While managing an enterprise’s portfolio of risks to be within the entity’s risk appetite is core to enterprise risk management (ERM), boards and senior executives struggle at finding practical ways to define the entity’s overall appetite for risk. Spencer Schwartz, Group Head of Enterprise Risk Management at MasterCard International based in Purchase, New York, was the featured speaker at NC State’s ERM Roundtable on November 2, 2007. Schwartz provided an overview of how MasterCard tackles defining its risk appetite to an audience of over 120 business professionals.
Defining Risk Appetite
Organizations struggle with how to define their risk appetite. As entities embrace an enterprise-wide approach to risk management, they often begin with implementing processes that assist in the identification and assessment of risks, but delay in developing formal processes for defining risk appetite. Several studies suggest that the embrace of ERM within corporate America is in the “adolescence” phase, with only the more advanced deployments of ERM tackling the concept of risk appetite.
At MasterCard, risk appetite is defined as “The amount of risk exposure from an activity or portfolio of activities that an organization is willing to accept or retain.” The vehicle they use to define appetite is one that expresses risk appetite through tolerance ranges for several key performance measures (e.g., revenue growth, EPS, market share, etc.). They build their focus on risk appetite on a series of steps that consist of the following:
- Answering “Why risk appetite?”
- Selecting an approach
- Defining risk tolerance
- Assessing risks
- Quantifying risks
- Simulating outcomes
- Analyzing results
- Establishing risk appetite
Step 1: Answering “Why Risk Appetite”?
The value of answering the question of why an enterprise should define risk appetite is tied to three categories of benefits. First, articulation of the entity’s risk appetite enhances communications by helping facilitate board responsibility for understanding the entity’s risk profile and communicating the entity’s risk appetite to rating agencies who now have expectations for board understanding of risk appetite. Second, defining the entity’s risk appetite leads to optimized decision making by providing better information to the decision making process by highlighting which decision keeps the entity within acceptable ranges of performance and those which fail outside those bounds. Third, focus on risk appetite has led to better understanding of the business by providing a more focused consideration of how much risk is acceptable.
Step 2: Selecting an Approach
As businesses attempt to measure risk appetite, some seek to model appetite quantitatively through formal models. Others build their focus on qualitative descriptions of the entity’s appetite for bearing certain risks. Both approaches have advantages and limitations. MasterCard’s approach is based on something in between. According to Schwartz, the company has built their analysis of risk appetite using a blend of quantification and qualitative techniques. They build their analysis of risk appetite using a 12-to-24 month time horizon. MasterCard uses a top-down risk inventory view and considers specific scenarios surrounding those top risks to analyze their tolerance for certain ranges of those risks occurring over the 12-24 months.
Step 3: Defining Tolerance Ranges
MasterCard defines specific tolerance ranges for various risk events to proxy for its risk appetite. Using the core performance measures used to evaluate the business, management identifies ranges of those performance metrics that reflect outcomes ranging from very pessimistic to very optimistic assuming certain risk events occur. Performance metrics often include those metrics communicated to the investment community, board of directors, employees, or metrics used by peer groups or by management to measure the performance of the business, such as revenue growth, gross margin, EPS, market share, etc.
Step 4: Assessing Risks
Once tolerance ranges are determined for key performance metrics, MasterCard uses both a top-down and bottom up risk identification process to identify risk areas. These span risk considerations along product and project service lines, departments and geography, business units and entity-wide risk areas. A variety of techniques are used to identify risk areas including interviews, workshops, discussions with subject matter experts, external analyses, and internal audit/compliance activities. They assess risks severity and likelihood using the following ten-point scales:
Insignificant (1-2): The risk may have almost no financial implications
Minor (3-4): The risk may have a minimal impact on financial performance
Moderate (5-6): The risk may have a significant impact on financial performance
Major (7-8): The risk may have a substantial impact on financial performance requiring multi-year recovery
Extreme (9-10): The risk may have a significant impact on corporate solvency
Rare (1-2): The risk has a negligible probability of impact in the next 12-24 months
Unlikely (3-4): The risk has a low probability of impact in next 12-24 months
Possible (5-6): The risk has a medium probability of impact in next 12-24 months
Likely (7-8): The risk has a high probability of impact in next 12-24 months
Almost certain (9-10): The risk is affecting the organization right now or almost certainly will in the next 12-24 months
Step 5: Quantifying Risks
Most of MasterCard’s risks are operational, which makes quantifying risks a challenge. MasterCard works to finds ways to measure risks, believing that it is difficult to manage something that you cannot measure. They use various approaches to measure risks including qualitative assessments of ranges of risks, use of historical loss data, external data, and expert opinion. For hard-to-quantify risks, MasterCard relies on subject matter experts to develop various risk scenario analyses to estimate various ranges of risk effects. For a given risk, they will consider both likelihood and impact along five different scenarios:
- Very Optimistic
- Best Estimate
- Very pessimistic
For each of the five scenario categories, they estimate the anticipated probability and then they identify the estimated impact across multiple performance measures, such as revenues, expenses, and profitability.
Step 6: Simulating Risks
Using the ranges of probabilities and impact across each of the five different scenario classes, MasterCard then conducts simulation/Monte Carlo analyses using Crystal Ball software (a Microsoft ad-on package). These simulation analyses generate estimated potential outcomes across multiple performance measures (revenue growth, net income growth, customer satisfaction) that are then mapped (or plotted) against management’s already defined acceptable ranges for those performance measures (see Step 3 above). It is through these simulation analyses that management is able to determine whether the probable risk outcome is acceptable within its risk appetite. As potential risk outcomes fall outside management’s already predetermined acceptable ranges for performance measures, management is able to link the impact of certain risks events to its appetite for risk.
Step 7: Analyzing Results
Management analyzes the simulation of potential outcomes relative to pre-determined tolerances of the performance measures. They label the range of potential positive outcomes that are within the organization’s risk tolerance as “Areas of Opportunity,” while they label the range of potential outcomes that exceed its tolerance ranges as “Areas of Concern.” They seek to take advantage of the areas of opportunities and seek to ensure their strategic planning processes are adequately addressing the areas of concern.
Step 8: Establishing Risk Appetite
Obviously, the key to the above approach is having pre-determined ranges of performance measures that are acceptable to management and the board. MasterCard performs simulation analyses of various risk scenarios and then compares the simulated potential outcomes to predetermined ranges of acceptable performance ranges. The key to MasterCard’s approach is the selection of important performance metrics such as revenue growth, earnings per share, customer satisfaction and market share, among others, which are desired targets of performance. These targets define management’s ranges of acceptable performance that are then used to establish its risk appetite. The risk simulations are conducted and potential outcomes are generated that measure the impact of a risk event using those same performance metrics, based on different likelihood and severity conditions. Once the potential risk outcomes are generated from the simulation analyses, those projected outcome effects on the performance measures are mapped against the pre-determined ranges of acceptable performance to help analyze whether a risk event falls within MasterCard’s risk appetite relative to that performance measure. Thus, the key to MasterCard’s ability to define its risk appetite is its ability to analyze risk events in terms of its key performance measures that are already used to manage its business.
In establishing its tolerance ranges for each performance measure, MasterCard uses several inputs of possible target ranges. These include historical experience surrounding ranges of those measures, ranges for its average peer group, ranges for the top quartile of its peer group, and ranges from its forecasting procedures.
Importance of Collaboration
The key to ERM success at MasterCard is the collaboration of various business functions in the above analysis. Input from finance, human resources, operations, audit, product development, and legal are all important as management evaluates various risk events along dimensions related to likelihood and impact of those risk events against MasterCard’s performance targets. Schwartz emphasized the importance of finding quick wins and involving the entire organization when launching ERM and taking the long-term view of ERM as a journey where different tools and techniques can be discovered along the way.