Financial risk management (FRM) had its origins in trading floors and the Basel Accords during the 1980s and 1990s. If a unifying theme emerged, it was a need to update asset-liability management (ALM) techniques. These tended to define risks in terms of their effects on a firm’s accounting results—such as earnings, net interest income, and return on assets. The proliferation of off-balance sheet tools, including derivatives and securitization, were rendering those measures of performance easy to manipulate.

Financial risk management tended to look beyond accounting measures of value and focus on market values. Till Guldimann (1994) captured the new spirit:

Across markets, traded securities have replaced many illiquid instruments, e.g., loans and mortgages have been securitized to permit disintermediation and trading. Global securities markets have expanded and both exchange traded and over-the-counter derivatives have become major components of the markets.

These developments, along with technological breakthroughs in data processing, have gone hand in hand with changes in management practices: a movement away from management based on accrual accounting toward risk management based on marking-to-market of positions.

Following the lead of the Basel Committee, financial risks came to be divided into three categories:

New techniques for assessing and managing these risks focused on their impact on market value. Market risk, by definition, is risk due to uncertainty in future market values. New credit risk models assessed potential defaults or credit deteriorations in terms of their mark-to-market impact. Operational risk was assessed in terms of its actual or potential direct costs.

Such techniques are most effective on bank trading floors, where market values are readily available. Extending them to other parts of the bank, or even to non-financial corporations, is problematic.

Corporate risk management emerged as a name for practices that serve to optimize risk taking in a context where both book value accounting and market value accounting are relevant but neither is entirely sufficient. An example would be a utility that owns power plants, suitably valued using book value accounting, that generate electricity sold on the spot market, where market value accounting is more applicable.

Risks vary from one corporation to the next, depending on such factors as size, industry, diversity of business lines, sources of capital, etc. Practices that are appropriate for one corporation are inappropriate for another. For this reason, corporate risk management is a more elusive notion than is financial risk management. It encompasses a variety of techniques drawn from both financial risk management and asset-liability management. The challenge for corporations is selecting from these, adapting techniques to suit their own needs. This article is an overview.

Corporate Risk Management

In a corporate setting, the familiar division of risks into market, credit and operational risks breaks down.

Of these, credit risk poses the least challenges. To the extent that corporations take credit risk (some take a lot; others take little), new and traditional techniques of credit risk management are well established and transferable from one context to another.

Operational risk has little applicability to most corporations. It includes such factors as model risk or settlement errors. Some aspects do affect corporations—such as fraud or natural disasters—but corporations have been addressing these with internal audit, facilities management and legal departments for decades. Corporations may face risks that are akin to the operational risk of financial institutions but are unique to their own business lines. An airline is exposed to risks due to weather, equipment failure and terrorism. A power generator faces the risk that a generating plant may go down for unscheduled maintenance. In corporate risk management, these risks—those that overlap with the operational risks of financial firms and those that are akin to such operational risks but are unique to non-financial firms—are called operations risks.

The biggest challenge of corporate risk management is those risks that are akin to market risk but aren’t market risk. An oil company holds oil reserves. Their “value” fluctuates with the market price of oil, but what does this mean? Oil reserves don’t have a market value. As another example, suppose a chain of restaurants is thriving. Its restaurants are “valuable,” but it is impossible to assign them market values. Something that doesn’t have a market value doesn’t pose market risk. This is almost a tautology. Such risks are business risks as opposed to market risks.

In the realm of corporate risk management, we abandon the division of risks into market, credit and operational risks and replace it with a new categorization:

  • market risk,
  • business risk,
  • credit risk,
  • operations risk.

Corporations do face some market risks, such as commodity price risk or foreign exchange risk. These are usually dwarfed by business risks. Techniques for addressing business risk take two forms:

  • those that treat business risks as market risks, so that techniques of financial risk management can be directly applied or adapted, and
  • those that address business risks from a book value standpoint, modifying or adapting techniques of asset-liability management.

Both approaches are discussed below.

Economic Value

Techniques of the first form focus on a concept called economic value. If a market value exists for an asset, then that market value is the asset’s economic value. If a market value doesn’t exist, then economic value is the “intrinsic value” of the asset—what the market value of the asset would be, if it had a market value. Economic values can be assigned in two ways. One is to start with accounting metrics of value and make suitable adjustments, so they are more reflective of some intrinsic value. This is the approach employed with economic value added (EVA) analyses. The other approach is to construct some model to predict what value the asset might command, if a liquid market existed for it. In this respect, an unflattering name for economic value is mark-to-model value.

Once some means has been established for assigning economic values, these are treated like market values. Standard techniques of financial risk management—such as value-at-risk (VaR) or economic capital allocation—are then applied.

This economic approach to managing business risk is applicable if most of a firm’s balance sheet can be marked to market. Economic values then only need to be assigned to a few items in order for techniques of financial risk management to be applied firm wide. An example would be a commodity wholesaler. Most of its balance sheet comprises physical and forward positions in commodities, which can be mostly marked to market.

More controversial has been the use of economic valuations in power and natural gas markets. The actual energies trade and, for the most part, can be marked to market. However, producers also hold significant investments in plants and equipment—and these cannot be marked to market. Suppose some energy trades spot and forward out three years. An asset that produces the energy has an expected life of 50 years, which means that an economic value for the asset must reflect a hypothetical 50-year forward curve. The forward curve doesn’t exist, so a model must construct one. Consequently, assigned economic values are highly dependent on assumptions. Often, they are arbitrary.

In this context, it isn’t enough to assign economic values. Value-at-risk analyses require standard deviations and correlations as well. Assigning these to 50-year forward prices that are themselves hypothetical is essentially meaningless—yet, those standard deviations and correlations determine the reported value-at-risk.

Such practices got out of hand in the US energy markets during the late 1990s and early 2000s. The most publicized case was Enron Corp., which went beyond using economic values for internal reporting and incorporated them into its financial reporting to investors. The 2001 bankruptcy of Enron and subsequent revelations of fraud tainted mark-to-model techniques.

Book Value

The second approach to addressing business risk starts by defining risks that are meaningful in the context of book value accounting. Most typical of these are:

  • earnings risk, which is risk due to uncertainty in future reported earnings, and
  • cash flow risk, which is risk due to uncertainty in future reported cash flows.

Of the two, earnings risk is more akin to market risk. Yet, it avoids the sometimes arbitrary assumptions of economic valuations. A firm’s accounting earnings are a well defined notion. A problem with looking at earnings risk is that earnings are, well, non-economic. Earnings may be suggestive of economic value, but they can be misleading and are often easy to manipulate. A firm can report high earnings while its long term franchise is eroded by lack of investment or the emergence of competing technologies. Financial transactions can boost short-term earnings at the expense of long-term earnings.

Cash flow risk is less akin to market risk. It relates more to liquidity than the value of a firm, but this is only partly true. As anyone who has ever worked with distressed firms can attest, “cash is king.” When a firm gets into difficulty, earnings and market values don’t pay the bills. Cash flow is the life blood of a firm. However, as with earnings risk, cash flow risk offers only an imperfect picture of a firm’s business risk. Cash flows can also be manipulated, and steady cash flows may hide corporate decline.

Techniques for managing earnings risk and cash flow risk draw heavily on techniques of asset-liability management—especially scenario analysis and simulation analysis. They also adapt techniques of financial risk management. In this context, value-at-risk (VaR) becomes earnings-at-risk (EaR) or cash-flow-at-risk (CFaR). For example, EaR might be reported as the 10% quantile of this quarter’s earnings.

The actual calculations of EaR or CFaR differ from those for VaR. These are long-term risk metrics, with horizons of three months or a year. VaR is routinely calculated over a one-day horizon. Also, EaR and CFaR are driven by rules of accounting while VaR is driven by financial engineering principles. Typically, EaR or CFaR are calculated by first performing a simulation analysis. That generates a probability distribution for the period’s earnings or cash flow, which is then used to value the desired metric of EaR or CFaR.

One decision that needs to be made with EaR or CFaR is whether to use a constant or contracting horizon. If management wants an EaR analysis for quarterly earnings, should the analysis actually assess risk to the current quarter’s earnings? If that is the case, the horizon will start at three months on the first day of the quarter and gradually shrink to zero by the end of the quarter. The alternative is to use a constant three-month horizon. After the first day of the quarter, results will no longer apply to that quarter’s actual earnings, but to some hypothetical earnings over a shifting three-month horizon. Both approaches are used. The advantage of a contracting horizon is that it addresses an actual concern of management—will we hit our earnings target this quarter? A disadvantage is that the risk metric keeps changing—if reported EaR declines over a week, does this mean that actual risk has declined, or does it simply reflect a shortened horizon?


While the two approaches to business risk management—that based on economic value and that based on book value—are philosophically different, they can complement each other. Some firms use them side-by-side to assess different aspects of business risk.

This article has focused on the unique challenges of corporate risk management. There is much else about corporate risk management that overlaps with financial risk management—the need for a risk management function, the role of corporate culture, technology issues, independence, etc. See the article Financial Risk Management for a discussion of these and other topics.


  • Guldimann, Till (1994). Introduction, RiskMetrics Technical Document, second edition. Morgan Guarantee: New York.