We often hear references to a holistic view of risk. “Holistic” is a term used in risk management to emphasize the importance of understanding the interrelationships among individual risks (or groups of related risks) and the coordinated approach that an organization’s operating units and functions undertake to manage risk. A holistic approach to risk management is, by definition, one that is not fragmented into functions and departments, but rather is organized with the intention of optimizing risk management performance.
A silo approach to managing risk is dangerous in today’s rapidly changing environment. Organizations can face change with greater confidence with an enterprise-wide perspective. That is why an enterprise risk management (ERM) approach is intended to be holistic in its perspective toward risk and how it is managed. While the goal of thinking holistically is laudable, the question arises as to what it means from a practical standpoint.
A holistic view of risk attempts to grasp the big picture by identifying the critical risks that really matter through an enterprise-level, portfolio view of risk. This is where management considers risk from an entity-wide perspective and determines whether the entity’s residual risk profile is commensurate with its overall risk appetite. Each manager responsible for a business unit, function or process must assess, from an enterprise perspective, the risks generated by the activities for which he or she is responsible. With a composite view at each level of the organization, senior management and the board then determine whether the entity’s overall risk portfolio is commensurate with its desired risk profile.
From a practical standpoint, a holistic approach means one or more of the following:
- Senior management establishes the enterprise’s appetite for risk in the context of its overall objectives and determines how to cascade it down into the organization through appropriate risk tolerances and limit structures;
- Each responsible manager develops a composite assessment of risks for his or her business unit, process or function, and considers the residual risk profile relative to the enterprise as a whole in addition to the objectives of the business unit, process or function, and relevant risk tolerances/limits;
- With a roll-up of the risks assessed for individual business units, processes and functions, senior management uses a portfolio view for the entity as a whole to ascertain whether its residual risk profile is commensurate with the organization’s overall objectives and risk appetite;
- The statement of risk appetite is supported by an analytical tool tied to status and trending reports linked to critical metrics; this tool should model relevant scenarios such as a revenue downturn or the impact of an acquisition so that management can assess the impact of potential opportunities and/or adverse events to ascertain whether their effects are in line with the company’s risk appetite;
- Different units may be within the risk tolerances of the individual units, but, taken together, risks might exceed the risk appetite of the entity as a whole, in which case additional or different risk responses are needed to bring risk within the entity’s risk appetite, consistent with the organization’s objectives; and
- Conversely, risks may naturally offset across the entity where, for example, some individual units have higher risk while others are relatively risk averse, such that the overall aggregate risk is within the entity’s risk appetite, obviating the need for a different risk response.
A holistic, portfolio view of risk can be obtained in a variety of ways. For example, it may be gained by focusing on major risks or event categories across business units to provide relevant themes for aggregating risk. Another approach is to focus on risk for the company as a whole, using such metrics as risk-adjusted capital or economic capital at risk. Such composite measures are particularly useful when measuring risk against objectives stated in terms of earnings, growth and other performance measures, sometimes relative to allocated or available capital.
One example of a holistic approach is a manufacturing company that takes a portfolio view of risk in the context of its operating earnings objectives. Management uses common event categories to capture risks across its business units and uses a graph showing, by category and business unit, the risk likelihood in terms of frequency on a time horizon and the relative impacts on earnings. The result is a composite view of the risks the company faces, with management and the board able to consider the nature, likelihood and relative size of the company’s risks and how they may affect its earnings.
Another example is a financial institution that calls on its business units to establish objectives, risk tolerances and performance measures, all in terms of risk-adjusted return on capital. This consistently applied metric facilitates management’s rolling up the various units’ combined risk assessments into a portfolio view of risk for the institution as a whole to consider the units’ risks, by objective, and determine whether the entity as a whole is within its risk appetite.
Still another example is the energy firm that (a) manages the impact of commodity price volatility on margins by hedging its projected natural gas revenues and entering into long-term contracts to lock in pricing for coal contracts over the planning horizon, and (b) addresses any remaining basis risk through natural offsets within its commodity portfolio.
By looking at risk from a portfolio perspective, senior executives can reevaluate the nature and type of risk they wish to undertake. In cases where the portfolio view shows risks significantly less than the entity’s risk appetite, management may decide to encourage certain unit managers to accept greater risk in targeted areas, striving to enhance the entity’s overall growth and profitability.
Following are more examples of thinking holistically when overseeing risk:
- Brand and reputation management might be focused on a holistic view of how strategic alignment, cultural alignment, a strong operational focus, a commitment to quality and organizational resiliency can prevent unacceptable events from happening.
- Movements in foreign currency markets, interest rates and commodity prices can have a substantial impact on a company’s revenue, income and earnings. A holistic view in managing these volatile risks means having an up-to-date, enterprisewide view of risk positions, marked-to-market. Technology is an enabler to maintaining updated, consolidated and centralized reporting of trading, physical and contractual asset portfolio positions reflecting market realities, i.e., changes in interest rates, currencies and commodity prices. Absent this capability, the enterprise is flying blind.
- When assessing supply chain disruption risk, the risk assessment process should take an end-to-end view of the value chain, looking upstream to suppliers (including tier 2 and tier 3 suppliers) and downstream to channel partners and to the ultimate consumer, considering the logistics that glue these vital components together. With this end-to-end knowledge and visibility as context, management then asks appropriate questions regarding what could happen to the viability of the organization’s business model if any key component of the value chain were taken away, either through failure or an unexpected catastrophe.
  For example, which suppliers do we depend on for essential raw materials and component parts? What would happen if we were to lose one of them for any reason? How long would we be able to operate? What if there were temporary shortages in raw materials or serious defects in supplier raw materials and component parts? What if we lost a major channel partner? What if there were significant disruptions in transportation? When assessing the potential disruptive impact of these and other events on the company’s ability to function within the value chain, consider the following:
  - Velocity of the disruption – How quickly would we feel the initial impact, both internally and in terms of facing the customer?
  - Persistence of the disruption – How long would we be affected if the supplier disruption continued?
  - Response readiness – Given the processes in place, how resilient would we be in reacting to a loss of any significant supply chain component?

  This thinking provides a touch point between risk management and crisis management.
- With respect to project management, organizations should look at risk on a project basis as well as an enterprisewide basis, using a systematic approach to consider risks across the breadth of the organization and ensure the right projects are undertaken. This portfolio view can be useful in evaluating whether individual projects should be truncated.
The point of the above examples is that a holistic approach to managing risk is an exercise in “big picture thinking.” By gaining an appreciation of the dynamics of the global marketplace and focusing on company initiatives to achieve sustained, long-term profitable growth, a holistic approach focuses on an enterprisewide view of risk and risk management. It is the only way to achieve optimal results and effect change with confidence. The only question is how to put it into practice in an organization given its strategy, structure, industry, and operating style.
Jim DeLoach has more than 35 years of experience and is a member of the Protiviti Solutions Leadership Team. His market focus is on helping organizations succeed in responding to government mandates, shareholder demands and a changing business environment in a cost-effective and sustainable manner that reduces risk to an acceptable level. He also assists companies with integrating risk management with strategy setting and performance management. Jim also serves as a member of Protiviti’s Executive Council to the CEO.