P1: OTA/XYZ
P2: ABC
fm
JWBT177-Simkins
October 24, 2009
9:16
Printer Name: Hamilton
ENTERPRISE RISK
MANAGEMENT
G
A
T
E
S
,
Fraser
John
Betty J. Simkins
D
E
A
N
D
R
A
The Robert W. Kolb Series in Finance
1
1
2
3
T
S
John Wiley & Sons, Inc.
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c01
JWBT177-Simkins
October 24, 2009
9:15
Printer Name: Hamilton
PART I
Overview
G
A
T
E
S
,
D
E
A
N
D
R
A
1
1
2
3
T
S
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c01
JWBT177-Simkins
October 24, 2009
9:15
Printer Name: Hamilton
G
A
T
E
S
,
D
E
A
N
D
R
A
1
1
2
3
T
S
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c01
JWBT177-Simkins
October 24, 2009
9:15
Printer Name: Hamilton
CHAPTER 1
Enterprise Risk Management
An Introduction and Overview
JOHN R.S. FRASER
G
Vice President, Internal Audit & Chief Risk Officer,
Hydro One Networks Inc.
A
BETTY J. SIMKINS
T
Williams Companies Professor of Business and Professor of Finance, Oklahoma State
E
University
S
,
Dnor the most intelligent, but those that are
It’s not the strongest of the species that survive,
the most responsive to change.
E
—Charles Darwin
A
N
WHAT IS ENTERPRISE RISKDMANAGEMENT?
R viewed as a natural evolution of the
Enterprise risk management (ERM) can be
process of risk management. The Committee
A of Sponsoring Organizations of the
Treadway Commission (COSO) defines enterprise risk management as: “. . . a process, effected by an entity’s board of directors, management and other personnel,
applied in strategy setting and across the enterprise,
designed to identify potential
1
events that may affect the entity, and manage risk to be within its risk appetite,
1 the achievement of entity objectives.”
to provide reasonable assurance regarding
The COSO definition is intentionally broad2and deals with risks and opportunities
affecting value creation or preservation. Similarly, in this book, we take a broad
3
view of ERM, or what we call—a holistic approach
to ERM.
Some sources have referred to ERM T
as a new risk management paradigm.
As in the past, many organizations continue to address risk in “silos,” with the
S
management of insurance, foreign exchange, operations, credit, and commodities
each conducted as narrowly focused and fragmented activities. Under ERM, all
risk areas would function as parts of an integrated, strategic, and enterprise-wide
system. And while risk management is coordinated with senior-level oversight,
employees at all levels of the organization using ERM are encouraged to view risk
management as an integral and ongoing part of their jobs.
The purpose of this book is to provide a blend of academic and practical
experience on ERM in order to educate practitioners and students alike about this
3
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c01
JWBT177-Simkins
4
October 24, 2009
9:15
Printer Name: Hamilton
Overview
evolving methodology. Furthermore, our goal is to provide a holistic coverage of
ERM, and in this process, provide the “‘what,” “why,” and “how” of ERM to assist
firms with the successful implementation of ERM.
The chapters that follow are from some of the leading academics and practitioners of this new methodology, with the in-depth insights into what practitioners
of this evolving business practice are actually doing, as well as anticipating what
needs to be taught on this topic. The leading experts in this field clearly explain
what enterprise risk management is and how you can teach, learn, or implement
these leading practices within the context of your business activities.
Enterprise Risk Management introduces you to the wide range of concepts and
techniques for managing risk in a holisticGway, by correctly identifying risks and
prioritizing the appropriate responses. It offers a broad overview of the different
A
types of techniques: the role of the board, risk tolerances, risk profiles, risk workT
shops, and allocation of resources, while focusing
on the principles that determine
business success. This comprehensive resource
also
provides a thorough introducE
tion to enterprise risk management as it relates to credit, market, and operational
S of the rating agencies and their imrisks, and covers the evolving requirements
portance to the overall risk management in
, a corporate setting. As well, it offers a
wealth of knowledge on the drivers, the techniques, the benefits, and the pitfalls
to avoid, in successfully implementing enterprise risk management.
D
E
DRIVERS OF ENTERPRISE RISK MANAGEMENT
A
There are theoretical and practical arguments for the use of ERM. As outlined in
N
Chapter 2 there has been an increasing consciousness
in risk literature that a more
holistic approach to managing risk makesD
good business sense.
External drivers for its implementation have been studies such as the Joint
R
Australian/New Zealand Standard for Risk Management,1 the Committee of Sponsoring Organizations of the Treadway Commission
(COSO),2 the Group of Thirty
A
Report in the United States (following derivatives disasters in the early 1990s),3
CoCo (the Criteria of Control model developed by the Canadian Institute of Char1
Dey Report in Canada following
tered Accountants),4 the Toronto Stock Exchange
major bankruptcies,5 and the Cadbury report in the United Kingdom.6
1
Major legal developments such as the New York Stock Exchange Listing Standards and the interpretation of the recent2Delaware case law on fiduciary duties,
7
among others, have provided an additional
3 force for ERM. In addition, large
pension funds have become more vocal about the need for improved corporate
governance, including risk management, T
and have stated their willingness to pay
premiums for stocks of firms with strongSindependent board governance.8 ERM
has also increased in importance due to the Sarbanes-Oxley Act of 2002—which
places greater responsibility on the board of directors to understand and monitor
an organization’s risks.
Finally, it is important to note that ERM can increase firm value.9 Security rating
agencies such as Moody’s and Standard & Poor’s include whether a company has
an ERM system as a factor in their ratings methodology for insurance, banking,
and nonfinancial firms.
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c01
JWBT177-Simkins
October 24, 2009
9:15
Printer Name: Hamilton
ENTERPRISE RISK MANAGEMENT
5
SUMMARY OF THE BOOK CHAPTERS
As mentioned earlier, the purpose of this book is to provide a blend of academic and
practical experience on ERM in order to educate practitioners and students alike
about this evolving methodology. Furthermore, our goal is to provide a holistic
coverage of ERM, and in this process, provide the what, why, and how of ERM to
assist firms with the successful implementation of ERM. To achieve this goal, the
book is organized into the following sections.
Overview
ERM Management, Culture, and Control
G
ERM Tools and Techniques
A
Types of Risks
Survey Evidence and Academic Research
T
Special Topics and Case Studies
E
S the chapters is provided below.
A brief description of the author(s) and
,
Overview
In Chapter 2, “A Brief History of Risk Management,”
we ask Felix Kloman—retired
D
risk management consultant, conceptual thinker, and lover of sailing—to provide
E
the background and history of risk management
and the evolution of enterprise
risk management. Felix was ideally suited
Ato do this as someone who has dedicated more than 30 years to sharing stories, raising interesting risk concepts, and
N field. There is no one we know who
generally enjoying the challenges of this entire
is better suited or knows more about this D
topic. He takes us right back literally to
some of the earliest recorded thinking on risk management and brings us through
R
the ages to current thinking. Felix goes back to the basic questions of “What is risk
management? When and where did we begin
A applying its precepts? Who were the
first to use it?” He provides a highly personal study of this discipline’s past and
present. It spans the millennia of human history and concludes with a detailed
1 is an ideal starting point for anyone
list of contributions in the past century. This
new to the topic of risk management or the older scholars who wish to revisit this
1
easy-to-read summary of risk. Felix is adamant in his view that risk must consider
2
opportunities as well as threats.
“ERM and Its Role in Strategic Planning
3 and Strategy Execution” is presented
in Chapter 3 by Mark L. Frigo (Director, the Center for Strategy, Execution, and
T
Valuation and Ledger & Quill Alumni Foundation,
Distinguished Professor of
Strategy and Leadership at the DePaul University
Kellstadt
Graduate School of
S
Business and School of Accountancy, Chicago) and Mark S. Beasley (Deloitte Professor of Enterprise Risk Management and Professor of Accounting in the College
of Management at North Carolina State University, and Director of North Carolina State’s Enterprise Risk Management Initiative). The authors have captured
the essence of leading ERM and strategic risk management initiatives at their universities as well as their work with hundreds of practice leaders in enterprise risk
management. They recognize that one of the major challenges in ensuring that
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c01
JWBT177-Simkins
6
October 24, 2009
9:15
Printer Name: Hamilton
Overview
risk management is adding value is to incorporate ERM in business and strategic
planning of organizations. They explain how focusing on strategic risks serves as
a filter for management and boards of directors to reduce the breadth of the risk
playing field and ensure that they are focused on the right risks. These insights
should help respond to the numerous calls following the recent credit crisis for
improvements in overall risk oversight, with a particular emphasis on strategic
risk management.
In Chapter 4, “The Role of the Board of Directors and Senior Management
in Enterprise Risk Management,” Bruce Branson (Professor and Associate Director, Enterprise Risk Management Initiative, North Carolina State College of Management) explains that the oversight of the
G enterprise risk management process
employed by an organization is one of the most important and challenging funcA
tions of a corporation’s board of directors. He notes that a failure to adequately
T associated with decisions being made
acknowledge and effectively manage risks
throughout the organization can and often
E do lead to potentially catastrophic results. Bruce explains the shared responsibility between the members of the board
S a risk aware culture in the organizaand the senior management team to nurture
tion that embraces prudent risk taking within
, an appetite for risk that aligns with
the organization’s strategic plan. He identifies the legal and regulatory framework
that drives the risk oversight responsibilities of the board. He also clarifies the
separate roles of the board and its committees
D vis-à-vis senior management in the
development, approval, and implementation of an enterprise-wide approach to
E
risk management. Finally, the chapter explores
optimal board structures to best
discharge their risk oversight responsibilities.
A
N
D
Anette Mikes (Assistant Professor of Business Administration at Harvard Business
R
School) provides insights into the types of roles that CROs play, based on her
personal research in Chapter 5, “Becoming
Athe Lamp Bearer: The Emerging Roles
ERM Management, Culture, and Control
of the Chief Risk Officer.” Anette gained her PhD in enterprise risk management
from the London School of Economics, and is setting up a program at Harvard
1 ERM. Anette describes the role of
Business School with Robert Kaplan to teach
chief risk officers (CRO) and different types of ERM methodologies that she sees
1
in practice. She draws on the existing practitioner and academic literature on the
role of chief risk officers, and a number of2case studies from her ongoing research
program on the evolution of the role of the
3 CRO. Anette describes the origins and
rise of the CRO, and outlines four major roles that senior risk officers may fulfill:
T expert; (3) the strategic advisor; and
(1) the compliance champion; (2) the modeling
(4) the strategic controller. She demonstrates
S how chief risk officers could improve
business decision making and incorporate both good risk analytics and expert
judgment, as well as influence risk-taking behavior in the business lines. As she
explains: “The art of successful risk management is in getting the executive team
to see the light and value the lamp-bearer.” This chapter will be of great interest to
all CROs and those organizations thinking about how to implement ERM.
“Creating a Risk-Aware Culture” is discussed in Chapter 6 by Doug Brooks
(President and CEO, Aegon Canada Inc.). The author draws on his actuarial training and business insights to provide the methods to create a positive culture for risk
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c01
JWBT177-Simkins
October 24, 2009
9:15
Printer Name: Hamilton
ENTERPRISE RISK MANAGEMENT
7
management in any organization. The actuarial profession has for several years
recognized and been a leading advocate for the research and expansion of ERM
into their organizations. Actuaries are by training and experience well versed in
managing risks and have expanded into additional areas such as investments and
know how best to apply ERM concepts. We wanted to ensure the actuarial profession was included in this book and were delighted when we approached Doug
Brooks that he suggested writing about the role of culture in risk management.
Doug has been one of the early pioneers in ERM and this has likely added to his
continued professional success, as he was recently appointed President and CEO of
Aegon Canada Inc. Doug observes that an organization could possess world-class
technical capabilities and strong processes
Gfor collecting and reporting information, but still have a bankrupt culture so that no value was added through ERM
A
efforts. He considers that there is nothing more crucial to the success of ERM efforts
in an organization than an informed andTsupportive culture. He points out that
culture is not merely an intangible concept,
E but that its elements can be defined
and progress in moving toward a desired culture can be measured. He notes that
S
to be successful in risk management, organizations
must recognize the importance
of encouraging and rewarding disciplined, behaviors, as well as openness in communication. Culture is key to ERM and this chapter is helpful to all practitioners
who are implementing ERM.
Chapter 7, “ERM Frameworks,” is authored
by one of the leading authoriD
ties on risk frameworks, Professor Emeritus John Shortreed of the University of
E
Waterloo, Canada. Professor Shortreed provides
a forward-looking view at the
forthcoming international framework forA
risk management. He is the Canadian
representative on the committee that has developed the new ISO 31000 Risk ManN the same time as this book). This
agement Standard (due to be published around
chapter is a great “companion” for those using
D the new ISO 31000 standard. Historically, ERM has been molded by the Australian/New Zealand Risk Standard
R
4360, by COSO’s 2004 publication, and recent pronouncements of rating agencies
such as Standard & Poor’s; however, thisA
new ISO standard is expected to have
greater international acceptance in years to come. This chapter describes the new
ISO risk management framework, which incorporates best practice from COSO,
PMI (Project Management Institute), the 1
Australian and New Zealand Standard
(AS/NZS 4360:2004) and other leading international risk management standards.
1
John notes that an ERM framework can often be implemented in a step-by-step
2 acceptance of ERM and in encourway and this approach will assist in building
aging a risk culture, particularly if potentially
successful areas are selected for
3
the first steps. As the risk management culture matures in the organization there
should be noticeable improvements in theTability to discuss risks easily, decision
making under uncertainty, comfort levels S
with risk situations, and achievement of
objectives.
Susan Hwang (Associate Partner, Deloitte, Toronto, Canada) provides some
original views on the role of Key Risk Indicators (KRIs) in Chapter 8 “Identifying
and Communicating Key Risk Indicators.” Since 2000 when Hydro One first began
practicing ERM, there have not been a lot of new concepts introduced, despite
the numerous publications on the topic. A year or two ago, John Fraser was at
a presentation made by Susan Hwang on the topic of KRIs and realized that she
was describing a concept that we had not seen before. She demonstrated how to
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c01
JWBT177-Simkins
October 24, 2009
9:15
8
Printer Name: Hamilton
Overview
use metrics, or what were often packaged among Key Performance Indicators, as a
means of identifying evolving risks that might arise or increase in the future. This is
a seemingly simple concept but one that we thought to be important to identifying
future key risks. We found that virtually nothing had been written on the topic
before, so we asked Susan to write this chapter and share her findings and views.
Susan notes that the formal use of KRIs as an ERM tool is an emerging practice.
Although many organizations have developed key performance indicators as a
measure of progress against the achievement of business goals and strategies, this
differs from using KRIs to support risk management and strategic and operational
performance. In this chapter, Susan clarifies what KRIs are and demonstrates their
practical applications and value to an organization.
She outlines the guiding prinG
ciples for designing KRIs, and discusses implementation and sustainability. The
A
key message she shares is that there are lots of metrics and performance measures
in any organization, but the art of ERM isTidentifying the key ones that will help
identify future risks.
E
ERM Tools and Techniques
S
,
“How to Create and Use Corporate Risk Tolerance” is presented in Chapter 9 by
Ken Mylrea (Director, Corporate Risk, Canada Deposit Insurance Corporation) and
Joshua Lattimore (Policy and Research Advisor,
Canada Deposit Insurance CorD
poration). The authors explore and provide practical examples of the role of risk
E
tolerances. John first learned of Canada Deposit
Insurance Corporation (CDIC) in
the early 1990s when CDIC issued expectations
about the business and financial
A
practices of its member institutions. These principle-based standards were develN
oped by Ken Mylrea and focus on enterprise-wide
governance and management.
Their underlying premise was that well-managed
institutions are less likely to enD
counter difficulties that could result in CDIC having to pay the claims of depositors.
R
A key feature of the standards was the requirement that institutions’ management
and board of directors perform a self-assessment
against the CDIC control criteria
A
and report the results to the CDIC. In setting the context for this chapter, Ken and
Joshua pose the following questions: What is risk tolerance? Why is setting risk
1 consider in setting risk tolerance? And
tolerance important? What are the factors to
how can you make risk tolerance useful in managing risk? They describe risk toler1
ance as the risk exposure an organization determines appropriate to take or avoid
2 calculated risks—namely, taking risks
taking, that is, risk tolerance is about taking
within clearly defined and communicated3parameters set by the organization.
In Chapter 10, “How to Plan and Run a Risk Management Workshop,” Rob
T One Networks Inc.) provides hardQuail (Outsourcing Program Manager at Hydro
hitting practical advice on how to actually
S design and run a risk workshop. Rob
was a major reason for the success of ERM at Hydro One and its sustainability to
date. He has run more than 200 risk workshops at all levels, including facilitating
meetings of up to 800 staff! When we were designing this book we realized that
there was nothing we could find documented elsewhere on how to design and run
a risk workshop. Rob describes in an easy step-by-step fashion how to design workshops based on the objectives to be achieved, for example, how important is team
building versus specific action planning? Rob explains that risk workshops play a
vital role in ERM by helping engage executive managers and staff in understanding
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c01
JWBT177-Simkins
October 24, 2009
9:15
Printer Name: Hamilton
ENTERPRISE RISK MANAGEMENT
9
the corporate objectives and the risks to achieving these within given tolerances.
He goes on to show how workshops not only help identify and address critical
risks, but also provide opportunities for participants to learn about organizational
objectives, risks, and mitigants. He makes it clear that one size does not fit all and
each workshop has to be designed carefully depending on the circumstances and
desired outcomes.
In Chapter 11, “How to Prepare a Risk Profile,” John Fraser (Vice President,
Internal Audit & Chief Risk Officer at Hydro One) provides practical advice on
how to prepare a risk profile for executive management and the board of directors.
We wanted to have a chapter on risk profiles, and while there is a lot written
about risk maps, heat maps, and risk identification,
we could not find anything
G
specific about how to actually conduct structured interviews and prepare a risk
A
profile. As a result, we decided to document the Hydro One model, which we have
been using since 1999, and which has beenTproven to be simple and effective. This
methodology is based primarily on interviews
E with executives and risk specialists
and complements the results captured by risk workshops. Ideally the results of
S
workshops and interviews (or surveys) should
be consolidated and reconciled.
It is our hope that these step-by-step instructions
will give confidence to risk
,
managers implementing ERM on how best to conduct these interviews effectively.
As Sir Graham Day, who was an early champion of ERM at Hydro One, told John
“ERM obviously works in practice but canDyou make it work in theory?”
Chapter 12, “How to Allocate Resources Based on Risk,” by Joe Toneguzzo
(Director—Implementation & Approvals, E
Power System Planning, Ontario Power
Authority) outlines a business framework
A for prioritizing resources based on
risks, as part of the business planning process. Soon after we began implementing
N was responsible for obtaining fundERM at Hydro One, Joe Toneguzzo—who
ing and allocating resources for asset management—worked
with the Hydro One
D
Corporate Risk Management Group to determine how best to do so utilizing a
R
risk-based approach. (Joe is now with another organization.) A methodology and
supporting business process was developed
A that has served Hydro One well and
is regarded as a leading asset management resource allocation model, as validated
in international forums on this subject area. The concept involves identifying the
1 proposals available to mitigate them.
critical business risks and the expenditures
This is followed by rating all the expenditure proposals in a consistent manner
1
based on the risks that will be mitigated per unit of cost. The expenditures proposals are then dispatched on a priority basis,2based on cost/benefit scores (where the
benefit is measured in terms of reduced risk)
3 until the resources are exhausted. The
advantages of the methodology developed are that it is transparent, consistent, and
T
easy to justify to stakeholders such as regulators,
boards of directors, and others.
Joe takes us through the theory and practice
in
an
easy-to-follow manner.
S
John Hargreaves (Managing Director, Hargreaves Risk & Strategy, London,
England) explores and provides guidance on the popular topic of quantifying
risks in Chapter 13, “Quantitative Risk Assessment in ERM.” John Hargreaves has
seen his ideas and expertise implemented in various major organizations in England and brings an easy-to-understand introduction to what can become complex
theories. John enjoyed a successful career in the real world of finance with major
organizations, including being responsible for introducing risk management systems in a major bank following the last U.K. depression. Over the last 10 years, he
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c01
JWBT177-Simkins
October 24, 2009
10
9:15
Printer Name: Hamilton
Overview
has helped implement risk management systems in about 60 organizations. This
chapter explains the complex world of quantification of risks in progressive steps
to help those who are new to ERM. John provides descriptions of four differing
approaches to the quantification of individual risks. Statistical methods for calculating and reporting a company’s total corporate risk are described and illustrated
by a simple example and he also shows how quantified risks may be incorporated
in the business planning process. Note that specialized methods to quantify risks
in financial institutions are not covered here. His chapter is a must-read for anyone
interested in the theory of practical and workable methods for quantifying risks.
G
A
In Chapter 14, “Market Risk Management and Common Elements with Credit
Risk Management,” Rick Nason (Partner,T
RSD Solutions, and Associate Professor
of Finance, Dalhousie University, Nova Scotia)
E explains very sophisticated trading
and market risk concepts and risk management methods in an easy-to-understand
S
format. Rick left the exciting world of derivatives
trading at a major Canadian
bank to join the even more exciting world
of
academia
where he is sharing his
,
Types of Risks
experiences through his teaching and consulting activities. Although comfortable
with the complex models and math for market risk and derivatives, Rick decided
to write this chapter for the general practitioner
D who wants to learn about market
risk management and how it relates to credit risk management. In this chapter,
Rick describes how to consider these risksEand a framework that provides a focus
on market risk. Rick points out that market
Arisk management requires not only an
understanding of the tools and techniques, but also of the underlying business in
Nrisk function within the enterprise risk
order to successfully implement the market
management framework of the organization.
D
Continuing his discussion from the previous chapter, Rick Nason provides
R
the basic elements of credit risk management as well as the more sophisticated
concepts every credit risk manager shouldAunderstand in Chapter 15, “Credit Risk
Management.” Each year, Rick runs a credit competition at the university, as well as
consulting with major banks on ERM and credit risk management. Rick explains
that when conducting credit analysis, it1is important to remember that, unlike
market risk, credit risk is almost always a downside risk; that is, unexpected credit
1
events are almost always negative events and only rarely positive surprises. He
2 credit to a customer, or executes a loan
also reminds the reader that no one extends
to a counterparty, expecting that it will not3be repaid. Rick has crafted this chapter
for the general practitioner who wants to learn about credit risk management and
for the more experienced credit managersTseeking to validate their approach.
Diana Del Bel Belluz (President, Risk S
Wise Inc.) explains operational risk concepts and methods in an easy-to-read format that will be essential to any student
of ERM and helpful to more experienced readers in Chapter 16, “Operational Risk
Management.” Diana has taught risk management since 1992 and has a background
in decision science. With her broad experience from her consulting practice, she
understands the challenges of a wide variety of organizations in getting a handle
on this multifaceted topic. In this chapter, Diana explains the fundamentals of risk
management in an operational setting and how operational risk management can
be used to capture the full performance potential of an organization. She explores
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c01
JWBT177-Simkins
October 24, 2009
9:15
Printer Name: Hamilton
ENTERPRISE RISK MANAGEMENT
11
what is meant by operational risk and why it is important. She frames her explanations around questions such as: How do you align operational risk management
with enterprise risk management? How do you assess operational risks? Why do
you need to define risk tolerance for aligned decision making? What can you do
to manage operational risk? How do you encourage a culture of risk management
at the operational level? This chapter provides a well-rounded introduction to a
topic that is becoming of increasing interest.
In Chapter 17, “Risk Management: Techniques in Search of a Strategy,” Joseph
V. Rizzi (Senior Investment Strategist, CapGen Financial Group, New York) explores the reasons for the losses that triggered massive shareholder value destruction resulting in dilutive recapitalizations,
G replacement of whole management
teams, the failure of numerous institutions, and the adoption of the $700 billion
A
TARP rescue program, and what can be done to avoid this in future. He suggests
T from a technical, specialist control
that risk management needs to move away
function with limited linkage to shareholder
E value creation. This can be achieved
by firms and risk decisions moving from an internal egocentric focus to an external
S a market context. Further, he states
systems approach incorporating the firm within
that we need to move beyond risk measurement
to risk management that integrates
,
risk into strategic planning, capital management, and governance. Joseph draws
on Warren Buffett’s principles and numerous practical examples (including Long
Term Capital Management) to explain, using
D charts and models, how governance
and ERM can address many of the pitfalls we have seen.
Daniel A. Rogers (Associate ProfessorEof Finance, School of Business Administration, Portland State University) provides
A in Chapter 18, “Managing Financial
Risk and Its Interaction with Enterprise Risk Management,” a useful background
N
on financial risk management, namely corporate
strategies of employing financial
transactions to eliminate or reduce measurable
D risks. He includes possible definitions and examples of industry applications of financial hedging. He then moves
R
on to a basic review of the theoretical rationales for managing (financial) risk and
explores the potential for the interaction of
A financial hedging with other areas of
risk management (such as operational, strategic). He also discusses the lessons that
can be applied to ERM from the knowledge base about financial hedging. He points
1 are critical to the implementation of
out that active board involvement and buy-in
a successful ERM program, and that boards that better understand financial risks
1
are likely to be more receptive to conversations about other significant risks that
2
could negatively affect company performance.
Benton E. Gup (Robert Hunt Cochrane/Alabama
Bankers Association Chair of
3
Banking at the University of Alabama) traces the evolution of bank capital requireT and Enterprise Risk Management,”
ments in Chapter 19, “Bank Capital Regulation
from the 1800s to the complex models used
S in Basel I and II. He points out that
the recent subprime crisis makes it clear that our largest banks and financial institutions do not have adequate risk management as evidenced by problems with
major banks and that the models employing economic capital can be subject to
large errors. He goes on to introduce enterprise risk management and economic
capital, which he believes represent the future of bank capital. He notes that enterprise risk management uses a “building block” approach to aggregate the risks
from all lines of business, and that economic capital must be “forward looking,”
and based on expected scenarios instead of recent history.
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c01
JWBT177-Simkins
12
October 24, 2009
9:15
Printer Name: Hamilton
Overview
In “Legal Risk Post-SOX and the Subprime Fiasco: Back to the Drawing Board”
(Chapter 20), Steven Ramirez (Director, Business & Corporate Governance Law
Center, Loyola University, Chicago) notes that legal risk should be managed in
accordance with basic notions of risk management generally. He points out that it
should not exist within a risk silo, but should be managed with a view toward the
firm’s overall risk tolerance and through coordinated efforts of senior management,
as well as the board. Professor Ramirez explains in a “no holds barred” way how
the rules of professional responsibility governing lawyers were flawed, corporate
law was stunted, whistle-blowing was not encouraged, codes of conduct were
wholly optional, and there was insufficient regulation of the audit function. This
chapter reviews the most developed framework
governing legal and reputational
G
risk (SOX) and suggests innovative and proactive ways that controls could be
A
improved and risk can be reduced in the future.
“Financial Reporting and DisclosureT
Risk Management” is discussed extensively by Susan Hume, Assistant Professor
Eof Finance and International Business,
School of Business, the College of New Jersey) in Chapter 21. The author boils
S regulations for financial reporting and
down the key requirements of the extensive
disclosure into an easy-to-understand chapter.
Key topics such as reporting on
,
internal controls under Sarbanes-Oxley, accounting for derivatives, and fair value
accounting are discussed and explained. Susan explains how ERM reporting and
disclosure provides the forum to discuss the
Dkey vulnerabilities and risks of the firm
and strengthens management accountability. It is for the board and senior manageElevels of acceptable risk exposure, and
ment to set the risk policy, establish the key
communicate these policies to managersAand other employees. Implementation
and reporting then flows up from the bottom to senior management and to the
risk management committee, which mayN
be a subcommittee of the board in the
ideal structure. This chapter will be an ideal
D place to gain an introduction to these
complex requirements as well as add helpful insights for the more experienced
R
reader.
A
Survey Evidence and Academic Research
1 of this book) teamed with Karen
John Fraser and Betty Simkins (co-editors
Schoening-Thiessen (Senior Manager of Executive Networks in the Governance
1
and Corporate Responsibility Group at the Conference Board of Canada) to de2 of risk executives working in the area
velop and analyze the first survey evidence
of ERM about the literature they find most3effective in assisting and facilitating the
successful implementation of ERM. The study in Chapter 22, “Who Reads What
T on ERM, and it is hoped that these
Most Often?” highlights crucial areas of need
will be a starting point to encourage and S
stimulate more advances in the research
and practice of ERM. It highlights excellent opportunities for academics to closely
collaborate with practitioners to conduct research in these key areas of need. The
chapter also discusses problems and challenges risk executives have encountered
that were not addressed in the literature. Detailed listings are provided of the top
readings of articles (i.e., surveys, academic studies, and practitioner articles), books,
and research reports. This chapter was originally published in the Spring/Summer
2008 issue of the Journal of Applied Finance.
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c01
JWBT177-Simkins
October 24, 2009
9:15
Printer Name: Hamilton
ENTERPRISE RISK MANAGEMENT
13
Chapter 23, “Academic Research on Enterprise Risk Management,” by Subbu
Iyer (PhD student, Oklahoma State University), Daniel A. Rogers (Associate Professor, Portland State University), and Betty Simkins (Williams Companies Professor
of Finance, Oklahoma State University), provides a summary to date of research
on enterprise risk management. To conduct the review, they searched academic
journals and other databases of academic research and limited their focus to papers that can be classified as either academic research or case studies that would
be appropriate for a classroom setting. After a thorough search of ERM literature,
the authors located 10 research studies and 5 case studies to synthesize. Overall,
the authors find little in the way of consistent results about ERM. In addition,
they find that more case studies on enterprise
G risk management are needed so that
risk executives can learn from the experiences of others who have successfully
A
implemented it.
T
In Chapter 24 “Enterprise Risk Management:
Lessons from the Field,” we have
the benefit of the knowledge from a trioEof experienced ERM experts, namely:
William G. Shenkir (William Stamps Farish Professor Emeritus, University of
S
Virginia’s McIntire School of Commerce), Thomas
L. Barton (Kathryn and Richard
Kip Professor of Accounting, University,of North Florida) and Paul L. Walker
(Associate Professor of Accounting, University of Virginia). The authors of this
chapter have been involved in the area of ERM since 1996. They have taught ERM
at the undergraduate and graduate levels and
D for businesses and executives worldwide as well as consulting on ERM implementation. They point out that one of
E ERM is that many layers of the comthe early lessons that companies glean from
pany, including senior management, operating
A managers, and regular employees
do not know or understand the strategies and objectives of the organization and
how these, in turn, relate to their daily jobNand tasks. ERM compels companies to
identify and focus on the organization’s strategies
and objectives. This chapter is
D
illustrated with numerous real-life examples and provides a wonderful lesson in
R
what enterprise risk management is like in real life.
A
Special Topics and Case Studies
1 Enterprise Risk Management,” Mike
In Chapter 25, “Rating Agencies Impact on
Moody (Managing Director, Strategic Risk Financing Inc.) provides the history and
1
current published thinking of the major rating agencies. This is an area that we
2
expect will expand and become more established
as time goes on. Mike has an
MBA in finance, is the Managing Director
of
a
risk
consulting firm, and was a
3
risk manager of a Fortune 500 company. He has a broad view of the risk universe
T of the rating agencies. The interest
and what is happening due to the activities
taken by the agencies, especially Standard
S & Poor’s (S&P) in recent years, has
focused boards and senior management on the need for and the advantages of
ERM. Mike notes that one of the primary reasons for the movement of rating
agencies into ERM is that they believe companies with an enterprise-wide view of
risks, such as that offered by ERM, are better managed. Several have also noted
that ERM provides an objective view of hard-to-measure aspects such as management capabilities, strategic rigor, and ability to manage in changing circumstances.
He explains that the view of S&P is that positive or negative changes in ERM
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c01
JWBT177-Simkins
14
October 24, 2009
9:15
Printer Name: Hamilton
Overview
programs are considered as leading indicators that show up long before they
could be seen in a company’s published financial data. This chapter provides a
sound base for understanding the background and role of rating agencies in ERM,
a story that is likely still evolving.
“Enterprise Risk Management: Current Initiatives and Issues” (Chapter 26),
contains a roundtable discussion sponsored and published by the Journal of Applied Finance, which includes an expert group of academics and practitioners in the
area of risk management. The discussants consisted of Bruce Branson (Associate
Director of the Enterprise Risk Management Initiative and Professor in the Department of Accounting at North Carolina State University), Pat Concessi (Partner
in Global Energy Markets with Deloitte and
G Touche, Toronto, Canada), John R.S.
Fraser (Chief Risk Officer and Vice President of Internal Audit at Hydro One Inc.
A
in Toronto), Michael Hofmann (Vice President and Chief Risk Officer at Koch InT Kolb (Frank W. Considine Chair in
dustries, Inc. in Wichita, Kansas), Robert (Bob)
Applied Ethics at Loyola University Chicago),
E Todd Perkins (Director of Enterprise
Risk at Southern Company, Inc. in Atlanta, Georgia), Joe Rizzi (Senior Investment
S but at the time of the roundtable disStrategist at CapGen Financial in New York,
cussion, he was the Managing Director of,Enterprise Risk Management at Bank of
America and La Salle Bank in Chicago, Illinois), and the moderator Betty J. Simkins
(Williams Companies Professor of Business and Associate Professor of Finance in
the Spears School of Business at Oklahoma
D State University). This roundtable explored many avenues, concerns, and possible solutions in this evolving arena of
E
risk management.
Demir Yener, Senior Advisor at Deloitte
AConsulting, Emerging Markets (Washington D.C.), discusses enterprise risk management applications suitable for, and as
Ncorporations in Chapter 27, “Establishthey exist in, a number of emerging market
ing ERM Systems in Emerging Countries.”DHe notes that there is a growing interest
in improving corporate governance practices in emerging markets. Following the
R
financial crises in the Far East and Russia, which impacted many other emerging
markets in 1997–1998, there was a realization
A that corporate governance practices
had to be improved along with the financial sector infrastructure. The Financial
Stability Forum was convened, as a result of which the OECD (Organisation for
1 Principles of Corporate Governance
Economic Co-operation and Development)
were developed in 1999. Since then the principles have been revised in 2004, and
1
other standards of business conduct had been introduced to provide guidance in
2
a number of critical areas of global cooperation
for business and finance among
nations. The emerging countries in Demir’s
sample
include Egypt, Jordan, Mon3
golia, Serbia, Turkey, and Ukraine. The ERM concept is still a new concept in these
T the emerging country firms, given the
countries and it is likely to take a while to get
legal and regulatory requirements, to reach
Sthe desirable level of risk management
practices.
In Chapter 28, “The Rise and Evolution of the Chief Risk Officer: Enterprise
Risk Management at Hydro One,” Tom Aabo (Associate Professor, Aarhus School
of Business, Denmark), John R.S. Fraser (Chief Risk Officer, Hydro One Inc.), and
Betty J. Simkins (Williams Companies Professor of Business, Oklahoma State University) describe the successful implementation of enterprise risk management
(ERM) at Hydro One Inc. over a five-year period. This chapter was first published
in the Journal of Applied Corporate Finance. Hydro One is a Canadian electric utility
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c01
JWBT177-Simkins
October 24, 2009
9:15
Printer Name: Hamilton
ENTERPRISE RISK MANAGEMENT
15
company that has experienced significant changes in its industry and business.
Hydro One has been at the forefront of ERM for many years, especially in utilizing
a holistic approach to managing risks, and provides a best practices case study for
other firms to follow. This chapter describes the process of implementation beginning with the creation of the chief risk officer position, the deployment of a pilot
workshop, and the various tools and techniques critical to ERM (e.g., the Delphi
Method, risk trends, risk maps, risk tolerances, risk profiles, and risk rankings).
As this brief overview indicates, the chapters in this book present an impressive
coverage of crucial issues on enterprise risk management and are written by leading
ERM experts globally. We believe that no other book on the market provides such
a wide coverage of timely topics—such asG
ERM management, culture and control,
ERM tools and techniques, types of risk from a holistic viewpoint, leading case
A
studies, practitioner survey evidence, and academic research on ERM. The authors
T reader comments and suggestions.
of these chapters and we, the editors, invite
E
S
FUTURE OF ERM AND UNRESOLVED ISSUES
,
As is generally recognized, ERM is still evolving with new techniques and research
of best practices being studied and documented on almost a daily basis. Some of
the issues that we feel deserve the attention
D of our readers and those interested in
the future of ERM include:
r
r
r
r
r
E
A and others failed in the implementaWhy have some companies succeeded
tion of ERM?
N
What do we predict for the future of ERM?
D
What research issues remain?
A comment on universities’ ERM programs
and education.
R
What unresolved issues do we see?
A
The above issues all merit study and more attention than they have received to
1 written on the reasons for failure in the
date. An entire chapter, if not book, could be
implementation of ERM. Often it appears to be caused in part by confusion over
1
exactly what ERM is and undue expectations of management. Our observation is
that too often the skills and techniques are2not available and without support from
the most senior ranks, ERM is destined to3
fail.
We expect ERM to continue to grow until, in looking back, future managers will
T these basic techniques?” Obviously
ask “How could you have managed without
there has to be more discussion and clarification
on what ERM is and what it has
S
to offer. While regulatory interest can force ERM into companies, if not done well,
it can become another box-ticking exercise that adds little value.
As highlighted in Chapter 23, the opportunities to study ERM and assist in
moving this new methodology forward are limitless and likely to continue. While
some analysis can be done based on public information, it will require proactive
visionary academics to go into the real world and study what is evolving in real
business practices. This is a veritable goldmine for some intrepid academics and a
minefield for the more timid.
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c01
JWBT177-Simkins
16
October 24, 2009
9:15
Printer Name: Hamilton
Overview
NOTES
1. The Joint Australian/New Zealand Standard for Risk Management (AS/NSZ 4360: 2004),
first edition published in 1995, is the first guide on enterprise risk management that provides practical information. This publication covers the establishment and implementation of the enterprise risk management process.
2. The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
(September 1992 and September 2004).
3. Group of Thirty, Derivatives: Practices and Principles (Washington, DC: 1993).
4. CoCo (Criteria of Control Board of the Canadian Institute of Chartered Accountants).
5. “Where Were the Directors”—GuidelinesGfor Improved Corporate Governance in
Canada, report of the Toronto Stock Exchange Committee on Corporate Governance
A
in Canada (December 1994).
T
6. Committee on the Financial Aspects of Corporate
Governance (Cadbury Committee,
final report and Code of Best Practices issued December 1, 2002).
E
7. NYSE Corporate Governance Rules 7C(iii)(D) www.nyse.com/pdfs/finalcorpgovrules
.pdf and Emerging Governance Practices in S
Enterprise Risk Management, the Conference
Board (2007).
,
8. McKinsey & Company and Institutional Investor, 1996. “Corporate Boards: New Strategies for Adding Value at the Top.”
9. Risk management in general has been shown
D to increase firm value. See Smithson,
Charles W., and Betty J. Simkins, “Does Risk Management Add Value? A Survey of the
E vol. 17, no. 3 (2005): 8–17.
Evidence,” Journal of Applied Corporate Finance
A
ABOUT THE EDITORS
N
John Fraser is the Vice President, Internal
D Audit & Chief Risk Officer of Hydro
One Networks Inc., one of North America’s largest electricity transmission and
R
distribution companies. He is an Ontario and Canadian Chartered Accountant, a
Fellow of the Association of Chartered Certified
Accountants (U.K.), a Certified
A
Internal Auditor, and a Certified Information Systems Auditor. He has more than
30 years experience in the risk and control field mostly in the financial services
1 derivatives, safety, environmental,
sector, including areas such as finance, fraud,
computers, and operations. He is currently Chair of the Advisory Committee of
1
the Conference Board of Canada’s Strategic Risk Council, a Practitioner Associate
Editor of the Journal of Applied Finance, and2a past member of the Risk Management
and Governance Board of the Canadian 3
Institute of Chartered Accountants. He
is a recognized authority on enterprise risk management and has co-authored three
T Journal of Applied Corporate Finance and
academic papers on ERM—published in the
the Journal of Applied Finance.
S
Betty J. Simkins is Williams Companies Professor of Business and Professor of
Finance at Oklahoma State University (OSU). She received her BS in Chemical
Engineering from the University of Arkansas, her MBA from OSU, and her PhD
from Case Western Reserve University. Betty is also active in the finance profession and currently serves as Vice-Chairman of the Trustees (previously President)
of the Eastern Finance Association, on the board of directors for the Financial
Management Association (FMA), as co-editor of the Journal of Applied Finance,
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c01
JWBT177-Simkins
October 24, 2009
9:15
Printer Name: Hamilton
ENTERPRISE RISK MANAGEMENT
17
and as Executive Editor of FMA Online (the online journal for the FMA). She
has coauthored more than 30 journal articles in publications including the Journal
of Finance, Financial Management, Financial Review, Journal of International Business
Studies, Journal of Futures Markets, Journal of Applied Corporate Finance, and the Journal of Financial Research and has won a number of best paper awards at academic
conferences.
G
A
T
E
S
,
D
E
A
N
D
R
A
1
1
2
3
T
S
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c01
JWBT177-Simkins
October 24, 2009
9:15
Printer Name: Hamilton
G
A
T
E
S
,
D
E
A
N
D
R
A
1
1
2
3
T
S
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c02
JWBT177-Simkins
October 24, 2009
9:16
Printer Name: Hamilton
CHAPTER 2
A Brief History of
Risk Management
H. FELIX KLOMAN
President, Seawrack Press Inc.
G
A
T
E
S
INTRODUCTION
, title “enterprise risk management”)?
What is risk management (and its alternative
When and where did we begin applying its precepts? Who were the first to use it?
This is a brief and highly personal study of this discipline’s past and present. It is
a description of some of its emotional andD
intellectual roots. It spans the millennia
of human history and concludes with a detailed
list of contributions in the past
E
century.
A
N
RISK MANAGEMENT IN ANTIQUITY
D
Making good decisions in the face of uncertainty and risk probably began during
R
the earliest human existence. Evolution favored those human creatures able to
use their experience and minds to reduceAthe uncertainty of food, warmth, and
protection. Homo sapiens survived by developing “an expression of an instinctive
and constant drive for defense of an organism against the risks that are part of
1 expression” can be construed as the
the uncertainty of existence.”1 This “genetic
beginning of risk management, a discipline for dealing with uncertainty.
1
As the millennia passed, our species developed other mechanisms for coping
2
with each day’s constant surprises. We invented
a pantheon of divine creatures
to blame for misfortune, praise for good luck,
and
to whom we offered sacrifices
3
to mitigate the worst. These gods and goddesses, the personification of heavenly
T led to a dependence on human orbodies, high mountains, and the deepest seas,
acles, soothsayers, priests, priestesses, and
S astrologers, to predict the future. We
created a written language (Mesopotamia, Sumeria, Egypt, Phoenicia) in order to
pass knowledge to the future. As our species used language, experience, memory, and deduction to explain random uncertainty, we created an alternative and
backup explanatory system.
The classical world of the Greeks and Romans demonstrates the development
of written language, providing a significant advantage over oral recitation. At
first, Greek memories passed on information from the past. Their written language
19
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c02
JWBT177-Simkins
20
October 24, 2009
9:16
Printer Name: Hamilton
Overview
extrapolated it into more rational predictions. Homer, capturing memory, sang of
Zeus, Hera, Athena, Apollo, and the corps of divinities responsible for the victory
at Troy as well as the misadventures of Odysseus on his return home. But by 585 BC,
the Greek philosopher Thales used his observations, written data, and deductions
to predict an eclipse of the sun, even though he continued to profess a belief in these
gods.2 A century later Herodotus used intelligent “enquiry” to write “history,” but
he too persisted with the power of divinities. It was finally Thucydides, in the early
400s BC, who proposed a “new penetrating realism,” one that “removed the gods
as explanations of the course of events.” Thucydides was “fascinated by the gap
between expectation and outcome, intention and event.”3 Perhaps he should be
called the father of risk management.
G
A few philosophers in classical Greece tried to emphasize observation, deA
duction, and prediction, but they inevitably collided with the inertia of belief in
T
the long-standing system of divine intervention
as the explanation for misfortune
as well as good luck. With the growth and
dominance
of the new monotheistic
E
religions in the Middle East and Mediterranean, it would take another millennium
S grew into the solid body of scientific
before the ideas Thucydides first advanced
knowledge to replace myth and superstition.
,
AFTER THE MIDDLE AGES D
Jump ahead another 1,000 years to the emergence
of the Renaissance and EnlightE
enment. Two changes encouraged the idea that we could actually think intelligently
A the first, in his Against the Gods: “The
about the future. Peter Bernstein described
idea of risk management emerges only when
N people believe they are to some degree free agents.”4 The second was our growing fascination with numbers. Our
D that a “superior power” ordained
increasing disenchantment with the explanation
everything became coupled with the capability
of manipulating experience and
R
data into numbers and thence probabilities. We could predict alternative futures!
A
Peter Bernstein’s book is a joyful and often lyrical exploration of development of
the concept of risk as both threat and opportunity. We became capable of “scrutinizing the past” to suggest future possibilities. He describes those men who first
1
advanced the ideas of probability measurement, introducing us to familiar and
1
unfamiliar names from the Renaissance onward:
2
Leonardo Pisano (who introduced Arabic
3 numerals)
Luca Paccioli (double-entry bookkeeping)
T
Girolamo Cardano (measuring the probability
of dice)
Blaise Pascal (“fear of harm ought to be
proportional
not merely to the gravity
S
of the harm, but also to the probability of the event”)
John Graunt (who calculated statistical tables)
Daniel Bernoulli (the concept of utility)
Jacob Bernoulli (the “law of large numbers”)
Abraham de Moivre (the “bell” curve and standard deviation)
Thomas Bayes (statistical inference)
Francis Galton (regression to the mean)
Jeremy Bentham (the law of supply and demand)
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c02
JWBT177-Simkins
October 24, 2009
9:16
Printer Name: Hamilton
A BRIEF HISTORY OF RISK MANAGEMENT
21
Today’s risk management rests, for better or for worse, on these and other
fascinating characters.
Where once philosophers and theologians attributed fortune or misfortune
to the whims of gods, the efforts of those early thinkers described in Bernstein’s
book, “have transformed the perception of risk from chance of loss into opportunity
for gain, from FATE and ORIGINAL DESIGN to sophisticated, probability-based
forecasts of the future, and from helplessness to choice.”5
Bernstein contrasts the development of more rigorous quantitative approaches
to probabilities with recent attempts to understand why “people yield to inconsistencies, myopia, and other forms of distortion throughout the process of decisionmaking.” His story of risk and risk management
is one of rationality and human
G
nature, fighting with each other and then cooperating, to provide a better underA
standing of uncertainty and how to deal with it. “. . . Any decision relating to risk
T the objective facts and a subjective
involves two distinct yet inseparable elements:
view about the desirability of what is to be
E gained, or lost, by the decision. Both
objective measurement and subjective degrees of belief are essential; neither is
S
sufficient by itself.”
“The essence of risk management,” Bernstein
concludes, “lies in maximizing
,
the areas where we have some control over the outcome while minimizing the areas
where we have absolutely no control over the outcome and the linkage between
effect and cause is hidden from us.”
D
E
A
Experience and new information allowed us to think intelligently about the future
N Many millennia contributed to our
and plan for potential unexpected outcomes.
growing ability to distill and use information,
D but the developments since 1900 are
more apparent and useful. Here is a synopsis of these critical events.
R
The twentieth century began with euphoria, new wealth, relative peace, and
industrialization, only to descend into chaotic
A regional and worldwide wars. These
THE PAST 100 YEARS
and other catastrophes crushed illusions about the perfectibility of society and
our species, leaving us less idealistic and more appreciative of the continuing
1
uncertainty of our future.
Ideas drove change in this century. Stephen Lagerfeld cogently summed it up:6
1
“Apart from the almost accidental tragedy of World War I, the great clashings of
2 by the hunger for land, or riches,
our bloody century have not been provoked
or other traditional sources of national desire,
but by ideas—about the value of
3
individual dignity and freedom, about the proper organization of society, and
ultimately about the possibility of humanT
perfection.”
Risk management is one of those ideas
S that a logical, consistent, and disciplined approach to the future’s uncertainties will allow us to live more prudently
and productively, avoiding unnecessary waste of resources. It goes beyond faith
and luck, the former twin pillars of managing the future, before we learned to
measure probability. As Peter Bernstein wrote, “If everything is a matter of luck,
risk management is a meaningless exercise. Invoking luck obscures truth, because
it separates an event from its cause.”7
If risk management is an extension of human nature, I should list the most
notable political, economic, military, scientific, and technological events of the past
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c02
JWBT177-Simkins
22
October 24, 2009
9:16
Printer Name: Hamilton
Overview
100 years. The major wars (from the Russo-Japanese, World Wars I and II, Korea,
the Balkan, the first Gulf War and Iraq, to the numerous regional conflicts) and
the advent of the automobile, radio, television, computer and Internet, the Great
Depression, global warming, the atom bomb and nuclear power, the rise and fall
of communism, housing, the dot-com, derivative, and lending bubbles, and the
entire environmental movement affected the development of risk management.
Major catastrophes did so more directly: the Titanic (the “unsinkable” ship sinks),
the Triangle Shirtwaist fire (the failure to allow sufficient exits), Minimata Bay (mercury poisoning in Japan), Seveso (chemical poisoning of the community in Italy),
Bhopal (chemical poisoning in India), Chernobyl (Russian nuclear meltdown),
Three Mile Island (potential U.S. nuclear G
disaster that was contained), Challenger
(U.S. space shuttle break up), Piper Alpha (North Sea oil production platform exA
plosion and fire), Exxon Valdez (Alaskan ship grounding and oil contamination),
T tsunamis, typhoons, cyclones, and
to cite some of the more obvious. Earthquakes,
hurricanes continue to devastate populousEregions, and their increasing frequency
and severity stimulate new studies on causes, effects, and prediction, all part of
S
the evolution of risk management.
The most significant milestones, in my
, opinion, are more personal: the new
ideas, books, and actions of individuals and their groups all of whom stimulated the
discipline. Here’s my list:
D
1914 Credit and lending officers in the United States create Robert Morris AssoE
ciates in Philadelphia. By 2000 it changes
its name to the Risk Management
Association and continues to focus
A on credit risk in financial institutions.
In 2008 it counted 3,000 institutional and 36,000 associate members.8
N
1915 Friedrich Leitner publishes Die Unternehmensrisiken
in Berlin (Enzelwirt.
Abhan. Heft 3), a dissertation on risk
D and some of its responses, including
insurance.
R
1921 Frank Knight publishes Risk, Uncertainty and Profit, a book that becomes
a keystone in the risk management
A library. Knight separates uncertainty,
which is not measurable, from risk, which is. He celebrates the prevalence
of “surprise” and he cautions against over-reliance on extrapolating past
1
frequencies into the future.9
1921 A Treatise on Probability, by John Maynard Keynes, appears. He too scorns
1
dependence on the “Law of Great Numbers,” emphasizing the importance
2 when determining probabilities.10
of relative perception and judgment
1928 John von Neumann presents his first
3 paper on a theory of games and strategy at the University of Göttingen, “Zur Theorie der Gesellschaftsspiele,”
Mathematische Annalen, suggestingTthat the goal of not losing may be superior to that of winning. Later, in 1944,
S he and Oskar Morgenstern publish
The Theory of Games and Economic Behavior (Princeton University Press,
Princeton, NJ).
The U.S. Congress passes the Glass-Steagall Act, prohibiting common
ownership of banks, investment banks, and insurance companies. This Act,
finally revoked in late 1999, arguably acted as a brake on the development
of financial institutions in the United States and led the risk management
discipline in many ways to be more fragmented than integrated. The financial disasters after 2000 cause some to question the wisdom of revocation.
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c02
JWBT177-Simkins
October 24, 2009
9:16
Printer Name: Hamilton
A BRIEF HISTORY OF RISK MANAGEMENT
23
1945 Congress passes the McCarran-Ferguson Act, delegating the regulation
of insurance to the various states, rather than to the federal government,
even as business became more national and international. This was another
needless brake on risk management, as it hamstrung the ability of the
insurance industry to become more responsive to the broader risks of its
commercial customers.
1952 The Journal of Finance (No. 7–, 77–91) publishes “Portfolio Selection,” by
Dr. Harry Markowitz, who later wins the Nobel Prize in 1990. It explores
aspects of return and variance in an investment portfolio, leading to many
of the sophisticated measures of financial risk in use today.11
1956 The Harvard Business Review publishes
G “Risk Management: A New Phase
of Cost Control,” by Russell Gallagher, then the insurance manager of
A
Philco Corporation in Philadelphia. This city is the focal point for new “risk
management” thinking, from Dr. T
Wayne Snider, then of the University of
Pennsylvania, who suggested in E
November 1955 that “the professional
insurance manager should be a risk manager,” to Dr. Herbert Denenberg,
S professor who began exploring the
another University of Pennsylvania
idea of risk management using some
, early writings of Henri Fayol.
1962 In Toronto, Douglas Barlow, the insurance risk manager at Massey
Ferguson, develops the idea of “cost-of-risk,” comparing the sum of selffunded losses, insurance premiums,
D loss control costs, and administrative
costs to revenues, assets, and equity. This moves insurance risk manageE but it still fails to cover all forms of
ment thinking away from insurance,
financial and political risk.
A
That same year Rachel Carson’s The Silent Spring challenges the public
N to our air, water, and ground from
to consider seriously the degradation
both inadvertent and deliberate pollution.
Her work leads directly to the
D
creation of the Environmental Protection Agency in the United States in
R
1970, the plethora of today’s environmental regulations, and the global
Green movement so active today.12
A
1965 The Corvair unmasked! Ralph Nader’s Unsafe at Any Speed appears and
gives birth to the consumer movement, first in the United States and later
1 which caveat vendor replaces the old
moving throughout the world, in
precept of caveat emptor. The ensuing wave of litigation and regulation
1
leads to stiffer product, occupational safety, and security regulations in
most developed nations. Public 2
outrage at corporate misbehavior also
leads to the rise of litigation and 3
the application of punitive damages in
U.S. courts.13
T develops a set of three examinations
1966 The Insurance Institute of America
that lead to the designation “Associate
S in Risk Management” (ARM), the
first such certification. While heavily oriented toward corporate insurance
management, its texts feature a broader risk management concept and are
revised continuously, keeping the ARM curriculum up-to-date.14
1972 Dr. Kenneth Arrow wins the Nobel Memorial Prize in Economic Science,
along with Sir John Hicks. Arrow imagines a perfect world in which every
uncertainty is “insurable,” a world in which the Law of Large Numbers
works without fail. He then points out that our knowledge is always
incomplete—it “comes trailing clouds of vagueness”—and that we are
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c02
JWBT177-Simkins
24
October 24, 2009
9:16
Printer Name: Hamilton
Overview
best prepared for risk by accepting its potential as both a stimulant and
penalty.
1973 In 1971, a group of insurance company executives meet in Paris to create
the International Association for the Study of Insurance Economics. Two
years later, the Geneva Association, its more familiar name, holds its first
Constitutive Assembly and begins linking risk management, insurance,
and economics. Under its first Secretary General and Director, Orio Giarini,
the Geneva Association provides intellectual stimulus for the developing
discipline.15
That same year, Myron Scholes and Fischer Black publish their paper
on option valuation in the Journal G
of Political Economy and we begin to learn
about derivatives.16
A
1974 Gustav Hamilton, the risk manager for Sweden’s Statsforetag, creates
T
a “risk management circle,” graphically
describing the interaction of all
elements of the process, from assessment
and control to financing and
E
communication.
S Society of Insurance Management
1975 In the United States, the American
changes its name to the Risk & Insurance
Management Society (RIMS),
,
acknowledging the shift toward risk management first suggested by
Gallagher, Snider, and Denenberg in Philadelphia 20 years earlier. By 2008,
RIMS has almost 11,000 members
Dand a wide range of educational programs and services aimed primarily at insurance risk managers in North
E
America. It links with sister associations
in many other countries around
the world through IFRIMA, the International
Federation of Risk & InsurA
ance Management Associations.17
N magazine publishes a special article
With the support of RIMS, Fortune
entitled “The Risk Management Revolution.”
It suggests the coordination
D
of formerly unconnected risk management functions within an organizaR
tion and acceptance by the board of responsibility for preparing an organizational policy and oversight ofA
the function. Twenty years lapse before
many of the ideas in this paper gain general acceptance.
1979 Daniel Kahneman and Amos Tversky publish their “prospect theory,”
demonstrating that human nature1can be perversely irrational, especially
in the face of risk, and that the fear of loss often trumps the hope of gain.
1
Three years later they and Paul Slovic write Judgment Under Uncertainty:
Heuristics and Biases, published by2
Cambridge University Press. Kahneman
wins the Nobel Prize in Economics
3 in 2002.
1980 Public policy, academic and environmental risk management advocates
form the Society for Risk AnalysisT(SRA) in Washington. Risk Analysis, its
quarterly journal, appears the same
Syear. By 2008, SRA has more than 2,500
members worldwide and active subgroups in Europe and Japan. Through
its efforts, the terms risk assessment and risk management are familiar in
North American and European legislatures.18
1983 William Ruckelshaus delivers his speech on “Science, Risk and Public
Policy” to the National Academy of Sciences, launching the risk management idea in public policy. Ruckelshaus had been the first director of the
Environmental Protection Agency, from 1970 to 1973, and returned in 1983
to lead EPA into a more principled framework for environmental policy.
Risk management reaches the national political agenda.19
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c02
JWBT177-Simkins
October 24, 2009
9:16
Printer Name: Hamilton
A BRIEF HISTORY OF RISK MANAGEMENT
25
1986 The Institute for Risk Management begins in London. Several years later,
under the guidance of Dr. Gordon Dickson, it begins an international set
of examinations leading to the designation, “Fellow of the Institute of
Risk Management,” the first continuing education program looking at risk
management in all its facets. This program is expanded in 2007–2008 for
its 2,500 members.20
That same year the U.S. Congress passes a revision to the Risk Retention Act of 1982, substantially broadening its application, in light of
an insurance cost and availability crisis. By 1999, some 73 “risk retention
groups,” effectively captive insurance companies under a federal mandate,
account for close to $750 million in
Gpremiums.
1987 “Black Monday,” October 19, 1987, hits the U.S. stock market. Its shock
A
waves are global, reminding all investors of the market’s inherent risk and
T
volatility.
That same year Dr. Vernon E
Grose, a physicist, student of systems
methodology, and former member of the National Transportation Safety
S
Board, publishes Managing Risk: Systematic
Loss Prevention for Executives,
a book that remains one of the clearest
primers
on risk assessment and
,
management.21
1990 The United Nations Secretariat authorizes the start of IDNDR, the International Decade for Natural Disaster
D Reduction, a 10-year effort to study
the nature and the effects of natural disasters, particularly on the lessE to build a global mitigation effort.
developed areas of the world, and
IDNDR concludes in 1999 but continues
under a new title, ISDR, the InA
ternational Strategy for Disaster Reduction. Much of its work is detailed
in Natural Disaster Management, a N
319-page synopsis on the nature of hazards, social and community vulnerability,
risk assessment, forecasting,
D
emergency management, prevention, science, communication, politics,
R
financial investment, partnerships, and the challenges for the twenty-first
century.22
A
1992 The Cadbury Committee issues its report in the United Kingdom, suggesting that governing boards are responsible for setting risk management
1 understands all its risks, and acceptpolicy, assuring that the organization
ing oversight for the entire process. Its successor committees (Hempel and
1
Turnbull), and similar work in Canada, the United States, South Africa,
Germany, and France, establish a 2
new and broader mandate for organizational risk management.23
3
In 1992, British Petroleum turns conventional insurance risk financing
T on an academic study by Neil Doherty
topsy-turvy with its decision, based
of the University of PennsylvaniaS
and Clifford Smith of the University of
Rochester, to dispense with any commercial insurance on its operations in
excess of $10 million. Other large, diversified, transnational corporations
immediately study the BP approach.24
The Bank for International Settlements issues its Basel I Accord to help
financial institutions measure their credit and market risks and set capital
accordingly.
The title “Chief Risk Officer” is first used by James Lam at GE
Capital to describe a function to manage “all aspects of risk,” including risk management, back-office operations, and business and financial
planning.
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c02
JWBT177-Simkins
26
October 24, 2009
9:16
Printer Name: Hamilton
Overview
1994 Bankers Trust, in New York, publishes a paper by its CEO, Charles
Sanford, entitled “The Risk Management Revolution,” from a lecture at
MIT. It identifies the discipline as a keystone for financial institution
management.25
1995 A multidisciplinary task force of Standards Australia and Standards
New Zealand publishes the first Risk Management Standard, AS/NZS
4360:1995 (since revised in 1999 and 2004), bringing together for the first
time several of the different subdisciplines. This standard is followed by
similar efforts in Canada, Japan, and the United Kingdom. While some
observers think the effort premature, because of the constantly evolving
nature of risk management, mostG
hail it as an important first step toward
a common global frame of reference.26
A
That same year Nick Leeson, a trader for Barings Bank, operating
T
in Singapore, finds himself disastrously
overextended and manages to
topple the bank. This unfortunateEevent, a combination of greed, hubris,
and inexcusable control failures, receives world headlines and becomes
S in operational risk management.
the “poster child” for fresh interest
1996 The Global Association of Risk Professionals
(GARP), representing credit,
,
currency, interest rate, and investment risk managers, starts in New York
and London. By 2008, it has more than 74,000 members, plus an extensive
27
global certification examination program.
D
Risk and risk management make the best-seller lists in North AmerE of Peter Bernstein’s Against the Gods:
ica and Europe with the publication
The Remarkable Story of Risk. Bernstein’s
book, while first a history of the
A
development of the idea of risk and its management, is also, and perhaps
N the overreliance on quantification:
more importantly, a warning about
“The mathematically driven apparatus
D of modern risk management contains the seeds of a dehumanizing and self-destructive technology.”28 He
R
makes a similar warning about the replacement of “old-world superstitions” with a “dangerous relianceAon numbers,” in “The New Religion of
Risk Management,” in the March–April 1996 issue of The Harvard Business
Review.
1 Management, a four-year-old hedge
1998 The collapse of Long-Term Capital
fund, in Greenwich, Connecticut, and its bailout by the Federal Reserve,
1
illustrate the failure of overreliance on supposedly sophisticated financial
2
models.
2000 The widely heralded Y2K bug fails
3 to materialize, in large measure because of billions spent to update software systems. It is considered a success
T
for risk management.
The terrorism of September S
11, 2001, and the collapse of Enron remind the world that nothing is too big for collapse. These catastrophes
reinvigorate risk management.
PRMIA, the Professional Risk Manager’s International Association,
starts in the United States and United Kingdom. By 2008, it counts 2,500
paid and 48,000 associate members. It, too, sponsors a global certification
examination program.29
In July, the U.S. Congress passes the Sarbanes-Oxley Act, in response
to the Enron collapse and other financial scandals, to apply to all public
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c02
JWBT177-Simkins
October 24, 2009
9:16
Printer Name: Hamilton
A BRIEF HISTORY OF RISK MANAGEMENT
27
companies. It is an impetus to combine risk management with governance
and regulatory compliance. Opinion is mixed on this change. Some see this
combination as a step backward, emphasizing only the negative side of
risk, while others consider it a stimulus for risk management at the board
level.
2004 The Basel Committee on Banking Supervision publishes the Basel II Accords, extending its global capital guidelines into operational risk (Basel I
covered credit and market risks). Some observers argue that while worldwide adoption of these guidelines may reduce individual financial institution risk, it may increase systemic risk. These global accords may lead
to similar guidelines for nonfinancial
G organizations.30
2005 The International Organization for Standardization creates an internaA
tional working group to write a new global “guideline” for the definition,
T
application, and practice of risk management,
with a target date of 2009
for approval and publication.31 E
2007 Nassim Nicolas Taleb’s The Black Swan is published by Random House in
New York. It is a warning that “ourSworld is dominated by the extreme, the
unknown, and the very improbable
, . . . while we spend our time engaged
in small talk, focusing on the known and the repeated.”32 Taleb’s 2001
book, Fooled by Randomness (Textere, New York) was an earlier paean to
the importance of skepticism on models.
D
2008 The United States Federal Reserve bailout of Bear Stearns appears to
E of conventional risk management
many to be an admission of the failure
in financial institutions.
A
N
Perhaps Peter Bernstein’s Against the Gods
D is a fitting end to this list of risk management milestones. It illustrates the importance of communication. Too often, new
Rthe cognoscenti. Arcane mathematics,
ideas have been unnecessarily restricted to
academic prose, and the secretiveness of current
risk management “guilds,” each
A
protecting their own turf, discourage needed interdisciplinary discussion. Peter’s
lucid prose, compelling syntheses of difficult concepts, personal portraits of creative people, and particularly his warnings
1 of the perils of excess quantification,
bring us an appreciation of both the potential and perils of risk management. No
1 process (risk management; enterprise
matter what title we attach to this thinking
risk management; strategic risk management;
2 etc.), it will continue to be a part of
the human experience.
3 or value unless it acts as a stimulant
None of this retrospection has any meaning
for a more prudent, intelligent, and optimistic
T use of the ideas and tools of past
innovators.
S
Step out and create some new risk milestones.
Paradoxically, the very mortality that bears each of us along to a finite conclusion also
gives us, through its unfolding, the means to repossess what we believe we have lost. It is
in memory, given its true shape through the imagination, that we can truly possess our
lives, if we will only strive to regain them.
—Louis D. Rubin Jr., Small Craft Advisory
Atlantic Monthly Press, New York, 1991
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c02
JWBT177-Simkins
October 24, 2009
9:16
28
Printer Name: Hamilton
Overview
Risk and time are opposite sides of the same coin, for if there were no tomorrow there would
be no risk. Time transforms risk, and the nature of risk is shaped by the time horizon: the
future is the playing field.
—Peter Bernstein, Against the Gods, John Wiley & Sons, New York, 1996
(Revision September 2008. An earlier version of this brief history
appeared in the December 1999 issue of Risk Management Reports.)
NOTES
1. Douglas Barlow, in letter to the author, January 8, 1998. Barlow was, for many years, the
risk manager for Canada’s Massey Ferguson Company.
G
A
Ibid., 157.
T John Wiley & Sons, 1996) xxxv.
Peter L. Bernstein, Against the Gods (New York:
Ibid., 337.
E
Stephen Lagerfeld, “Editor’s Comment,” Wilson Quarterly (Autumn 1999).
S
Bernstein, op. cit., 197.
See www.rmahq.org for more information,about RMA.
2. Robin Lane Fox, The Classical World (New York: Basic Books, 2006) 49.
3.
4.
5.
6.
7.
8.
9. See 1985 reprint from the University of Chicago Press and first edition, 1921, Hart,
Schaffner, and Marx, Boston.
D
E
See www.afajof.org.
A
See 1952 original and 2003 reprint from Houghton
Mifflin, Boston.
See Grossman Publishers, New York, 1965.N
See www.aicpcu.org.
D
See www.genevaassociation.org for more information on the Geneva Association.
R
See www.journals.uchicago.edu.
See www.rims.org for more information on
ARIMS.
10. See 1963 reprint from Macmillan.
11.
12.
13.
14.
15.
16.
17.
18. See www.sra.org for more information about SRA.
19. See Science, vol. 221, no. 4615, September 9, 1983, and www.science.mag.org.
1
Prentice-Hall, Englewood Cliffs, NJ, 1993. 1
See www.unisdr.org for more information2
on ISDR.
See www.archive.official-documents.co.uk.
3
See Journal of Applied Corporate Finance, vol. 6, no.
T
synergy.com.
See www.terry.uga.edu/sanford/vita.html.
S
20. See www.theirm.org for more information about IRM.
21.
22.
23.
24.
25.
3 (Fall 1993) www.blackwell-
26. See www.standards.com.au.
27. See www.garp.org for more information about GARP.
28. Bernstein, op. cit., 7.
29. See www.prmia.org for more information about PRMIA.
30. See www.bis.org.
31. See www.iso.org.
32. Nassim Nicholas Taleb, The Black Swan (New York: Random House, 2007) xxvii.
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c02
JWBT177-Simkins
October 24, 2009
9:16
Printer Name: Hamilton
A BRIEF HISTORY OF RISK MANAGEMENT
29
ABOUT THE AUTHOR
Felix Kloman is President of Seawrack Press, Inc. and a retired principal of Towers Perrin, an international management consulting firm. His experience includes
serving as Editor and Publisher of Risk Management Reports for 33 years, from 1974
to 2007, and more than 40 years in risk management consulting with Risk Planning
Group (Darien, CT), Tillinghast (Stamford, CT), and Towers Perrin (Stamford, CT).
He is the author of Mumpsimus Revisited (2005), and The Fantods of Risk (2008),
both sets of essays on risk management. He is a Fellow of the Institute of Risk
Management (London), a past director of the Nonprofit Risk Management Center,
a past and founding director of the PublicGEntity Risk Institute, past chairman of
the Risk Management & Insurance Committee for the U.S. Sailing Association, and
a charter member of the Society for Risk A
Analysis. He received the Dorothy and
Harry Goodell Award from the Risk & Insurance
Management Society in 1994.
T
He is a graduate of Princeton University, 1955, with an AB in History.
E
S
,
D
E
A
N
D
R
A
1
1
2
3
T
S
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c02
JWBT177-Simkins
October 24, 2009
9:16
Printer Name: Hamilton
G
A
T
E
S
,
D
E
A
N
D
R
A
1
1
2
3
T
S
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c03
JWBT177-Simkins
October 24, 2009
9:16
Printer Name: Hamilton
CHAPTER 3
ERM and Its Role in
Strategic Planning and
Strategy Execution
G
MARK S. BEASLEY, PhD, CPA
A
Deloitte Professor of Enterprise Risk Management and Director of the ERM Initiative,
T University
College of Management, North Carolina State
E
MARK L. FRIGO, PhD, CPA, CMA
S
Director, The Center for Strategy, Execution, and Valuation and Ledger & Quill Alumni
, and Leadership at the DePaul UniverFoundation Distinguished Professor of Strategy
sity Kellstadt Graduate School of Business and School of Accountancy
D
E
A
nterprise risk management (ERM) has
N rightfully become a top priority for
directors and executive management. The current economic crisis highlights
D
the disastrous results when risks associated
with strategies are ignored or ineffectively managed. Coming out of the crisis
R are numerous calls for improvements
in overall risk oversight, with a particular emphasis on strategic risk management.
A that risk management is adding value
One of the major challenges in ensuring
E
is to incorporate ERM in business and strategic planning of organizations. The
“silos” that separate risk management functions in organizations also create bar1
riers that separate strategic planning from ERM. In many cases, risk management
1 strategic planning, and strategic risks
activities are not linked or integrated with
can be overlooked, creating dangerous “blind spots” in strategy execution and risk
2
management that can be catastrophic.
The challenge, as well as opportunity, 3
for organizations is to embed risk thinking and risk management explicitly into T
the strategy development and strategy
execution processes of an organization so that strategy and risk mindsets are one
S cases, and research by the authors
in the same. This chapter is based on articles,
in leading ERM and Strategic Risk Management initiatives at North Carolina State
University and DePaul University, respectively, and their work with hundreds of
practice leaders in enterprise risk management.
31
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c03
JWBT177-Simkins
32
October 24, 2009
9:16
Printer Name: Hamilton
Overview
RISING EXPECTATIONS FOR STRATEGIC
RISK MANAGEMENT
The expectations that boards of directors and senior executives are effectively
managing risks facing an enterprise are at all-time highs.1 Much of this shift in
expectations was prompted initially by corporate scandals and resulting changes
in corporate governance requirements, such as the Sarbanes-Oxley Act of 2002
(SOX) and the NYSE Corporate Governance Rules updated in 2004. Debt-rating
agencies such as Standard & Poor’s, Moody’s, and Fitch now examine enterprisewide risk management practices of institutions as part of their overall creditrating assessment processes. Their particular
focus is on understanding the
G
risk management culture and the overall strategic risk management processes
A
in place.1
The economic crisis that began in 2007T
and still continues is now shining a huge
spotlight on the board and senior management’s
E enterprise-wide risk management
processes. Reform proponents are pointing to failures in the overall risk oversight
S
processes, including unaware boards, overreliance
on sophisticated models, and
underreliance on sound judgment. Critics
argue
that
because returns on certain
,
strategic initiatives were so great, risks that were present were either unknown
or ignored.2 Numerous calls are now arising for drastic improvements in risk
management, with a specific call for moreD
formal risk considerations in managing
an organization’s deployment of specific strategic initiatives.
This sentiment is evidenced by FederalEReserve Governor Randall S. Kroszner’s
October 2008 speech where he argued that
A financial institutions must improve
the linkage between overall corporate strategy and risk management given that
N
“survivability will hinge on such an integration.”
Governor Kroszner noted that
many firms have forgotten the critical importance
of undertaking an adequate
D
assessment of risks associated with the overall corporate strategies.3
R
This shift toward greater expectations for effective enterprise-wide risk management oversight is complicated by the fact
A that the volume and complexities of
risks affecting an enterprise are increasing as well. Rapid changes in information
technologies, the explosion of globalization and outsourcing, the sophistication of
1
business transactions, and increased competition
make it that much more difficult
for boards and senior executives to effectively oversee the constantly evolving
1
complex portfolio of risks.
Even before the recent financial crisis,2
board members believed that risks were
increasing. Ernst & Young’s 2006 report,3“Board Members on Risk,” found that
72 percent of board members surveyed believed that the overall level of risk that
companies face has increased in the pastTtwo years, with 41 percent indicating
that overall levels of risk have increased S
significantly.4 Given recent events, that
concern is only heightened. Similarly, management has a comparable observation.
IBM’s 2008 “Global CFO Study” reported that 62 percent of enterprises with revenues greater than $5 billion encountered a major risk event that substantially
affected operations or results in the last three years and nearly half (42 percent)
stated that they were not adequately prepared.5
Many of the risks threatening an enterprise are difficult to see and manage,
given their systemic nature. However, while many risks may be unknown, they
often have a similar impact. Management and boards of directors are increasingly
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c03
JWBT177-Simkins
October 24, 2009
9:16
Printer Name: Hamilton
ERM AND ITS ROLE IN STRATEGIC PLANNING AND STRATEGY EXECUTION
33
being held accountable for considering the probabilities and impact of various
possible risk scenarios tied to their overall business strategies, even for risk events
that may not be foreseeable. For example, the events of 9/11 and the catastrophic
impact of Hurricane Katrina, although “unknown” by most, had similar impacts:
loss of employees, destroyed operations, damaged IT infrastructure, lack of cash
flow, and so on. Management and boards are not expected to predict the next
9/11–type event, but they are expected to consider and be proactive about thinking
of responses to events (whatever the cause) that might have a similar impact. That
is, management should have a plan for any significant scenario that might lead
to consequences that might be detrimental to its core strategy, such as a loss of
employees, destroyed operations, damaged
G IT infrastructure, lack of cash flow,
drastic shift in regulations, and so on.
A
The rise in the volume and complexities of risks is complicated by the fact
T and senior executives are dated, lack
that many of the techniques used by boards
sophistication, and are often ad hoc. Few boards
E and senior executives have robust
key risk indicators that provide adequate data to recognize shifts in risks patterns
within and external to their organizations,Sresulting in an inability to proactively
alter strategic initiatives in advance of risk
, events occurring. This has created an
“expectations gap” between what stakeholders expect boards and senior executives to do regarding enterprise-wide risk management and what they actually
are doing.
D
In response to these changing trends, organizations are embracing ERM because it emphasizes a top-down, holistic E
approach to effective risk management
for the entire enterprise. The goal of ERM is
Ato increase the likelihood that an organization will achieve its objectives by managing risks to be within the stakeholders’
N ultimately not only protect but also
appetite for risk. ERM done correctly should
create stakeholder value.
D
R
A
ERM differs from a traditional risk management approach, frequently referred to
ERM Positioned as Value-Adding
as a “silo” or “stovepipe” approach, where risks are often managed in isolation.
In those environments, risks are managed1by business unit leaders with minimal
oversight or communication of how particular risk management responses might
affect other risk aspects of the enterprise,1including strategic risks. Instead, ERM
seeks to strategically consider the interactive
2 effects of various risk events with the
goal of balancing an enterprise’s portfolio of risks to be within the stakeholders’
appetite for risk. The ultimate objective is3to increase the likelihood that strategic
objectives are realized and value is preserved
T and enhanced.
Several conceptual frameworks have been developed in recent years that proS effective ERM processes. In 2004, the
vide an overview of the core principles for
Committee of Sponsoring Organizations of the Treadway Commission (COSO)
issued its “Enterprise Risk Management—Integrated Framework,” with this
definition of ERM (see www.coso.org):
Enterprise risk management is a process, effected by the entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed
to identify potential events that may affect the entity, and manage risk to be within the risk
appetite, to provide reasonable assurance regarding the achievement of entity objectives.
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c03
JWBT177-Simkins
34
October 24, 2009
9:16
Printer Name: Hamilton
Overview
Note that ERM is directly related to “strategy setting.” For ERM to be value
creating, it must be embedded in and connected directly to the enterprise’s strategy.
Another part of this definition refers to the goal of ERM, which is to help the
enterprise achieve its core objectives. So, to be effective, ERM must be part of the
strategic planning process and strategy execution processes.
The Conference Board’s 2007 research study, “Emerging Governance Practices in Enterprise Risk Management,” notes that while many organizations are
engaging in some form of ERM, only a few have full-fledged ERM program
infrastructures.6 Many of these organizations initially launched their ERM efforts
out of a compliance function, such as compliance with SOX, emerging privacy
legislation, and environmental regulations.
GMore boards and senior executives are
now working to shift their ERM approach from a compliance orientation to a
A
strategic orientation, consistent with the view that an enterprise-wide approach to
T A 2008 survey, “The 2008 Financial
risk management should be value enhancing.
Crisis: A Wake-Up Call for Enterprise Risk
E Management,” by the Risk and Insurance Management Society (RIMS) found that about 65 percent of the businesses
S a strategic risk management system.7
surveyed have begun or plan to implement
,
Board Demands for More Strategic Risk Management
Boards are feeling an increasing pressureD
to strengthen their overall oversight of
the enterprise’s risk management processes, with a stronger emphasis on strategic
E Conference Board’s “Overseeing Risk
risk management. Recent reports, such as the
Management and Executive Compensation”
A report issued in December 2008, note
that while companies report some progress in developing an enterprise-wide risk
N
management program, it has yet to be adequately
embedded in strategy execution
8
and entity culture.
D
Boards are becoming more aggressive at pushing management to reassess vulR
nerabilities in existing risk management processes and to begin strengthening the
soundness of its risk management analysis
A to the company’s strategic setting activities. Benchmarking surveys about the state of ERM consistently find that the
launch of ERM is often tied to the board’s (more specifically the audit commit1
tee’s) demand for more robust risk management
processes. Boards are now asking
management about their risk oversight processes and they are adding formal risk
1
discussions to their agendas on a regular basis.9 Boards are also seeking to take
a strategic view of Governance, Risk and 2
Compliance (GRC) by setting and articulating the organization’s “Enterprise Risk
3 Policy and Appetite” and the role of
each GRC function.10 Despite these emerging trends, board members still believe
they need to have a better handle around T
issues affecting strategic risk.
S
INTEGRATING RISK INTO STRATEGIC PLANNING
Successful deployments of ERM in strategic planning seek to maximize value when
setting strategic goals by finding an optimal balance between performance goals
and targets and related risks. As management evaluates various strategic alternatives designed to reach performance goals, it includes related risks across each
alternative in that evaluation process to determine whether the potential returns
are commensurate with the associated risks that each alternative brings. It also considers how one strategic initiative might introduce risks that are counterproductive
Copyright ©2010 John Wiley & Sons, Inc.
P1: OTA/XYZ
P2: ABC
c03
JWBT177-Simkins
October 24, 2009
9:16
Printer Name: Hamilton
ERM AND ITS ROLE IN STRATEGIC PLANNING AND STRATEGY EXECUTION
35
to goals associated with another strategy. At that point, management is in a better
position to evaluate various strategic alternatives to ensure that the combined risks
that the entity might take on are within the stakeholders’ appetite for risk and that
they collectively support the strategic direction desired.
Considering risk during strategy planning also creates an ability to seize risk
opportunities. Again, the goal of ERM is to preserve and enhance value. In some
situations, ERM may reveal areas where the enterprise is being too risk averse
or is ineffectively responding to similar risks that exist across multiple silos of
the enterprise. In other situations, ERM may identify risk opportunities that may
create potential increased returns to the enterprise. If risks are ignored in strategy,
risk opportunities may be overlooked. G
A consumer products company’s experience illustrates the advantage of conA
necting strategy and risks. As part of its sales strategy, the company sought to
increase revenues by strategically aligningT
with a key distributor customer through
electronic reordering systems. As part of this
E alliance, the consumer products company entered into contracts requiring the automatic shipment of products to the
retail customer’s distribution warehousesSwithin two-hour increments upon receipt of the customer’s electronic reorder purchase
request.
,
As the consumer products company began to launch its ERM processes, senior
management quickly discovered a huge potential threat to this strategic arrangement with the retail customer. The company’s
D information technology (IT) disaster
recovery processes were set to be within acceptable tolerance limits established by
the IT group. In an effort to balance costsEwith perceived IT needs, the IT group
had put recovery procedures in place to fully
A restore IT-based sales systems within
a two-day (not two-hour) period. When core sales executives learned about this recovery time frame, they quickly partneredN
with IT to reduce recovery thresholds to
shorter windows of time. Had they not linked
D IT’s disaster recovery response risks
with the sales strategies to fulfill customer orders within two-hour increments, a
R
looming IT disaster could have significantly affected their ability to achieve sales
goals, thus compromising the enterprise’sA
ability to achieve strategic goals. ...
Purchase answer to see full
attachment