University of Arkansas ERM and Risk Mini Case Studies Paper

User Generated

ReyvpuOhpuznna

Writing

University of Arkansas at Monticello

Description

Chapters 26 through 29 presented four mini-case studies on ERM and risk. Each one presented a slightly different risk scenario. Starting with chapter 29, assume that you have been asked to advise the Akawini management team on how they should promote and monitor the transformation of risk management in their business. What performance measures would you recommend that use so that they can monitor progress and performance? Choose one other of the chapters from this week and recommend ERM measures that organization should implement as well to monitor risks outlined in that chapter.

To complete this assignment, you must do the following:

A) Create a new thread by Thursday. As indicated above, assume that you have been asked to advise the Akawini (chapter 29) management team on how they should promote and monitor the transformation of risk management in their business. What performance measures would you recommend that use so that they can monitor progress and performance? Choose one other of the chapters from this week and recommend ERM measures that organization should implement as well to monitor risks outlined in that chapter.

250-300 words

Unformatted Attachment Preview

ITS 835 ENTERPRISE RISK MANAGEMENT CHAPTER 26-29 REVIEW OF 4 MINI CASE STUDIES ON ERM AND RISK 1 OVERVIEW  Collection of four mini-cases  Leaves open ended questions  Presents real life situations  And needs for ERM  Mini-Cases  BimConsultants Inc.  Nerds Galore  The Reluctant General Counsel  Transforming Risk Management at Akawini Copper 2 BIM CONSULTANTS INC.  Consulting firm  10 offices in Canada  3,000 staff  30 partners  “Customers are number one”  But revenue is stagnant  Opportunity to buy out competitor  Purchase would double size and sales  Negotiations must be kept confidential 3 NERDS GALORE  Canadian IT service company  12 offices  Retain good people  1,000 employees  Manage talent  Grew from founder’s garage  Optimize the use of people  Rely on outsourcers  Shift from small start-ups to medium size customers  High turnover of 20% is causing concern  Decreasing customer satisfaction  Steady revenue (for now)  Strategy from new HR VP  Attract the best talent  Executive team workshop to explore HR risks  Inability to recruit people with needed skills  Loss of staff with key internal knowledge  Uncompetitive labor production  Increased departures of skilled technical staff  Loss of key business know-how 4 THE RELUCTANT GENERAL COUNSEL  Business Software Corporation (BSC)  Silicon Valley, CA  Annual revenue over $1 billion  Board wants ERM  Upper management supports establishing ERM  EVP of development and general counsel  Doesn’t want to be involved in ERM  Risk discussions could be discoverable in lawsuits  U.S. Securities and Exchange Commission (SEC)   Requires disclosure of risks Recommendation is to not formally pursue ERM 5 TRANSFORMING RISK MANAGEMENT AT AKAWINI COPPER  Akawini Copper  Mining company acquired by larger United Minerals  Single mine and plant • $774 million in revenue  1,500 employees  United Minerals implemented ISO 31000 framework  Substantially more sophisticated than Akawini’s RM  Launched project to transform Akawini RM to ERM 6 ENTERPRISE RISK MANAGEMENT The Robert W. Kolb Series in Finance provides a comprehensive view of the field of finance in all of its variety and complexity. The series is projected to include approximately 65 volumes covering all major topics and specializations in finance, ranging from investments, to corporate finance, to financial institutions. Each volume in the Kolb Series in Finance consists of new articles especially written for the volume. Each Kolb Series volume is edited by a specialist in a particular area of finance, who develops the volume outline and commissions articles by the world’s experts in that particular field of finance. Each volume includes an editor’s introduction and approximately thirty articles to fully describe the current state of financial research and practice in a particular area of finance. The essays in each volume are intended for practicing finance professionals, graduate students, and advanced undergraduate students. The goal of each volume is to encapsulate the current state of knowledge in a particular area of finance so that the reader can quickly achieve a mastery of that special area of finance. ENTERPRISE RISK MANAGEMENT John Fraser Betty J. Simkins The Robert W. Kolb Series in Finance John Wiley & Sons, Inc. c 2010 by John Wiley & Sons, Inc. All rights reserved. Copyright  Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 750-4470, or on the web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions. Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. For more information about Wiley products, visit our web site at www.wiley.com. Library of Congress Cataloging-in-Publication Data: Fraser, John, 1946– Enterprise risk management : today’s leading research and best practices for tomorrow’s executives / John Fraser, Betty J. Simkins p. cm. – (The Robert W. Kolb series in finance) Includes index. ISBN 978-0-470-49908-5 (cloth) 1. Risk management. I. Simkins, Betty J., 1957– II. Title. HD61.F74 2010 658.15–dc22 Printed in the United States of America 10 9 8 7 6 5 4 3 2 1 Contents Foreword by Robert S. Kaplan PART I Overview 1 2 Enterprise Risk Management: An Introduction and Overview xix 1 3 What Is Enterprise Risk Management? Drivers of Enterprise Risk Management Summary of the Book Chapters Overview ERM Management, Culture, and Control ERM Tools and Techniques Types of Risks Survey Evidence and Academic Research Special Topics and Case Studies Future of ERM and Unresolved Issues Notes About the Editors 3 4 5 5 6 8 10 12 13 15 16 16 A Brief History of Risk Management 19 Introduction Risk Management in Antiquity After the Middle Ages The Past 100 Years Notes About the Author 19 19 20 21 28 29 3 ERM and Its Role in Strategic Planning and Strategy Execution Rising Expectations for Strategic Risk Management ERM Positioned as Value-Adding Board Demands for More Strategic Risk Management Integrating Risk into Strategic Planning Recognizing Strategic Business Risk Evaluating Strategic Business Risk 31 32 33 34 34 35 36 v vi Contents 11 Tenets of the Return Driven Framework Using a Framework to Build a Strategic Risk Management Mindset Creating a Strategic Risk Mindset and Culture A Strategic Risk Management Mindset Recognizing Value of Strategic Risk Management at High-Performance Companies Building a Strategic Risk Assessment Process Strategic Risk Management Processes Focus on Genuine Assets at Risk Strategic Risk Management and Performance Measurement Critical Steps for Value-Added Strategic Risk Management Conclusion Notes About the Authors 4 The Role of the Board of Directors and Senior Management in Enterprise Risk Management Introduction Governance Expectations for Board Oversight of Risk Management Delegation of Risk Oversight to Board Committees Formalizing Risk Management Processes Senior Executive Leadership in Risk Management The Role of the Internal Audit Function in ERM External Audit as an Independent Source of Key Risk Identification ERM Implementation Strategies Role of the Audit Committee Role of the Board Training Board Composition Reporting Compliance Culture Conclusion Notes 37 39 40 40 42 42 43 44 45 47 48 48 50 51 51 52 58 58 60 61 61 62 62 63 64 64 65 66 66 66 67 PART II ERM Management, Culture, and Control 69 5 Becoming the Lamp Bearer: The Emerging Roles of the Chief Risk Officer 71 The Origins of the CRO The CRO as Compliance Champion The CRO as Modeling Expert The CRO as Strategic Controller The CRO as Strategic Advisor Which CRO Role to Play? Conclusion Notes 72 75 76 77 78 79 81 82 CONTENTS 6 7 vii References Acknowledgments About the Author 82 85 85 Creating a Risk-Aware Culture 87 The Importance of Culture Defining Culture The Goals of Culture The Importance of Culture When the Chips Are Down Culture Can Discourage Good Risk Taking Elements of a Risk-Aware Culture Behavioral Elements Process Elements How to Create a Risk-Aware Culture Defining the Elements Measuring and Monitoring Involvement and Buy-In Openness Tone from the Top Alignment of Incentives and Rewards—Walking the Talk What Does Risk Management Have to Do? Conclusion References About the Author 87 87 87 88 88 90 91 91 91 91 91 92 93 93 93 93 94 95 95 95 ERM Frameworks 97 Introduction Introduction to the ISO Risk Management Framework Principles of Risk Management and Excellence in Risk Management Elements of an ERM Framework ERM Framework: Concept and Elements Risk Management Process (RMP) Risk Management Process: Context Risk Management Process: Risk Assessment Risk Management Process: Risk Treatment Risk Management Process: Monitoring and Review Risk Management Process: Communication and Consultation Risk Management Process: Recording the Risk Management Process Mandate and Commitment to the ERM Framework Rationale for Commitment to ERM Gap Analysis for ERM Context for ERM Framework Design, Decision, and Implementation of the ERM Framework Risk Management Policy Policies for the ERM Framework Policies for Risk Management Decisions Review of Policies 97 97 99 100 100 102 105 106 109 109 109 110 110 111 111 112 112 113 113 113 117 viii Contents Integration of Risk Management and Resources for ERM Communications, Consultation, and Reporting Accountability Continuous Improvement Conclusion References About the Author 8 Identifying and Communicating Key Risk Indicators Introduction What Is a Key Risk Indicator? Definition Examples of KRIs Differentiation from Key Performance Indicators Practical Applications Validate Organizational Planning and Monitor Performance Enhance Operational Efficiency and Effectiveness Clarify Risk-Taking Expectations Monitor Risk Exposures Measure Risk Value of KRIs to Risk Management Design Principles Keep the Stakeholders and Objectives in Mind Leverage Management Insight and Existing Metrics Have a Good Basic Understanding of the Risks Limit Indicators to Those That Are Most Representative Ensure Clarity in What Is Being Measured Focus More on Objective Measures Consider the Wider Set of KRIs Consider the Relative Importance of KRIs Monitor for Continual Usefulness Think Longer Term Implementation Considerations Obtaining Buy-In Lack of Resources and Skills Data and Technology Challenges Integration with Business Activities Sustainability of the KRI Framework Conclusion Note Acknowledgment About the Author 118 119 120 121 122 122 123 125 125 126 126 126 128 129 129 130 131 132 133 134 135 135 135 135 136 136 136 136 136 137 137 137 138 138 138 139 139 139 139 140 140 PART III ERM Tools and Techniques 141 9 How to Create and Use Corporate Risk Tolerance 143 Introduction What Is Risk Tolerance? 143 144 CONTENTS Why Is Setting Risk Tolerance Important? What Are the Factors to Consider in Setting Risk Tolerance? Attitude About Risk Goals Capability to Manage Risk Capacity to Take Risk Cost/Benefit of Managing Risk How Can Your Organization Make Risk Tolerance Useful in Managing Risk? Conclusion Notes About the Authors 10 11 ix 144 145 146 146 147 149 150 150 152 153 154 How to Plan and Run a Risk Management Workshop 155 Introduction What Is a Risk Workshop? Why Use Workshops? How to Conduct a Risk Workshop Preparation Identify the Sponsor Set the Objectives of the Workshop Set the Scope Assemble Reference Materials Set the Agenda Decide on Attendees Arrange Venue Execution Facilitate the Workshop Record the Results Prepare the Final Report Techniques for Planning and Facilitating Effective Risk Workshops “Anonymous” Voting Useful Facilitation Tips Tough Spots Conclusion About the Author 155 155 156 156 156 157 158 159 160 162 164 164 165 165 167 167 How to Prepare a Risk Profile 171 Introduction Definition and Uses of a Corporate Risk Profile Common Types of Corporate Risk Profiles The “Top 10” List The Risk Map The Heat Map Advantages and Disadvantages of Information-Gathering Methodologies 168 168 169 169 170 170 171 171 173 173 173 174 176 x Contents How to Prepare a “Top 10” Risk Profile—Hydro One’s Experience Step 1: Schedule Interviews and Gather Background Information Step 2: Prepare the Interview Tools Step 3: Summarize the Interview Findings Step 4: Summarize the Risk Ratings and Trends Step 5: Draft the Top 10 Risk Profile Step 6: Review the Draft Risk Profile Step 7: Communicate the Risk Profile with the Board or Board Committee Step 8: Track the Results Conclusion Notes References About the Author 12 How to Allocate Resources Based on Risk Introduction Risk Policy and a Center of Excellence for Risk Management Key Policy Elements Center of Excellence Translating Strategic Objectives into Risk-Based Concepts The Consequence Domain The Probability Domain The Integration of Business Objectives/Risk Events/Risk Concepts Risk-Based Business Processes and Organizational Considerations Risk-Based Business Processes Organizational Considerations Concepts, Methods, and Models Enabling Risk Identification, Evaluation, Mitigation, Prioritization, and Management The Concept of Evaluation Time Frames Methods and Models to Quantify the Impact of Risk Events Prioritization of Investment Proposals Management of the Portfolio of Preferred Investment Proposals Information Requirements and Challenges Operational Risk Assessment Information Strategic Risk Assessments Measures of Effectiveness for Continuous Improvement Conclusion Notes About the Author Appendix 12.A 13 Quantitative Risk Assessment in ERM Introduction Risk Assessment: Four Alternative Approaches Method 1: Active Management of the Largest Risks Method 2: “High/Medium/Low” Classification of Risks: The Two-Dimensional Risk Map 176 177 178 181 182 182 184 185 186 186 186 187 188 189 189 191 191 192 192 193 197 198 200 200 204 206 206 207 209 211 211 212 212 213 213 214 216 216 219 219 222 222 224 CONTENTS Method 3: Risk Assessment Using Refined Classifications: Refining the Classification Method 4: Statistical Analysis Aggregating Probabilities and Impacts Total Corporate Risk: An Illustration Incorporating Risk Quantification in the Business Planning Process Sensitivities and Scenarios Conclusion Notes References About the Author PART IV Types of Risk 14 Market Risk Management and Common Elements with Credit Risk Management Introduction to Credit Risk and Market Risk A Taxonomy of Market and Credit Risk Credit and Market Risk in an ERM Framework Responding to Credit and Market Risk The Case for Actively Managing Market Risk The Case for Not Actively Managing Market Risk Natural Market Risk Management Measuring Market Risk The Markets as Risk Indicators Measuring Potential Impact Earnings at Risk Market Risk Management with Forward-Type Products Market Risk Management with Option-Type Products Trade-Offs Between Option Strategies and Forward Strategies Operational Issues of Using Derivatives Governance and Oversight of Market Risk Management Conclusion Notes References About the Author 15 xi 225 229 230 232 233 233 234 235 235 235 237 239 239 240 241 242 243 244 245 246 247 248 249 250 253 255 256 257 259 259 260 260 Credit Risk Management 261 Credit Risk Analysis Fundamental Analysis of Credit Default Risk (Probability of Default) Market-Based Analysis of Credit Default Probability Statistical-Based Models of Credit Risk Credit Risk Mitigation An Analysis of the Credit Crisis Conclusion Notes 261 263 266 268 269 272 277 277 xii Contents References About the Author 16 Operational Risk Management Introduction What Is Operational Risk and Why Should You Care About It? Is Risk All Bad? How Do You Assess Operational Risks, Particularly in a Dynamic Business Environment? Why You Need to Define Risk Tolerance for Aligned Decision Making What Can You Do to Effectively Manage Operational Risk? How Do You Encourage a Culture of Risk Management at the Operational Level? How Do You Align Operational Risk Management with Enterprise Risk Management? Conclusion Notes About the Author 17 Risk Management: Techniques in Search of a Strategy Introduction Current Situation Risk Strategy Framework Governance New Directions Enterprise Risk Management (ERM): The First Step Enterprise Resilience (ER): The Next Step? Conclusion Notes References About the Author 18 Managing Financial Risk and Its Interaction with Enterprise Risk Management Introduction What Is Financial Risk and How Is It Managed? Case 1: Currency Price Risk: The Multinational Corporation Case 2: Interest Rate Risk: The “Heavy-Debt” Firm Case 3: Commodity Price Risk: The Firm with a Highly Volatile Input Cost Theoretical Underpinnings of Financial Hedging and Empirical Findings Hedging Reduces Expected Costs of Financial Distress and Underinvestment Hedging Creates More Debt Capacity Hedging Reflects the Incentives of the Firm’s Management and Board Does Hedging Affect Firm Value? 277 278 279 279 280 283 284 287 289 296 297 300 301 301 303 303 304 307 312 314 314 315 316 316 318 320 321 321 322 323 324 324 325 325 326 326 327 CONTENTS Interaction of Financial Hedging with Other Types of Risk Management Credit Risk Management Operational Risk Management Strategic Risk Management Reputation and Legal Risk Management Financial Reporting and Disclosure Risk Management What Can We Learn About ERM Given Our Knowledge of Financial Hedging? Notes References About the Author 19 20 21 Bank Capital Regulation and Enterprise Risk Management xiii 328 328 329 330 330 331 332 333 333 334 337 Introduction The Evolution of Bank Capital Requirements Overview of U.S. Capital Ratios Basel I Basel II Enterprise Risk Management (ERM) and Economic Capital Conclusion Notes References About the Author 337 337 338 339 341 343 345 346 347 349 Legal Risk Post-SOX and the Subprime Fiasco: Back to the Drawing Board 351 Introduction The Legal Framework of Legal and Reputational Risk Management The Federal Rules of Professional Responsibility for Attorneys Whistle-Blower Protection Under Sox Audit Reform Codes of Conduct An Assessment of the SOX Framework on Legal and Reputational Risk The Subprime Fiasco The SOX Shortcomings Toward Optimal Reputational and Legal Risk Management Conclusion Note References About the Author 351 352 355 357 358 358 Financial Reporting and Disclosure Risk Management 369 The Importance of Disclosure Management and ERM Foundations in the United States 369 370 359 360 362 363 365 365 365 367 xiv Contents Disclosure and Sarbanes-Oxley New Group for Reporting: Public Company Accounting Oversight Board Important SOX Sections Section 404: Internal Controls and Compliance Management Section 302: Who Is Responsible for Financial Reporting? Other Financial Reporting Accounting for Derivatives—FASB 133 Firm Choice for FASB 133 and Disclosure Risk Management Risk Identification, Monitoring, and Reporting Financial Reporting Challenges Today Paring Down Internal Control: Auditing Standard 5 (AS5) Global Financial Crisis and ERM Reexamining Fair Value Accounting: FASB 157 Conflicts with International Standards: Rules versus Principles Adding ERM to Company Credit Ratings Conclusion Notes References About the Author PART V Survey Evidence and Academic Research 22 Who Reads What Most Often?: A Survey of Enterprise Risk Management Literature Read by Risk Executives 371 371 372 372 372 375 375 375 377 379 379 379 380 381 383 383 383 384 384 385 387 Introduction Survey Methodology Survey Results Survey Respondent Profile ERM Tools and Techniques Used by Respondents Most Frequently Read Literature on ERM Critical Areas of Need Key Findings of Our Survey Conclusion Appendix 22.A: Publications Included in the Survey Appendix 22.B: Survey Respondents Who Gave Permission to Be Identified Notes References About the Authors 387 389 390 390 392 396 399 400 402 403 23 Academic Research on Enterprise Risk Management 419 Introduction Academic Research on Enterprise Risk Management Colquitt, Hoyt, and Lee (1999) Kleffner, Lee, and McGannon (2003) Liebenberg and Hoyt (2003) 410 410 412 416 419 420 425 426 426 24 CONTENTS xv Beasley, Clune, and Hermanson (2005a) Beasley, Clune, and Hermanson (2005b) Desender (2007) Beasley, Pagach, Warr (2008) Pagach and Warr (2008a) Pagach and Warr (2008b) Gates, Nicolas, and Walker (2009) Case Studies on ERM Harrington, Niehaus, and Risko (2002) Aabo, Fraser, and Simkins (2005) Stroh (2005) Acharyya and Johnson (2006) Nocco and Stulz (2006) Conclusion Notes References About the Authors 427 428 429 429 430 431 431 432 432 434 434 435 436 436 437 438 439 Enterprise Risk Management: Lessons from the Field 441 Introduction Lessons from the ERM Process Clarifying Strategies and Objectives Identifying Risks Assessing Risk Acting on the Risks Monitoring Risks Lessons from Integrating ERM with Ongoing Management Initiatives Strategic Planning and ERM The Balanced Scorecard and ERM Budgeting and ERM Internal Auditing and ERM Business Continuity Planning, Crisis Preparedness, and ERM Corporate Governance and ERM Some Key Value Lessons from ERM Conclusion Notes References Further Reading About the Authors 441 442 442 443 444 448 449 PART VI Special Topics and Case Studies 25 Rating Agencies’ Impact on Enterprise Risk Management Introduction Banking: General 449 449 452 454 454 455 456 457 459 459 460 461 462 465 467 467 468 xvi Contents Insurance: S&P Insurance: Moody’s Insurance: Fitch Insurance: A.M. Best U.S. Energy Companies: S&P Nonfinancial Companies: S&P A Fly in the Ointment Conclusion Notes Further Reading About the Author 468 470 471 472 473 473 476 476 477 478 478 26 Enterprise Risk Management: Current Initiatives and Issues 479 Question 1 Question 2 Question 3 Question 4 Question 5 Question 6 Question 7 Question 8 Notes 27 Establishing ERM Systems in Emerging Countries Introduction Enterprise Risk Management and Its Benefits in Emerging Markets Evolution of Risk Management in Emerging Markets The Rationale for Effective Risk Management in Emerging Markets The Responsibility of the Board in Risk Management and Extensions to Emerging Markets Risk, Reward, and Risk Appetite in Emerging Markets Observations of ERM Practices in Emerging Countries Conclusion Appendix: COSO Approach to Enterprise Risk Management Notes References About the Author 28 482 483 489 491 493 495 497 499 502 505 505 506 509 515 516 523 524 524 525 527 528 528 The Rise and Evolution of the Chief Risk Officer: Enterprise Risk Management at Hydro One 531 Hydro One Getting Started with ERM Corporate Risk Management Group Pilot Study Final Approval 533 533 534 534 538 CONTENTS Processes and Tools The Business Context Identification and Assessment of Risks and Controls Tolerability of Risk—and Risk Mitigation Monitor and Review Corporate Risk Profile Description of Risk Sources Quantifying the Unquantifiable Benefits of ERM and Outcomes at Hydro One Current Status Conclusion Notes About the Authors Index xvii 538 538 540 542 543 543 543 548 550 552 553 553 556 557 Foreword am pleased to welcome this important collection of authoritative papers on enterprise risk management. This subject has, unfortunately, operated below the visibility screen of most CEOs for many years. In the financial institutions, where regulations require a risk management process, most bank CEOs viewed it as a compliance process, much like internal audit and internal controls. They did not view risk management as a strategic process nor one that demanded much of their time and attention. As a consequence, most businesses have limited ability to assess its risk from rapid growth, increased complexity in financing and securitization, and globalization. Company executives have not been the only ones failing to pay sufficient attention to the topic. Few MBA, accounting, or finance programs departments featured courses and training in enterprise risk management. The events of 2007–2009 have made the gaps in knowledge, training, and attention to risk management abundantly clear, albeit in a highly costly and tragic manner. Businesses, business schools, regulators, and the public are now scrambling to catch up with the emerging field of enterprise risk management. This subject must become a priority for students to study, executives to practice, and regulators to verify. Fraser and Simkins have produced an impressive contribution to the field, one that I believe will help to educate many. I hope this book, beyond its educational and attention-directing mission, will also stimulate the production of other articles and books so that a common body of knowledge can be developed for this vital profession. We are indebted to John Fraser and Betty Simkins for organizing the impressive author team and the editing of this book. I ROBERT S. KAPLAN Baker Foundation Professor Harvard University xix ENTERPRISE RISK MANAGEMENT PART I Overview CHAPTER 1 Enterprise Risk Management An Introduction and Overview JOHN R.S. FRASER Vice President, Internal Audit & Chief Risk Officer, Hydro One Networks Inc. BETTY J. SIMKINS Williams Companies Professor of Business and Professor of Finance, Oklahoma State University It’s not the strongest of the species that survive, nor the most intelligent, but those that are the most responsive to change. —Charles Darwin WHAT IS ENTERPRISE RISK MANAGEMENT? Enterprise risk management (ERM) can be viewed as a natural evolution of the process of risk management. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) defines enterprise risk management as: “. . . a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” The COSO definition is intentionally broad and deals with risks and opportunities affecting value creation or preservation. Similarly, in this book, we take a broad view of ERM, or what we call—a holistic approach to ERM. Some sources have referred to ERM as a new risk management paradigm. As in the past, many organizations continue to address risk in “silos,” with the management of insurance, foreign exchange, operations, credit, and commodities each conducted as narrowly focused and fragmented activities. Under ERM, all risk areas would function as parts of an integrated, strategic, and enterprise-wide system. And while risk management is coordinated with senior-level oversight, employees at all levels of the organization using ERM are encouraged to view risk management as an integral and ongoing part of their jobs. The purpose of this book is to provide a blend of academic and practical experience on ERM in order to educate practitioners and students alike about this 3 4 Overview evolving methodology. Furthermore, our goal is to provide a holistic coverage of ERM, and in this process, provide the “‘what,” “why,” and “how” of ERM to assist firms with the successful implementation of ERM. The chapters that follow are from some of the leading academics and practitioners of this new methodology, with the in-depth insights into what practitioners of this evolving business practice are actually doing, as well as anticipating what needs to be taught on this topic. The leading experts in this field clearly explain what enterprise risk management is and how you can teach, learn, or implement these leading practices within the context of your business activities. Enterprise Risk Management introduces you to the wide range of concepts and techniques for managing risk in a holistic way, by correctly identifying risks and prioritizing the appropriate responses. It offers a broad overview of the different types of techniques: the role of the board, risk tolerances, risk profiles, risk workshops, and allocation of resources, while focusing on the principles that determine business success. This comprehensive resource also provides a thorough introduction to enterprise risk management as it relates to credit, market, and operational risks, and covers the evolving requirements of the rating agencies and their importance to the overall risk management in a corporate setting. As well, it offers a wealth of knowledge on the drivers, the techniques, the benefits, and the pitfalls to avoid, in successfully implementing enterprise risk management. DRIVERS OF ENTERPRISE RISK MANAGEMENT There are theoretical and practical arguments for the use of ERM. As outlined in Chapter 2 there has been an increasing consciousness in risk literature that a more holistic approach to managing risk makes good business sense. External drivers for its implementation have been studies such as the Joint Australian/New Zealand Standard for Risk Management,1 the Committee of Sponsoring Organizations of the Treadway Commission (COSO),2 the Group of Thirty Report in the United States (following derivatives disasters in the early 1990s),3 CoCo (the Criteria of Control model developed by the Canadian Institute of Chartered Accountants),4 the Toronto Stock Exchange Dey Report in Canada following major bankruptcies,5 and the Cadbury report in the United Kingdom.6 Major legal developments such as the New York Stock Exchange Listing Standards and the interpretation of the recent Delaware case law on fiduciary duties, among others, have provided an additional force for ERM.7 In addition, large pension funds have become more vocal about the need for improved corporate governance, including risk management, and have stated their willingness to pay premiums for stocks of firms with strong independent board governance.8 ERM has also increased in importance due to the Sarbanes-Oxley Act of 2002—which places greater responsibility on the board of directors to understand and monitor an organization’s risks. Finally, it is important to note that ERM can increase firm value.9 Security rating agencies such as Moody’s and Standard & Poor’s include whether a company has an ERM system as a factor in their ratings methodology for insurance, banking, and nonfinancial firms. ENTERPRISE RISK MANAGEMENT 5 SUMMARY OF THE BOOK CHAPTERS As mentioned earlier, the purpose of this book is to provide a blend of academic and practical experience on ERM in order to educate practitioners and students alike about this evolving methodology. Furthermore, our goal is to provide a holistic coverage of ERM, and in this process, provide the what, why, and how of ERM to assist firms with the successful implementation of ERM. To achieve this goal, the book is organized into the following sections. Overview ERM Management, Culture, and Control ERM Tools and Techniques Types of Risks Survey Evidence and Academic Research Special Topics and Case Studies A brief description of the author(s) and the chapters is provided below. Overview In Chapter 2, “A Brief History of Risk Management,” we ask Felix Kloman—retired risk management consultant, conceptual thinker, and lover of sailing—to provide the background and history of risk management and the evolution of enterprise risk management. Felix was ideally suited to do this as someone who has dedicated more than 30 years to sharing stories, raising interesting risk concepts, and generally enjoying the challenges of this entire field. There is no one we know who is better suited or knows more about this topic. He takes us right back literally to some of the earliest recorded thinking on risk management and brings us through the ages to current thinking. Felix goes back to the basic questions of “What is risk management? When and where did we begin applying its precepts? Who were the first to use it?” He provides a highly personal study of this discipline’s past and present. It spans the millennia of human history and concludes with a detailed list of contributions in the past century. This is an ideal starting point for anyone new to the topic of risk management or the older scholars who wish to revisit this easy-to-read summary of risk. Felix is adamant in his view that risk must consider opportunities as well as threats. “ERM and Its Role in Strategic Planning and Strategy Execution” is presented in Chapter 3 by Mark L. Frigo (Director, the Center for Strategy, Execution, and Valuation and Ledger & Quill Alumni Foundation, Distinguished Professor of Strategy and Leadership at the DePaul University Kellstadt Graduate School of Business and School of Accountancy, Chicago) and Mark S. Beasley (Deloitte Professor of Enterprise Risk Management and Professor of Accounting in the College of Management at North Carolina State University, and Director of North Carolina State’s Enterprise Risk Management Initiative). The authors have captured the essence of leading ERM and strategic risk management initiatives at their universities as well as their work with hundreds of practice leaders in enterprise risk management. They recognize that one of the major challenges in ensuring that 6 Overview risk management is adding value is to incorporate ERM in business and strategic planning of organizations. They explain how focusing on strategic risks serves as a filter for management and boards of directors to reduce the breadth of the risk playing field and ensure that they are focused on the right risks. These insights should help respond to the numerous calls following the recent credit crisis for improvements in overall risk oversight, with a particular emphasis on strategic risk management. In Chapter 4, “The Role of the Board of Directors and Senior Management in Enterprise Risk Management,” Bruce Branson (Professor and Associate Director, Enterprise Risk Management Initiative, North Carolina State College of Management) explains that the oversight of the enterprise risk management process employed by an organization is one of the most important and challenging functions of a corporation’s board of directors. He notes that a failure to adequately acknowledge and effectively manage risks associated with decisions being made throughout the organization can and often do lead to potentially catastrophic results. Bruce explains the shared responsibility between the members of the board and the senior management team to nurture a risk aware culture in the organization that embraces prudent risk taking within an appetite for risk that aligns with the organization’s strategic plan. He identifies the legal and regulatory framework that drives the risk oversight responsibilities of the board. He also clarifies the separate roles of the board and its committees vis-à-vis senior management in the development, approval, and implementation of an enterprise-wide approach to risk management. Finally, the chapter explores optimal board structures to best discharge their risk oversight responsibilities. ERM Management, Culture, and Control Anette Mikes (Assistant Professor of Business Administration at Harvard Business School) provides insights into the types of roles that CROs play, based on her personal research in Chapter 5, “Becoming the Lamp Bearer: The Emerging Roles of the Chief Risk Officer.” Anette gained her PhD in enterprise risk management from the London School of Economics, and is setting up a program at Harvard Business School with Robert Kaplan to teach ERM. Anette describes the role of chief risk officers (CRO) and different types of ERM methodologies that she sees in practice. She draws on the existing practitioner and academic literature on the role of chief risk officers, and a number of case studies from her ongoing research program on the evolution of the role of the CRO. Anette describes the origins and rise of the CRO, and outlines four major roles that senior risk officers may fulfill: (1) the compliance champion; (2) the modeling expert; (3) the strategic advisor; and (4) the strategic controller. She demonstrates how chief risk officers could improve business decision making and incorporate both good risk analytics and expert judgment, as well as influence risk-taking behavior in the business lines. As she explains: “The art of successful risk management is in getting the executive team to see the light and value the lamp-bearer.” This chapter will be of great interest to all CROs and those organizations thinking about how to implement ERM. “Creating a Risk-Aware Culture” is discussed in Chapter 6 by Doug Brooks (President and CEO, Aegon Canada Inc.). The author draws on his actuarial training and business insights to provide the methods to create a positive culture for risk ENTERPRISE RISK MANAGEMENT 7 management in any organization. The actuarial profession has for several years recognized and been a leading advocate for the research and expansion of ERM into their organizations. Actuaries are by training and experience well versed in managing risks and have expanded into additional areas such as investments and know how best to apply ERM concepts. We wanted to ensure the actuarial profession was included in this book and were delighted when we approached Doug Brooks that he suggested writing about the role of culture in risk management. Doug has been one of the early pioneers in ERM and this has likely added to his continued professional success, as he was recently appointed President and CEO of Aegon Canada Inc. Doug observes that an organization could possess world-class technical capabilities and strong processes for collecting and reporting information, but still have a bankrupt culture so that no value was added through ERM efforts. He considers that there is nothing more crucial to the success of ERM efforts in an organization than an informed and supportive culture. He points out that culture is not merely an intangible concept, but that its elements can be defined and progress in moving toward a desired culture can be measured. He notes that to be successful in risk management, organizations must recognize the importance of encouraging and rewarding disciplined behaviors, as well as openness in communication. Culture is key to ERM and this chapter is helpful to all practitioners who are implementing ERM. Chapter 7, “ERM Frameworks,” is authored by one of the leading authorities on risk frameworks, Professor Emeritus John Shortreed of the University of Waterloo, Canada. Professor Shortreed provides a forward-looking view at the forthcoming international framework for risk management. He is the Canadian representative on the committee that has developed the new ISO 31000 Risk Management Standard (due to be published around the same time as this book). This chapter is a great “companion” for those using the new ISO 31000 standard. Historically, ERM has been molded by the Australian/New Zealand Risk Standard 4360, by COSO’s 2004 publication, and recent pronouncements of rating agencies such as Standard & Poor’s; however, this new ISO standard is expected to have greater international acceptance in years to come. This chapter describes the new ISO risk management framework, which incorporates best practice from COSO, PMI (Project Management Institute), the Australian and New Zealand Standard (AS/NZS 4360:2004) and other leading international risk management standards. John notes that an ERM framework can often be implemented in a step-by-step way and this approach will assist in building acceptance of ERM and in encouraging a risk culture, particularly if potentially successful areas are selected for the first steps. As the risk management culture matures in the organization there should be noticeable improvements in the ability to discuss risks easily, decision making under uncertainty, comfort levels with risk situations, and achievement of objectives. Susan Hwang (Associate Partner, Deloitte, Toronto, Canada) provides some original views on the role of Key Risk Indicators (KRIs) in Chapter 8 “Identifying and Communicating Key Risk Indicators.” Since 2000 when Hydro One first began practicing ERM, there have not been a lot of new concepts introduced, despite the numerous publications on the topic. A year or two ago, John Fraser was at a presentation made by Susan Hwang on the topic of KRIs and realized that she was describing a concept that we had not seen before. She demonstrated how to 8 Overview use metrics, or what were often packaged among Key Performance Indicators, as a means of identifying evolving risks that might arise or increase in the future. This is a seemingly simple concept but one that we thought to be important to identifying future key risks. We found that virtually nothing had been written on the topic before, so we asked Susan to write this chapter and share her findings and views. Susan notes that the formal use of KRIs as an ERM tool is an emerging practice. Although many organizations have developed key performance indicators as a measure of progress against the achievement of business goals and strategies, this differs from using KRIs to support risk management and strategic and operational performance. In this chapter, Susan clarifies what KRIs are and demonstrates their practical applications and value to an organization. She outlines the guiding principles for designing KRIs, and discusses implementation and sustainability. The key message she shares is that there are lots of metrics and performance measures in any organization, but the art of ERM is identifying the key ones that will help identify future risks. ERM Tools and Techniques “How to Create and Use Corporate Risk Tolerance” is presented in Chapter 9 by Ken Mylrea (Director, Corporate Risk, Canada Deposit Insurance Corporation) and Joshua Lattimore (Policy and Research Advisor, Canada Deposit Insurance Corporation). The authors explore and provide practical examples of the role of risk tolerances. John first learned of Canada Deposit Insurance Corporation (CDIC) in the early 1990s when CDIC issued expectations about the business and financial practices of its member institutions. These principle-based standards were developed by Ken Mylrea and focus on enterprise-wide governance and management. Their underlying premise was that well-managed institutions are less likely to encounter difficulties that could result in CDIC having to pay the claims of depositors. A key feature of the standards was the requirement that institutions’ management and board of directors perform a self-assessment against the CDIC control criteria and report the results to the CDIC. In setting the context for this chapter, Ken and Joshua pose the following questions: What is risk tolerance? Why is setting risk tolerance important? What are the factors to consider in setting risk tolerance? And how can you make risk tolerance useful in managing risk? They describe risk tolerance as the risk exposure an organization determines appropriate to take or avoid taking, that is, risk tolerance is about taking calculated risks—namely, taking risks within clearly defined and communicated parameters set by the organization. In Chapter 10, “How to Plan and Run a Risk Management Workshop,” Rob Quail (Outsourcing Program Manager at Hydro One Networks Inc.) provides hardhitting practical advice on how to actually design and run a risk workshop. Rob was a major reason for the success of ERM at Hydro One and its sustainability to date. He has run more than 200 risk workshops at all levels, including facilitating meetings of up to 800 staff! When we were designing this book we realized that there was nothing we could find documented elsewhere on how to design and run a risk workshop. Rob describes in an easy step-by-step fashion how to design workshops based on the objectives to be achieved, for example, how important is team building versus specific action planning? Rob explains that risk workshops play a vital role in ERM by helping engage executive managers and staff in understanding ENTERPRISE RISK MANAGEMENT 9 the corporate objectives and the risks to achieving these within given tolerances. He goes on to show how workshops not only help identify and address critical risks, but also provide opportunities for participants to learn about organizational objectives, risks, and mitigants. He makes it clear that one size does not fit all and each workshop has to be designed carefully depending on the circumstances and desired outcomes. In Chapter 11, “How to Prepare a Risk Profile,” John Fraser (Vice President, Internal Audit & Chief Risk Officer at Hydro One) provides practical advice on how to prepare a risk profile for executive management and the board of directors. We wanted to have a chapter on risk profiles, and while there is a lot written about risk maps, heat maps, and risk identification, we could not find anything specific about how to actually conduct structured interviews and prepare a risk profile. As a result, we decided to document the Hydro One model, which we have been using since 1999, and which has been proven to be simple and effective. This methodology is based primarily on interviews with executives and risk specialists and complements the results captured by risk workshops. Ideally the results of workshops and interviews (or surveys) should be consolidated and reconciled. It is our hope that these step-by-step instructions will give confidence to risk managers implementing ERM on how best to conduct these interviews effectively. As Sir Graham Day, who was an early champion of ERM at Hydro One, told John “ERM obviously works in practice but can you make it work in theory?” Chapter 12, “How to Allocate Resources Based on Risk,” by Joe Toneguzzo (Director—Implementation & Approvals, Power System Planning, Ontario Power Authority) outlines a business framework for prioritizing resources based on risks, as part of the business planning process. Soon after we began implementing ERM at Hydro One, Joe Toneguzzo—who was responsible for obtaining funding and allocating resources for asset management—worked with the Hydro One Corporate Risk Management Group to determine how best to do so utilizing a risk-based approach. (Joe is now with another organization.) A methodology and supporting business process was developed that has served Hydro One well and is regarded as a leading asset management resource allocation model, as validated in international forums on this subject area. The concept involves identifying the critical business risks and the expenditures proposals available to mitigate them. This is followed by rating all the expenditure proposals in a consistent manner based on the risks that will be mitigated per unit of cost. The expenditures proposals are then dispatched on a priority basis, based on cost/benefit scores (where the benefit is measured in terms of reduced risk) until the resources are exhausted. The advantages of the methodology developed are that it is transparent, consistent, and easy to justify to stakeholders such as regulators, boards of directors, and others. Joe takes us through the theory and practice in an easy-to-follow manner. John Hargreaves (Managing Director, Hargreaves Risk & Strategy, London, England) explores and provides guidance on the popular topic of quantifying risks in Chapter 13, “Quantitative Risk Assessment in ERM.” John Hargreaves has seen his ideas and expertise implemented in various major organizations in England and brings an easy-to-understand introduction to what can become complex theories. John enjoyed a successful career in the real world of finance with major organizations, including being responsible for introducing risk management systems in a major bank following the last U.K. depression. Over the last 10 years, he 10 Overview has helped implement risk management systems in about 60 organizations. This chapter explains the complex world of quantification of risks in progressive steps to help those who are new to ERM. John provides descriptions of four differing approaches to the quantification of individual risks. Statistical methods for calculating and reporting a company’s total corporate risk are described and illustrated by a simple example and he also shows how quantified risks may be incorporated in the business planning process. Note that specialized methods to quantify risks in financial institutions are not covered here. His chapter is a must-read for anyone interested in the theory of practical and workable methods for quantifying risks. Types of Risks In Chapter 14, “Market Risk Management and Common Elements with Credit Risk Management,” Rick Nason (Partner, RSD Solutions, and Associate Professor of Finance, Dalhousie University, Nova Scotia) explains very sophisticated trading and market risk concepts and risk management methods in an easy-to-understand format. Rick left the exciting world of derivatives trading at a major Canadian bank to join the even more exciting world of academia where he is sharing his experiences through his teaching and consulting activities. Although comfortable with the complex models and math for market risk and derivatives, Rick decided to write this chapter for the general practitioner who wants to learn about market risk management and how it relates to credit risk management. In this chapter, Rick describes how to consider these risks and a framework that provides a focus on market risk. Rick points out that market risk management requires not only an understanding of the tools and techniques, but also of the underlying business in order to successfully implement the market risk function within the enterprise risk management framework of the organization. Continuing his discussion from the previous chapter, Rick Nason provides the basic elements of credit risk management as well as the more sophisticated concepts every credit risk manager should understand in Chapter 15, “Credit Risk Management.” Each year, Rick runs a credit competition at the university, as well as consulting with major banks on ERM and credit risk management. Rick explains that when conducting credit analysis, it is important to remember that, unlike market risk, credit risk is almost always a downside risk; that is, unexpected credit events are almost always negative events and only rarely positive surprises. He also reminds the reader that no one extends credit to a customer, or executes a loan to a counterparty, expecting that it will not be repaid. Rick has crafted this chapter for the general practitioner who wants to learn about credit risk management and for the more experienced credit managers seeking to validate their approach. Diana Del Bel Belluz (President, Risk Wise Inc.) explains operational risk concepts and methods in an easy-to-read format that will be essential to any student of ERM and helpful to more experienced readers in Chapter 16, “Operational Risk Management.” Diana has taught risk management since 1992 and has a background in decision science. With her broad experience from her consulting practice, she understands the challenges of a wide variety of organizations in getting a handle on this multifaceted topic. In this chapter, Diana explains the fundamentals of risk management in an operational setting and how operational risk management can be used to capture the full performance potential of an organization. She explores ENTERPRISE RISK MANAGEMENT 11 what is meant by operational risk and why it is important. She frames her explanations around questions such as: How do you align operational risk management with enterprise risk management? How do you assess operational risks? Why do you need to define risk tolerance for aligned decision making? What can you do to manage operational risk? How do you encourage a culture of risk management at the operational level? This chapter provides a well-rounded introduction to a topic that is becoming of increasing interest. In Chapter 17, “Risk Management: Techniques in Search of a Strategy,” Joseph V. Rizzi (Senior Investment Strategist, CapGen Financial Group, New York) explores the reasons for the losses that triggered massive shareholder value destruction resulting in dilutive recapitalizations, replacement of whole management teams, the failure of numerous institutions, and the adoption of the $700 billion TARP rescue program, and what can be done to avoid this in future. He suggests that risk management needs to move away from a technical, specialist control function with limited linkage to shareholder value creation. This can be achieved by firms and risk decisions moving from an internal egocentric focus to an external systems approach incorporating the firm within a market context. Further, he states that we need to move beyond risk measurement to risk management that integrates risk into strategic planning, capital management, and governance. Joseph draws on Warren Buffett’s principles and numerous practical examples (including Long Term Capital Management) to explain, using charts and models, how governance and ERM can address many of the pitfalls we have seen. Daniel A. Rogers (Associate Professor of Finance, School of Business Administration, Portland State University) provides in Chapter 18, “Managing Financial Risk and Its Interaction with Enterprise Risk Management,” a useful background on financial risk management, namely corporate strategies of employing financial transactions to eliminate or reduce measurable risks. He includes possible definitions and examples of industry applications of financial hedging. He then moves on to a basic review of the theoretical rationales for managing (financial) risk and explores the potential for the interaction of financial hedging with other areas of risk management (such as operational, strategic). He also discusses the lessons that can be applied to ERM from the knowledge base about financial hedging. He points out that active board involvement and buy-in are critical to the implementation of a successful ERM program, and that boards that better understand financial risks are likely to be more receptive to conversations about other significant risks that could negatively affect company performance. Benton E. Gup (Robert Hunt Cochrane/Alabama Bankers Association Chair of Banking at the University of Alabama) traces the evolution of bank capital requirements in Chapter 19, “Bank Capital Regulation and Enterprise Risk Management,” from the 1800s to the complex models used in Basel I and II. He points out that the recent subprime crisis makes it clear that our largest banks and financial institutions do not have adequate risk management as evidenced by problems with major banks and that the models employing economic capital can be subject to large errors. He goes on to introduce enterprise risk management and economic capital, which he believes represent the future of bank capital. He notes that enterprise risk management uses a “building block” approach to aggregate the risks from all lines of business, and that economic capital must be “forward looking,” and based on expected scenarios instead of recent history. 12 Overview In “Legal Risk Post-SOX and the Subprime Fiasco: Back to the Drawing Board” (Chapter 20), Steven Ramirez (Director, Business & Corporate Governance Law Center, Loyola University, Chicago) notes that legal risk should be managed in accordance with basic notions of risk management generally. He points out that it should not exist within a risk silo, but should be managed with a view toward the firm’s overall risk tolerance and through coordinated efforts of senior management, as well as the board. Professor Ramirez explains in a “no holds barred” way how the rules of professional responsibility governing lawyers were flawed, corporate law was stunted, whistle-blowing was not encouraged, codes of conduct were wholly optional, and there was insufficient regulation of the audit function. This chapter reviews the most developed framework governing legal and reputational risk (SOX) and suggests innovative and proactive ways that controls could be improved and risk can be reduced in the future. “Financial Reporting and Disclosure Risk Management” is discussed extensively by Susan Hume, Assistant Professor of Finance and International Business, School of Business, the College of New Jersey) in Chapter 21. The author boils down the key requirements of the extensive regulations for financial reporting and disclosure into an easy-to-understand chapter. Key topics such as reporting on internal controls under Sarbanes-Oxley, accounting for derivatives, and fair value accounting are discussed and explained. Susan explains how ERM reporting and disclosure provides the forum to discuss the key vulnerabilities and risks of the firm and strengthens management accountability. It is for the board and senior management to set the risk policy, establish the key levels of acceptable risk exposure, and communicate these policies to managers and other employees. Implementation and reporting then flows up from the bottom to senior management and to the risk management committee, which may be a subcommittee of the board in the ideal structure. This chapter will be an ideal place to gain an introduction to these complex requirements as well as add helpful insights for the more experienced reader. Survey Evidence and Academic Research John Fraser and Betty Simkins (co-editors of this book) teamed with Karen Schoening-Thiessen (Senior Manager of Executive Networks in the Governance and Corporate Responsibility Group at the Conference Board of Canada) to develop and analyze the first survey evidence of risk executives working in the area of ERM about the literature they find most effective in assisting and facilitating the successful implementation of ERM. The study in Chapter 22, “Who Reads What Most Often?” highlights crucial areas of need on ERM, and it is hoped that these will be a starting point to encourage and stimulate more advances in the research and practice of ERM. It highlights excellent opportunities for academics to closely collaborate with practitioners to conduct research in these key areas of need. The chapter also discusses problems and challenges risk executives have encountered that were not addressed in the literature. Detailed listings are provided of the top readings of articles (i.e., surveys, academic studies, and practitioner articles), books, and research reports. This chapter was originally published in the Spring/Summer 2008 issue of the Journal of Applied Finance. ENTERPRISE RISK MANAGEMENT 13 Chapter 23, “Academic Research on Enterprise Risk Management,” by Subbu Iyer (PhD student, Oklahoma State University), Daniel A. Rogers (Associate Professor, Portland State University), and Betty Simkins (Williams Companies Professor of Finance, Oklahoma State University), provides a summary to date of research on enterprise risk management. To conduct the review, they searched academic journals and other databases of academic research and limited their focus to papers that can be classified as either academic research or case studies that would be appropriate for a classroom setting. After a thorough search of ERM literature, the authors located 10 research studies and 5 case studies to synthesize. Overall, the authors find little in the way of consistent results about ERM. In addition, they find that more case studies on enterprise risk management are needed so that risk executives can learn from the experiences of others who have successfully implemented it. In Chapter 24 “Enterprise Risk Management: Lessons from the Field,” we have the benefit of the knowledge from a trio of experienced ERM experts, namely: William G. Shenkir (William Stamps Farish Professor Emeritus, University of Virginia’s McIntire School of Commerce), Thomas L. Barton (Kathryn and Richard Kip Professor of Accounting, University of North Florida) and Paul L. Walker (Associate Professor of Accounting, University of Virginia). The authors of this chapter have been involved in the area of ERM since 1996. They have taught ERM at the undergraduate and graduate levels and for businesses and executives worldwide as well as consulting on ERM implementation. They point out that one of the early lessons that companies glean from ERM is that many layers of the company, including senior management, operating managers, and regular employees do not know or understand the strategies and objectives of the organization and how these, in turn, relate to their daily job and tasks. ERM compels companies to identify and focus on the organization’s strategies and objectives. This chapter is illustrated with numerous real-life examples and provides a wonderful lesson in what enterprise risk management is like in real life. Special Topics and Case Studies In Chapter 25, “Rating Agencies Impact on Enterprise Risk Management,” Mike Moody (Managing Director, Strategic Risk Financing Inc.) provides the history and current published thinking of the major rating agencies. This is an area that we expect will expand and become more established as time goes on. Mike has an MBA in finance, is the Managing Director of a risk consulting firm, and was a risk manager of a Fortune 500 company. He has a broad view of the risk universe and what is happening due to the activities of the rating agencies. The interest taken by the agencies, especially Standard & Poor’s (S&P) in recent years, has focused boards and senior management on the need for and the advantages of ERM. Mike notes that one of the primary reasons for the movement of rating agencies into ERM is that they believe companies with an enterprise-wide view of risks, such as that offered by ERM, are better managed. Several have also noted that ERM provides an objective view of hard-to-measure aspects such as management capabilities, strategic rigor, and ability to manage in changing circumstances. He explains that the view of S&P is that positive or negative changes in ERM 14 Overview programs are considered as leading indicators that show up long before they could be seen in a company’s published financial data. This chapter provides a sound base for understanding the background and role of rating agencies in ERM, a story that is likely still evolving. “Enterprise Risk Management: Current Initiatives and Issues” (Chapter 26), contains a roundtable discussion sponsored and published by the Journal of Applied Finance, which includes an expert group of academics and practitioners in the area of risk management. The discussants consisted of Bruce Branson (Associate Director of the Enterprise Risk Management Initiative and Professor in the Department of Accounting at North Carolina State University), Pat Concessi (Partner in Global Energy Markets with Deloitte and Touche, Toronto, Canada), John R.S. Fraser (Chief Risk Officer and Vice President of Internal Audit at Hydro One Inc. in Toronto), Michael Hofmann (Vice President and Chief Risk Officer at Koch Industries, Inc. in Wichita, Kansas), Robert (Bob) Kolb (Frank W. Considine Chair in Applied Ethics at Loyola University Chicago), Todd Perkins (Director of Enterprise Risk at Southern Company, Inc. in Atlanta, Georgia), Joe Rizzi (Senior Investment Strategist at CapGen Financial in New York, but at the time of the roundtable discussion, he was the Managing Director of Enterprise Risk Management at Bank of America and La Salle Bank in Chicago, Illinois), and the moderator Betty J. Simkins (Williams Companies Professor of Business and Associate Professor of Finance in the Spears School of Business at Oklahoma State University). This roundtable explored many avenues, concerns, and possible solutions in this evolving arena of risk management. Demir Yener, Senior Advisor at Deloitte Consulting, Emerging Markets (Washington D.C.), discusses enterprise risk management applications suitable for, and as they exist in, a number of emerging market corporations in Chapter 27, “Establishing ERM Systems in Emerging Countries.” He notes that there is a growing interest in improving corporate governance practices in emerging markets. Following the financial crises in the Far East and Russia, which impacted many other emerging markets in 1997–1998, there was a realization that corporate governance practices had to be improved along with the financial sector infrastructure. The Financial Stability Forum was convened, as a result of which the OECD (Organisation for Economic Co-operation and Development) Principles of Corporate Governance were developed in 1999. Since then the principles have been revised in 2004, and other standards of business conduct had been introduced to provide guidance in a number of critical areas of global cooperation for business and finance among nations. The emerging countries in Demir’s sample include Egypt, Jordan, Mongolia, Serbia, Turkey, and Ukraine. The ERM concept is still a new concept in these countries and it is likely to take a while to get the emerging country firms, given the legal and regulatory requirements, to reach the desirable level of risk management practices. In Chapter 28, “The Rise and Evolution of the Chief Risk Officer: Enterprise Risk Management at Hydro One,” Tom Aabo (Associate Professor, Aarhus School of Business, Denmark), John R.S. Fraser (Chief Risk Officer, Hydro One Inc.), and Betty J. Simkins (Williams Companies Professor of Business, Oklahoma State University) describe the successful implementation of enterprise risk management (ERM) at Hydro One Inc. over a five-year period. This chapter was first published in the Journal of Applied Corporate Finance. Hydro One is a Canadian electric utility ENTERPRISE RISK MANAGEMENT 15 company that has experienced significant changes in its industry and business. Hydro One has been at the forefront of ERM for many years, especially in utilizing a holistic approach to managing risks, and provides a best practices case study for other firms to follow. This chapter describes the process of implementation beginning with the creation of the chief risk officer position, the deployment of a pilot workshop, and the various tools and techniques critical to ERM (e.g., the Delphi Method, risk trends, risk maps, risk tolerances, risk profiles, and risk rankings). As this brief overview indicates, the chapters in this book present an impressive coverage of crucial issues on enterprise risk management and are written by leading ERM experts globally. We believe that no other book on the market provides such a wide coverage of timely topics—such as ERM management, culture and control, ERM tools and techniques, types of risk from a holistic viewpoint, leading case studies, practitioner survey evidence, and academic research on ERM. The authors of these chapters and we, the editors, invite reader comments and suggestions. FUTURE OF ERM AND UNRESOLVED ISSUES As is generally recognized, ERM is still evolving with new techniques and research of best practices being studied and documented on almost a daily basis. Some of the issues that we feel deserve the attention of our readers and those interested in the future of ERM include: r Why have some companies succeeded and others failed in the implementar r r r tion of ERM? What do we predict for the future of ERM? What research issues remain? A comment on universities’ ERM programs and education. What unresolved issues do we see? The above issues all merit study and more attention than they have received to date. An entire chapter, if not book, could be written on the reasons for failure in the implementation of ERM. Often it appears to be caused in part by confusion over exactly what ERM is and undue expectations of management. Our observation is that too often the skills and techniques are not available and without support from the most senior ranks, ERM is destined to fail. We expect ERM to continue to grow until, in looking back, future managers will ask “How could you have managed without these basic techniques?” Obviously there has to be more discussion and clarification on what ERM is and what it has to offer. While regulatory interest can force ERM into companies, if not done well, it can become another box-ticking exercise that adds little value. As highlighted in Chapter 23, the opportunities to study ERM and assist in moving this new methodology forward are limitless and likely to continue. While some analysis can be done based on public information, it will require proactive visionary academics to go into the real world and study what is evolving in real business practices. This is a veritable goldmine for some intrepid academics and a minefield for the more timid. 16 Overview NOTES 1. The Joint Australian/New Zealand Standard for Risk Management (AS/NSZ 4360: 2004), first edition published in 1995, is the first guide on enterprise risk management that provides practical information. This publication covers the establishment and implementation of the enterprise risk management process. 2. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) (September 1992 and September 2004). 3. Group of Thirty, Derivatives: Practices and Principles (Washington, DC: 1993). 4. CoCo (Criteria of Control Board of the Canadian Institute of Chartered Accountants). 5. “Where Were the Directors”—Guidelines for Improved Corporate Governance in Canada, report of the Toronto Stock Exchange Committee on Corporate Governance in Canada (December 1994). 6. Committee on the Financial Aspects of Corporate Governance (Cadbury Committee, final report and Code of Best Practices issued December 1, 2002). 7. NYSE Corporate Governance Rules 7C(iii)(D) www.nyse.com/pdfs/finalcorpgovrules .pdf and Emerging Governance Practices in Enterprise Risk Management, the Conference Board (2007). 8. McKinsey & Company and Institutional Investor, 1996. “Corporate Boards: New Strategies for Adding Value at the Top.” 9. Risk management in general has been shown to increase firm value. See Smithson, Charles W., and Betty J. Simkins, “Does Risk Management Add Value? A Survey of the Evidence,” Journal of Applied Corporate Finance vol. 17, no. 3 (2005): 8–17. ABOUT THE EDITORS John Fraser is the Vice President, Internal Audit & Chief Risk Officer of Hydro One Networks Inc., one of North America’s largest electricity transmission and distribution companies. He is an Ontario and Canadian Chartered Accountant, a Fellow of the Association of Chartered Certified Accountants (U.K.), a Certified Internal Auditor, and a Certified Information Systems Auditor. He has more than 30 years experience in the risk and control field mostly in the financial services sector, including areas such as finance, fraud, derivatives, safety, environmental, computers, and operations. He is currently Chair of the Advisory Committee of the Conference Board of Canada’s Strategic Risk Council, a Practitioner Associate Editor of the Journal of Applied Finance, and a past member of the Risk Management and Governance Board of the Canadian Institute of Chartered Accountants. He is a recognized authority on enterprise risk management and has co-authored three academic papers on ERM—published in the Journal of Applied Corporate Finance and the Journal of Applied Finance. Betty J. Simkins is Williams Companies Professor of Business and Professor of Finance at Oklahoma State University (OSU). She received her BS in Chemical Engineering from the University of Arkansas, her MBA from OSU, and her PhD from Case Western Reserve University. Betty is also active in the finance profession and currently serves as Vice-Chairman of the Trustees (previously President) of the Eastern Finance Association, on the board of directors for the Financial Management Association (FMA), as co-editor of the Journal of Applied Finance, ENTERPRISE RISK MANAGEMENT 17 and as Executive Editor of FMA Online (the online journal for the FMA). She has coauthored more than 30 journal articles in publications including the Journal of Finance, Financial Management, Financial Review, Journal of International Business Studies, Journal of Futures Markets, Journal of Applied Corporate Finance, and the Journal of Financial Research and has won a number of best paper awards at academic conferences. CHAPTER 2 A Brief History of Risk Management H. FELIX KLOMAN President, Seawrack Press Inc. INTRODUCTION What is risk management (and its alternative title “enterprise risk management”)? When and where did we begin applying its precepts? Who were the first to use it? This is a brief and highly personal study of this discipline’s past and present. It is a description of some of its emotional and intellectual roots. It spans the millennia of human history and concludes with a detailed list of contributions in the past century. RISK MANAGEMENT IN ANTIQUITY Making good decisions in the face of uncertainty and risk probably began during the earliest human existence. Evolution favored those human creatures able to use their experience and minds to reduce the uncertainty of food, warmth, and protection. Homo sapiens survived by developing “an expression of an instinctive and constant drive for defense of an organism against the risks that are part of the uncertainty of existence.”1 This “genetic expression” can be construed as the beginning of risk management, a discipline for dealing with uncertainty. As the millennia passed, our species developed other mechanisms for coping with each day’s constant surprises. We invented a pantheon of divine creatures to blame for misfortune, praise for good luck, and to whom we offered sacrifices to mitigate the worst. These gods and goddesses, the personification of heavenly bodies, high mountains, and the deepest seas, led to a dependence on human oracles, soothsayers, priests, priestesses, and astrologers, to predict the future. We created a written language (Mesopotamia, Sumeria, Egypt, Phoenicia) in order to pass knowledge to the future. As our species used language, experience, memory, and deduction to explain random uncertainty, we created an alternative and backup explanatory system. The classical world of the Greeks and Romans demonstrates the development of written language, providing a significant advantage over oral recitation. At first, Greek memories passed on information from the past. Their written language 19 20 Overview extrapolated it into more rational predictions. Homer, capturing memory, sang of Zeus, Hera, Athena, Apollo, and the corps of divinities responsible for the victory at Troy as well as the misadventures of Odysseus on his return home. But by 585 BC, the Greek philosopher Thales used his observations, written data, and deductions to predict an eclipse of the sun, even though he continued to profess a belief in these gods.2 A century later Herodotus used intelligent “enquiry” to write “history,” but he too persisted with the power of divinities. It was finally Thucydides, in the early 400s BC, who proposed a “new penetrating realism,” one that “removed the gods as explanations of the course of events.” Thucydides was “fascinated by the gap between expectation and outcome, intention and event.”3 Perhaps he should be called the father of risk management. A few philosophers in classical Greece tried to emphasize observation, deduction, and prediction, but they inevitably collided with the inertia of belief in the long-standing system of divine intervention as the explanation for misfortune as well as good luck. With the growth and dominance of the new monotheistic religions in the Middle East and Mediterranean, it would take another millennium before the ideas Thucydides first advanced grew into the solid body of scientific knowledge to replace myth and superstition. AFTER THE MIDDLE AGES Jump ahead another 1,000 years to the emergence of the Renaissance and Enlightenment. Two changes encouraged the idea that we could actually think intelligently about the future. Peter Bernstein described the first, in his Against the Gods: “The idea of risk management emerges only when people believe they are to some degree free agents.”4 The second was our growing fascination with numbers. Our increasing disenchantment with the explanation that a “superior power” ordained everything became coupled with the capability of manipulating experience and data into numbers and thence probabilities. We could predict alternative futures! Peter Bernstein’s book is a joyful and often lyrical exploration of development of the concept of risk as both threat and opportunity. We became capable of “scrutinizing the past” to suggest future possibilities. He describes those men who first advanced the ideas of probability measurement, introducing us to familiar and unfamiliar names from the Renaissance onward: Leonardo Pisano (who introduced Arabic numerals) Luca Paccioli (double-entry bookkeeping) Girolamo Cardano (measuring the probability of dice) Blaise Pascal (“fear of harm ought to be proportional not merely to the gravity of the harm, but also to the probability of the event”) John Graunt (who calculated statistical tables) Daniel Bernoulli (the concept of utility) Jacob Bernoulli (the “law of large numbers”) Abraham de Moivre (the “bell” curve and standard deviation) Thomas Bayes (statistical inference) Francis Galton (regression to the mean) Jeremy Bentham (the law of supply and demand) A BRIEF HISTORY OF RISK MANAGEMENT 21 Today’s risk management rests, for better or for worse, on these and other fascinating characters. Where once philosophers and theologians attributed fortune or misfortune to the whims of gods, the efforts of those early thinkers described in Bernstein’s book, “have transformed the perception of risk from chance of loss into opportunity for gain, from FATE and ORIGINAL DESIGN to sophisticated, probability-based forecasts of the future, and from helplessness to choice.”5 Bernstein contrasts the development of more rigorous quantitative approaches to probabilities with recent attempts to understand why “people yield to inconsistencies, myopia, and other forms of distortion throughout the process of decisionmaking.” His story of risk and risk management is one of rationality and human nature, fighting with each other and then cooperating, to provide a better understanding of uncertainty and how to deal with it. “. . . Any decision relating to risk involves two distinct yet inseparable elements: the objective facts and a subjective view about the desirability of what is to be gained, or lost, by the decision. Both objective measurement and subjective degrees of belief are essential; neither is sufficient by itself.” “The essence of risk management,” Bernstein concludes, “lies in maximizing the areas where we have some control over the outcome while minimizing the areas where we have absolutely no control over the outcome and the linkage between effect and cause is hidden from us.” THE PAST 100 YEARS Experience and new information allowed us to think intelligently about the future and plan for potential unexpected outcomes. Many millennia contributed to our growing ability to distill and use information, but the developments since 1900 are more apparent and useful. Here is a synopsis of these critical events. The twentieth century began with euphoria, new wealth, relative peace, and industrialization, only to descend into chaotic regional and worldwide wars. These and other catastrophes crushed illusions about the perfectibility of society and our species, leaving us less idealistic and more appreciative of the continuing uncertainty of our future. Ideas drove change in this century. Stephen Lagerfeld cogently summed it up:6 “Apart from the almost accidental tragedy of World War I, the great clashings of our bloody century have not been provoked by the hunger for land, or riches, or other traditional sources of national desire, but by ideas—about the value of individual dignity and freedom, about the proper organization of society, and ultimately about the possibility of human perfection.” Risk management is one of those ideas that a logical, consistent, and disciplined approach to the future’s uncertainties will allow us to live more prudently and productively, avoiding unnecessary waste of resources. It goes beyond faith and luck, the former twin pillars of managing the future, before we learned to measure probability. As Peter Bernstein wrote, “If everything is a matter of luck, risk management is a meaningless exercise. Invoking luck obscures truth, because it separates an event from its cause.”7 If risk management is an extension of human nature, I should list the most notable political, economic, military, scientific, and technological events of the past 22 Overview 100 years. The major wars (from the Russo-Japanese, World Wars I and II, Korea, the Balkan, the first Gulf War and Iraq, to the numerous regional conflicts) and the advent of the automobile, radio, television, computer and Internet, the Great Depression, global warming, the atom bomb and nuclear power, the rise and fall of communism, housing, the dot-com, derivative, and lending bubbles, and the entire environmental movement affected the development of risk management. Major catastrophes did so more directly: the Titanic (the “unsinkable” ship sinks), the Triangle Shirtwaist fire (the failure to allow sufficient exits), Minimata Bay (mercury poisoning in Japan), Seveso (chemical poisoning of the community in Italy), Bhopal (chemical poisoning in India), Chernobyl (Russian nuclear meltdown), Three Mile Island (potential U.S. nuclear disaster that was contained), Challenger (U.S. space shuttle break up), Piper Alpha (North Sea oil production platform explosion and fire), Exxon Valdez (Alaskan ship grounding and oil contamination), to cite some of the more obvious. Earthquakes, tsunamis, typhoons, cyclones, and hurricanes continue to devastate populous regions, and their increasing frequency and severity stimulate new studies on causes, effects, and prediction, all part of the evolution of risk management. The most significant milestones, in my opinion, are more personal: the new ideas, books, and actions of individuals and their groups all of whom stimulated the discipline. Here’s my list: 1914 Credit and lending officers in the United States create Robert Morris Associates in Philadelphia. By 2000 it changes its name to the Risk Management Association and continues to focus on credit risk in financial institutions. In 2008 it counted 3,000 institutional and 36,000 associate members.8 1915 Friedrich Leitner publishes Die Unternehmensrisiken in Berlin (Enzelwirt. Abhan. Heft 3), a dissertation on risk and some of its responses, including insurance. 1921 Frank Knight publishes Risk, Uncertainty and Profit, a book that becomes a keystone in the risk management library. Knight separates uncertainty, which is not measurable, from risk, which is. He celebrates the prevalence of “surprise” and he cautions against over-reliance on extrapolating past frequencies into the future.9 1921 A Treatise on Probability, by John Maynard Keynes, appears. He too scorns dependence on the “Law of Great Numbers,” emphasizing the importance of relative perception and judgment when determining probabilities.10 1928 John von Neumann presents his first paper on a theory of games and strategy at the University of Göttingen, “Zur Theorie der Gesellschaftsspiele,” Mathematische Annalen, suggesting that the goal of not losing may be superior to that of winning. Later, in 1944, he and Oskar Morgenstern publish The Theory of Games and Economic Behavior (Princeton University Press, Princeton, NJ). The U.S. Congress passes the Glass-Steagall Act, prohibiting common ownership of banks, investment banks, and insurance companies. This Act, finally revoked in late 1999, arguably acted as a brake on the development of financial institutions in the United States and led the risk management discipline in many ways to be more fragmented than integrated. The financial disasters after 2000 cause some to question the wisdom of revocation. A BRIEF HISTORY OF RISK MANAGEMENT 23 1945 Congress passes the McCarran-Ferguson Act, delegating the regulation of insurance to the various states, rather than to the federal government, even as business became more national and international. This was another needless brake on risk management, as it hamstrung the ability of the insurance industry to become more responsive to the broader risks of its commercial customers. 1952 The Journal of Finance (No. 7–, 77–91) publishes “Portfolio Selection,” by Dr. Harry Markowitz, who later wins the Nobel Prize in 1990. It explores aspects of return and variance in an investment portfolio, leading to many of the sophisticated measures of financial risk in use today.11 1956 The Harvard Business Review publishes “Risk Management: A New Phase of Cost Control,” by Russell Gallagher, then the insurance manager of Philco Corporation in Philadelphia. This city is the focal point for new “risk management” thinking, from Dr. Wayne Snider, then of the University of Pennsylvania, who suggested in November 1955 that “the professional insurance manager should be a risk manager,” to Dr. Herbert Denenberg, another University of Pennsylvania professor who began exploring the idea of risk management using some early writings of Henri Fayol. 1962 In Toronto, Douglas Barlow, the insurance risk manager at Massey Ferguson, develops the idea of “cost-of-risk,” comparing the sum of selffunded losses, insurance premiums, loss control costs, and administrative costs to revenues, assets, and equity. This moves insurance risk management thinking away from insurance, but it still fails to cover all forms of financial and political risk. That same year Rachel Carson’s The Silent Spring challenges the public to consider seriously the degradation to our air, water, and ground from both inadvertent and deliberate pollution. Her work leads directly to the creation of the Environmental Protection Agency in the United States in 1970, the plethora of today’s environmental regulations, and the global Green movement so active today.12 1965 The Corvair unmasked! Ralph Nader’s Unsafe at Any Speed appears and gives birth to the consumer movement, first in the United States and later moving throughout the world, in which caveat vendor replaces the old precept of caveat emptor. The ensuing wave of litigation and regulation leads to stiffer product, occupational safety, and security regulations in most developed nations. Public outrage at corporate misbehavior also leads to the rise of litigation and the application of punitive damages in U.S. courts.13 1966 The Insurance Institute of America develops a set of three examinations that lead to the designation “Associate in Risk Management” (ARM), the first such certification. While heavily oriented toward corporate insurance management, its texts feature a broader risk management concept and are revised continuously, keeping the ARM curriculum up-to-date.14 1972 Dr. Kenneth Arrow wins the Nobel Memorial Prize in Economic Science, along with Sir John Hicks. Arrow imagines a perfect world in which every uncertainty is “insurable,” a world in which the Law of Large Numbers works without fail. He then points out that our knowledge is always incomplete—it “comes trailing clouds of vagueness”—and that we are 24 Overview best prepared for risk by accepting its potential as both a stimulant and penalty. 1973 In 1971, a group of insurance company executives meet in Paris to create the International Association for the Study of Insurance Economics. Two years later, the Geneva Association, its more familiar name, holds its first Constitutive Assembly and begins linking risk management, insurance, and economics. Under its first Secretary General and Director, Orio Giarini, the Geneva Association provides intellectual stimulus for the developing discipline.15 That same year, Myron Scholes and Fischer Black publish their paper on option valuation in the Journal of Political Economy and we begin to learn about derivatives.16 1974 Gustav Hamilton, the risk manager for Sweden’s Statsforetag, creates a “risk management circle,” graphically describing the interaction of all elements of the process, from assessment and control to financing and communication. 1975 In the United States, the American Society of Insurance Management changes its name to the Risk & Insurance Management Society (RIMS), acknowledging the shift toward risk management first suggested by Gallagher, Snider, and Denenberg in Philadelphia 20 years earlier. By 2008, RIMS has almost 11,000 members and a wide range of educational programs and services aimed primarily at insurance risk managers in North America. It links with sister associations in many other countries around the world through IFRIMA, the International Federation of Risk & Insurance Management Associations.17 With the support of RIMS, Fortune magazine publishes a special article entitled “The Risk Management Revolution.” It suggests the coordination of formerly unconnected risk management functions within an organization and acceptance by the board of responsibility for preparing an organizational policy and oversight of the function. Twenty years lapse before many of the ideas in this paper gain general acceptance. 1979 Daniel Kahneman and Amos Tversky publish their “prospect theory,” demonstrating that human nature can be perversely irrational, especially in the face of risk, and that the fear of loss often trumps the hope of gain. Three years later they and Paul Slovic write Judgment Under Uncertainty: Heuristics and Biases, published by Cambridge University Press. Kahneman wins the Nobel Prize in Economics in 2002. 1980 Public policy, academic and environmental risk management advocates form the Society for Risk Analysis (SRA) in Washington. Risk Analysis, its quarterly journal, appears the same year. By 2008, SRA has more than 2,500 members worldwide and active subgroups in Europe and Japan. Through its efforts, the terms risk assessment and risk management are familiar in North American and European legislatures.18 1983 William Ruckelshaus delivers his speech on “Science, Risk and Public Policy” to the National Academy of Sciences, launching the risk management idea in public policy. Ruckelshaus had been the first director of the Environmental Protection Agency, from 1970 to 1973, and returned in 1983 to lead EPA into a more principled framework for environmental policy. Risk management reaches the national political agenda.19 A BRIEF HISTORY OF RISK MANAGEMENT 25 1986 The Institute for Risk Management begins in London. Several years later, under the guidance of Dr. Gordon Dickson, it begins an international set of examinations leading to the designation, “Fellow of the Institute of Risk Management,” the first continuing education program looking at risk management in all its facets. This program is expanded in 2007–2008 for its 2,500 members.20 That same year the U.S. Congress passes a revision to the Risk Retention Act of 1982, substantially broadening its application, in light of an insurance cost and availability crisis. By 1999, some 73 “risk retention groups,” effectively captive insurance companies under a federal mandate, account for close to $750 million in premiums. 1987 “Black Monday,” October 19, 1987, hits the U.S. stock market. Its shock waves are global, reminding all investors of the market’s inherent risk and volatility. That same year Dr. Vernon Grose, a physicist, student of systems methodology, and former member of the National Transportation Safety Board, publishes Managing Risk: Systematic Loss Prevention for Executives, a book that remains one of the clearest primers on risk assessment and management.21 1990 The United Nations Secretariat authorizes the start of IDNDR, the International Decade for Natural Disaster Reduction, a 10-year effort to study the nature and the effects of natural disasters, particularly on the lessdeveloped areas of the world, and to build a global mitigation effort. IDNDR concludes in 1999 but continues under a new title, ISDR, the International Strategy for Disaster Reduction. Much of its work is detailed in Natural Disaster Management, a 319-page synopsis on the nature of hazards, social and community vulnerability, risk assessment, forecasting, emergency management, prevention, science, communication, politics, financial investment, partnerships, and the challenges for the twenty-first century.22 1992 The Cadbury Committee issues its report in the United Kingdom, suggesting that governing boards are responsible for setting risk management policy, assuring that the organization understands all its risks, and accepting oversight for the entire process. Its successor committees (Hempel and Turnbull), and similar work in Canada, the United States, South Africa, Germany, and France, establish a new and broader mandate for organizational risk management.23 In 1992, British Petroleum turns conventional insurance risk financing topsy-turvy with its decision, based on an academic study by Neil Doherty of the University of Pennsylvania and Clifford Smith of the University of Rochester, to dispense with any commercial insurance on its operations in excess of $10 million. Other large, diversified, transnational corporations immediately study the BP approach.24 The Bank for International Settlements issues its Basel I Accord to help financial institutions measure their credit and market risks and set capital accordingly. The title “Chief Risk Officer” is first used by James Lam at GE Capital to describe a function to manage “all aspects of risk,” including risk management, back-office operations, and business and financial planning. 26 Overview 1994 Bankers Trust, in New York, publishes a paper by its CEO, Charles Sanford, entitled “The Risk Management Revolution,” from a lecture at MIT. It identifies the discipline as a keystone for financial institution management.25 1995 A multidisciplinary task force of Standards Australia and Standards New Zealand publishes the first Risk Management Standard, AS/NZS 4360:1995 (since revised in 1999 and 2004), bringing together for the first time several of the different subdisciplines. This standard is followed by similar efforts in Canada, Japan, and the United Kingdom. While some observers think the effort premature, because of the constantly evolving nature of risk management, most hail it as an important first step toward a common global frame of reference.26 That same year Nick Leeson, a trader for Barings Bank, operating in Singapore, finds himself disastrously overextended and manages to topple the bank. This unfortunate event, a combination of greed, hubris, and inexcusable control failures, receives world headlines and becomes the “poster child” for fresh interest in operational risk management. 1996 The Global Association of Risk Professionals (GARP), representing credit, currency, interest rate, and investment risk managers, starts in New York and London. By 2008, it has more than 74,000 members, plus an extensive global certification examination program.27 Risk and risk management make the best-seller lists in North America and Europe with the publication of Peter Bernstein’s Against the Gods: The Remarkable Story of Risk. Bernstein’s book, while first a history of the development of the idea of risk and its management, is also, and perhaps more importantly, a warning about the overreliance on quantification: “The mathematically driven apparatus of modern risk management contains the seeds of a dehumanizing and self-destructive technology.”28 He makes a similar warning about the replacement of “old-world superstitions” with a “dangerous reliance on numbers,” in “The New Religion of Risk Management,” in the March–April 1996 issue of The Harvard Business Review. 1998 The collapse of Long-Term Capital Management, a four-year-old hedge fund, in Greenwich, Connecticut, and its bailout by the Federal Reserve, illustrate the failure of overreliance on supposedly sophisticated financial models. 2000 The widely heralded Y2K bug fails to materialize, in large measure because of billions spent to update software systems. It is considered a success for risk management. The terrorism of September 11, 2001, and the collapse of Enron remind the world that nothing is too big for collapse. These catastrophes reinvigorate risk management. PRMIA, the Professional Risk Manager’s International Association, starts in the United States and United Kingdom. By 2008, it counts 2,500 paid and 48,000 associate members. It, too, sponsors a global certification examination program.29 In July, the U.S. Congress passes the Sarbanes-Oxley Act, in response to the Enron collapse and other financial scandals, to apply to all public A BRIEF HISTORY OF RISK MANAGEMENT 27 companies. It is an impetus to combine risk management with governance and regulatory compliance. Opinion is mixed on this change. Some see this combination as a step backward, emphasizing only the negative side of risk, while others consider it a stimulus for risk management at the board level. 2004 The Basel Committee on Banking Supervision publishes the Basel II Accords, extending its global capital guidelines into operational risk (Basel I covered credit and market risks). Some observers argue that while worldwide adoption of these guidelines may reduce individual financial institution risk, it may increase systemic risk. These global accords may lead to similar guidelines for nonfinancial organizations.30 2005 The International Organization for Standardization creates an international working group to write a new global “guideline” for the definition, application, and practice of risk management, with a target date of 2009 for approval and publication.31 2007 Nassim Nicolas Taleb’s The Black Swan is published by Random House in New York. It is a warning that “our world is dominated by the extreme, the unknown, and the very improbable . . . while we spend our time engaged in small talk, focusing on the known and the repeated.”32 Taleb’s 2001 book, Fooled by Randomness (Textere, New York) was an earlier paea...
Purchase answer to see full attachment
User generated content is uploaded by users for the purposes of learning and should be used following Studypool's honor code & terms of service.

Explanation & Answer

Hello...I have completed the assignment. please find attached. its nice working with you😇

Running head: ENTERPRISE RISK MANAGEMENT

Enterprise Risk Management
Institution Affiliation
Date

1

ENTERPRISE RISK MANAGEMENT

2
Akawini Copper

The mining business is a very dynamic business that faces many risks in their operations.
To deal with the threats, they first need to check the accounts of the business. There should be
enough money to meet the needs of the company at all times and to guarant...


Anonymous
Awesome! Made my life easier.

Studypool
4.7
Trustpilot
4.5
Sitejabber
4.4

Related Tags