Abstract

The term “enterprise risk management” and its predecessors “integrated risk management” and “holistic risk management” have been in use since at least the late 1980s. Many definitions for these terms have been put forward and much has been written about the merits of enterprise risk management over traditional risk management. In general, two themes emerge in these definitions. The first is that traditional risk management does not look broadly enough in its search for risks. Enterprise risk management contends that more risks should be identified and studied. Much discussion is given over to taxonomies of risk, with different professional groups and different industry associations putting forward different classification systems. The emphasis of these systems is on developing comprehensive lists and profiles of risk following the logic that in order to solve a problem it needs first to be identified. The second theme of enterprise risk management holds that risks should be managed together rather than individually. Managing risks individually misses the interaction between the risks and leads to sub-optimal or, worse, counterproductive actions. By combining the risks in an integrated model, interactions are captured and better solutions can be developed. Unfortunately, implementing both of these themes together is difficult. Identifying more risks increases the complexity of modeling them in an integrated way. Trying to accommodate all risks and every interaction between them soon leads to a practical roadblock. Furthermore, with little or no numerical data available to describe newly identified risks and even less to describe their interactions, mathematical and statistical tools soon fail to add much value or insight. This frustration confounds the search for new risks as well as integrated modeling. Why bother looking for new risks if it is impossible to model and measure those already identified? Is it possible to overcome this impasse?
Certainly, ceasing to search for new risks is not a good solution. Instead, we should revisit what it means to model risks together. In other words, rather than defining enterprise risk as the integrated modeling of various separately identified risks, could we define it in a different way? Traditionally, risk and risk management have focused on the risk itself. For example, when an enterprise investigates the merits of insuring a risk, it compares the cost and variability of possible losses against the cost of one or more insurance options. Likewise, when investigating the merits of a financial hedge, the cost and variability of the unhedged risk are compared with the costs of the available hedges. When risks are studied together, these individual risk models are integrated. In this paper we develop an enterprise risk theory focused on the enterprise, not the risk. In this theory, the subject of study is the enterprise impacted by the risk rather than a
