At the corporate level, risks are defined as possible unexpected deviations from set targets. ERM aims to reduce these risks to a tolerable and economical level and thus to safeguard the very existence of the company. This is the CRISAM® understanding of enterprise-wide risks and their management.
However, companies operate their enterprise-wide risk management at very different levels of quality. This depends partly on the industry they operate in and partly on how long the company has been dealing with risk management issues. To assess a company's current risk management status, CRISAM® ERM uses a maturity model which is very closely aligned with the capability maturity model (CMM; see figure 9).
Basically, CRISAM® covers all levels of the maturity model shown in figure 9. At levels 1 and 2, content libraries, for example based on the COSO framework or created in a user-specific manner, are used to enable the evaluation of enterprise-wide risks. The individual assets are modelled analogously to the information assets in the IRM, taking cause-and-effect relationships into account.
Beginning with level 3 in the maturity model the risks are quantified in monetary values and their possible deviation is calculated and aggregated. This aggregation is performed by means of scenario analysis (Monte Carlo simulation) in which a very large number of possible business cases is simulated under risk exposure.
Beginning with level 4, a business logic, for example a financial budget, can be extracted from a source system such as SAP and linked to the business-related risks. After aggregating these corporate risks, the planned result, including its deviation, is shown; hence key risk indicators such as value at risk, planning certainty and probability of loss, as well as performance figures such as RAROC and RORAC, can be generated and evaluated.
The core functions of CRISAM® enterprise risk management (ERM) are:
- Support of the maturity model from level 1 to level 5 – CRISAM® assists companies with the introduction of an enterprise-wide risk management along the maturity model from level 1 to level 5. In the lower levels 1 and 2 a standardised or specific (customer-specific and/or industry-specific) content library is set up. At levels 3 to 5 risks are quantified, linked to a business logic (level 4) and aggregated.
- Business logic – In addition to the conventional risk identification and assessment, CRISAM® enables the aggregation of individual risks to risk groups and risk categories as well as the connection of individual risks to a business logic. A business logic is, for example, a business plan, a profit and loss account or a project plan. By linking risks to a business logic, CRISAM® creates a bridge between risk management and management accounting.
Figure 9: ERM maturity model
- Formulating risks with statistical distributions – Risks are not static values: they follow statistical distributions, so there is a most likely value with a corresponding spread around it. In CRISAM® these risks can be expressed as absolute figures, in monetary terms, or as a percentage, i.e. relative to a predetermined planned result.
- Risk aggregation by scenario analysis (Monte Carlo simulation) – In order to evaluate risks in terms of dimension and impact with regard to a specific target value, they have to be brought together by means of aggregation. For this purpose, CRISAM® performs a scenario analysis (Monte Carlo simulation) in which a very large number of possible business cases is simulated under risk exposure; the results produced are shown together with their possible deviations. Based on these results, key risk indicators such as value at risk, planning certainty and probability of loss, as well as performance figures such as RAROC and RORAC, can be generated and evaluated.
- Effectiveness and efficiency analysis of measures – Sometimes company-wide risks cause deviations from the target and the planned results which cannot be tolerated by corporate management. Thus, measures must be taken to counteract these risks. These measures are, however, associated with costs, i.e. an initial investment and follow-up costs, which must be included in the overall analysis. CRISAM® analyses the effectiveness and efficiency of planned measures by simulating the business logic before and after their implementation. An improvement of the target KPI (for example EBIT) after the implementation of the measures indicates that they are effective and efficient.
- Flexible analysis of results and KPIs – In the management domain ERM, CRISAM® offers different possibilities for statistical evaluations and analyses (for graphical analyses see the following figures). Among other things, histograms, box plots, trend analyses, risk portfolios and sensitivity analyses can be provided out of the box. In addition, significant key risk indicators are available together with the statistical analyses.
Figure 10: CRISAM® histogram - analysis
Figure 11: CRISAM® analysis with box plots
Figure 12: CRISAM® time series analysis
- Multi-model capability – In several cases a single business logic is not sufficient to map the risks. If separately managed project risks are to be contained in one single profit and loss account, or if the risk exposure of several subsidiaries is to be aggregated to assess the overall enterprise-wide risk, separate models have to be created first and then merged into one common model which can be evaluated. Building separate models first is required, among other things, for organisational reasons and for reasons of authorisation. CRISAM® makes it possible to set up and merge separate models with different authorisation concepts and therefore facilitates the evaluation.
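As an added illustration of the quantification with distributions, the Monte Carlo aggregation and the before/after analysis of measures described in the bullets above (constructed example code, not CRISAM® software or data), the following Python script aggregates three hypothetical risks against a planned EBIT by scenario analysis and derives the key risk indicators named in the text, before and after a hypothetical countermeasure. The risk figures, the measure and its cost are assumptions; planning certainty is taken here as the share of runs that reach the plan, and value at risk as the shortfall against plan at 95% confidence.

```python
import random
import statistics

# Constructed example: a planned EBIT as the business logic and three risks acting
# on it. Each risk is a triangular distribution (minimum, most likely, maximum) of
# its monetary impact, i.e. a most likely value with a spread around it.
PLANNED_EBIT = 1_000_000.0
RISKS = {
    "supplier default": (0.0, 50_000.0, 400_000.0),
    "FX movement": (-100_000.0, 0.0, 150_000.0),  # negative minimum = upside
    "project overrun": (0.0, 80_000.0, 300_000.0),
}

def simulate(plan, risks, runs=20_000, seed=1):
    """Scenario analysis: draw every risk once per run and return the
    simulated results (plan minus the aggregated risk impact)."""
    rng = random.Random(seed)
    results = []
    for _ in range(runs):
        impact = sum(rng.triangular(lo, hi, mode) for lo, mode, hi in risks.values())
        results.append(plan - impact)
    return results

def key_risk_indicators(results, plan, confidence=0.95):
    """Derive the indicators named in the text from the simulated distribution."""
    ordered = sorted(results)
    n = len(ordered)
    # Value at risk: shortfall against plan not exceeded in `confidence` of runs.
    shortfall_quantile = ordered[int((1.0 - confidence) * n)]
    return {
        "expected_result": statistics.fmean(results),
        "value_at_risk": plan - shortfall_quantile,
        "planning_certainty": sum(r >= plan for r in results) / n,  # P(plan met)
        "probability_of_loss": sum(r < 0.0 for r in results) / n,   # P(result < 0)
    }

def measure_effect(plan, risks, risks_after, measure_cost, **kw):
    """Effectiveness/efficiency check: simulate before and after a measure, deducting
    its cost from the plan; a positive gain means the measure is worth its cost."""
    before = key_risk_indicators(simulate(plan, risks, **kw), plan)
    after = key_risk_indicators(simulate(plan - measure_cost, risks_after, **kw), plan)
    return before, after, after["expected_result"] - before["expected_result"]

# Hypothetical measure: dual sourcing shrinks the supplier risk at a cost of 40k.
RISKS_AFTER = {**RISKS, "supplier default": (0.0, 10_000.0, 100_000.0)}

if __name__ == "__main__":
    before, after, gain = measure_effect(PLANNED_EBIT, RISKS, RISKS_AFTER, 40_000.0)
    print("before:", before, "\nafter:", after, "\nimprovement:", round(gain))
```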