Enterprise Risk Management Leadership & Culture
Leadership and Culture
(Minimum of 750 words for each question, this excludes the reference section at the bottom from
your word count. You are also required to use a minimum of FOUR scholarly external sources
references. Use proper APA guidelines, you only have to make reference to the author and year
of publication in your in-text reference, but APA guidelines encourage you to also provide the
page number. Failure to do so will result in an incomplete with 0 points for the question)
1. Explain two specific enterprise risk management strategies that a Board of Directors would
use to delete their responsibilities of ERM. (750 word minimum)
2. Explain the meaning of the phrase “companies must incur risk in order to run their business
and maximize returns for stakeholders.” Give two specific examples. (750 word minimum)
P1: OTA/XYZ
P2: ABC
c04
JWBT177-Simkins
October 24, 2009
9:17
Printer Name: Hamilton
CHAPTER 4
The Role of the Board of Directors and Senior Management in Enterprise Risk Management
BRUCE C. BRANSON
Professor of Accounting and Associate Director, Enterprise Risk Management Initiative, North Carolina State University
INTRODUCTION
The oversight of the enterprise risk management (ERM) process employed by an organization is one of the most important and challenging functions of a corporation’s board of directors. In concert with senior management of the company, the board must establish the appropriate “tone at the top” to ensure that risk and risk management considerations remain at the forefront of strategic and operating decisions made within the business. The 2008–2009 global financial crisis and the rapidly deteriorating global economy have created a context in which companies now face risks that are more complex, more interconnected, and potentially more devastating than ever before. Failure to adequately acknowledge and effectively manage risks associated with decisions being made throughout the organization can and often does lead to potentially catastrophic results.
We need look no further than to the current status of the financial services sector to observe the devastation associated with poorly monitored and managed risk taking. Risks associated with credit quality, liquidity, market disruptions, and reputation have all contributed to unprecedented bankruptcies, bank failures, federal government intervention, and rapid (and forced) consolidation within the industry. The fallout from this financial cataclysm spread quickly to the broader economy, as companies in almost every industry have suffered from the effects of a global credit freeze, dramatic reductions in consumer demand, and extreme volatility in commodity, currency, and equity markets.
Copyright ©2010 John Wiley & Sons, Inc.
The perception that aggressive and unchecked risk taking has been central to the breakdown of the financial and credit markets has led to increased legislative and regulatory focus on risk management and risk prevention. In this environment, boards and companies must be aware that regulators and the legal system may apply new standards of conduct, or reinterpret existing standards, to increase board
responsibility for risk management. Boards cannot and should not be involved
in the actual day-to-day management of risks encountered by the companies they
serve. The role of the board is to ensure that the risk management processes designed and implemented by senior executives and risk management professionals
employed by the company act in concert with the organization’s strategic vision, as
articulated by the board and executed by senior management. As well, the board
must exercise significant oversight to be confident that risk management processes
are functioning as designed and that adequate attention is paid to the development
of a culture of risk-aware decision making throughout the organization.
By actively exercising its oversight role, the board sends an important signal to the company’s senior management and its employees that corporate risk management activities are not roadblocks to the conduct of business nor a mere “check-the-box” activity. Executed properly, ERM can and should become an integral component of the firm’s corporate strategy, culture, and value-creation process. The board can provide direction and support for the ERM effort, but without one or more risk champions within the executive leadership, most ERM programs are destined to fail. Thus, there is a shared responsibility between the members of the board and the senior management team to nurture a risk-aware culture in the organization that embraces prudent risk taking within an appetite for risk that aligns with the organization’s strategic plan.
The company’s ERM system should function to bring to the board’s attention the company’s most significant risks and allow the board to understand and evaluate how these risks may be correlated, the manner in which they may affect the company, and management’s mitigation or response strategies. It is critically important for board members to have the experience, training, and intimate knowledge of the business required in order to make meaningful assessments of the risks that the company encounters. The board must also consider the best organizational structure to give risk oversight sufficient attention at the board level. In some companies, this has driven the creation of a separate risk management committee of the board. For other organizations, it may be reasonable for these discussions of risk to occur as a regular agenda item for an existing committee such as the audit committee, enhanced by periodic review at the full board level. No one size fits all, but it is vitally important that risk management oversight be a board priority.
This chapter addresses the proper role of the board of directors in corporate risk management. It identifies the legal and regulatory framework that drives the risk oversight responsibilities of the board. It also clarifies the separate roles of the board and its committees vis-à-vis senior management in the development, approval, and implementation of an enterprise-wide approach to risk management. Finally, the chapter explores optimal board structures to best discharge their risk oversight responsibilities.
GOVERNANCE EXPECTATIONS FOR BOARD
OVERSIGHT OF RISK MANAGEMENT
The risk oversight responsibility of boards of directors is driven by a variety of
factors. These factors include the fiduciary duty owed to corporate shareholders,
which is a function of state law; U.S. and foreign laws and regulations such as the
recently enacted Emergency Economic Stabilization Act of 2008 (EESA) and the
Sarbanes-Oxley Act; New York Stock Exchange (NYSE) listing requirements; and
certain established corporate best practices. As well, the risk of damage to corporate
reputation from shareholder activism or adverse media coverage for companies
believed or found to possess inadequate risk management capabilities also strongly
contributes to the desirability of sound risk oversight by corporate boards.
The Delaware courts (which serve to establish law for a wide swath of corporate America) have developed guidelines for board oversight responsibilities through a series of court cases that have dealt with purported violations of the fiduciary duties of care and loyalty that are owed to the company by members of the board. The Delaware Chancery Court has stated[1] that director liability for a failure of board oversight requires a “sustained or systemic failure of the board to exercise oversight—such as an utter failure to assure a reasonable information and reporting system exists.” To avoid liability, boards should ensure that their organizations have implemented comprehensive monitoring systems tailored to each category of risk. The board should periodically review these monitoring systems and make inquiries of management as to their robustness. The board should also consider retaining outside consultants for an independent assessment of the adequacy of the methodology that has been implemented. The company’s general counsel may also be utilized to provide an assessment as to whether the board has effectively fulfilled their oversight responsibility for the ERM program.
The board should be especially sensitive to so-called “red flags,” or violations of existing risk limits established by the risk management team. These violations must be investigated by the board or delegated to the appropriate manager for investigation, and the board should document their actions in minutes that accurately convey the time and effort spent by the board in reviewing the deviation from established policies. To preserve their liability shield, boards must ensure that the monitoring system in place includes reports on significant regulatory matters (such as fines that have been levied against the company) that may be used as evidence in shareholder litigation. The board should treat such a report as a red flag and investigate appropriately.
Corporate risk management issues have recently appeared in two important examples of federal regulatory oversight—the EESA and the Sarbanes-Oxley Act. Also, companies with foreign operations must be cognizant of the legal requirements in each of the locales in which they do business. Whether or not a particular piece of legislative rule making that relates to risk management directly applies to the company and board, such laws and regulations will undoubtedly influence the activities that a company undertakes. Given the current environment and enhanced focus on risk management and risk oversight, a failure by the board to adequately oversee a system of compliance with legal requirements can raise issues under state law with respect to the board’s fiduciary duties, but also can provide opportunities for litigators to highlight such failures in other claims against the company and board, such as tort liability or even criminal liability. It is imperative that the board is aware of all material legal requirements applicable to the company, and the company should take care to include these risks in the development of their ERM program.
The most recent example of federal legislation that includes an explicit focus
on risk management is the Troubled Asset Relief Program (TARP) contained in
the EESA. The act requires that boards of financial institutions participating in the
TARP Capital Purchase Program (CPP) institute certain restrictions on executive
compensation that relate to corporate risk taking. Specifically, participants in the
TARP CPP must comply with the requirements illustrated in Box 4.1. Although
these requirements apply only to financial institutions participating in the CPP,
they do provide insight into federal concern over the issue of how compensation
programs may contribute to excessive risk taking. Because of this concern, companies that are not directly affected by these requirements should still consider
reviewing their compensation plans to determine whether the compensation
structure encourages excessive risk taking. To the extent that incentive compensation is externally viewed as a source of inappropriate risk, the interaction
between compensation and risk may inevitably find its way into other legislative
and regulatory responses and/or become a focus of shareholder activism and undesirable media attention.
Box 4.1 Executive Pay Requirements under the Troubled Asset Relief Program Capital Purchase Program*
In order to comply with Section 111(b)(2)(A) of EESA for purposes of participation in the program, a financial institution must comply with the following three rules:
(1) Promptly, and in no case more than 90 days, after the purchase under the program, the financial institution’s compensation committee, or a committee acting in a similar capacity, must review the [senior executive officer (SEO)] incentive compensation arrangements with such financial institution’s senior risk officers, or other personnel acting in a similar capacity, to ensure that the SEO incentive compensation arrangements do not encourage SEO’s to take unnecessary and excessive risks that threaten the value of the financial institution.
(2) Thereafter, the compensation committee, or a committee acting in a similar capacity, must meet at least annually with senior risk officers, or individuals acting in a similar capacity, to discuss and review the relationship between the financial institution’s risk management policies and practices and the SEO incentive compensation arrangements.
(3) The compensation committee, or a committee acting in a similar capacity, must certify that it has completed the reviews of the SEO incentive compensation arrangements required under (1) and (2) above. These rules apply while the Treasury holds an equity or debt position acquired under the program.
* Excerpted from Treasury Department Notice 2008-PSSFI.
The Sarbanes-Oxley Act of 2002 imposes significant requirements on companies and their boards, including audit committee oversight of internal and
external auditors, certification of quarterly and annual financial statements and
periodic reports by the chief executive officer and chief financial officer, maintenance of well-functioning financial reporting and disclosure controls, enhanced
disclosure of financial measures not based on generally accepted accounting principles (GAAP), and a ban on personal loans to directors and officers. Although
not directly tied to the risk oversight responsibilities of boards, compliance with
Sarbanes-Oxley requirements involves risk management issues. As an example, in
determining the effectiveness of controls over financial reporting, or in the financial statement certification process, the company should focus on whether material
risks are identified and disclosed. In their review of the company’s compliance
with Sarbanes-Oxley requirements, the board should make inquiries as to whether these risk management issues have been acknowledged.
The New York Stock Exchange (NYSE) imposes specific risk oversight obligations on the audit committee of an NYSE-listed company. These NYSE rules require that an audit committee “discuss policies with respect to risk assessment and risk management.”[2] Box 4.2 provides an excerpt from the NYSE corporate governance rules germane to this requirement. These discussions should address major financial risk exposures and the steps the board has taken to monitor and control these exposures, including a general review of the company’s risk management programs. As the NYSE commentary indicates, the rules permit a company to create a separate committee or subcommittee (often a separate risk committee of the board) to be charged with the primary risk oversight responsibility. This is subject to the need for the risk oversight processes conducted by that separate committee or subcommittee to be reviewed in a general manner by the audit committee, and for the audit committee to continue to discuss policies with respect to risk assessment and management. As in our earlier discussion concerning the TARP certification requirements for those financial institutions participating in the CPP, these rules only apply to NYSE-listed firms. Yet, it seems prudent for all boards to acknowledge that they may be subject to “best practice” standards in the eyes of their shareholders and the general public.
Box 4.2 Excerpt from the NYSE’s 2004 Final Corporate Governance Rules*
Among numerous other responsibilities, duties, and responsibilities of the audit committee include:
(D) Discuss policies with respect to risk assessment and risk management;
Commentary: While it is the job of the CEO and senior management to assess and manage the company’s exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the company’s major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken. Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee.
* “Final Corporate Governance Rules,” New York Stock Exchange (2004) www.nyse.com.
Boards should also take advantage of industry-specific regulators (such as the Federal Reserve and the FDIC in the banking industry) and specialized risk management organizations that have published best practice guidance. The Committee of Sponsoring Organizations of the Treadway Commission (COSO), a private-sector organization sponsored by professional accounting associations and institutes, has developed an ERM framework that promotes an enterprise-wide perspective on risk management. That document emphasizes the role of the board in risk management in its definition of ERM:
Enterprise risk management is a process, effected by the entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives.[3] (emphasis added)
The COSO integrated framework provides a valuable benchmarking tool and offers detailed guidance on how a company may implement enterprise risk management procedures in its strategic planning efforts and across the entire organization. The COSO ERM framework presents eight interrelated components of risk management: (1) the internal environment (the tone of the organization), (2) objective-setting, (3) event identification, (4) risk assessment, (5) risk response, (6) control activities, (7) information and communications, and (8) monitoring. The COSO enterprise risk management framework has become well accepted as a development tool for organizations seeking to initiate and/or improve on an ERM program.
In 2007, Standard & Poor’s (S&P) announced
a major initiative to incorporate
an explicit evaluation of ERM programs as part of their credit ratings analysis of
companies. S&P has actively evaluated the ERM practices of financial institutions,
insurance companies, and the trading operations of many large energy companies
for some time. Beginning in late 2008, S&P extended this evaluation to nonfinancial
issuers. Box 4.3 provides an excerpt from the S&P announcement that highlights
their expectations for board involvement in risk management activities. It is clear
that they expect active and engaged board-level participation in the establishment
of the proper “tone at the top” as well as in the approval and monitoring of specific
risk policies the firm develops.
Box 4.3 Excerpt from Standard & Poor’s “PIM Framework for Assessing ERM Practices”*
In November 2007, Standard & Poor’s issued a request for comment titled, Criteria: Request For Comment: Enterprise Risk Management Analysis For Credit Ratings Of Nonfinancial Companies, which announced S&P’s proposal to expand its analysis of ERM processes as part of its credit-rating assessments into 17 different industries.** S&P has developed an ERM assessment framework—the “PIM Framework” denoting policies, infrastructure, and methodology—to assess the robustness of enterprise risk management practices within an entity as part of the credit evaluation process. Within the PIM framework, S&P views “risk governance” as the foundation of the evaluation structure. Several components of risk governance include activities involving the board of directors:
• In consultation with the business, the institution has established risk policies that would be approved by the board’s risk committee.
• The institution ensures that periodic dialogue takes place among the board, business heads, and group risk management on the appropriateness and relevance of the various key financial and nonfinancial risk metrics.
• Ensure that the board is well engaged with ERM initiatives within the organization and is to some degree setting the tone.
* “Assessing Enterprise Risk Management Practices of Financial Institutions,” Standard & Poor’s (2006). www.standardandpoors.com.
** “Criteria: Request for Comment: Enterprise Risk Management Analysis For Credit Ratings on Nonfinancial Companies,” Standard & Poor’s (2007). www.standardandpoors.com.
Reputational damage resulting from the lack of adequate risk oversight is present even without mandated requirements to adhere to specific risk management–related laws, regulations, stock exchange listing rules, and best practices. Even absent any actual legal exposure, the board of a company whose excessive risk taking leads to a crisis or poor financial and/or operating performance will
likely face significant criticism in the press and from shareholders. In these circumstances, the board may also be faced with proxy contests, either from a competing
slate of directors standing for election or through other shareholder resolution
campaigns. Proxy attacks against directors viewed as responsible for failures of
risk oversight have become more and more common. The business press has also
highlighted and targeted directors that they view as underperforming. With the
enhanced attention being paid to risk oversight and management, one can expect
increased pressure on companies perceived to have taken on excessive levels of
risk or who have been found to lack robust risk oversight capabilities.
DELEGATION OF RISK OVERSIGHT
TO BOARD COMMITTEES
Many boards find it helpful to assign primary risk oversight responsibility to a
committee of the full board. This committee is charged with directly overseeing
the risk management function and should receive regular reports on the status
of the ERM process from those members of senior management responsible for
risk management for the enterprise. This committee, in turn, should make regular
reports to the full board to ensure that the board as a whole has an understanding
of the risk profile of the entity and can then engage in strategic, risk-informed
decision making appropriate to their leadership role.
In many instances, boards delegate primary responsibility for risk oversight to the audit committee, in spite of the audit committee’s seemingly overwhelming list of responsibilities related to financial reporting and the internal/external audit function. Audit committees are the most common board committee to be charged with performance of oversight duties over management’s risk policies and guidelines, and they are being asked to discuss with management the enterprise’s key risk exposures—including risk exposures beyond financial reporting related risks. A recent Conference Board study of audit committee charters of Fortune 100 companies reported that 66 percent of these companies place primary risk oversight responsibility on the audit committee, using language similar to the examples illustrated in Box 4.4 for the Coca-Cola Company, Wal-Mart Stores, and Apple.[4]
Audit committees (or other board committees) that have been charged with this responsibility for risk oversight are increasing their demands on management for more information about risk management processes and for up-to-date information about management’s assessment of key risk exposures. Within senior management, it is often the chief financial officer (CFO) or chief audit executive (CAE) who has been asked to take the lead in risk management efforts for the organization. The 2006 Conference Board report, “The Role of U.S. Corporate Boards in Enterprise Risk Management,” reports that the executive most frequently cited by directors as responsible for informing the board on risk issues is the CFO—with more than 70 percent reporting this relationship. However, in growing numbers, organizations are creating Chief Risk Officer (CRO) positions to serve as the risk leader or “champion,” while others are creating executive-level risk committees comprised of the CFO, CRO, general counsel, executives in charge of strategy and internal audit, and/or other key business unit leaders to lead the ERM effort.
FORMALIZING RISK MANAGEMENT PROCESSES
The complexity and sheer number of risks affecting organizations has expanded at a rapid pace over the past decade. Boards and senior executives are increasingly feeling the pressure to respond to these increased demands on their time and expertise. A 2007 study, “Board Members on Risk,”[5] reports that 72 percent of board members who participated in the survey believe that the overall level of risk that the organizations they serve currently face has increased in the past two to three years, with 41 percent indicating that the overall level of risk has increased significantly. Senior executives and their boards are realizing that the practice of managing risk informally or on an ad hoc basis is no longer tolerable and that, in many instances, current processes have proved inadequate in today’s rapidly evolving business world.
Box 4.4 Illustrative Language from Audit Committee Charters
Below are excerpts from three audit committee charters that provide examples of audit committee involvement in risk oversight:
1. The Coca-Cola Company’s Audit Committee Charter states that one of the 14 responsibilities of the Audit Committee of the Board of Directors includes:
Risk Assessment and Risk Management. The committee will review and discuss with management, the internal auditors, and the independent auditors the company’s policies and procedures with respect to risk assessment and risk management.
2. Wal-Mart Stores includes the following language in their Audit Committee Charter:
Discuss with management the company’s major financial risk exposures and the steps management has taken to monitor and control such exposures, including the company’s risk assessment and risk management policies.
3. The Audit and Finance Committee Charter of Apple states that one of the responsibilities of the committee is:
Review and discuss with Management (i) Management’s financial risk assessment and risk management policies, (ii) the Corporation’s major financial risk exposures and the steps Management has taken to monitor and control such exposures.
To address these concerns, many boards have adopted ERM as a process to develop a more robust and holistic top-down view of key risks facing the organization. Although the adoption of ERM is largely in response to emerging expectations for greater risk oversight, recent data shows that entities that outperform their peers are more likely to have developed a more formal risk management process.[6] Proponents of ERM stress that the goal of effective ERM is not to lower risk. Rather, ERM is designed to more effectively manage risks on an enterprise-wide basis so that stakeholder value is at least preserved, but hopefully enhanced. Said differently, ERM allows management and the board to make better, more “risk-intelligent,” strategic decisions. Recent evidence, cited above, seems to support this notion.
An ERM focus is assisting boards and senior executives to think about risks
more holistically. This is far different than traditional approaches to risk where
management has historically assigned risk oversight responsibilities to individual
functions or business units (these are often referred to as “silos” or “stove-pipes”
of the business in the language of ERM). The common result of a stove-pipe approach to risk management is that risks are often managed inconsistently or within
each individual risk manager’s personal tolerance for risk. More importantly, these
risks may be effectively managed within an individual business unit to acceptable
levels, but the risk responses or treatments selected by the manager may unknowingly create or add to risks for other units within the organization. Furthermore,
traditional silo-based approaches to risk management often fail to anticipate that
certain risk events may be correlated with other risk events, triggering a cascading
series of risk exposures. Often the net result when risks are managed in this manner
is an increase (rather than reduction) in the overall risk exposure for the enterprise.
SENIOR EXECUTIVE LEADERSHIP IN RISK MANAGEMENT
An ERM approach to risk management requires a top-down view of risks faced by the organization. Visible leadership from and embrace by the senior executive team is a critical component to an effective ERM process. Those organizations that have started down the ERM path attest to the reality that the adoption of a holistic view of risks, which requires that risk information be shared transparently across silos within the organization, requires a significant change in the corporate culture or mindset of management at all levels within the enterprise. As employees across the organization are held accountable for the ownership of risks within their areas of responsibility, senior executive leadership is needed to reinforce the importance of this movement toward a more transparent, enterprise-wide view of risk management.
The CFOs are uniquely positioned to lead the overall enterprise risk management effort. CFOs are already intricately involved in providing an overall view of the organization from a financial risk perspective, which gives them an enterprise-wide understanding of the key activities that drive performance. CFOs also have an existing relationship with the audit committee. Thus, as audit committees turn to management to strengthen the enterprise’s approach to risk management, they are naturally turning to CFOs to kick-start the process.
CFOs have responded to these new challenges by designing basic structures for identifying and assessing risks across the enterprise. For many, this begins by defining risk terminology or developing common definitions of key risk concepts so that risk management approaches are implemented consistently across the enterprise. Providing a clear definition of risk terms (including a discussion of whether “risk” represents both risky opportunities and downside risks) is often the required first step. Once risk is defined, senior management can then survey the organization to identify potential risk drivers and risk events through questionnaires, interviews, risk workshops, and external risk scanning to generate an inventory of risks that may pose potential threats and/or opportunities for the enterprise.
Leadership is needed to ensure that risks are assessed consistently across the organization. Risk champions at the senior executive level must develop procedures
to govern how risks are to be assessed, not only from a likelihood or probability
perspective, but also from an impact perspective in order to prioritize those risks
most important for senior executive and board oversight. Based on risk rankings,
reflecting probability and impact assessments, management is now in a position to
identify those risks with the greatest need for the development of an appropriate
risk response. Senior executives should then identify key risk indicators that can be
included in management information reports to allow for proactive management
of these risks on an ongoing basis.
The above discussion provides an abbreviated overview of the core elements
of an ERM approach, and also illustrates the nature of risk management leadership
that the audit committee and board are expecting from the senior executive team.
Later chapters are devoted to a thorough discussion of tools and techniques that
identify and assess risks and that develop appropriate treatment strategies tailored
to the specific risks encountered.
THE ROLE OF THE INTERNAL AUDIT FUNCTION IN ERM
The CFO and other senior executives formally lead the ERM effort, but internal audit plays a major role in supporting the risk management process. In many cases, audit executives who lead the internal audit function have often initiated the ERM launch within their organizations. Although internal audit is naturally involved in risk management activities, there are specific roles the internal audit function should and should not assume throughout the ERM process. Internal audit should provide an assurance service on risk management processes, giving assurance that risks are evaluated correctly, evaluating risk management processes, evaluating the reporting of key risks, and reviewing the management of key risks. However, internal audit should not be involved in developing the risk management process for board approval, imposing risk management processes, making decisions on risk responses, managing identified risks, or establishing the enterprise’s risk appetite. The internal audit’s role should be to monitor the effectiveness of ERM processes designed and implemented by senior management. Direct reporting of the internal audit function’s monitoring activities puts audit committees in a position to be more objectively informed about the effectiveness of management’s risk management processes, including the accuracy and completeness of risk information they receive directly from senior management.
EXTERNAL AUDIT AS AN INDEPENDENT SOURCE OF KEY RISK IDENTIFICATION
Audit committees also exert pressure on their external auditors to share risk in-
formation they glean from audits of financial statements and, for publicly traded
entities, the audit of internal controls over financial reporting required by the
Sarbanes-Oxley Act. In the process of understanding the entity and its environment
(a requirement for financial statement audits to be conducted in conformance with
auditing standards), external auditors are likely to identify key business risks affecting the enterprise. Auditors of publicly traded companies may also identify
deficiencies in risk responses as they assess the effectiveness of internal controls
surrounding core business processes that affect financial reporting. Proactive audit
committees recognize that the external auditor can serve as a rich source of risk
information that can assist the audit committee in challenging the completeness
of risk inventories prepared by management. External auditors recognize that this
contribution is a value-added activity for their clients and respond with greater
dialogue about key risks when participating in executive sessions with the audit
committee.
While boards and senior executives are strengthening their risk oversight processes at a rapid pace, few entities are currently able to claim that they have fully
developed ERM processes in place. Most recognize that the implementation of
ERM is an evolutionary process, whereby risk oversight improves over time. Most
ERM proponents believe there is no “one size fits all” approach to enterprise risk
management. As boards and senior management strive to make real progress toward developing ERM processes into more mature business operating models,
they will need to be patient. Immediate success is rare—ERM must be viewed as a long-term cultural change and realistic expectations must be established for its implementation.
ERM IMPLEMENTATION STRATEGIES
In fulfilling its obligation to exercise oversight over risk management, the board or board committee charged with the primary responsibility for oversight should focus on the adequacy of the organization’s enterprise risk management system. Risk management must be tailored to the specific entity, but in general an effective ERM process will identify the significant risks that the organization faces in a timely manner, implement appropriate risk management strategies that are in concert with the company’s risk appetite and specific risk exposures, integrate the consideration of risk and risk management into strategic decision making throughout the company, and feature explicit policies and procedures that adequately transmit necessary information with respect to significant risks to senior management and, as appropriate, to the board or relevant committee. To accomplish these objectives, there are certain implementation strategies that can help the board and the senior executives delegate responsibility for the ERM program in designing and modifying the risk management function. The sections that follow discuss the following strategies:
• Role of the audit committee
• Role of the board
• Training
• Board composition
• Reporting
• Compliance
• Culture
Role of the Audit Committee
As discussed earlier in the chapter, most boards delegate primary oversight of risk
management to the audit committee, which is consistent with the NYSE corporate
governance rules illustrated in Box 4.2. That rule requires the audit committee to
discuss policies with respect to risk assessment and risk management. For many
companies, however, the scope and complexity of enterprise risk management may
dictate consideration of establishing a dedicated risk management committee of the
board in order to force increased attention at the board level on risk management
and oversight. The NYSE listing requirement permits boards to so delegate the
primary risk oversight function to a different board committee, subject to limited
continuing audit committee oversight.
The audit committee may not always be the best choice for providing direct
oversight of the ERM program at the board level. Given the significant responsibilities specifically mandated or delegated to it by the Sarbanes-Oxley Act, the audit
committee typically has a crowded meeting agenda and may not have sufficient
time and resources to devote to the optimal level of risk oversight. In addition, the
audit committee’s focus on compliance with financial reporting rules and auditing
standards is not necessarily the best approach for understanding the broad array of
risks faced by their organization. In fact, it may be argued that an intense focus on compliance may hinder certain risk awareness because once satisfaction is reached that a standard has been correctly followed, it is natural to then turn to new issues rather than to continue spending scarce time on an issue seemingly resolved. A recent example of this phenomenon may be found in the banking industry, where the creation of off-balance sheet entities (structured investment vehicles and trusts) conformed to applicable accounting guidance but, in hindsight, clearly contributed to the catastrophic escalation of risk that has led to financial ruin for many financial institutions.
If primary responsibility for risk oversight remains with the audit committee instead of a newly constituted risk committee, the audit committee should explicitly include dedicated agenda time for the periodic review of risk management policies and the status of key risks apart from its review of the financial statements and compliance issues. Although this will undoubtedly further burden the audit committee, it is critical to allocate necessary time and attention to the risk oversight role specifically. The goal should be to facilitate serious and thoughtful board-level discussion of the organization’s ERM process, the trends in the key risks the company encounters, and the robustness of the company’s policies, procedures, and actions designed to respond to and treat these risks.
Role of the Board
The primary board-level risk oversight role is typically delegated to a committee, but the full board is ultimately responsible for monitoring the ERM program. Hence, the board should devote meeting time to discuss and analyze information about the entity’s ERM program and the most significant risks impacting the company’s ability to achieve its strategic objectives. This can be accomplished through
reports delivered by the committee charged with risk management oversight
and by appropriately summarized versions of the materials provided by senior
management and advisors to that committee. Risk management issues also commonly arise in the context of the work of other committees. For example, the
compensation committee is charged with approval and oversight of the incentive
compensation arrangements for senior management personnel. These compensation agreements must be carefully structured to ensure that they do not create
incentives for the senior management team to take on risky projects (that breach
the board-approved risk tolerance or appetite of the organization) in an attempt
to maximize bonus compensation. Specialized committees may also be charged
with specific areas of risk exposure. Within financial institutions, for example,
credit, market, and asset/liability management committees are common, while
some boards of energy and manufacturing companies have committees largely
devoted to environmental and safety issues.
Training
In-depth knowledge of the organization’s fundamental operations is required for
understanding the implications of the key risks a company is exposed to and then
assessing the company’s planned responses to these risks. Director orientation and
training programs should be reviewed to ensure they provide enough substance
for directors to develop an understanding of the company’s businesses. These programs should also discuss the company’s risk inventory and provide an overview of the ERM process employed by the entity. In addition to orientation programs for new directors, a company should consider the development of continuing education materials for directors on an ongoing basis, to supplement board and committee meetings. Participation in workshops offered through various organizations can help keep directors abreast of current industry and company-specific developments and specialized issues. Site visits by directors, either within the framework of the board meeting schedule or as part of a continuing education program, can be valuable for companies where a physical inspection is important for appreciating the business-unit risks that the company faces. These visits should allow directors to assess firsthand some of the health and safety, operational, and other risks facing the company much better than a prepared presentation or written communication.
Director training should be tailored to the issues most relevant and important to the particular company and its business. For example, investment banks that issue and trade complex securities and derivatives generally monitor their financial exposure to market risk through daily value at risk (VaR) calculations. Workshops or Web-based presentations to inform bank board members about the underlying assumptions and the approach to calculating the VaR statistic can be critical for understanding the risks the bank faces. Most business decisions are made in the context of the economic and political environments in which the various business units operate, and presentations that illuminate key aspects of these differences across the company will be useful to the board’s understanding of the company’s operations. Although there are presently no legal requirements that mandate continuing education for the board, these efforts can be extremely valuable in helping directors to discharge their duties and to avoid negative media attention that may follow announcements of bad news events.
Board Composition
Recent changes to corporate governance requirements and best practices guidance
have led many companies to enhance the independence and diversity of their
boards. There has also been a downward trend in the participation of senior executives on boards of unaffiliated entities. Because of this, companies are often
confronted with the fact that a significant portion of their boards may lack detailed
knowledge of the industry in which the company operates. Under these conditions, the importance of well-designed and executed orientation programs for new
directors and the creation of opportunities for continuing education for all members of the board are critical. As a function of this new environment, boards should
pay particular attention to the background and experience of the individual board
members asked to serve on the committee charged with oversight of the ERM
function.
As seats on the board open up due to retirements or the creation of additional
directorships, the board should aggressively recruit new members with relevant
industry expertise and, if possible, with a background that includes risk management experience. For boards on which the CEO serves as the sole representative
of the senior management team, it may be prudent to consider adding a second or third management representative, such as the COO, CFO, or chief risk officer (if a separate CRO position has been established), to provide an additional source of information in the boardroom on the company’s business, operations, and risk profile. Direct lines of communication between non-CEO executives and the board or relevant board committee should already be present. Actual membership on the board is likely to allow for more consistent and timely input from these senior executives to the board.
The board’s ability to perform its oversight role effectively is largely dependent on the flow of information that occurs among the directors, senior management, and the risk management executives in the organization. If the board is unsure whether they are receiving sufficient information to discharge their responsibilities, they need to be aggressive in their requests for that data. Directors must have adequate knowledge of such information as:
• The external and internal risk environment faced by the firm.
• The key material risk exposures affecting the company.
• The methodology employed to assess and prioritize risks.
• Treatment strategies for key risks.
• Status of implementation efforts for risk management procedures and infrastructure.
• The strengths and weaknesses of the overall ERM program.
Reporting
If the board has delegated primary risk oversight responsibility to a committee of the board, that committee should meet in executive sessions with the designated ERM leader in a manner analogous to the audit committee and its regular sessions
with the company’s internal auditor, and with senior management in connection
with CEO and CFO certifications of the financial statements. Senior risk managers
and the senior executive team need to be comfortable in informing the board or
relevant committee of rapidly emerging risk exposures that require the immediate
attention of the board. These reporting channels must be open at all times as a
complement to regular reporting procedures. As previously discussed, the committee charged with risk oversight should make regular reports to the full board to
keep them apprised of important changes in the organization’s risk profile and/or
exposure to key risks.
Compliance
Senior management should also provide the board with a comprehensive review
of the company’s legal compliance programs and how they affect the company’s
risk profile. There are a number of principles to consider when assessing the adequacy of compliance efforts. There should be a strong and visible “tone at the top”
emanating from both the board and senior management that emphasizes that noncompliance with corporate policy will not be tolerated. Actions of the board and
the senior executive team should provide an unambiguous signal to the organization that policies and procedures are to be followed scrupulously. The compliance
program should be designed by individuals with the appropriate level of expertise
and will typically include workshops and written materials. The full board should
review compliance policies periodically in order to assess their effectiveness and to make any revisions deemed prudent or necessary to conform to changes in applicable laws. To ensure that policies are respected, it is essential that there be consistency in enforcement through appropriate disciplinary measures. Finally, there should be a clear reporting system in place so that employees understand when and to whom they should report suspected violations.
Culture
In addition to the formal compliance program, the board must also encourage management to promote a corporate culture that understands the business case for risk management and incorporates it into its overall corporate strategy and day-to-day business operations. The enterprise risk management function cannot be viewed as a drag on the achievement of corporate objectives or isolated as a specialized corporate function, but instead should be established as an integral part of everyday decision making within the business units. Companies must incur risk in order to run their businesses and maximize returns for stakeholders. The board must recognize that there can be significant danger in excessive risk aversion, just as there is danger in unchecked risk taking. But the assessment of risk, the accurate weighing of risks versus rewards, and the informed response to risk exposures should be incorporated into all business decision making.
The company’s enterprise risk management structure should enable ongoing efforts to assess and analyze the most likely areas of future risk for the company. This process, often referred to as environmental scanning, is a key element of avoiding or successfully mitigating those risks before they become crises. In their review of the organization’s risk management processes, the board should ask senior management directing the ERM program to discuss with them the most likely sources of significant far-horizon risks and how the company is planning for any significant potential vulnerability.
CONCLUSION
As stated at the opening of this chapter, the oversight of the enterprise risk management (ERM) processes employed by an organization is one of the most important
and challenging functions of a corporation’s board of directors. It is the board’s
responsibility to work in concert with senior management of the company to
establish the appropriate “tone at the top” to ensure that risk and risk management remain at the forefront of strategic and operating decisions made within the
business. As a simple survey of the financial press would indicate, we find ourselves today in an environment in which companies face risk exposures that are
more complex, more interconnected, and potentially more devastating than ever
before. To ensure that they are faithfully discharging their fiduciary duties, boards
must adequately acknowledge and manage risks associated with decisions being
made throughout the organization and operate with the understanding that these
risks can and often do lead to potentially catastrophic results.
NOTES
1. In re Caremark International Inc. Derivative Litigation, 698 A.2d 959, 971.
2. “Final Corporate Governance Rules,” New York Stock Exchange (2004) www.nyse.com.
3. Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management – Integrated Framework, September 2004, www.coso.org, New York, NY.
4. “The Role of U.S. Corporate Boards in Enterprise Risk Management,” the Conference Board (2006).
5. “Board Members on Risk,” Ernst & Young (2007).
6. See “Balancing Risk and Performance with an Integrated Finance Organization – The Global CFO Study 2008,” IBM Global Business Services.
PART II
ERM Management,
Culture, and Control
CHAPTER 5
Becoming the Lamp Bearer
The Emerging Roles of the Chief Risk Officer
ANETTE MIKES
Assistant Professor of Business Administration, Harvard Business School
One of the greatest contributions of risk managers—arguably the single greatest—is just carrying a torch around and providing transparency.
—Chief Risk Officer, interviewed on November 17, 2006
Opinion has a significance proportioned to the sources that sustain it.
—Benjamin Cardozo (1870–1938)
Despite the widespread adoption of enterprise risk management (ERM) in the financial services industry, banks suffered hundreds of billions of dollars of losses during 2007–2008, stemming from risks that few executives had understood (Treasury Committee 2007a, 2007b). Under the shock of the first subprime-related loss disclosures, industry observers raised the question: “Where were the risk managers?” (Bookstaber 2007). In February 2008, a joint study by the Senior Supervisors Group—representatives of eight banking supervisory bodies—noted that, while “some firms recognized the emerging additional risks and took deliberate actions to limit or mitigate them . . . other firms did not fully recognize the risks in time to mitigate them adequately” (Senior Supervisors Group 2008, 2). The group emphasized significant differences in firms’ approaches to risk management, particularly in the design and scope of risk assessment and reporting practices.
Further, regulators and industry observers continue to call for the appointment
of executives who are exclusively devoted to the role of enterprise-wide risk oversight, particularly since one early victim of the subprime credit debacle, Merrill
Lynch, lacked a chief risk officer and another, Citigroup, was immediately blamed
for its ineffective risk oversight (American Banker 2008). Going forward, many argue
that the role of the chief risk officer is going to be further emphasized in corporate
governance. As Peter Raskind, National City Bank’s chief executive officer, argued
in an interview in the pages of the American Banker toward the end of the first year
of the subprime credit crisis: “This environment has absolutely underscored the
need for that person. But it’s not just credit risk. It’s operational risk, reputation
risk, and so on.”1
Risk management in banks is a relatively recent function. Under the leadership of chief risk officers, risk-management staff groups are currently carving
out their territory in response to uncertainties ranging from adverse asset-price
movements to borrower defaults and threats to the financial health of the enterprise. The visibility of risk management and, in particular, of the Chief Risk Officer
(CRO) has increased outside the banking industry, too. In a 2008 survey, consulting firm McKinsey tracked the diffusion of CRO appointments by industry in the
United States (Winokur 2009). McKinsey found that 43 percent of insurance companies had appointed a senior risk officer with enterprise-wide risk oversight, in
contrast to 19 percent in 2002. Other industries with a significant number of CRO
appointments include energy and utilities (50 percent of companies had a CRO in 2008), health care, and metals and mining (20 percent to 25 percent of companies were reported to have a CRO). Furthermore, it is widely expected that rating agencies will assess the quality and scope of ERM as part of their rating process going forward (Standard & Poor’s 2008; Ernst & Young 2008).
Enterprise risk management, under the leadership of CROs, has the promise to bring enterprise-wide risks, which threaten the achievement of the firm’s strategic objectives, into the open and under control. Its organizational significance is that, by providing a process to identify, measure, monitor, and manage uncertainty in strategic decision making, strategic planning, performance management, and deal-approval processes, it enables top management to maintain or alter patterns in risk taking.
This chapter addresses the question: How may chief risk officers realize that organizational significance? I draw on the existing practitioner and academic literature on the role of chief risk officers and on a number of case studies from my ongoing research program on the evolution of the role of the CRO. The first section deals with the origins and rise of the CRO and outlines four major roles that senior risk officers may fulfill. The following sections discuss and illustrate those roles.
THE ORIGINS OF THE CRO
In 1956, Harvard Business Review published “Risk Management: A New Phase of Cost Control,” in which Russell Gallagher called for a “workable program for ‘risk management’ . . . putting it under one executive, who in a large company might be a full-time ‘risk manager.’” The article proposed that, in the face of increasingly expensive insurance premiums, the “postwar battle for tighter cost controls” required a “concerted method of attack” on the management of risks and hazards—namely, the appointment of a professional insurance manager. So began
the saga of the chief risk officer in the world of insurance. Indeed, until recently,
most nonfinancial firms considered buying insurance to be the core task of the
risk-management function (Butterworth 2001).
The seeds of a more strategic role for the chief risk officer were sown in the
1970s. The publication of the Black-Scholes options-pricing model in 1973 triggered
the staggering rise of derivatives markets (Buehler et al. 2008) by enabling more
effective pricing and mitigation of risk. Over the next three decades, the world
of risk management in the financial services sector changed profoundly as banks
and securities houses created a “gigantic clearinghouse for packaging, trading and
transferring risks” (Buehler et al. 2008). Financial firms both created and took advantage of many important innovations to contain financial risks; the arsenal of
risk management was no longer limited to insurance policies. Increasing financial
sophistication resulted in two new risk-management strategies: (1) portfolio diversification, and (2) hedging. Energy companies, food producers, and other firms
followed suit in widening their risk-management toolkits as markets opened for
the trading of various industry-specific risks. However, as Merton observed, top
executives in most industries persistently regarded the application of derivatives
and other risk-management tools as essentially tactical and therefore delegated the
management of financial risk to a host of in-house financial experts such as insurance managers and corporate treasurers (Merton 2005). The dangers of delegation
and the resultant “silo” approach have been ruthlessly exposed by a number of corporate scandals over the last two decades and during the credit crisis of 2007–2008, as it became clear that many firms had taken large risks without an appropriate understanding of the long-term, firm-wide consequences, which, by 2009, had spread far beyond their organizations onto millions of stunned stakeholders and innocent bystanders.
The creation of the CRO role with a dedicated risk-management unit occurred intermittently at first; some of the earliest attempts took place in large financial services firms, often as a reaction to excessive investment losses. In 1987, Merrill Lynch, having suffered large losses on mortgage-backed securities in March of that year, appointed Mark Lawrence, a senior executive, to establish a dedicated risk-management unit. But because there was, as yet, no pressure to institutionalize this new organizational function, the role of CRO lacked credibility (Wood 2002) and the unit gradually lost power (Power 2005). GE Capital’s risk-management unit was an exception. James Lam, appointed chief risk officer in 1993, became the first to hold the role of integrated risk oversight with that title (Lam 2000). His unit, designed as an integral part of GE’s finance function, displayed a “rigorous process approach,” allocating risk-based approval authority down the business lines, applying data-driven analytics to identify and monitor risk, and strictly enforcing risk limits.2 In the early 2000s, Deutsche Bank created the position of CRO (Hugo Banziger) with the mandate to make the risk and profit implications of business-line decisions transparent. By then, the concept of a risk-management head had evolved from a defensive administrative “cop” to—at least in aspiration—a business partner and advisor in risk taking (Power 2005, 134; Wood 2002). This shifted the risk-management model (and the CRO) out of the back office and into the front line with a more strategic role. As the new risk-based capital adequacy reform (Basel II) gathered momentum, calls for assembling risk-management practices under the umbrella of a dedicated risk organization and under the oversight of a high-level executive intensified.
The rise of the CRO was not confined to the financial sector: Sulzer Medica
appointed a CRO in 2001, following legal losses, and Delta Airlines employed a
CRO in 2002 in response to the heightened concern for risks in the airline industry
following the 9/11 terrorist attacks (Power 2005).
Copyright ©2010 John Wiley & Sons, Inc.
Nevertheless, it was the increasing codification of enterprise risk management into various risk-management standards that accelerated the appointment of senior risk officers with an enterprise-wide risk oversight. Multi-disciplinary task forces in Australia and New Zealand published the first Risk Management Standard in 1995 (revised in 1999 and 2004) and other standard-setters followed suit (Ferma 2002; COSO 2003), successfully spreading the notion that enterprise risk management was good management. Several companies aspiring to be best-practice organizations adopted enterprise risk management and appointed chief risk officers to oversee its implementation (Aabo et al. 2005). McKinsey’s 2008 survey found that 10 percent of nonfinancial firms had CROs, up from 4 percent in 2002 (Winokur 2009).
In tandem with the rise of the chief risk officer and the dedicated risk-management function, the internal auditing profession also staked a claim on the risk-management domain (Koleman 2003). The Institute of Internal Auditors, an international professional association of certified internal auditors, included risk management as part of the audit profession’s competencies and stimulated the development of control risk self-assessment as the bedrock of enterprise risk management. Furthermore, external auditors had reinvented the financial audit to be more perceptive of the client’s business risk and associated risks, offering business-risk assessments simultaneously as an audit-planning tool and as an advisory mechanism. Overall, the shape of a risk-management services industry had become visible, with risk professionals, internal auditors, and external auditors competing to design and service the internal risk-management space of corporations (Power 2000).
Not surprisingly, CROs come from many walks of life, including internal audit, external audit, financial management, business management, and consulting. Industry surveys (PricewaterhouseCoopers 2007; Deloitte 2007; IBM 2005) show that CROs fulfill a variety of roles that nevertheless fall into two categories: (1) a compliance and control function on one hand, and (2) a more strategic “business partner” role on the other hand. Much of the industry debate prior to the subprime-credit crisis focused on how CROs ought to balance their compliance champion role with that of an active participant in business decision making. The credit crisis directed attention to a series of risk-management failures (Stulz 2009), particularly the gaps in financial institutions’ internal risk-assessment practices. Indeed, there is wide variation in the usefulness and reliability of the risk models used by various financial institutions (Tett 2008). My recent research indicates that firms’ risk-modeling initiatives vary in style and quantitative sophistication and that senior risk officers exercise a large degree of discretion in determining the use and mix of quantitative and qualitative risk-management tools (Mikes 2005, 2007b). This finding highlights the role of the CRO as a modeling expert who deploys a certain degree of quantitative enthusiasm or quantitative skepticism in the management of different risk categories (Mikes 2008b). Further, different CROs interpret their “business partner” roles differently. In a study of 15 chief risk officers, I found that some CROs strive to grasp the key strategic uncertainties affecting their organizations (whether measurable or not) and proactively help top management anticipate emerging strategic risks; these CROs play the role of strategic advisor. Other CROs confine their attention to the measurable risk universe and the production of “catch-all” metrics for aggregate risk taking and risk-adjusted performance; they enact the role of the strategic controller.
In sum, the role of the chief risk officer is not only multifaceted but also varies according to the industry, the emphasis the risk function places on compliance with regulatory and risk-management standards, and the extent and sophistication of the firm’s risk modeling. The next four sections turn in detail to the four major CRO roles, namely (1) compliance champion, (2) modeling expert, (3) strategic controller, and (4) strategic advisor.
THE CRO AS COMPLIANCE CHAMPION
The role of compliance champion entails advocating and policing compliance with pressing stakeholder requirements and keeping up with new regulations and standards affecting the design and roles of the risk-management function. Many CROs initiate a “risk policy framework”—a determination of what risks need to be addressed and by whom—on which the board and a senior executive then sign off. The risk policy framework fulfills several roles:
First, it sets the boundaries of acceptable risk taking by ensuring that the appropriate standards and controls are in place. As one senior risk officer put it, the framework tells the business lines “the rules of engagement, making sure that the do’s and the don’ts are sufficiently clear.”3 It is now widely recognized in risk-management circles that “both Barings’s and Société Générale’s losses were created by employees not following the processes.”4 Research on so-called man-made disasters has long established that complex organizations (in any industry) generate “normal accidents” (Perrow 1984) and routine errors that are suited to—and, indeed, called for—the creation of a specialist CRO role (Power 2004, 141). In such settings, CROs are pressure points in the border territory between risk controlling and risk taking; “the risk officer is not necessarily responsible for each risk type, but is responsible to ensure each risk-type owner has set appropriate standards.”5 Although the CRO supports and enhances the management of risk, detailed risk management remains the responsibility of line management.
Second, the risk policy framework advocates a shared understanding of the spectrum of risks the organization cares about; naturally, this spectrum changes over time. Some chief risk officers consider the creation of this shared understanding to be the key benefit of their work because it reinforces the company’s shared understanding of its strategic priorities. Hydro One’s chief risk officer, John Fraser, is a case in point. He maintains that enterprise risk management starts with top management agreeing about strategic objectives; then they develop a shared understanding of the principal risks (Mikes 2008a). Fraser acknowledges that his role was “not to give the answers” to the problems of the business but to facilitate the emergence of a shared understanding among managers. He achieved this in interactive risk workshops:
Enterprise risk management is a contact sport. Success comes from making contact with
people. Magic occurs in risk workshops. People enjoy them. Some say, “I have always
worried about this topic, and now I am less worried, because I see that someone else is
dealing with it, or I have learned it is a low probability event.” Other people said, “I could
put forward my point and get people to agree that it is something we should be spending
more time on, because it is a high risk.”6
Third, the risk policy framework gives chief risk officers a plan, a language, and the authority with which to oversee the development of risk-measurement and monitoring tools for each risk type. At a basic level, every risk function operates a host of templates with which to collect risk information, establish risk-assessment guidelines, and construct risk models that collect loss and other risk-related data to track the firm’s evolving risk profile. But there is a plethora of tools and practices for measuring and communicating risk and wide variation in their application even within a particular industry.
THE CRO AS MODELING EXPERT
In general, chief risk officers play a powerful role in selecting the people, processes, and systems that will define the scope of risk measurement and control in their organizations. The infrastructure of most modern risk-management functions contains a wide variety of risk models, processes, and information systems, the design of which requires the CRO to play the role of the modeling expert.
Deutsche Bank’s CRO, Hugo Banziger, recalled his early experiences with system-building:
I . . . had to build an entirely new organization from scratch. We designed a dedicated credit process; hired and trained credit staff, as there were no credit people with derivatives know-how in the market; built credit-risk engines with the help of traders; and created our own Potential Future Exposure model, using Monte Carlo simulations and stress-testing portfolios. After that, we had to build a credit system that could integrate all these functions and aggregate our derivative counterparty exposure globally. These were six very challenging years.7
Banziger is one of several chief risk officers who emphasize risk aggregation as well as risk measurement. As they see it, the creation of an aggregate view of quantified risks is the key benefit of implementing firm-wide risk models. Aggregating risk exposures had been a challenge to risk practitioners for a long time, largely due to the variety of risk measures applied to the different risk types and insufficient knowledge of the correlations between risk exposures, the diversification benefits, and the concentration penalties. The recent development of economic capital as a common-denominator measure for market, credit, and operational risks enables firms to aggregate their quantifiable risks into a total risk estimate.8 Indeed, Wood (2002) argues that the key role of the CRO is to fine-tune the calculation of economic capital for organizational-control purposes. Accordingly, recent works in the risk-management literature advocate risk-based internal capital allocations (measured by economic capital) for performance measurement and control. The ideal of introducing risk-based performance measurement in banks has emerged in tandem with developments in risk quantification and, importantly, risk aggregation.
Risk aggregation requires a high degree of modeling expertise on the part of the risk-management function; it entails the extension of risk analytics to uncertainties with explicable (but not yet known) properties and the adjustment of the measurement approaches as further data become available.
In a recent study, however, CROs voiced divergent opinions on the benefits and limitations of the available menu of risk-modeling initiatives (Mikes 2008b, 2009).
One group of CROs took a skeptical view, emphasizing that risk models were
useful tools for managing a narrow set of risks, such as those that lend themselves
to conventional statistical analysis (e.g., credit-card risks in a given geography and
consumer segment). Due to the homogeneity of such risk profiles and the large
number of data points, decisions in such areas could be automated. But these
CROs felt that, in less homogeneous business segments, such as lending to both
small enterprises and large corporations, risk models were intrinsically less reliable
(quantitative skepticism) and the judgment of veteran experts was essential. They
did not consider risk modeling accurate enough to produce an objective picture of
the underlying risk profiles, only to indicate the underlying trends.
Another group of CROs, however, were committed to extensive risk modeling and fostered a culture in which risk models were regarded as robust and relevant tools in decision making (quantitative enthusiasm), particularly in strategic planning and performance management. In these banks, risk experts gradually expanded the modeling infrastructure to uncover the natures and distributions of hitherto unknown uncertainties (including such risks as lending to small and medium-size enterprises), classifying and measuring these as part of the economic-capital framework. They quantified many operational risks as well, in order to make the aggregate risk profile more comprehensive. These additional risk assessments, once aggregated into the total risk profile, influenced the calculation of economic capital for control purposes. However, linking these risk calculations to planning and performance measurement was not automatic. Several senior risk officers were aware that simply wielding aggregate risk numbers would not convince business lines to change the way they did business. As one senior risk officer explained: “There is still an argument that the methodology and data underlying the quantification measurements themselves are not sufficiently reliable. . . . An aggregate view has to evolve. We have to be more confident in the quality of it. I wouldn’t like to run the business on the aggregate view as we see it today.”9
THE CRO AS STRATEGIC CONTROLLER
The evolution of the aggregate view has paved the way for the role of the CRO as strategic controller. This role assumes that the risk function, having built firm-wide risk models, enables the company to operate a formal risk-adjusted performance management system. Chief risk officers in this category preside over the close integration of risk and performance measurement and ensure that risk-adjusted metrics are deemed reliable and are relied on. They advise top management on the absolute and relative risk-return performance of various businesses and influence how capital and investments are committed.
A senior risk officer who fulfilled this role described the risk-adjusted planning
process as follows: “We obviously get involved with risk appetite. The businesses
put forward their proposals, having linked in with [the group risk-management
department]. They generate appropriate figures upon which we make the choices
about where to bet the bank. The calculations are done by the businesses initially.
They work it through with the risk department.”10
Another CRO emphasized the importance of risk-adjusted performance measurement as a way of making business managers accountable for risk taking: “If we align the incentives correctly, then I don’t have a job. The aim is getting the business units accountable for risk and the risk correctly charged and visible.”11
The strategic controller role requires a legitimate risk-modeling capability,
which is foundational to risk-based performance management. However, the construction of risk-adjusted performance measurement is inherently political. Risk-adjusted performance measures do not work by themselves; they have to be made
to work. The CRO needs to be aware that a new, risk-adjusted view of performance
will inherently affect resource and reward allocations; internal jurisdictions may
therefore resist it.
For both political and theoretical reasons, CROs must also be modest in their claims of “objectivity.” There can be no genuine objectivity in the measurement or management of that which has not yet happened and may never happen; other parts of the organization will easily recognize this as the soft underbelly of the risk-management function. Field studies on CROs in action show that, time and again, distrust of risk numbers and critique from other organizational groups require the CRO and the risk-management function to reconstitute and revise risk-adjusted performance metrics. Such objectivity as these calculations can achieve may well be the result of an organizational consensus, emerging from the process of challenge and revision. On the other hand, it has been shown that, in the face of challenge and critique from well-established organizational control groups, chief risk officers’ “dreams of measurement” for control purposes may turn out to be just that (Mikes 2005, 2009; Power 2004).
THE CRO AS STRATEGIC ADVISOR
In the role of strategic advisor, senior risk officers command board-level visibility and influence, predominantly as a result of their grasp of emerging risks and nonquantifiable strategic and operational uncertainties. They bring judgment into high-level risk decisions, challenge the assumptions underlying business plans, and use traditional risk controls and lending constraints to alter the risk profiles of particular businesses.
Many senior risk officers aspiring to this role do not regard risk modeling as sufficiently accurate to produce an objective picture of the underlying risk profiles; they rely on risk calculations mainly to indicate underlying trends (quantitative skepticism). They are therefore reluctant to link risk measurements to planning and performance management, leaving these control practices to their traditional realm, the finance function. Instead, they seek to mobilize their own experience with other expert views from the organization to help decision makers understand emerging risks, the nature of which is not explicable by modeling. As one such senior risk officer explained: “The key decisions you make are not based on what you put in the model and what gets spat out. . . . The way I think of it: Risk is chemistry, it’s not particle physics. You cannot separate the risks.”12
Key to the strategic advisor role is the CRO’s ability to create processes that
channel risk information to key decision makers and thus prevent “risk incubation.” While acknowledging that this role is new to them, several CROs are now
championing practices of risk anticipation such as risk-based scenario planning and
devil’s-advocate systems. Looking beyond the risk silos and “taking a 30,000-foot
view of the world,”13 these CROs conduct forecasts and assessments in order to find
vulnerabilities and problem areas and alert the executive and supervisory boards.
Risk anticipation often surfaces multiple and conflicting views. As one senior risk
officer explained with a hint of self-mockery, the role of the senior risk manager is
like that of the “medieval licensed jester, allowed to be more skeptical about what
is going on, constantly challenging existing assumptions and views, and scrutinizing strategic decisions before they are made. The difficulty is to challenge without
causing offence” (Mikes 2009).
This role requires the senior risk officer to build a track record and credibility; as
Hydro One’s CRO, John Fraser, put it, “You have to earn your spurs.”14 Some senior
risk officers in banks who came through the ranks of line management believe they
are better positioned to play the role of the strategic advisor than their risk-specialist
peers. Having earned the trust and respect of line management, they can negotiate
the conditions of good business by understanding both viewpoints, that of the
target-focused business originator and that of the risk-conscious controller. As one senior risk officer explained:
You need to know the business generators well enough to know . . . that their own stance and emotion and the fervor for a deal will impair their judgment. Most people, most very successful deal-doers, will always push the envelope. The issue is to understand how they operate within their values. So not only do you understand where they’re likely to over-egg it because the rewards are there, but also you know how to approach them when you want to slow them down. One, they have to trust you. And two, they have to respect your judgment. But you don’t achieve that overnight. You generally get it by being encouraging of what you believe is good business.15
The development of the strategic advisor role is partially driven by governance demands for organizational resilience and the management of extreme events, such as fundamental surprises, sudden losses of meaning (sudden events that make no sense to the people involved), and events that are inconceivable, hidden, or incomprehensible (Weick 1993). The specter of “black swan events” (Taleb 2007) raises fundamental questions about the role of risk management and that of the CRO: Should low-probability events be understood under the rubric of risk modeling or rather as fundamental surprise (Power 2007)? The shift in focus from probabilities and statistical loss distributions to facilitating organizational resilience and sensemaking under stress marks the difference between the role of the CRO as strategic controller and that of the CRO as strategic advisor.
WHICH CRO ROLE TO PLAY?
The compliance role tends to be well-defined by the environment; within an industry, there is not much room for variation in that role. The modeling role, however,
presents risk functions with a practical choice of processes and models and a philosophical choice of where to draw the line between what can be reliably measured
and modeled and what must be placed in the hands of qualitative judgment. It
is this line that divides (although never absolutely) the role of strategic controller
from the role of strategic advisor (see Exhibit 5.1 for a summary of the strategic
CRO roles).
Both assume a high degree of path dependency; the requisite resources and
capabilities can only be obtained over time (recall Deutsche Bank’s six-year effort).
Exhibit 5.1 Summary of the Business-Partner Roles of the CRO

Modeling capabilities

Primary objective of risk modeling
  Strategic controller: Measuring the aggregate risk profile of products and business lines
  Strategic advisor: Anticipating changes in the risk environment

The role of judgment in risk modeling
  Strategic controller: Model design contains the modeler’s judgment of complex relationships between variables
  Strategic advisor: Model design is deliberately simple. Managerial judgment is exercised to adjust model implications to reflect additional complexities

Strategic capabilities

Span of risk control
  Strategic controller: Quantifiable risks
  Strategic advisor: Quantifiable and nonquantifiable risks

The essence of the business partner role
  Strategic controller: The integration of risk management with planning and performance management. The CRO as the advocate of risk-adjusted performance
  Strategic advisor: The risk function’s ability to influence discretionary strategic decisions and to articulate to line managers the long-term risk-implications of their decisions. The CRO as a seasoned business executive and “devil’s advocate”

Modeling attitudes

Calculative culture
  Strategic controller: Quantitative enthusiasm: Risk numbers are deemed representative of the underlying economic reality. Emphasis on the “robust” and “hard” nature of modeling. Risk-adjusted performance measures are recognized
  Strategic advisor: Quantitative skepticism: Risk numbers are taken as trend indicators. Emphasis on learning about the underlying risk profile from the trend signals. Risk-adjusted performance measures are discussed, but are open to challenge

Source: Mikes (2008b).
The strategic advisory role requires an intimate knowledge of the business and
what can go wrong—experience that risk officers can only gain by having lived
through many organizational successes, losses, and crises. The strategic controller
role, on the other hand, calls for building a sophisticated risk-modeling capability,
which is foundational to risk-based performance management. But risk-adjusted
performance measures do not work by themselves—they must be made to work.
To make risk numbers count in planning and performance management requires
leadership, political flair, communication, and well-chosen allies—all of which can
only be developed over time.
It is possible that some CROs may develop the strategic advisor and the strategic controller roles successively if they can negotiate the path dependencies involved. Once models are tasked with accounting for risk-adjusted performance,
the room for managerial judgment shrinks as that judgment is built into the model
design up front. Quantitative skeptics are presently reluctant to delegate their
understanding of risk-adjusted performance to models. However, some of them
recognize that, over time, much of their judgment may be fed into the model design
and that careful organizational positioning and packaging will eventually make
risk-adjusted performance metrics legitimate and acceptable for control purposes.
Although quantitative enthusiasts maintain that models are capable of accommodating complex relationships between numerous variables, these risk officers also face important judgment calls; they must anticipate when even the most advanced of risk models will cease to be accurate as a result of major shifts in the environment. Given that most risk models in use at the time of this study had been developed in an unusually favorable credit environment (1998–2007), modeling experts whose career trajectory spans several “prolonged stress events” are hard to come by.
CONCLUSION
Chief risk officers, no matter what type of calculative culture they foster, are balancing at least two conflicting objectives: (1) to produce an aggregate view of risks, and (2) to retain case-by-case business knowledge and model familiarity with which to inform expert judgment. Striking the right balance remains a challenge for all CROs and their choice must be congruent with their organizations’ decision making, risk taking, and modeling cultures.
With a new regulatory era and a severe and protracted financial crisis upon us, senior risk officers are under pressure to demonstrate how they are realizing the risk-oversight potential of their function. No professional realm can operate indefinitely if it clashes with the requirements of stakeholders (Gardner et al. 2001). As a professional group, chief risk officers need to accommodate the demands of a wide diversity of stakeholders—including regulators, corporate executives, shareholders, debt holders, and the general public—which in turn requires that the risk function have a clear, well-defined position in the organizational governance process. Senior risk officers increasingly consider the CEO and the board to be their primary customers. However, many risk functions have been caught by the credit crisis in a work-in-progress compliance-champion mode, while others have been in transition toward their particular understanding of the business-partner role. The ideas and practices of risk management, unlike those of long-established professions, have not yet been codified into a unified domain, leaving chief risk officers with a fuzzy role in corporate governance.
But lack of codification is an opportunity for definition. This fuzziness is a
historic opportunity for the profession to improve business decision making by
defining and amalgamating the strengths of the compliance-champion, modeling
expert, strategic-advisor, and strategic-controller roles and by incorporating both
good risk analytics and expert judgment. Yet the ultimate test remains the ability of
risk managers to influence risk-taking behavior in the business lines. As one CRO
participant, quoted at the outset of this chapter, remarked: “One of the greatest
contributions of risk managers—arguably the single greatest—is just carrying a
torch around and providing transparency.”16 The art of successful risk management
is in getting the executive team to see the light and value the lamp bearer.
NOTES
1. Risk Chiefs: “As the Bar Rises, So Does Demand.” American Banker (January 31, 2008) 48.
2. Author’s interview on September 9, 2008. The identity of the interviewee is disguised for confidentiality reasons.
3. Author’s interview on August 31, 2008. The identity of the interviewee is disguised for confidentiality reasons.
4. Private communication to the author, received October 16, 2008. The identity of the source is disguised for confidentiality reasons.
5. Private communication to the author, received November 11, 2008. The identity of the source is disguised for confidentiality reasons.
6. Mikes, A. “Enterprise Risk Management at Hydro One.” Harvard Business School Case No. 9-109-001. (2008).
7. Hayes, N. “People, processes, systems: Deutsche Bank’s Hugo Banziger knows it takes all three.” RMA Journal (December 2002). Available on http://findarticles.com/p/articles/mi m0ITW/is 4 85/ai n14897213/pg 2?tag=artBody;col1.
8. Economic capital is a statistically estimated amount of capital that could cover all liabilities in a worst-case scenario, be it an unexpected market, credit, or operational loss. For risk practitioners and regulators, the conceptual appeal of economic-capital methods is that “they can provide a single metric along which all types of risks can be measured.” (Bank for International Settlements, 2003, 6).
9. Author’s interview on March 3, 2008. The identity of the interviewee is disguised for confidentiality reasons.
10. Mikes (2005, 170).
11. Author’s interview on November 17, 2006. The identity of the interviewee is disguised for confidentiality reasons.
12. Author’s interview on August 17, 2006. The identity of the interviewee is disguised for confidentiality reasons.
13. Mikes (2005, 205).
14. Mariga, Vanessa. “Moving into the C-Suite.” Canadian Underwriter (March 2008) 10–16.
15. Author’s interview on 22 November 2007. The identity of the interviewee is disguised for confidentiality reasons.
16. Author’s interview on November 17, 2006. The identity of the interviewee is disguised for confidentiality reasons.
REFERENCES
Aabo et al. 2005. The rise and evolution of the chief risk officer: Enterprise risk management
at Hydro One. Journal of Applied Corporate Finance, 17, 62–75.
American Banker. 2008. Risk Chiefs: As the bar raises, so does demand. Publication date:
January 31.
Bank for International Settlements (BIS) Joint Forum. 2003. Trends in risk integration and
aggregation. (August). Accessed on www.bis.org on May 13, 2004.
Bookstaber, R. 2007. Where were the risk managers? Accessed October 17, 2007, on
http://blogs.wsj.com/economics/2007/10/16/bookstaber-asks-where-were-the-riskmanagers/.
Buehler, K., Freeman, A., and Hulme, R. 2008. The new arsenal of risk management. Harvard
Business Review (September).
Butterworth, M. 2001. The emerging role of the risk manager. In Pickford, J. (ed.), Mastering Risk, vol. 1: Concepts. London, UK: Financial Times-Prentice Hall.
COSO. 2003. Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Framework.
Crouhy, M., Galai, D., and Mark, R. 2000. Risk management. New York: McGraw-Hill.
Deloitte. 2007. Global risk management survey: Accelerating risk management practices. 5th ed. Available on www.deloitte.com/dtt/research/0,1015,cid%253D151389,00.html.
Drzik, J., Nakada, P., and Schuermann, T. 2004. Risk capital measurement in financial institutions–Part one. (May 14). Accessed on www.Erisk.com.
Economist Intelligence Unit. 2005. Global Risk Briefing.
Ernst & Young. 2008. Making a difference: Rating enterprise risk management. Accessed on www.ey.com on September 10, 2008.
Federation of European Risk Management Associations (FERMA). 2002. A risk management standard. (Brussels).
Gallagher, R.B. 1956. Risk management: New phase of cost control. Harvard Business Review.
Gardner, H., Csikszentmihalyi, M., and Damon, W. 2001. Good work: When excellence and
ethics meet. New York: Basic Books.
Garside, T., and Nakada, P. 1999. Enhancing risk measurement capabilities. Available on www.erisk.com. Previously published in Balance Sheet, vol. 8, no. 3, 12–17.
Hayes, N. 2002. People, processes, systems: Deutsche Bank's Hugo Banziger knows it takes all three. RMA Journal (December). Available on http://findarticles.com/p/articles/mi m0ITW/is 4 85/ai n14897213/pg 2?tag=artBody;col1.
IBM Business Consulting Services. 2005. The clairvoyant CRO. Available on www.ibm.com/industries/financialservices/doc/content/bin/fss clairvoyant cro.pdf.
Knight, Frank H. 1921. Risk, uncertainty, and profit. Mineola, NY: Dover Publications.
Kloman, H.F. 2003. Enterprise risk management: Past, present and future. Reprinted in Kloman, H.F., Mumpsimus revisited: Essays on risk management. Lyme, CT: Seawrack Press.
Lam, J. 2000. Enterprise-wide risk management and the role of the chief risk officer. Accessed on www.erisk.com on May 14, 2004.
Liebenberg, A.P., and Hoyt, R.E. 2003. The determinants of enterprise risk management: Evidence from the appointment of chief risk officers. Risk Management and Insurance Review, 37–52.
Lore, M., and Borodovsky, L. 2000. The professional's handbook of financial risk management. New York: Butterworth-Heinemann Finance.
Marrison, C. 2002. The fundamentals of risk measurement. New York: McGraw-Hill.
Marshall, C. 2001. Measuring and ...