Enterprise Risk Management has been getting an increased amount of attention in recent years.  Companies and organizations are recognizing the value of taking an enterprise approach to risk.  While there have been numerous general frameworks that have been developed by various industries, regions and professional organizations, there has been little attention focused to the quantitative aspects of ERM within the frameworks.

The report, authored by Christopher Bohn and Brian Kemp, maintains that this presents an opportunity for individuals with a quantitative background to not only add value to organizations interested in implementing an ERM framework, but also to aid in the development of a more rigorous quantitative framework.


Many of the risks that are emerging as a result of the implementation of ERM do not fall within the classic insurable subset of operational and financial risks. The article presents three main opportunities that arise from the nature of these risks.

1. There are not extensive databases of relevant loss or event data.  This presents an opportunity to help develop procedures for the collection and storage of this data.
2. Through the quantification of risk, individuals can aid in the understanding of the cost/benefit tradeoffs of various management strategies.
3. The ability to quantify risk will also advance the development of new transfer products available in the marketplace.

Next, the article presents a six step process for developing a risk model:

Determine the Underlying Risk Process

First, one must clearly define the risks one wishes to model. This can be done by identifying the underlying exposure and key events that impact the exposure and key consequences that arise from those events.

Second, one must determine the desired output. It is important to understand what outputs or performance indicators you wish to track. Next, it is important to keep in mind the potential mitigation strategies that may be implemented. Finally, one should map out the risk process. This can be done by developing a flowchart of risk process. The last four steps are intended to be the foundational blueprint on which your quantitative model will be built.

Build Risk Modules

After making a blueprint it is necessary to convert the risk process it into a stochastic model. When building the risk model, make sure to keep in mind considerations that were the foundation in the development of the risk blueprint.  Next, the article suggests that one takes a modular approach to building the model, to allow you to easily add or remove exposure, event or consequence modules.

Identify Inputs and Parameters

This stage of the framework deals with determining the probability distributions and their associated parameters and incorporating them into your loss modules.  The loss and event data would preferable come from actuarial applications, however if this is not available the modeler must fall back on his or her own experience regarding the general shape of the distributions.


At this point, it is time to run the model, which should consist of a number of modules.  The results should be evaluated for their reasonableness.  Additional value can be derived from the model by conducting sensitivity tests and using scenario analyses.

Overlay Current and Proposed Mitigation

At this point the model is prepared to make strategic decisions about the amount of risk an organization wishes to retain, transfer and avoid. Through the quantification of risk, the organization can learn much about their current risk exposure, improving risk strategy, and appetite for risk.


Risk modeling should not be considered a one-time analysis, but an ongoing process throughout the organization.  As time passes it is likely that a number of factors in your quantitative model will change, therefore there should be constant monitoring.

Link: Bohn, Christopher, and Brian Kemp, “Enterprise Risk Management Quantification – An Opportunity,” AON, February 2006.

Subscribe to ERM Insights

The latest research, insights and opportunities from the NC State ERM Initiative to help
you and your organization lead with confidence.

ERM Enterprise Risk Management Initiative 2006-02-01