risk-intelligent, because a diet of pure risk aversion is a recipe for disaster just as much as swinging for the fences at every opportunity. While each retirement system is unique and likely at a different stage of capability development, they are grappling with some common questions and issues.
Retirement plan executives increasingly are recognizing the need to take a more integrated and holistic approach to risk management. Frequently, this approach is referred to as enterprise risk management. A successful process is not only enterprise-wide but also enterprise-deep and becomes part of everything everyone does every day, not just a check-the-box exercise.
An effective ERM process should help to establish a meaningful dialogue between the board and the executive about the nature of risk and the acceptability of exposures the organization faces in fulfilling its mission. So how do you kick-start a risk-intelligent dialogue?
First, it is important to come to a common understanding of what is meant by risk. Unfortunately, the answer too often depends on whom you ask. Those with deep specialist expertise naturally develop their own language. Actuaries might define risk as the frequency and severity of losses and the correlations between contracts; investment operations might see risk as unexpected variation; human resources might see risk as loss of key personnel; while legal might see risk as the potential for litigation.
Investment risk and the potential for profit are related to uncertainty. Greater uncertainty creates greater potential for both loss and returns. For this reason, the discussion of value and risk should never be separated.
If risk is the potential for failure resulting in loss, harm or missed opportunity, then there are many risks facing retirement systems. For instance, from the perspective of investment performance, if failure is an unacceptable difference between actual and expected performance, then what is acceptable or unacceptable? How much risk are you willing to take to achieve a valuable result?
Second, once you have identified a risk, who owns that risk: the board or the executive? Typically, the board is responsible for managing certain key risks such as asset allocation policy and hiring, evaluating and compensating leadership, especially the chief executive.
The board is also primarily responsible for risk oversight. Board members need to ensure there are capable people, processes and systems in place to effectively manage the system. They also need to understand that risks are being effectively managed so objectives are achieved and risk exposures are acceptable.
Executives are primarily responsible and accountable for risk management. At the outset of any ERM process, once specific risks have been identified, risk owners should be clearly assigned for assessing, mitigating, monitoring and reporting on those exposures. In most cases, the appropriate risk owner should be obvious by the position, e.g., the chief investment officer for investment risks. In other cases, the CEO or executive director might need to assign responsibility.
Quickly establishing a single point of accountability with specific risk owners provides a focus for obtaining reasonable assurances from executives about the effectiveness of risk mitigation and the extent of residual exposure. Clear executive accountability sets the stage for an ERM process to provide support and assistance to risk owners in developing a common understanding with the board by developing a common language of risk, a common process and common tools. Obviously, this won't happen overnight. It takes time to migrate to a common understanding from divergent specialist perspectives.
ERM programs often run into difficulty when they spend too much time on the process and not enough time on the product. Even when they do focus on the product, a report on risk ought to be the beginning of a risk-intelligent dialogue, not the end. The ERM process can also provide important independent reassurance about the reliability of risk owners' reports.
Third, a growing number of systems are considering appointing a director of ERM or chief risk officer to coordinate their risk management efforts. What are the CRO's responsibilities? To whom should the CRO report: the board or the CEO?
The reporting relationship depends on the CRO's responsibilities. The CRO should report to the CEO if he or she is primarily responsible for risk management (e.g., credit risk/market risk) as a member of operating management. Otherwise, the CRO should report to the board if the ERM function is primarily responsible for developing organizational risk management capabilities, e.g., risk policies, people, processes and systems, and providing independent reassurance.
Fourth, what is the preparedness of the system to prevent, detect, respond to and recover from a risk occurrence or interaction of multiple risks? While there is no such thing as perfect prevention, the ability to prevent a risk from occurring depends on the ability to control its causes. Is the risk caused primarily by external or internal factors?
If the causes are largely external, you will have little or no control over risk prevention. Instead, you need to focus on mitigating the effects of risk through preparation.
If the causes are primarily internal, e.g., people, processes or systems, you ought to have much greater control over both cause and effect.
Fifth, possibly the most important part of an ERM process is the risk-intelligent dialogue it should create between the board and executives. Successful ERM is much less about crafting perfect policy and process than it is about getting the right focus on understanding and mitigating exposures and clarifying risk management accountabilities. ERM can help support risk owners in building capabilities and providing independent reassurance to the board that executives' reports about risk exposures are reliable.
Frederick D. Funston is managing partner and Randall W. Miller is principal of Funston Advisory Services LLC, a Bloomfield Hills, Mich.-based firm whose focus includes pension fund fiduciary, governance and operational assessments and risk management.