Is Financial Risk Management Equivalent to ERM?

Episode: 017
Date: Tue 21 Sep 2021
Title:               Is Financial Risk Management Equivalent to ERM?

Enterprise Risk Management, for some, consists solely of Financial Risk Management. Is this sound? We offer commentary on quantitative modelling and its place in ERM.


Financial risk management consists of a suite of quantitative methods. Are they foolproof?

Main points
1. Quantitative analysis as risk management
Value at Risk; Credit Risk
Monte Carlo simulations
Stress testing
Cash flowing projects and investments; IRR and WACC
2. Chief limitations of quantitative models
Forecasts and probability estimates
Proprietary internal risk rating systems
3. 2008-2009 financial crisis: crisis in risk management methods?
Adequacy of methods vs sincerity of application (corruption)
4. Recommendation:
Bring financial models to the table
Assess their relevance in a well-informed strategic context
Use High Quality Risk Assessment; in other words, multi-disciplinary risk identification
5. Quotes from the financial experts
6. What constitutes due diligence?
7. What is the worldview that quantitative modelling represents?

1. Quantitative models are only as valid as the the scope and assumptions built into them.
2. Calculations and estimates often rely upon historical statistical information. Data often does not exist for the given investment candidate, or it lacks credibility or relevance.
3. Improperly specified models cannot display accurate stress test results.
4. Many firms with good financials and sound insurance portfolios have crashed because they ignored strategic risk that could not be discerned in quantitative models.
5. Financial decisions should be considered using the results of quantitative models, subject to a multi-disciplinary round-table review in the process we call High Quality Risk Assessment.

”…a new kind of blindness: the one induced by new technology and elaborate quantitative models.”
(B. Voyles ) Voyles and other financial experts mentioned quoted in Robertson, p.98

”…much more is being underwritten, correlated, and contemplated [by major insurers] than the traditional hazard risks.”
Interview of LoriAnn Lowery-Biggers and colleague Sean Murphy by John Czuba of Legal Talk Network:

(E. Robertson 2016) Solving the Enterprise Risk Management Puzzle: Secrets to Successful Implementation


[edited for clarity]

This is Episode 17: Is Financial Risk Management Equivalent to Enterprise Risk Management? 

Enterprise risk management is often construed simply as quantitative or financial risk management and I think that’s largely true in many organizations that are financial in nature themselves; that is, that have finance and investment as their core business. My essential question then is: Is this a sound approach?

What we’ll do is review several aspects of quantitative or financial risk management, and discuss these in the context of the financial crisis of 2008/2009. We’ll review some of the limitations of quantitative models and then I’ll make some recommendations. I’ll end with some quotes from financial experts to show that my view is substantiated by people who are really immersed in the field, that is in financial risk management, and offer an opinion as to the world view that seems to inform financial risk management. 

Financial risk management, according to standard definitions, has to do with using financial instruments to mitigate the risks that are incurred by the organization. In one workshop that I attended, led by a financial expert, Enterprise risk management was actually relegated to be a subset of financial risk management.

Taking just one example of a certain technique or measure: the Value at Risk. The Value at Risk measure is the measure of risk of loss on a given portfolio of assets.  

Another related concept is the calculation of Credit Risk.  

A fundamental idea in investments or potentially cash flowing projects is to compare the Internal Rate of Return, that is, the expected or forecast return of a project, against the WACC — the Weighted Average Cost of Capital, with the idea that we don’t want to overburden the firm with a financial obligations that it will not be able to meet.  

The Monte Carlo simulation technique gives a forecast by running multiple trials on a model with one or more inputs randomly varied, within defined limits.  

And yet another technique: Stress Testing has to do with the inflation of one or more variables within a given formula or model.  

I don’t pretend to give a comprehensive and orderly presentation of financial risk management techniques. I’m simply pointing out that all of the ones that have mentioned so far have common features. One of the most striking features that they have in common, for example, Value at Risk or Credit Risk, is that they rely on probability distributions. They rely on probability estimates. So then the question immediately arises: well probabilities based on what?  

Of course, it’s reasonable in an actuarial operation to to draw upon historical data that has been specified and marshalled very carefully to inform insurance products. But what inevitably comes up in the question of risk identification, in various administrative contexts, is that we just don’t have the data to inform the myriad of decisions that we have to make in all various situations.

Even if we do have the data, well often it’s impugned, that is, subject to criticism, because it’s not really strictly relevant to the context that we’re trying to analyze, or it comes from a source that lacks credibility, that is biased. Not only that, but even if we do have the data, it’s rather questionable to manage the future strictly by looking into the past.  

So let’s be clear. If you look at the formula for Value at Risk, for example, it requires a specific “probability of loss” numerical input. Similarly, the calculation for Credit Risk relies on “probability of default” input. So the question then arises: where are you going to get those numbers?  

Now shifting back for a second to the Monte Carlo simulation exercise, or various kinds of stress testing: The Monte Carlo itself does generate a probability distribution for the expected outcome, but it necessarily uses just a finite number of only relatively valid assumptions. Similarly, with stress testing — I’m quoting here — “If the underlying model being stressed is incorrectly specified or estimated, then the conclusions drawn from the stress test may be invalid.” — of course. That’s from an IMF working paper.

Now the answer, as I understand it, from the world of finance, is that any organization involved in financial projects, investments in potentially cash flowing projects, and so on… the whole idea is to use the historical data that is available. It is in the database of the organization, and it’s called often an Internal Risk Rating system. The more fully developed and finely specified the Internal Risk Rating system is in a given organization, the better its position in the market; the more accurate, presumably, its decisions will be; the more successful its decisions will be with respect to investing.

That means that they’ve got databases to specify [estimates for] this or that type of business. [However] many organizations that have to make these investment and financial decisions don’t have an Internal Risk Rating system. So what happens? They end up relying on industry analysts, the investment firm analysts, or the credit rating agencies. The complaint that I heard right “from the horse’s mouth” was that these people don’t even (often) return your calls, if the investment is really questionable, if it is suspect, if there’s some risk involved. We have to question whether the various analysts and advisers are positioning themselves in the market truly as advisers and consultants, or simply as sales people.  

The conclusion from the workshop leader (that I was referring to just earlier) was that organizations really have to design and build their own risk assessment systems. They have to have their own Internal Risk Rating systems and methodologies for risk identification and assessing projects. So that seemed to be sound advice, and yet he was still, seemingly, recommending that we continue to use quantitative models — even if you haven’t got the data to support it.  

So let’s summarize the critique: all of these various techniques and models that we have been discussing so far clearly are only valid within the limitations imposed by their own scope and the assumptions built into them. And so if you say, “Well, Edward, that’s obvious.” I can say then there’s cause for questioning whether in many cases, financial risk management — I’m quoting here — “has become a mathematical exercise with over reliance on models.” Now, that’s from an article in the Actuarial Post.

I should address a related issue, which got a lot of press at the time of the financial crisis 2008/2009 and in the aftermath, in the ensuing years, and that is whether enterprise risk management actually failed.

I resurrected and re-posted an article that I had originally published in 2009, and I updated it. It’s called “Economic Crisis: Why ERM Did Not Fail”. The essential argument is that there’s a difference between assessing the efficacy of enterprise risk management methods and the question of whether they were actually applied in a sincere manner.

Well, at this point some listeners might think that I’m being unfair, that I’m really mischaracterizing the whole financial risk management industry. And yet I can say that due diligence is not carried out in the exempt market (in private market investments), for example, for the average retail investor in any way that could be called consistent or comprehensive.

If you want a demonstration of what happens if major firms construe enterprise management simply to be financial information — managing the insurance portfolio, and so on — then it’s sufficient to look at all the cases where firms have simply driven themselves off a cliff, because they ignored important strategic and market-based information that had nothing to do with their financial position, financial forecasts, stress testing, and credit risk calculations.  

My conclusion from all this is not to reject financial models altogether — that would be silly — but rather to suggest that they be brought to the table. All of the various models, calculations, forecasts, and so on [should be] brought to a roundtable that is multidisciplinary in nature, that is informed by environmental scan. What that allows you to do is to examine financial decisions, financial risk, in a full strategic context with all of the various views being presented — [and] if that is the way things are managed, we have to conclude that financial risk management is a subset of enterprise risk management, not the other way around.  

Well I’d like to substantiate my view here with some quotes from financial experts which I gathered pretty much at the time when I wrote the original article on this (that I had posted on my blog back in 2009):

“All the amazing models created by mathematicians and software engineers did not fail because they were inaccurate. They failed because the risk managers did not have the common sense or the drive to address the growing and problematic OTC (over the counter) portfolios that they were hired to manage.”

That’s from commentator Allyson Heumann.

Here’s an interesting article:

“CEOs discovered too late that they had treated their old fashioned blind spots for a new kind of blindness: one induced by the comfort of new technology and elaborate quantitative models. With such disasters as a backdrop [and here he is referring to the Société Générale $7billion “rogue trading” loss]… many risk management experts say it’s time for companies to revisit the fundamentals.” 

That’s from author Bennett Voyles.

Or how about this one, from Peter Bernstein, the risk management icon:

“With too much dependence on the math, you lose sight of the dynamics; that the world really moves and that it’s a complex system.”

Indeed! — and that’s the whole point of considering financial and investment questions in the context of a multidisciplinary roundtable, in other words, in high quality risk assessment.

Financial models will simply not be able to incorporate and express all of the various elements of the problem. Even if you have a highly developed database in an Internal Risk Rating system for a similar project, that is still looking into the past! You need to examine the current investment on its own merits, with the current situation.

Well, on the face of it, I think it’s pretty hard to refute the argument that I’m making, and probably a lot of people would say: “We’re already doing that. We’re already looking at financial risk in a strategic context.” But I challenge you to examine whether you’re really bringing to the table a comprehensive review of all of the various risk, from all the different domains, with the proper preparation — i.e., [establishing] the context and all the specifications of high quality risk assessment that I’ve been discussing throughout the various episodes in this podcast series.  

A closely related topic is due diligence. The question there is: “What constitutes due diligence?” Is there a comprehensive and really well-informed design for a due diligence system that you’re using, or is it more informal, and sort of hit-and-miss?  

Obviously there are due diligence methods and systems that have good predictive power, that are successful — but this is all a matter of finding them within the firms that hold them as a proprietary methods.  

So in the absence of a really good due diligence system, or high quality risk assessment, which is multidisciplinary, with which to review financial decisions, then the financial view that is arrived at through the quantitative models is going to predominate. It will carry the day. And I believe it has a certain prestige. This leads me to offer a comment about the worldview that informs financial risk management, and really management in general — it’s more of a general cultural comment:

Whatever is quantifiable, whatever is connected with scientific methodology and quantities and numbers — that seems to have some sort of prestige that is not necessarily warranted.  

One common expression is “If you can’t measure it, you can’t manage it” and is that strictly true? There’s a lot of things that we simply will not be able to quantify. In fact, I would argue that most of the decisions that we make in business realms are not going to be subject to quantification. We simply won’t have the data, as I pointed out earlier, and decision-making is going to be a matter of synthesizing a whole range of qualitative and quantitative information.

 As a concluding comment, I can mention that the article that I referenced back in Ep 1 pointed out that much more is being underwritten these days. In other words, there’s a much more comprehensive view of the firm and its risk management practices being taken into account by insurance companies and credit rating agencies. That really speaks to the necessity of having high quality risk assessment either as a complement of, or context for conventional financial risk management techniques!

Well, let’s summarize what we covered today:
1. Quantitative models are only as valid as they scope and the assumptions built into them.
2. Calculations and estimates often rely upon historical statistical information. Except for actuarial operations, that data often doesn’t even exist for a given investment candidate, or the data lacks credibility because of the source, or lacks strict relevance to the case at hand.
3. Improperly specified models cannot display accurate stress test results.
4. Many firms with good financials and sound insurance portfolios have crashed because they ignored strategic risk that could not be discerned in quantitative models.
5. Financial decisions should be considered using the results of quantitative models subject to a multidisciplinary roundtable review in the process that we call high quality risk assessment. In this way, finance and investment decisions can be reviewed in a full strategic context.




Share on facebook
Share on twitter
Share on pinterest
Share on linkedin

Leave a Comment

Your email address will not be published. Required fields are marked *

Social Media

Recent Posts

Get Transcripts | Resources

Subscribe To Our Monthly Newsletter