Enterprise Risk Management Leadership

Asked: Jan 4th, 2018
$60

Question description

Enterprise Risk Management Leadership & Culture

Leadership and Culture

(Minimum of 750 words for each question, this excludes the reference section at the bottom from your word count. You are also required to use a minimum of FOUR scholarly external sources references. Use proper APA guidelines, you only have to make reference to the author and year of publication in your in-text reference, but APA guidelines encourage you to also provide the page number. Failure to do so will result in an incomplete with 0 points for the question)

1. Explain two specific enterprise risk management strategies that a Board of Directors would use to delete their responsibilities of ERM. (750 word minimum)

2. Explain the meaning of the phrase “companies must incur risk in order to run their business and maximize returns for stakeholders.” Give two specific examples. (750 word minimum)

P1: OTA/XYZ P2: ABC c04 JWBT177-Simkins October 24, 2009 9:17 Printer Name: Hamilton

CHAPTER 4
The Role of the Board of Directors and Senior Management in Enterprise Risk Management

BRUCE C. BRANSON
Professor of Accounting and Associate Director, North Carolina State University Enterprise Risk Management Initiative

INTRODUCTION

The oversight of the enterprise risk management (ERM) process employed by an organization is one of the most important and challenging functions of a corporation’s board of directors. In concert with the senior management of the company, the board must establish the appropriate “tone at the top” to ensure that risk and risk management considerations remain at the forefront of strategic and operating decisions made within the business. The 2008–2009 global financial crisis and the rapidly deteriorating global economy has created a context in which companies now face risks that are more complex, more interconnected, and potentially more devastating than ever before. Failure to adequately acknowledge and effectively manage risks associated with decisions being made throughout the organization can and often do lead to potentially catastrophic results. We need look no further than to the current status of the financial services sector to observe the devastation associated with poorly monitored and managed risk taking. Risks associated with credit quality, liquidity, market disruptions, and reputation have all contributed to unprecedented bankruptcies, bank failures, federal government intervention, and rapid (and forced) consolidation within the industry. The fallout from this financial cataclysm spread quickly to the broader economy, as companies in almost every industry have suffered from the effects of a global credit freeze, dramatic reductions in consumer demand, and extreme volatility in commodity, currency, and equity markets.
The perception that aggressive and unchecked risk taking has been central to the breakdown of the financial and credit markets has led to increased legislative and regulatory focus on risk management and risk prevention. In this environment, boards and companies must be aware that regulators and the legal system may apply new standards of conduct, or reinterpret existing standards, to increase board responsibility for risk management. Boards cannot and should not be involved in the actual day-to-day management of risks encountered by the companies they serve. The role of the board is to ensure that the risk management processes designed and implemented by senior executives and risk management professionals employed by the company act in concert with the organization’s strategic vision, as articulated by the board and executed by senior management. As well, the board must exercise significant oversight to be confident that risk management processes are functioning as designed and that adequate attention is paid to the development of a culture of risk-aware decision making throughout the organization. By actively exercising its oversight role, the board sends an important signal to the company’s senior management and its employees that corporate risk management activities are not roadblocks to the conduct of business nor a mere “check-the-box” activity. Executed properly, ERM can and should become an integral component of the firm’s corporate strategy, culture, and value-creation process. The board can provide direction and support for the ERM effort, but without one or more risk champions within the executive leadership, most ERM programs are destined to fail.

Copyright ©2010 John Wiley & Sons, Inc.
Thus, there is a shared responsibility between the members of the board and the senior management team to nurture a risk-aware culture in the organization that embraces prudent risk taking within an appetite for risk that aligns with the organization’s strategic plan. The company’s ERM system should function to bring to the board’s attention the company’s most significant risks and allow the board to understand and evaluate how these risks may be correlated, the manner in which they may affect the company and management’s mitigation or response strategies. It is critically important for board members to have the experience, training, and intimate knowledge of the business required in order to make meaningful assessments of the risks that the company encounters. The board must also consider the best organizational structure to give risk oversight sufficient attention at the board level. In some companies, this has driven the creation of a separate risk management committee of the board. For other organizations, it may be reasonable for these discussions of risk to occur as a regular agenda item for an existing committee such as the audit committee, enhanced by periodic review at the full board level. No one size fits all, but it is vitally important that risk management oversight be a board priority.

This chapter addresses the proper role of the board of directors in corporate risk management. It identifies the legal and regulatory framework that drives the risk oversight responsibilities of the board. It also clarifies the separate roles of the board and its committees vis-à-vis senior management in the development, approval, and implementation of an enterprise-wide approach to risk management. Finally, the chapter explores optimal board structures to best discharge their risk oversight responsibilities.
GOVERNANCE EXPECTATIONS FOR BOARD OVERSIGHT OF RISK MANAGEMENT

The risk oversight responsibility of boards of directors is driven by a variety of factors. These factors include the fiduciary duty owed to corporate shareholders, which is a function of state law; U.S. and foreign laws and regulations such as the recently enacted Emergency Economic Stabilization Act of 2008 (EESA) and the Sarbanes-Oxley Act; New York Stock Exchange (NYSE) listing requirements; and certain established corporate best practices. As well, the risk of damage to corporate reputation from shareholder activism or adverse media coverage for companies believed or found to possess inadequate risk management capabilities also strongly contributes to the desirability of sound risk oversight by corporate boards.

The Delaware courts (which serve to establish law for a wide swath of corporate America) have developed guidelines for board oversight responsibilities through a series of court cases that have dealt with purported violations of the fiduciary duties of care and loyalty that are owed to the company by members of the board. The Delaware Chancery Court has stated[1] that director liability for a failure of board oversight requires a “sustained or systemic failure of the board to exercise oversight—such as an utter failure to assure a reasonable information and reporting system exists.” To avoid liability, boards should ensure that their organizations have implemented comprehensive monitoring systems tailored to each category of risk. The board should periodically review these monitoring systems and make inquiries of management as to their robustness.
The board should also consider retaining outside consultants for an independent assessment of the adequacy of the methodology that has been implemented. The company’s general counsel may also be utilized to provide an assessment as to whether the board has effectively fulfilled their oversight responsibility for the ERM program. The board should be especially sensitive to so-called “red flags,” or violations of existing risk limits established by the risk management team. These violations must be investigated by the board or delegated to the appropriate manager for investigation, and the board should document their actions in minutes that accurately convey the time and effort spent by the board in reviewing the deviation from established policies. To preserve their liability shield, boards must ensure that the monitoring system in place includes reports on significant regulatory matters (such as fines that have been levied against the company), that may be used as evidence in shareholder litigation. The board should treat such a report as a red flag and investigate appropriately.

Corporate risk management issues have recently appeared in two important examples of federal regulatory oversight—the EESA and the Sarbanes-Oxley Act. Also, companies with foreign operations must be cognizant of the legal requirements in each of the locales in which they do business. Whether or not a particular piece of legislative rule making that relates to risk management directly applies to the company and board, such laws and regulations will undoubtedly influence the activities that a company undertakes. Given the current environment and enhanced focus on risk management and risk oversight, a failure by the board to adequately oversee a system of compliance with legal requirements can raise issues under state law with respect to the board’s fiduciary duties, but also can provide opportunities for litigators to highlight such failures in other claims against the company and board, such as tort liability or even criminal liability. It is imperative that the board is aware of all material legal requirements applicable to the company, and the company should take care to include these risks in the development of their ERM program.

The most recent example of federal legislation that includes an explicit focus on risk management is the Troubled Asset Relief Program (TARP) contained in the EESA. The act requires that boards of financial institutions participating in the TARP Capital Purchase Program (CPP) institute certain restrictions on executive compensation that relate to corporate risk taking. Specifically, participants in the TARP CPP must comply with the requirements illustrated in Box 4.1. Although these requirements apply only to financial institutions participating in the CPP, they do provide insight into federal concern over the issue of how compensation programs may contribute to excessive risk taking. Because of this concern, companies that are not directly affected by these requirements should still consider reviewing their compensation plans to determine whether the compensation structure encourages excessive risk taking. To the extent that incentive compensation is externally viewed as a source of inappropriate risk, the interaction between compensation and risk may inevitably find its way into other legislative and regulatory responses and/or become a focus of shareholder activism and undesirable media attention.
Box 4.1 Executive Pay Requirements under the Troubled Asset Relief Program Capital Purchase Program*

In order to comply with Section 111(b)(2)(A) of EESA for purposes of participation in the program, a financial institution must comply with the following three rules:

(1) Promptly, and in no case more than 90 days, after the purchase under the program, the financial institution’s compensation committee, or a committee acting in a similar capacity, must review the [senior executive officer (SEO)] incentive compensation arrangements with such financial institution’s senior risk officers, or other personnel acting in a similar capacity, to ensure that the SEO incentive compensation arrangements do not encourage SEO’s to take unnecessary and excessive risks that threaten the value of the financial institution.

(2) Thereafter, the compensation committee, or a committee acting in a similar capacity, must meet at least annually with senior risk officers, or individuals acting in a similar capacity, to discuss and review the relationship between the financial institution’s risk management policies and practices and the SEO incentive compensation arrangements.

(3) The compensation committee, or a committee acting in a similar capacity, must certify that it has completed the reviews of the SEO incentive compensation arrangements required under (1) and (2) above.

These rules apply while the Treasury holds an equity or debt position acquired under the program.

* Excerpted from Treasury Department Notice 2008-PSSFI.
The Sarbanes-Oxley Act of 2002 imposes significant requirements on companies and their boards, including audit committee oversight of internal and external auditors, certification of quarterly and annual financial statements and periodic reports by the chief executive officer and chief financial officer, maintenance of well-functioning financial reporting and disclosure controls, enhanced disclosure of financial measures not based on generally accepted accounting principles (GAAP), and a ban on personal loans to directors and officers. Although not directly tied to the risk oversight responsibilities of boards, compliance with Sarbanes-Oxley requirements involves risk management issues. As an example, in determining the effectiveness of controls over financial reporting, or in the financial statement certification process, the company should focus on whether material risks are identified and disclosed. In their review of the company’s compliance with Sarbanes-Oxley requirements, the board should make inquiries as to whether these risk management issues have been acknowledged.

The New York Stock Exchange (NYSE) imposes specific risk oversight obligations on the audit committee of an NYSE-listed company. These NYSE rules require that an audit committee “discuss policies with respect to risk assessment and risk management.”[2] Box 4.2 provides an excerpt from the NYSE corporate governance rules germane to this requirement. These discussions should address major financial risk exposures and the steps the board has taken to monitor and control these exposures, including a general review of the company’s risk management programs. As the NYSE commentary indicates, the rules permit a company to create a separate committee or subcommittee (often a separate risk committee of the board) to be charged with the primary risk oversight responsibility.

Box 4.2 Excerpt from the NYSE’s 2004 Final Corporate Governance Rules*

Among numerous other responsibilities, duties, and responsibilities of the audit committee include:

(D) Discuss policies with respect to risk assessment and risk management;

Commentary: While it is the job of the CEO and senior management to assess and manage the company’s exposure to risk, the audit committee must discuss guidelines and policies to govern the process by which this is handled. The audit committee should discuss the company’s major financial risk exposures and the steps management has taken to monitor and control such exposures. The audit committee is not required to be the sole body responsible for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken. Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee.

* “Final Corporate Governance Rules,” New York Stock Exchange (2004) www.nyse.com.
This is subject to the need for the risk oversight processes conducted by that separate committee or subcommittee to be reviewed in a general manner by the audit committee, and for the audit committee to continue to discuss policies with respect to risk assessment and management. As in our earlier discussion concerning the TARP certification requirements for those financial institutions participating in the CPP, these rules only apply to NYSE-listed firms. Yet, it seems prudent for all boards to acknowledge that they may be subject to “best practice” standards in the eyes of their shareholders and the general public.

Boards should also take advantage of industry-specific regulators (such as the Federal Reserve and the FDIC in the banking industry) and specialized risk management organizations that have published best practice guidance. The Committee of Sponsoring Organizations of the Treadway Commission (COSO), a private-sector organization sponsored by professional accounting associations and institutes, has developed an ERM framework that promotes an enterprise-wide perspective on risk management. That document emphasizes the role of the board in risk management in its definition of ERM:

Enterprise risk management is a process, effected by the entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within the risk appetite, to provide reasonable assurance regarding the achievement of objectives.[3] (emphasis added)

The COSO integrated framework provides a valuable benchmarking tool and offers detailed guidance on how a company may implement enterprise risk management procedures in its strategic planning efforts and across the entire organization.
The COSO ERM framework presents eight interrelated components of risk management: (1) the internal environment (the tone of the organization), (2) objective-setting, (3) event identification, (4) risk assessment, (5) risk response, (6) control activities, (7) information and communications, and (8) monitoring. The COSO enterprise risk management framework has become well accepted as a development tool for organizations seeking to initiate and/or improve on an ERM program.

In 2007, Standard & Poor’s (S&P) announced a major initiative to incorporate an explicit evaluation of ERM programs as part of their credit ratings analysis of companies. S&P has actively evaluated the ERM practices of financial institutions, insurance companies, and the trading operations of many large energy companies for some time. Beginning in late 2008, S&P extended this evaluation to nonfinancial issuers. Box 4.3 provides an excerpt from the S&P announcement that highlights their expectations for board involvement in risk management activities. It is clear that they expect active and engaged board-level participation in the establishment of the proper “tone at the top” as well as in the approval and monitoring of specific risk policies the firm develops.
Box 4.3 Excerpt from Standard & Poor’s “PIM Framework for Assessing ERM Practices”*

In November 2007, Standard & Poor’s issued a request for comment titled, Criteria: Request For Comment: Enterprise Risk Management Analysis For Credit Ratings Of Nonfinancial Companies, which announced S&P’s proposal to expand its analysis of ERM processes as part of its credit-rating assessments into 17 different industries.** S&P has developed an ERM assessment framework—the “PIM Framework” denoting policies, infrastructure, and methodology—to assess the robustness of enterprise risk management practices within an entity as part of the credit evaluation process. Within the PIM framework, S&P views “risk governance” as the foundation of the evaluation structure. Several components of risk governance include activities involving the board of directors:

- In consultation with the business, the institution has established risk policies that would be approved by the board’s risk committee.
- The institution ensures that periodic dialogue takes place among the board, business heads, and group risk management on the appropriateness and relevance of the various key financial and nonfinancial risk metrics.
- Ensure that the board is well engaged with ERM initiatives within the organization and is to some degree setting the tone.

* “Assessing Enterprise Risk Management Practices of Financial Institutions,” Standard & Poor’s (2006). www.standardandpoors.com.
** “Criteria: Request for Comment: Enterprise Risk Management Analysis For Credit Ratings on Nonfinancial Companies,” Standard & Poor’s (2007). www.standardandpoors.com.
Reputational damage resulting from the lack of adequate risk oversight is present even without mandated requirements to adhere to specific risk management–related laws, regulations, stock exchange listing rules, and best practices. Even absent any actual legal exposure, the board of a company whose excessive risk taking leads to a crisis or poor financial and/or operating performance will likely face significant criticism in the press and from shareholders. In these circumstances, the board may also be faced with proxy contests, either from a competing slate of directors standing for election or through other shareholder resolution campaigns. Proxy attacks against directors viewed as responsible for failures of risk oversight have become more and more common. The business press has also highlighted and targeted directors that they view as underperforming. With the enhanced attention being paid to risk oversight and management, one can expect increased pressure on companies perceived to have taken on excessive levels of risk or who have been found to lack robust risk oversight capabilities.

DELEGATION OF RISK OVERSIGHT TO BOARD COMMITTEES

Many boards find it helpful to assign primary risk oversight responsibility to a committee of the full board. This committee is charged with directly overseeing the risk management function and should receive regular reports on the status of the ERM process from those members of senior management responsible for risk management for the enterprise. This committee, in turn, should make regular reports to the full board to ensure that the board as a whole has an understanding of the risk profile of the entity and can then engage in strategic, risk-informed decision making appropriate to their leadership role.
In many instances, boards delegate primary responsibility for risk oversight to the audit committee, in spite of the audit committee’s seemingly overwhelming list of responsibilities related to financial reporting and the internal/external audit function. Audit committees are the most common board committee to be charged with performance of oversight duties over management’s risk policies and guidelines, and they are being asked to discuss with management the enterprise’s key risk exposures—including risk exposures beyond financial reporting related risks. A recent Conference Board study of audit committee charters of Fortune 100 companies reported that 66 percent of these companies place primary risk oversight responsibility on the audit committee, using language similar to the examples illustrated in Box 4.4 for the Coca-Cola Company, Wal-Mart Stores, and Apple.[4]

Audit committees (or other board committees) that have been charged with this responsibility for risk oversight are increasing their demands on management for more information about risk management processes and for up-to-date information about management’s assessment of key risk exposures. Within senior management, it is often the chief financial officer (CFO) or chief audit executive (CAE) who has been asked to take the lead in risk management efforts for the organization. The 2006 Conference Board report, “The Role of U.S. Corporate Boards in Enterprise Risk Management,” reports that the executive most frequently cited by directors as responsible for informing the board on risk issues is the CFO—with more than 70 percent reporting this relationship.
However, in growing numbers, organizations are creating Chief Risk Officer (CRO) positions to serve as the risk leader or “champion,” while others are creating executive-level risk committees comprised of the CFO, CRO, general counsel, executives in charge of strategy and internal audit, and/or other key business unit leaders to lead the ERM effort.

FORMALIZING RISK MANAGEMENT PROCESSES

The complexity and sheer number of risks affecting organizations has expanded at a rapid pace over the past decade. Boards and senior executives are increasingly feeling the pressure to respond to these increased demands on their time and expertise. A 2007 study, “Board Members on Risk,”[5] reports that 72 percent of board members who participated in the survey believe that the overall level of risk that the organizations they serve currently faces has increased in the past two to three years, with 41 percent indicating that the overall level of risk has increased significantly. Senior executives and their boards are realizing that the practice of managing risk informally or on an ad hoc basis is no longer tolerable and that, in many instances, current processes have proved inadequate in today’s rapidly evolving business world.

Box 4.4 Illustrative Language from Audit Committee Charters

Below are excerpts from three audit committee charters that provide examples of audit committee involvement in risk oversight:

1. The Coca-Cola Company’s Audit Committee Charter states that one of the 14 responsibilities of the Audit Committee of the Board of Directors includes: Risk Assessment and Risk Management. The committee will review and discuss with management, the internal auditors, and the independent auditors the company’s policies and procedures with respect to risk assessment and risk management.

2. Wal-Mart Stores includes the following language in their Audit Committee Charter: Discuss with management the company’s major financial risk exposures and the steps management has taken to monitor and control such exposures, including the company’s risk assessment and risk management policies.

3. The Audit and Finance Committee Charter of Apple states that one of the responsibilities of the committee is: Review and discuss with Management (i) Management’s financial risk assessment and risk management policies, (ii) the Corporation’s major financial risk exposures and the steps Management has taken to monitor and control such exposures.

To address these concerns, many boards have adopted ERM as a process to develop a more robust and holistic top-down view of key risks facing the organization. Although the adoption of ERM is largely in response to emerging expectations for greater risk oversight, recent data shows that entities that outperform their peers are more likely to have developed a more formal risk management process.[6] Proponents of ERM stress that the goal of effective ERM is not to lower risk. Rather, ERM is designed to more effectively manage risks on an enterprise-wide basis so that stakeholder value is at least preserved, but hopefully enhanced. Said differently, ERM allows management and the board to make better, more “risk-intelligent,” strategic decisions. Recent evidence, cited above, seems to support this notion. An ERM focus is assisting boards and senior executives to think about risks more holistically.
This is far different than traditional approaches to risk where management has historically assigned risk oversight responsibilities to individual functions or business units (these are often referred to as “silos” or “stove-pipes” of the business in the language of ERM). The common result of a stove-pipe approach to risk management is that risks are often managed inconsistently or within each individual risk manager’s personal tolerance for risk. More importantly, these risks may be effectively managed within an individual business unit to acceptable levels, but the risk responses or treatments selected by the manager may unknowingly create or add to risks for other units within the organization. Furthermore, traditional silo-based approaches to risk management often fail to anticipate that certain risk events may be correlated with other risk events, triggering a cascading series of risk exposures. Often the net result when risks are managed in this manner is an increase (rather than reduction) in the overall risk exposure for the enterprise.

SENIOR EXECUTIVE LEADERSHIP IN RISK MANAGEMENT

An ERM approach to risk management requires a top-down view of risks faced by the organization. Visible leadership from and embrace by the senior executive team is a critical component to an effective ERM process. Those organizations that have started down the ERM path attest to the reality that the adoption of a holistic view of risks, which requires that risk information be shared transparently across silos within the organization, requires a significant change in the corporate culture or mindset of management at all levels within the enterprise.
As employees across the organization are held accountable for the ownership of risks within their areas of responsibility, senior executive leadership is needed to reinforce the importance of this movement toward a more transparent, enterprise-wide view of risk management.

The CFOs are uniquely positioned to lead the overall enterprise risk management effort. CFOs are already intricately involved in providing an overall view of the organization from a financial risk perspective, which gives them an enterprise-wide understanding of the key activities that drive performance. CFOs also have an existing relationship with the audit committee. Thus, as audit committees turn to management to strengthen the enterprise’s approach to risk management, they are naturally turning to CFOs to kick-start the process.

CFOs have responded to these new challenges by designing basic structures for identifying and assessing risks across the enterprise. For many, this begins by defining risk terminology or developing common definitions of key risk concepts so that risk management approaches are implemented consistently across the enterprise. Providing a clear definition of risk terms (including a discussion of whether “risk” represents both risky opportunities and downside risks) is often the required first step. Once risk is defined, senior management can then survey the organization to identify potential risk drivers and risk events through questionnaires, interviews, risk workshops, and external risk scanning to generate an inventory of risks that may pose potential threats and/or opportunities for the enterprise. Leadership is needed to ensure that risks are assessed consistently across the organization.
Risk champions at the senior executive level must develop procedures to govern how risks are to be assessed, not only from a likelihood or probability perspective, but also from an impact perspective in order to prioritize those risks most important for senior executive and board oversight. Based on risk rankings reflecting probability and impact assessments, management is now in a position to identify those risks with the greatest need for the development of an appropriate risk response. Senior executives should then identify key risk indicators that can be included in management information reports to allow for proactive management of these risks on an ongoing basis.

The above discussion provides an abbreviated overview of the core elements of an ERM approach, and also illustrates the nature of risk management leadership that the audit committee and board are expecting from the senior executive team. Later chapters are devoted to a thorough discussion of tools and techniques that identify and assess risks and that develop appropriate treatment strategies tailored to the specific risks encountered.

THE ROLE OF THE INTERNAL AUDIT FUNCTION IN ERM

The CFO and other senior executives formally lead the ERM effort, but internal audit plays a major role in supporting the risk management process. In many cases, audit executives who lead the internal audit function have initiated the ERM launch within their organizations. Although internal audit is naturally involved in risk management activities, there are specific roles the internal audit function should and should not assume throughout the ERM process.
Internal audit should provide an assurance service on risk management processes, giving assurance that risks are evaluated correctly, evaluating risk management processes, evaluating the reporting of key risks, and reviewing the management of key risks. However, internal audit should not be involved in developing the risk management process for board approval, imposing risk management processes, making decisions on risk responses, managing identified risks, or establishing the enterprise’s risk appetite. The internal audit’s role should be to monitor the effectiveness of ERM processes designed and implemented by senior management. Direct reporting of the internal audit function’s monitoring activities puts audit committees in a position to be more objectively informed about the effectiveness of management’s risk management processes, including the accuracy and completeness of risk information they receive directly from senior management.

EXTERNAL AUDIT AS AN INDEPENDENT SOURCE OF KEY RISK IDENTIFICATION

Audit committees also exert pressure on their external auditors to share risk information they glean from audits of financial statements and, for publicly traded entities, the audit of internal controls over financial reporting required by the Sarbanes-Oxley Act. In the process of understanding the entity and its environment (a requirement for financial statement audits to be conducted in conformance with auditing standards), external auditors are likely to identify key business risks affecting the enterprise. Auditors of publicly traded companies may also identify deficiencies in risk responses as they assess the effectiveness of internal controls surrounding core business processes that affect financial reporting. Proactive audit committees recognize that the external auditor can serve as a rich source of risk information that can assist the audit committee in challenging the completeness
of risk inventories prepared by management. External auditors recognize that this contribution is a value-added activity for their clients and respond with greater dialogue about key risks when participating in executive sessions with the audit committee.

While boards and senior executives are strengthening their risk oversight processes at a rapid pace, few entities are currently able to claim that they have fully developed ERM processes in place. Most recognize that the implementation of ERM is an evolutionary process, whereby risk oversight improves over time. Most ERM proponents believe there is no “one size fits all” approach to enterprise risk management. As boards and senior management strive to make real progress toward developing ERM processes into more mature business operating models, they will need to be patient. Immediate success is rare—ERM must be viewed as a long-term cultural change and realistic expectations must be established for its implementation.

ERM IMPLEMENTATION STRATEGIES

In fulfilling its obligation to exercise oversight over risk management, the board or board committee charged with the primary responsibility for oversight should focus on the adequacy of the organization’s enterprise risk management system. Risk management must be tailored to the specific entity, but in general an effective ERM process will identify the significant risks that the organization faces in a timely manner, implement appropriate risk management strategies that are in concert with the company’s risk appetite and specific risk exposures, integrate the consideration of risk and risk management into strategic decision making throughout the company, and feature explicit policies and procedures that adequately transmit necessary information with respect to significant risks to senior management and, as appropriate, to the board or relevant committee.
To accomplish these objectives, there are certain implementation strategies that can help the board and the senior executives delegate responsibility for the ERM program in designing and modifying the risk management function. The sections that follow discuss the following strategies:

• Role of the audit committee
• Role of the board
• Training
• Board composition
• Reporting
• Compliance
• Culture

Role of the Audit Committee

As discussed earlier in the chapter, most boards delegate primary oversight of risk management to the audit committee, which is consistent with the NYSE corporate governance rules illustrated in Box 4.2. That rule requires the audit committee to discuss policies with respect to risk assessment and risk management. For many companies, however, the scope and complexity of enterprise risk management may dictate consideration of establishing a dedicated risk management committee of the board in order to force increased attention at the board level on risk management and oversight. The NYSE listing requirement permits boards to so delegate the primary risk oversight function to a different board committee, subject to limited continuing audit committee oversight. The audit committee may not always be the best choice for providing direct oversight of the ERM program at the board level. Given the significant responsibilities specifically mandated or delegated to it by the Sarbanes-Oxley Act, the audit committee typically has a crowded meeting agenda and may not have sufficient time and resources to devote to the optimal level of risk oversight.
In addition, the audit committee’s focus on compliance with financial reporting rules and auditing standards is not necessarily the best approach for understanding the broad array of risks faced by their organization. In fact, it may be argued that an intense focus on compliance may hinder certain risk awareness because once satisfaction is reached that a standard has been correctly followed, it is natural to then turn to new issues rather than to continue spending scarce time on an issue seemingly resolved. A recent example of this phenomenon may be found in the banking industry, where the creation of off-balance sheet entities (structured investment vehicles and trusts) conformed to applicable accounting guidance but, in hindsight, clearly contributed to the catastrophic escalation of risk that has led to financial ruin for many financial institutions.

If primary responsibility for risk oversight remains with the audit committee instead of a newly constituted risk committee, the audit committee should explicitly include dedicated agenda time for the periodic review of risk management policies and the status of key risks apart from its review of the financial statements and compliance issues. Although this will undoubtedly further burden the audit committee, it is critical to allocate necessary time and attention to the risk oversight role specifically. The goal should be to facilitate serious and thoughtful board-level discussion of the organization’s ERM process, the trends in the key risks the company encounters, and the robustness of the company’s policies, procedures, and actions designed to respond to and treat these risks.

Role of the Board

The primary board-level risk oversight role is typically delegated to a committee, but the full board is ultimately responsible for monitoring the ERM program.
Hence, the board should devote meeting time to discuss and analyze information about the entity’s ERM program and the most significant risks impacting the company’s ability to achieve its strategic objectives. This can be accomplished through reports delivered by the committee charged with risk management oversight and by appropriately summarized versions of the materials provided by senior management and advisors to that committee.

Risk management issues also commonly arise in the context of the work of other committees. For example, the compensation committee is charged with approval and oversight of the incentive compensation arrangements for senior management personnel. These compensation agreements must be carefully structured to ensure that they do not create incentives for the senior management team to take on risky projects (that breach the board-approved risk tolerance or appetite of the organization) in an attempt to maximize bonus compensation. Specialized committees may also be charged with specific areas of risk exposure. Within financial institutions, for example, credit, market, and asset/liability management committees are common, while some boards of energy and manufacturing companies have committees largely devoted to environmental and safety issues.

Training

In-depth knowledge of the organization’s fundamental operations is required for understanding the implications of the key risks a company is exposed to and then assessing the company’s planned responses to these risks. Director orientation and training programs should be reviewed to ensure they provide enough substance for directors to develop an understanding of the company’s businesses. These programs should also discuss the company’s risk inventory and provide an overview of the ERM process employed by the entity.
In addition to orientation programs for new directors, a company should consider the development of continuing education materials for directors on an ongoing basis, to supplement board and committee meetings. Participation in workshops offered through various organizations can help keep directors abreast of current industry and company-specific developments and specialized issues. Site visits by directors, either within the framework of the board meeting schedule or as part of a continuing education program, can be valuable for companies where a physical inspection is important for appreciating the business-unit risks that the company faces. These visits should allow directors to assess firsthand some of the health and safety, operational, and other risks facing the company much better than a prepared presentation or written communication.

Director training should be tailored to the issues most relevant and important to the particular company and its business. For example, investment banks that issue and trade complex securities and derivatives generally monitor their financial exposure to market risk through daily value at risk (VaR) calculations. Workshops or Web-based presentations to inform bank board members about the underlying assumptions and the approach to calculating the VaR statistic can be critical for understanding the risks the bank faces. Most business decisions are made in the context of the economic and political environments in which the various business units operate, and presentations that illuminate key aspects of these differences across the company will be useful to the board’s understanding of the company’s operations. Although there are presently no legal requirements that mandate continuing education for the board, these efforts can be extremely valuable in helping directors to discharge their duties and to avoid negative media attention that may follow announcements of bad news events.
Board Composition

Recent changes to corporate governance requirements and best practices guidance have led many companies to enhance the independence and diversity of their boards. There has also been a downward trend in the participation of senior executives on boards of unaffiliated entities. Because of this, companies are often confronted with the fact that a significant portion of their boards may lack detailed knowledge of the industry in which the company operates. Under these conditions, the importance of well-designed and executed orientation programs for new directors and the creation of opportunities for continuing education for all members of the board are critical.

As a function of this new environment, boards should pay particular attention to the background and experience of the individual board members asked to serve on the committee charged with oversight of the ERM function. As seats on the board open up due to retirements or the creation of additional directorships, the board should aggressively recruit new members with relevant industry expertise and, if possible, with a background that includes risk management experience.

For boards on which the CEO serves as the sole representative of the senior management team, it may be prudent to consider adding a second or third management representative, such as the COO, CFO, or chief risk officer (if a separate CRO position has been established), to provide an additional source of information in the boardroom on the company’s business, operations, and risk profile. Direct lines of communication between non-CEO executives and the board or relevant board committee should already be present.
Actual membership on the board is likely to allow for more consistent and timely input from these senior executives to the board.

Reporting

The board’s ability to perform its oversight role effectively is largely dependent on the flow of information that occurs among the directors, senior management, and the risk management executives in the organization. If the board is unsure whether they are receiving sufficient information to discharge their responsibilities, they need to be aggressive in their requests for that data. Directors must have adequate knowledge of such information as:

• The external and internal risk environment faced by the firm.
• The key material risk exposures affecting the company.
• The methodology employed to assess and prioritize risks.
• Treatment strategies for key risks.
• Status of implementation efforts for risk management procedures and infrastructure.
• The strengths and weaknesses of the overall ERM program.

If the board has delegated primary risk oversight responsibility to a committee of the board, that committee should meet in executive sessions with the designated ERM leader in a manner analogous to the audit committee and its regular sessions with the company’s internal auditor, and with senior management in connection with CEO and CFO certifications of the financial statements. Senior risk managers and the senior executive team need to be comfortable in informing the board or relevant committee of rapidly emerging risk exposures that require the immediate attention of the board. These reporting channels must be open at all times as a complement to regular reporting procedures. As previously discussed, the committee charged with risk oversight should make regular reports to the full board to keep them apprised of important changes in the organization’s risk profile and/or exposure to key risks.
Compliance

Senior management should also provide the board with a comprehensive review of the company’s legal compliance programs and how they affect the company’s risk profile. There are a number of principles to consider when assessing the adequacy of compliance efforts. There should be a strong and visible “tone at the top” emanating from both the board and senior management that emphasizes that noncompliance with corporate policy will not be tolerated. Actions of the board and the senior executive team should provide an unambiguous signal to the organization that policies and procedures are to be followed scrupulously. The compliance program should be designed by individuals with the appropriate level of expertise and will typically include workshops and written materials. The full board should review compliance policies periodically in order to assess their effectiveness and to make any revisions deemed prudent or necessary to conform to changes in applicable laws. To ensure that policies are respected, it is essential that there be consistency in enforcement through appropriate disciplinary measures. Finally, there should be a clear reporting system in place so that employees understand when and to whom they should report suspected violations.

Culture

In addition to the formal compliance program, the board must also encourage management to promote a corporate culture that understands the business case for risk management and incorporates it into its overall corporate strategy and day-to-day business operations. The enterprise risk management function cannot be viewed as a drag on the achievement of corporate objectives or isolated as a specialized corporate function, but instead should be established as an integral part of everyday decision making within the business units.
Companies must incur risk in order to run their businesses and maximize returns for stakeholders. The board must recognize that there can be significant danger in excessive risk aversion, just as there is danger in unchecked risk taking. But the assessment of risk, the accurate weighing of risks versus rewards, and the informed response to risk exposures should be incorporated into all business decision making.

The company’s enterprise risk management structure should enable ongoing efforts to assess and analyze the most likely areas of future risk for the company. This process, often referred to as environmental scanning, is a key element of avoiding or successfully mitigating those risks before they become crises. In their review of the organization’s risk management processes, the board should ask senior management directing the ERM program to discuss with them the most likely sources of significant far-horizon risks and how the company is planning for any significant potential vulnerability.

CONCLUSION

As stated at the opening of this chapter, the oversight of the enterprise risk management (ERM) processes employed by an organization is one of the most important and challenging functions of a corporation’s board of directors. It is the board’s responsibility to work in concert with senior management of the company to establish the appropriate “tone at the top” to ensure that risk and risk management remain at the forefront of strategic and operating decisions made within the business. As a simple survey of the financial press would indicate, we find ourselves today in an environment in which companies face risk exposures that are more complex, more interconnected, and potentially more devastating than ever before.
To ensure that they are faithfully discharging their fiduciary duties, boards must adequately acknowledge and manage risks associated with decisions being made throughout the organization and operate with the understanding that these risks can and often do lead to potentially catastrophic results.

NOTES

1. In re Caremark International Inc. Derivative Litigation, 698 A.2d 959, 971.
2. “Final Corporate Governance Rules,” New York Stock Exchange (2004) www.nyse.com.
3. Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management – Integrated Framework, September 2004, www.coso.org, New York, NY.
4. “The Role of U.S. Corporate Boards in Enterprise Risk Management,” the Conference Board (2006).
5. “Board Members on Risk,” Ernst & Young (2007).
6. See “Balancing Risk and Performance with an Integrated Finance Organization – The Global CFO Study 2008,” IBM Global Business Services.

PART II

ERM Management, Culture, and Control

CHAPTER 5

Becoming the Lamp Bearer

The Emerging Roles of the Chief Risk Officer

ANETTE MIKES
Assistant Professor of Business Administration, Harvard Business School

One of the greatest contributions of risk managers—arguably the single greatest—is just carrying a torch around and providing transparency.
—Chief Risk Officer, interviewed on November 17, 2006

Opinion has a significance proportioned to the sources that sustain it.
—Benjamin Cardozo (1870–1938)

Despite the widespread adoption of enterprise risk management (ERM) in the financial services industry, banks suffered hundreds of billions of dollars of losses during 2007–2008, stemming from risks that few executives had understood (Treasury Committee 2007a, 2007b). Under the shock of the first subprime-related loss disclosures, industry observers raised the question: “Where were the risk managers?” (Bookstaber 2007). In February 2008, a joint study by the Senior Supervisors Group—representatives of eight banking supervisory bodies—noted that, while “some firms recognized the emerging additional risks and took deliberate actions to limit or mitigate them . . . other firms did not fully recognize the risks in time to mitigate them adequately” (Senior Supervisors Group 2008, 2). The group emphasized significant differences in firms’ approaches to risk management, particularly in the design and scope of risk assessment and reporting practices. Further, regulators and industry observers continue to call for the appointment of executives who are exclusively devoted to the role of enterprise-wide risk oversight, particularly since one early victim of the subprime credit debacle, Merrill Lynch, lacked a chief risk officer and another, Citigroup, was immediately blamed for its ineffective risk oversight (American Banker 2008). Going forward, many argue that the role of the chief risk officer is going to be further emphasized in corporate governance. As Peter Raskind, National City Bank’s chief executive officer, argued in an interview in the pages of the American Banker toward the end of the first year of the subprime credit crisis: “This environment has absolutely underscored the
need for that person. But it’s not just credit risk. It’s operational risk, reputation risk, and so on.”1

Risk management in banks is a relatively recent function. Under the leadership of chief risk officers, risk-management staff groups are currently carving out their territory in response to uncertainties ranging from adverse asset-price movements to borrower defaults and threats to the financial health of the enterprise. The visibility of risk management and, in particular, of the Chief Risk Officer (CRO) has increased outside the banking industry, too. In a 2008 survey, consulting firm McKinsey tracked the diffusion of CRO appointments by industry in the United States (Winokur 2009). McKinsey found that 43 percent of insurance companies had appointed a senior risk officer with enterprise-wide risk oversight, in contrast to 19 percent in 2002. Other industries with a significant number of CRO appointments include energy and utilities (50 percent of companies had a CRO in 2008), health care, and metals and mining (20 percent to 25 percent of companies were reported to have a CRO). Furthermore, it is widely expected that rating agencies will assess the quality and scope of ERM as part of their rating process going forward (Standard & Poor’s 2008; Ernst & Young 2008).

Enterprise risk management, under the leadership of CROs, has the promise to bring enterprise-wide risks, which threaten the achievement of the firm’s strategic objectives, into the open and under control. Its organizational significance is that, by providing a process to identify, measure, monitor, and manage uncertainty in strategic decision making, strategic planning, performance management, and deal-approval processes, it enables top management to maintain or alter patterns in risk taking.
This chapter addresses the question: How may chief risk officers realize that organizational significance? I draw on the existing practitioner and academic literature on the role of chief risk officers and on a number of case studies from my ongoing research program on the evolution of the role of the CRO. The first section deals with the origins and rise of the CRO and outlines four major roles that senior risk officers may fulfill. The following sections discuss and illustrate those roles.

THE ORIGINS OF THE CRO

In 1956, Harvard Business Review published “Risk Management: A New Phase of Cost Control,” in which Russell Gallagher called for a “workable program for ‘risk management’ . . . putting it under one executive, who in a large company might be a full-time ‘risk manager.’” The article proposed that, in the face of increasingly expensive insurance premiums, the “postwar battle for tighter cost controls” required a “concerted method of attack” on the management of risks and hazards—namely, the appointment of a professional insurance manager. So began the saga of the chief risk officer in the world of insurance. Indeed, until recently, most nonfinancial firms considered buying insurance to be the core task of the risk-management function (Butterworth 2001).

The seeds of a more strategic role for the chief risk officer were sown in the 1970s. The publication of the Black-Scholes options-pricing model in 1973 triggered the staggering rise of derivatives markets (Buehler et al. 2008) by enabling more effective pricing and mitigation of risk. Over the next three decades, the world of risk management in the financial services sector changed profoundly as banks and securities houses created a “gigantic clearinghouse for packaging, trading and transferring risks” (Buehler et al. 2008).
Financial firms both created and took advantage of many important innovations to contain financial risks; the arsenal of risk management was no longer limited to insurance policies. Increasing financial sophistication resulted in two new risk-management strategies: (1) portfolio diversification, and (2) hedging. Energy companies, food producers, and other firms followed suit in widening their risk-management toolkits as markets opened for the trading of various industry-specific risks. However, as Merton observed, top executives in most industries persistently regarded the application of derivatives and other risk-management tools as essentially tactical and therefore delegated the management of financial risk to a host of in-house financial experts such as insurance managers and corporate treasurers (Merton 2005). The dangers of delegation and the resultant “silo” approach have been ruthlessly exposed by a number of corporate scandals over the last two decades and during the credit crisis of 2007–2008, as it became clear that many firms had taken large risks without an appropriate understanding of the long-term, firm-wide consequences, which, by 2009, had spread far beyond their organizations onto millions of stunned stakeholders and innocent bystanders.

The creation of the CRO role with a dedicated risk-management unit occurred intermittently at first; some of the earliest attempts took place in large financial services firms, often as a reaction to excessive investment losses. In 1987, Merrill Lynch, having suffered large losses on mortgage-backed securities in March of that year, appointed Mark Lawrence, a senior executive, to establish a dedicated risk-management unit. But because there was, as yet, no pressure to institutionalize this new organizational function, the role of CRO lacked credibility (Wood 2002) and the unit gradually lost power (Power 2005). GE Capital’s risk-management unit was an exception.
James Lam, appointed chief risk officer in 1993, became the first to hold the role of integrated risk oversight with that title (Lam 2000). His unit, designed as an integral part of GE’s finance function, displayed a “rigorous process approach,” allocating risk-based approval authority down the business lines, applying data-driven analytics to identify and monitor risk, and strictly enforcing risk limits.2 In the early 2000s, Deutsche Bank created the position of CRO (Hugo Banziger) with the mandate to make the risk and profit implications of business-line decisions transparent. By then, the concept of a risk-management head had evolved from a defensive administrative “cop” to—at least in aspiration—a business partner and advisor in risk taking (Power 2005, 134; Wood 2002). This shifted the risk-management model (and the CRO) out of the back office and into the front line with a more strategic role. As the new risk-based capital adequacy reform (Basel II) gathered momentum, calls for assembling risk-management practices under the umbrella of a dedicated risk organization and under the oversight of a high-level executive intensified. The rise of the CRO was not confined to the financial sector: Sulzer Medica appointed a CRO in 2001, following legal losses, and Delta Airlines employed a CRO in 2002 in response to the heightened concern for risks in the airline industry following the 9/11 terrorist attacks (Power 2005).

Nevertheless, it was the increasing codification of enterprise risk management into various risk-management standards that accelerated the appointment of senior risk officers with an enterprise-wide risk oversight. Multi-disciplinary
P1: OTA/XYZ P2: ABC c05 JWBT177-Simkins 74 October 24, 2009 9:17 Printer Name: Hamilton ERM Management, Culture, and Control task forces in Australia and New Zealand published the first Risk Management Standard in 1995 (revised in 1999 and 2004) and other standard-setters followed suit (Ferma 2002; COSO 2003), successfully spreading the notion that enterprise risk management was good management. Several companies aspiring to be bestpractice organizations adopted enterprise risk management and appointed chief risk officers to oversee its implementation (Aabo et al. 2005). McKinsey’s 2008 survey found that 10 percent of nonfinancial firms had CROs, up from 4 percent in 2002 (Winokur 2009). In tandem with the rise of the chief risk officer and the dedicated riskmanagement function, the internal auditing profession also staked a claim on the risk-management domain (Koleman 2003). The Institute of Internal Auditors, an international professional association of certified internal auditors, included D risk management as part of the audit profession’s competencies and stimulated the development of control risk self-assessment as the bedrock of enterprise risk A management. Furthermore, external auditors had reinvented the financial audit I to be more perceptive of the client’s business risk and associated risks, offering business-risk assessments simultaneouslyLas an audit-planning tool and as an advisory mechanism. Overall, the shape of a risk-management services industry had Y become visible, with risk professionals, internal auditors, and external auditors competing to design and service the internal , risk-management space of corporations (Power 2000). Not surprisingly, CROs come from many walks of life, including internal audit, external audit, financial management, R business management, and consulting. 
Industry surveys (PricewaterhouseCoopers 2007; Deloitte 2007; IBM 2005) Y show that CROs fulfill a variety of roles that nevertheless fall into two categories: A hand, and (2) a more strategic “busi(1) a compliance and control function on one ness partner” role on the other hand. Much N of the industry debate prior to the subprime-credit crisis focused on how CROs ought to balance their compliance champion role with that of an active participant in business decision making. The credit crisis directed attention to a series of 2risk-management failures (Stulz 2009), particularly the gaps in financial institutions’ internal risk-assessment practices. 6 Indeed, there is wide variation in the usefulness and reliability of the risk models used by various financial institutions (Tett72008). My recent research indicates that firms’ risk-modeling initiatives vary in style and quantitative sophistication and 5 that senior risk officers exercise a large degree of discretion in determining the use and mix of quantitative and qualitative risk-management tools (Mikes 2005, B 2007b). This finding highlights the role of the CRO as a modeling expert who deU ploys a certain degree of quantitative enthusiasm or quantitative skepticism in the management of different risk categories (Mikes 2008b). Further, different CROs interpret their “business partner” roles differently. In a study of 15 chief risk officers, I found that some CROs strive to grasp the key strategic uncertainties affecting their organizations (whether measurable or not) and proactively help top management anticipate emerging strategic risks; these CROs play the role of strategic advisor. Other CROs confine their attention to the measurable risk universe and the production of “catch-all” metrics for aggregate risk taking and risk-adjusted performance; they enact the role of the strategic controller. 
In sum, the role of the chief risk officer is not only multifaceted but also varies according to the industry, the emphasis the risk function places on compliance with Copyright ©2010 John Wiley & Sons, Inc. P1: OTA/XYZ P2: ABC c05 JWBT177-Simkins October 24, 2009 9:17 Printer Name: Hamilton BECOMING THE LAMP BEARER 75 regulatory and risk-management standards, and the extent and sophistication of the firm’s risk modeling. The next four sections turn in detail to the four major CRO roles, namely (1) compliance champion, (2) modeling expert, (3) strategic controller, and (4) strategic advisor. THE CRO AS COMPLIANCE CHAMPION The role of compliance champion entails advocating and policing compliance with pressing stakeholder requirements and keeping up with new regulations and standards affecting the design and roles of the risk-management function. Many CROs initiate a “risk policy framework”—a determination of what risks need to be addressed and by whom—on which the board and a senior executive then sign off. D roles: The risk policy framework fulfills several First, it sets the boundaries of acceptable A risk taking by ensuring that the appropriate standards and controls are in place. As one senior risk officer put it, I the framework tells the business lines “the rules of engagement, making sure that the do’s and the don’ts are sufficiently clear.” L 3 It is now widely recognized in riskmanagement circles that “both Barings’s and Société Générale’s losses were created Y by employees not following the processes.”4 Research on so-called man-made dis, asters has long established that complex organizations (in any industry) generate “normal accidents” (Perrow 1984) and routine errors that are suited to—and, indeed, called for—the creation of a specialist CRO role (Power 2004, 141). 
In such R territory between risk controlling settings, CROs are pressure points in the border and risk taking; “the risk officer is not necessarily responsible for each risk type, Y but is responsible to ensure each risk-type owner has set appropriate standards.”5 Athe management of risk, detailed risk Although the CRO supports and enhances management remains the responsibility ofN line management. Second, the risk policy framework advocates a shared understanding of the spectrum of risks the organization cares about; naturally, this spectrum changes over time. Some chief risk officers consider2the creation of this shared understanding to be the key benefit of their work because it reinforces the company’s shared 6 One’s chief risk officer, John Fraser, understanding of its strategic priorities. Hydro is a case in point. He maintains that enterprise risk management starts with top 7 management agreeing about strategic objectives; then they develop a shared un5 derstanding of the principal risks (Mikes 2008a). Fraser acknowledges that his role was “not to give the answers” to the problems of the business but to facilitate B the emergence of a shared understanding among managers. He achieved this in U interactive risk workshops: Enterprise risk management is a contact sport. Success comes from making contact with people. Magic occurs in risk workshops. People enjoy them. Some say, “I have always worried about this topic, and now I am less worried, because I see that someone else is dealing with it, or I have learned it is a low probability event.” Other people said, “I could put forward my point and get people to agree that it is something we should be spending more time on, because it is a high risk.”6 Third, the risk policy framework gives chief risk officers a plan, a language, and the authority with which to oversee the development of risk-measurement and Copyright ©2010 John Wiley & Sons, Inc. 
P1: OTA/XYZ P2: ABC c05 JWBT177-Simkins 76 October 24, 2009 9:17 Printer Name: Hamilton ERM Management, Culture, and Control monitoring tools for each risk type. At a basic level, every risk function operates a host of templates with which to collect risk information, establish risk-assessment guidelines, and construct risk models that collect loss and other risk-related data to track the firm’s evolving risk profile. But there is a plethora of tools and practices for measuring and communicating risk and wide variation in their application even within a particular industry. THE CRO AS MODELING EXPERT In general, chief risk officers play a powerful role in selecting the people, processes, and systems that will define the scope of risk measurement and control in their organizations. The infrastructure of most modern risk-management functions conD and information systems, the design tains a wide variety of risk models, processes, of which requires the CRO to play the roleAof the modeling expert. Deutsche Bank’s CRO, Hugo Banziger, recalled his early experiences with I system-building: L I . . . had to build an entirely new organization Y from scratch. We designed a dedicated credit process; hired and trained credit staff, as there were no credit people with derivatives , with the help of traders; and created know-how in the market; built credit-risk engines our own Potential Future Exposure model, using Monte Carlo simulations and stresstesting portfolios. After that, we had to build a credit system that could integrate all these functions and aggregate our derivative counterparty R exposure globally. These were six very challenging years.7 Y A who emphasize risk aggregation as Banziger is one of several chief risk officers well as risk measurement. As they see it, the N creation of an aggregate view of quan- tified risks is the key benefit of implementing firm-wide risk models. 
Aggregating risk exposures had been a challenge to risk practitioners for a long time, largely due to the variety of risk measures applied to the different risk types and insufficient knowledge of the correlations between risk exposures, the diversification benefits, and the concentration penalties. The recent development of economic capital as a common-denominator measure for market, credit, and operational risks enables firms to aggregate their quantifiable risks into a total risk estimate.8 Indeed, Wood (2002) argues that the key role of the CRO is to fine-tune the calculation of economic capital for organizational-control purposes. Accordingly, recent works in the risk-management literature advocate risk-based internal capital allocations (measured by economic capital) for performance measurement and control. The ideal of introducing risk-based performance measurement in banks has emerged in tandem with developments in risk quantification and, importantly, risk aggregation. Risk aggregation requires a high degree of modeling expertise on the part of the risk-management function; it entails the extension of risk analytics to uncertainties with explicable (but not yet known) properties and the adjustment of the measurement approaches as further data become available. In a recent study, however, CROs voiced divergent opinions on the benefits and limitations of the available menu of risk-modeling initiatives (Mikes 2008b, 2009).

One group of CROs took a skeptical view, emphasizing that risk models were useful tools for managing a narrow set of risks, such as those that lend themselves to conventional statistical analysis (e.g., credit-card risks in a given geography and consumer segment). Due to the homogeneity of such risk profiles and the large number of data points, decisions in such areas could be automated. But these CROs felt that, in less homogeneous business segments, such as lending to both small enterprises and large corporations, risk models were intrinsically less reliable (quantitative skepticism) and the judgment of veteran experts was essential. They did not consider risk modeling accurate enough to produce an objective picture of the underlying risk profiles, only to indicate the underlying trends.

Another group of CROs, however, were committed to extensive risk modeling and fostered a culture in which risk models were regarded as robust and relevant tools in decision making (quantitative enthusiasm), particularly in strategic planning and performance management. In these banks, risk experts gradually expanded the modeling infrastructure to uncover the natures and distributions of hitherto unknown uncertainties (including such risks as lending to small and medium-size enterprises), classifying and measuring these as part of the economic-capital framework. They quantified many operational risks as well, in order to make the aggregate risk profile more comprehensive. These additional risk assessments, once aggregated into the total risk profile, influenced the calculation of economic capital for control purposes. However, linking these risk calculations to planning and performance measurement was not automatic. Several senior risk officers were aware that simply wielding aggregate risk numbers would not convince business lines to change the way they did business. As one senior risk officer explained: “There is still an argument that the methodology and data underlying the quantification measurements themselves are not sufficiently reliable. . . . An aggregate view has to evolve. We have to be more confident in the quality of it. I wouldn’t like to run the business on the aggregate view as we see it today.”9

THE CRO AS STRATEGIC CONTROLLER

The evolution of the aggregate view has paved the way for the role of the CRO as strategic controller. This role assumes that the risk function, having built firm-wide risk models, enables the company to operate a formal risk-adjusted performance management system. Chief risk officers in this category preside over the close integration of risk and performance measurement and ensure that risk-adjusted metrics are deemed reliable and are relied on. They advise top management on the absolute and relative risk-return performance of various businesses and influence how capital and investments are committed. A senior risk officer who fulfilled this role described the risk-adjusted planning process as follows: “We obviously get involved with risk appetite. The businesses put forward their proposals, having linked in with [the group risk-management department]. They generate appropriate figures upon which we make the choices about where to bet the bank. The calculations are done by the businesses initially. They work it through with the risk department.”10 Another CRO emphasized the importance of risk-adjusted performance measurement as a way of making business managers accountable for risk taking: “If we align the incentives correctly, then I don’t have a job. The aim is getting the business units accountable for risk and the risk correctly charged and visible.”11 The strategic controller role requires a legitimate risk-modeling capability, which is foundational to risk-based performance management. However, the construction of risk-adjusted performance measurement is inherently political. Risk-adjusted performance measures do not work by themselves; they have to be made to work.

The CRO needs to be aware that a new, risk-adjusted view of performance will inherently affect resource and reward allocations; internal jurisdictions may therefore resist it. For both political and theoretical reasons, CROs must also be modest in their claims of “objectivity.” There can be no genuine objectivity in the measurement or management of that which has not yet happened and may never happen; other parts of the organization will easily recognize this as the soft underbelly of the risk-management function. Field studies on CROs in action show that, time and again, distrust of risk numbers and critique from other organizational groups require the CRO and the risk-management function to reconstitute and revise risk-adjusted performance metrics. Such objectivity as these calculations can achieve may well be the result of an organizational consensus, emerging from the process of challenge and revision. On the other hand, it has been shown that, in the face of challenge and critique from well-established organizational control groups, chief risk officers’ “dreams of measurement” for control purposes may turn out to be just that (Mikes 2005, 2009; Power 2004).

THE CRO AS STRATEGIC ADVISOR

In the role of strategic advisor, senior risk officers command board-level visibility and influence, predominantly as a result of their grasp of emerging risks and nonquantifiable strategic and operational uncertainties. They bring judgment into high-level risk decisions, challenge the assumptions underlying business plans, and use traditional risk controls and lending constraints to alter the risk profiles of particular businesses. Many senior risk officers aspiring to this role do not regard risk modeling as sufficiently accurate to produce an objective picture of the underlying risk profiles; they rely on risk calculations mainly to indicate underlying trends (quantitative skepticism). They are therefore reluctant to link risk measurements to planning and performance management, leaving these control practices to their traditional realm, the finance function. Instead, they seek to mobilize their own experience with other expert views from the organization to help decision makers understand emerging risks, the nature of which is not explicable by modeling. As one such senior risk officer explained: “The key decisions you make are not based on what you put in the model and what gets spat out. . . . The way I think of it: Risk is chemistry, it’s not particle physics. You cannot separate the risks.”12

Key to the strategic advisor role is the CRO’s ability to create processes that channel risk information to key decision makers and thus prevent “risk incubation.” While acknowledging that this role is new to them, several CROs are now championing practices of risk anticipation such as risk-based scenario planning and devil’s-advocate systems. Looking beyond the risk silos and “taking a 30,000-foot view of the world,”13 these CROs conduct forecasts and assessments in order to find vulnerabilities and problem areas and alert the executive and supervisory boards.

Risk anticipation often surfaces multiple and conflicting views. As one senior risk officer explained with a hint of self-mockery, the role of the senior risk manager is like that of the “medieval licensed jester, allowed to be more skeptical about what is going on, constantly challenging existing assumptions and views, and scrutinizing strategic decisions before they are made. The difficulty is to challenge without causing offence” (Mikes 2009).
This role requires the senior risk officer to build a track record and credibility; as Hydro One’s CRO, John Fraser, put it, “You have to earn your spurs.”14 Some senior risk officers in banks who came through the ranks of line management believe they are better positioned to play the role of the strategic advisor than their risk-specialist peers. Having earned the trust and respect of line management, they can negotiate the conditions of good business by understanding both viewpoints, that of the target-focused business originator and that of the risk-conscious controller. As one senior risk officer explained:

You need to know the business generators well enough to know . . . that their own stance and emotion and the fervor for a deal will impair their judgment. Most people, most very successful deal-doers, will always push the envelope. The issue is to understand how they operate within their values. So not only do you understand where they’re likely to over-egg it because the rewards are there, but also you know how to approach them when you want to slow them down. One, they have to trust you. And two, they have to respect your judgment. But you don’t achieve that overnight. You generally get it by being encouraging of what you believe is good business.15

The development of the strategic advisor role is partially driven by governance demands for organizational resilience and the management of extreme events, such as fundamental surprises, sudden losses of meaning (sudden events that make no sense to the people involved), and events that are inconceivable, hidden, or incomprehensible (Weick 1993). The specter of “black swan events” (Taleb 2007) raises fundamental questions about the role of risk management and that of the CRO: Should low-probability events be understood under the rubric of risk modeling or rather as fundamental surprise (Power 2007)? The shift in focus from probabilities and statistical loss distributions to facilitating organizational resilience and sensemaking under stress marks the difference between the role of the CRO as strategic controller and that of the CRO as strategic advisor.

WHICH CRO ROLE TO PLAY?

The compliance role tends to be well-defined by the environment; within an industry, there is not much room for variation in that role. The modeling role, however, presents risk functions with a practical choice of processes and models and a philosophical choice of where to draw the line between what can be reliably measured and modeled and what must be placed in the hands of qualitative judgment. It is this line that divides (although never absolutely) the role of strategic controller from the role of strategic advisor (see Exhibit 5.1 for a summary of the strategic CRO roles). Both assume a high degree of path dependency; the requisite resources and capabilities can only be obtained over time (recall Deutsche Bank’s six-year effort).

Exhibit 5.1 Summary of the Business-Partner Roles of the CRO

Modeling capabilities

Primary objective of risk modeling
  Strategic controller: Measuring the aggregate risk profile of products and business lines
  Strategic advisor: Anticipating changes in the risk environment

The role of judgment in risk modeling
  Strategic controller: Model design contains the modeler’s judgment of complex relationships between variables
  Strategic advisor: Model design is deliberately simple. Managerial judgment is exercised to adjust model implications to reflect additional complexities

Strategic capabilities

Span of risk control
  Strategic controller: Quantifiable risks
  Strategic advisor: Quantifiable and nonquantifiable risks

The essence of the business partner role
  Strategic controller: The integration of risk management with planning and performance management; the CRO as the advocate of risk-adjusted performance
  Strategic advisor: The risk function’s ability to influence discretionary strategic decisions and to articulate to line managers the long-term risk-implications of their decisions; the CRO as a seasoned business executive and “devil’s advocate”

Modeling attitudes

Calculative culture
  Strategic controller: Quantitative enthusiasm: risk numbers are deemed representative of the underlying economic reality; emphasis on the “robust” and “hard” nature of modeling; risk-adjusted performance measures are recognized
  Strategic advisor: Quantitative skepticism: risk numbers are taken as trend indicators; emphasis on learning about the underlying risk profile from the trend signals; risk-adjusted performance measures are discussed, but are open to challenge

Source: Mikes (2008b).

The strategic advisory role requires an intimate knowledge of the business and what can go wrong—experience that risk officers can only gain by having lived through many organizational successes, losses, and crises. The strategic controller role, on the other hand, calls for building a sophisticated risk-modeling capability, which is foundational to risk-based performance management. But risk-adjusted performance measures do not work by themselves—they must be made to work. To make risk numbers count in planning and performance management requires leadership, political flair, communication, and well-chosen allies—all of which can only be developed over time.

It is possible that some CROs may develop the strategic advisor and the strategic controller roles successively if they can negotiate the path dependencies involved. Once models are tasked with accounting for risk-adjusted performance, the room for managerial judgment shrinks as that judgment is built into the model design up front. Quantitative skeptics are presently reluctant to delegate their understanding of risk-adjusted performance to models. However, some of them recognize that, over time, much of their judgment may be fed into the model design and that careful organizational positioning and packaging will eventually make risk-adjusted performance metrics legitimate and acceptable for control purposes. Although quantitative enthusiasts maintain that models are capable of accommodating complex relationships between numerous variables, these risk officers also face important judgment calls; they must anticipate when even the most advanced of risk models will cease to be accurate as a result of major shifts in the environment. Given that most risk models in use at the time of this study had been developed in an unusually favorable credit environment (1998–2007), modeling experts whose career trajectory spans several “prolonged stress events” are hard to come by.

CONCLUSION

Chief risk officers, no matter what type of calculative culture they foster, are balancing at least two conflicting objectives: (1) to produce an aggregate view of risks, and (2) to retain case-by-case business knowledge and model familiarity with which to inform expert judgment. Striking the right balance remains a challenge for all CROs and their choice must be congruent with their organizations’ decision making, risk taking, and modeling cultures.

With a new regulatory era and a severe and protracted financial crisis upon us, senior risk officers are under pressure to demonstrate how they are realizing the risk-oversight potential of their function. No professional realm can operate indefinitely if it clashes with the requirements of stakeholders (Gardner et al. 2001). As a professional group, chief risk officers need to accommodate the demands of a wide diversity of stakeholders—including regulators, corporate executives, shareholders, debt holders, and the general public—which in turn requires that the risk function have a clear, well-defined position in the organizational governance process. Senior risk officers increasingly consider the CEO and the board to be their primary customers. However, many risk functions have been caught by the credit crisis in a work-in-progress compliance-champion mode, while others have been in transition toward their particular understanding of the business-partner role. The ideas and practices of risk management, unlike those of long-established professions, have not yet been codified into a unified domain, leaving chief risk officers with a fuzzy role in corporate governance. But lack of codification is an opportunity for definition.
This fuzziness is a historic opportunity for the profession to improve business decision making by defining and amalgamating the strengths of the compliance-champion, modeling expert, strategic-advisor, and strategic-controller roles and by incorporating both good risk analytics and expert judgment. Yet the ultimate test remains the ability of risk managers to influence risk-taking behavior in the business lines. As one CRO participant, quoted at the outset of this chapter, remarked: “One of the greatest contributions of risk managers—arguably the single greatest—is just carrying a torch around and providing transparency.”16 The art of successful risk management is in getting the executive team to see the light and value the lamp bearer.

NOTES

1. Risk Chiefs: “As the Bar Rises, So Does Demand.” American Banker (January 31, 2008) 48.
2. Author’s interview on September 9, 2008. The identity of the interviewee is disguised for confidentiality reasons.
3. Author’s interview on August 31, 2008. The identity of the interviewee is disguised for confidentiality reasons.
4. Private communication to the author, received October 16, 2008. The identity of the source is disguised for confidentiality reasons.
5. Private communication to the author, received November 11, 2008. The identity of the source is disguised for confidentiality reasons.
6. Mikes, A. “Enterprise Risk Management at Hydro One.” Harvard Business School Case No. 9-109-001. (2008).
7. Hayes, N. “People, processes, systems: Deutsche Bank’s Hugo Banziger knows it takes all three.” RMA Journal (December 2002). Available on http://findarticles.com/p/articles/mi_m0ITW/is_4_85/ai_n14897213/pg_2?tag=artBody;col1.
8. Economic capital is a statistically estimated amount of capital that could cover all liabilities in a worst-case scenario, be it an unexpected market, credit, or operational loss. For risk practitioners and regulators, the conceptual appeal of economic-capital methods is that “they can provide a single metric along which all types of risks can be measured.” (Bank for International Settlements, 2003, 6).
9. Author’s interview on March 3, 2008. The identity of the interviewee is disguised for confidentiality reasons.
10. Mikes (2005, 170).
11. Author’s interview on November 17, 2006. The identity of the interviewee is disguised for confidentiality reasons.
12. Author’s interview on August 17, 2006. The identity of the interviewee is disguised for confidentiality reasons.
13. Mikes (2005, 205).
14. Mariga, Vanessa. “Moving into the C-Suite.” Canadian Underwriter (March 2008) 10–16.
15. Author’s interview on 22 November 2007. The identity of the interviewee is disguised for confidentiality reasons.
16. Author’s interview on November 17, 2006. The identity of the interviewee is disguised for confidentiality reasons.

REFERENCES

Aabo et al. 2005. The rise and evolution of the chief risk officer: Enterprise risk management at Hydro One. Journal of Applied Corporate Finance, 17, 62–75.
American Banker. 2008. Risk Chiefs: As the bar rises, so does demand. Publication date: January 31.
Bank for International Settlements (BIS) Joint Forum. 2003. Trends in risk integration and aggregation. (August). Accessed on www.bis.org on May 13, 2004.
Bookstaber, R. 2007. Where were the risk managers? Accessed October 17, 2007, on http://blogs.wsj.com/economics/2007/10/16/bookstaber-asks-where-were-the-risk-managers/.
Buehler, K., Freeman, A., and Hulme, R. 2008. The new arsenal of risk management. Harvard Business Review (September).
Butterworth, M. 2001. The emerging role of the risk manager. In Pickford, J. (ed.), Mastering Risk, vol. 1: Concepts. London, UK: Financial Times-Prentice Hall.
COSO. 2003. Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Framework.
Crouhy, M., Galai, D., and Mark, R. 2000. Risk management. New York: McGraw-Hill.
Deloitte. 2007. Global risk management survey: Accelerating risk management practices. 5th ed. Available on www.deloitte.com/dtt/research/0,1015,cid%253D151389,00.html.
Drzik, J., Nakada, P., and Schuermann, T. 2004. Risk capital measurement in financial institutions–Part one. (May 14). Accessed on www.Erisk.com.
Economist Intelligence Unit. 2005. Global Risk Briefing.
Ernst & Young. 2008. Making a difference: Rating enterprise risk management. Accessed on www.ey.com on September 10, 2008.
Federation of European Risk Management Associations (FERMA). 2002. A risk management standard. (Brussels).
Gallagher, R.B. 1956. Risk management: New phase of cost control. Harvard Business Review.
Gardner, H., Csikszentmihalyi, M., and Damon, W. 2001. Good work: When excellence and ethics meet. New York: Basic Books.
Garside, T., and Nakada, P. 1999. Enhancing risk measurement capabilities. Available on www.erisk.com. Previously published in Balance Sheet, vol. 8, no. 3, 12–17.
Hayes, N. 2002. People, processes, systems: Deutsche Bank’s Hugo Banziger knows it takes all three. RMA Journal (December). Available on http://findarticles.com/p/articles/mi_m0ITW/is_4_85/ai_n14897213/pg_2?tag=artBody;col1.
IBM Business Consulting Services. 2005. The clairvoyant CRO. Available on www.ibm.com/industries/financialservices/doc/content/bin/fss_clairvoyant_cro.pdf.
Knight, Frank H. 1921. Risk, uncertainty, and profit. Mineola, NY: Dover Publications.
Kloman, H.F. 2003. Enterprise risk management: Past, present and future. Reprinted in Kloman, H.F., Mumpsimus revisited: Essays on risk management. Lyme, CT: Seawrack Press.
Lam, J. 2000. Enterprise-wide risk management and the role of the chief risk officer. Accessed on www.erisk.com on May 14, 2004.
Liebenberg, A.P., and Hoyt, R.E. 2003. The determinants of enterprise risk management: Evidence from the appointment of chief risk officers. Risk Management and Insurance Review, 37–52.
Lore, M., and Borodovsky, L. 2000. The professional’s handbook of financial risk management. New York: Butterworth-Heinemann Finance.
Marrison, C. 2002. The fundamentals of risk measurement. New York: McGraw-Hill.
Marshall, C. 2001. Measuring and managing operational risks in financial institutions: Tools, techniques and other resources. New York: John Wiley & Sons.
Merton, R.C. 2005. You have more capital than you think. Harvard Business Review (November).
Mikes, A. 2005. Enterprise risk management in action. PhD Thesis, London School of Economics.
Mikes, A. 2007a. Convictions, conventions and the operational risk maze—The cases of three financial services institutions. International Journal of Risk Assessment and Management 7, no. 8: 1027–1056.
Mikes, A., and Townsend, D. 2007b. Beyond compliance: The maturation of CROs and other senior risk executives. GARP Risk Review, 39 (November–December): 12–18.
Mikes, A. 2008a. Enterprise risk management at Hydro One. Harvard Business School Case 9-109-001.
Mikes, A. 2008b. Chief risk officers at crunch time: Compliance champions or business partners? Journal of Risk Management in Financial Institutions, 2, no. 1 (November–December): 7–24.
Mikes, A. 2009. Risk management and calculative cultures. Management Accounting Research, 20: 18–40.
Perrow, C. 1984. Normal accidents: Living with high risk technologies. New York: Basic Books.
Power, M.K. 2000. The audit implosion: Regulating risk from the inside. The Institute of Chartered Accountants in England and Wales.
Power, M.K. 2003. The invention of operational risk. London: London School of Economics and Political Science, ESRC Centre for the Analysis of Risk and Regulation, Discussion Paper, no. 16.
Power, M.K. 2004. Counting, control and calculation: Reflections on measuring and management. Human Relations, 765–783.
Power, M.K. 2005. Organizational responses to risk: The rise of the chief risk officer. In B. Hutter, and M.K. Power, Organizational encounters with risk. Cambridge, UK: Cambridge University Press.
Power, M.K. 2007. Organized uncertainty – Designing a world of risk management. Oxford, UK: Oxford University Press.
PricewaterhouseCoopers. 2007. Creating value: Effective risk management in financial services.
Risk Management. 2007. A view from the top. (September). Online publication, accessed in October 2008 on www.allbusiness.com/company-activities-management/management-risk/8911274-1.html.
Standard & Poor’s. 2008. Enterprise risk management: Standard & Poor’s to apply enterprise risk analysis to corporate ratings. Ratings Direct, (May).
Stulz, R. 2009. Six ways companies mismanage risk. Harvard Business Review, (March).
Taleb, N.N. 2007. The black swan. London, UK: Penguin.
Tett, G. 2008. Cinderella role moves to the centre of attention. Financial Times, (April 28).
Treasury Committee (of the United Kingdom Parliament House of Commons). 2007a. Minutes of Evidence Taken before Treasury Committee, Tuesday, December 4, 2007 (Uncorrected transcript of Oral Evidence given by Mr. E. Gerald Corrigan, Managing Director and Co-Chair of the Firmwide Risk Management Committee, Goldman Sachs; Lord Charles Aldington, Chairman, Deutsche Bank; Mr. Jeremy Palmer, Chairman and CEO, Europe, Middle East and Africa, UBS; and Mr.
William Mills, Chairman and Chief Executive of City Markets and Banking, Europe, Middle East and Africa, Citigroup). B Accessed on www.publications.parliament.uk/pa/cm/cmtreasy.htm on January 10, 2008. U Treasury Committee (of the United Kingdom Parliament House of Commons). 2007b. Minutes of Evidence Taken before Treasury Committee, Tuesday, October 16, 2007 (Corrected transcript of Oral Evidence given by Dr. Matt Ridley, Chairman, Mr. Adam Applegarth, Chief Executive, Sir Ian Gibson, Senior Non-Executive Director, and Sir Derek Wanless, Non-Executive Director, Northern Rock). Accessed on www.publications.parliament.uk/ pa/cm200607/cmselect/cmtreasy/cmtreasy.htm on January 10, 2008. Weick, K. 1993. The collapse of sensemaking in organizations: The Mann Gulch disaster. Administrative Science Quarterly, 38: 628–652. Winokur, L.A. 2009. The rise of the risk executive. Risk Professional, (February) 10–17. Wood, D. 2002. From cop to CRO. Accessed on www.erisk.com on May 14, 2004. Copyright ©2010 John Wiley & Sons, Inc. P1: OTA/XYZ P2: ABC c05 JWBT177-Simkins October 24, 2009 9:17 Printer Name: Hamilton BECOMING THE LAMP BEARER 85 ACKNOWLEDGMENTS I am grateful to Robert Kaplan, John Fraser, and Betty Simkins for their comments on earlier drafts of this chapter. I am also indebted to Roxanna Myhrum, David Newman, and John Elder for their enthusiasm, perceptive questions, and thorough editing work. ABOUT THE AUTHOR Anette Mikes received her PhD from the London School of Economics in 2006. Her thesis “Enterprise Risk Management in Action” is the first field-based research study on risk management in financial institutions. She holds an MSc in Economics and Finance from the Budapest UniversityD of Economics and an MSc in Accounting and Finance (with distinction) from the London School of Economics. She held a A Tutorial Fellowship at the London School of Economics (2004–2005) and was an Associate (Executive Education) at London I Business School (2002–2005). 
Having spent 18 months as an Advisor to the Group Risk function at Standard Chartered Bank, Mikes instigated and directs the Risk Futures research initiative. With the cooperation of a number of senior risk officers contributing to the British Bankers' Association's Risk Advisory Panel, this ongoing research program investigates evolving directions in risk management and the emerging roles of senior risk officers. Mikes has spoken at numerous international conferences and published research papers in the International Journal of Risk Assessment and Management, the Journal of Risk Management in Financial Institutions, and Management Accounting Research. Her current work focuses on risk governance and the role of risk management in strategy formulation.
Copyright ©2010 John Wiley & Sons, Inc.

CHAPTER 28
The Rise and Evolution of the Chief Risk Officer
Enterprise Risk Management at Hydro One
TOM AABO, Associate Professor, Aarhus School of Business (Denmark)
JOHN R.S. FRASER, Chief Risk Officer, Hydro One, Inc.
BETTY J. SIMKINS, Professor of Finance, Oklahoma State University

[Figure: the two Chinese characters for "risk"; not reproduced in this extraction]
The Chinese symbols for risk shown here capture a key aspect of enterprise risk management. The first symbol represents "danger" and the second "opportunity." Taken together, they suggest that risk is a strategic combination of vulnerability and opportunity. Viewed in this light, enterprise risk management represents a tool for managing risk in a way that enables the corporation to take advantage of value-enhancing opportunities. A missed strategic opportunity can result in a greater loss of (potential) value than an unfortunate incident or adverse change in prices or markets.
As in the past, many organizations continue to address risk in "silos," with the management of insurance, foreign exchange risk, operational risk, credit risk, and commodity risks each conducted as narrowly focused and fragmented activities. Under the new enterprise risk management (ERM) approach, all would function as parts of an integrated, strategic, and enterprise-wide system.1 And while risk management is coordinated with senior-level oversight, employees at all levels of the organization are encouraged to view risk management as an integral and ongoing part of their jobs.
Special Topics and Case Studies
Although there are theoretical arguments for corporate risk management,2 the main drivers for the implementation of ERM systems have been studies such as the Joint Australian/New Zealand Standard for Risk Management, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in the United States (in response to the control problems in the S&L industry), the Group of Thirty Report in the United States (following derivatives disasters in the early 1990s), CoCo (the Criteria of Control model developed by the Canadian Institute of Chartered Accountants), the Toronto Stock Exchange Dey Report in Canada following major bankruptcies, and the Cadbury report in the United Kingdom.3 In addition, large pension funds have become more vocal about the need for improved corporate governance, including risk management, and have stated their willingness to pay premiums for stocks of firms with strong independent board governance.4 These studies point out that boards of directors need to have a thorough understanding of the key risks in the organization and what is being done to manage such risks.
What's more, securities rating agencies such as Moody's and Standard & Poor's have recently begun to take account of ERM systems in their ratings methodology. As reported in a recent study by Moody's:

Increasing numbers of companies are undertaking enterprise-level approaches to risk—a more encompassing and systematic review of potential risks and their mitigation than most companies have undertaken in the past. Business units are tasked with identifying risks and, where possible, quantifying and determining how to mitigate them. These assessments typically are rolled up to a corporate level, sometimes with direct input from the board or audit committee. These assessments have often been relatively broad, focusing on reputation, litigation, product development, and health and safety risks, rather than focusing solely on financial risks. Where we have seen these assessments implemented we have commented favorably, particularly when the board or the audit committee is actively involved.5

Given the overwhelming incentives and pressures to employ an enterprise-wide approach to risk management, we are surprised that more firms are not doing so. One deterrent is the scarcity of case studies describing successful implementations of ERM. A recent study by the Association of Financial Professionals noted that although most senior financial professionals see their activities evolving into a more strategic role, most also feel that more education and training are needed to meet these future challenges.6 The Joint Australian/New Zealand Standard for Risk Management provides the first practical prescription for implementation of ERM using generic examples. Some articles and reports provide examples and insights into the potential benefits of ERM, but most lack a useful framework and sufficient practical detail to guide other firms.7 One case study published in this journal in 2002 by Scott Harrington, Greg Niehaus, and Kenneth Risko describes how United Grain Growers combined protection against financial (such as currency and interest rate) risk and conventional insurance risk using an integrated risk management policy provided by Swiss Re.8 However, there is a crucial need for case studies that help firms to better understand the totality of risks faced—that is, a more holistic view of ERM—and not just those that are easier to quantify.9 Although there is no "one size fits all" approach to ERM, companies can benefit by following the best practices of successful firms.
The purpose of this case study is to fill this gap in the literature by providing the process by which one firm, Hydro One Inc., has successfully implemented ERM. This firm is at the forefront of ERM, especially in the comprehensive management of risks faced. Risk managers from the World Bank, the Auditor General of Canada, Fluor Corporation, Toronto General Hospital/University Health Network, and other firms from various economic sectors have visited Hydro One in order to learn from its experiences.
This case study examines the implementation of ERM at Hydro One by describing the process the firm followed, beginning with the creation of the chief risk officer position (the rise of the CRO). We describe the steps of implementation, which started with a pilot study involving workshops conducted with one of the subsidiaries. The purpose of the pilot study was to determine if ERM should be deployed throughout the firm.
We next analyze the ERM process and describe various tools and techniques such as the "Delphi" method, risk trends, risk maps, risk tolerances, risk profiles, and risk ranking as it relates to the capital expenditure process. Finally, we note that ERM has become such an integral part of the workplace that the corporate chief risk officer is now becoming a low-maintenance position (the evolution of the CRO) within the company.

HYDRO ONE
Hydro One Inc. is the largest electricity delivery company in Ontario, Canada, and one of the 10 largest such companies in North America. Its predecessor, Ontario Hydro, was founded nearly a century ago, principally to build transmission lines to supply municipal utilities with power generated at Niagara Falls. Hydro One came into being in 1999 after legislation divided Ontario Hydro's delivery and generation functions into two separate companies. Hydro One today consists of three businesses—(1) transmission, (2) distribution, and (3) telecom. Its main business (contributing 99 percent of revenue) is the transportation of electricity through the high-voltage provincial grid and low-voltage distribution system to municipal utilities, large industrial customers, and 1.2 million end-use customers.
Hydro One has total revenues of CAD 4.1 billion,10 total assets of CAD 11.3 billion, and approximately 4,000 employees. Total equity is CAD 4.3 billion, or 38 percent of total assets, and all the shares are owned by the Ontario government. In 2001, the Ontario government announced its intention to proceed with an initial public offering (IPO). However, special interest groups successfully challenged the IPO in the Supreme Court of Ontario, and the prospectus was withdrawn. Long-term financing for Hydro One is provided by access to the debt markets, including a medium-term note program. Short-term liquidity is provided through a commercial paper program.
The company's long-term debt is rated A2 by Moody's and A by Standard & Poor's, and its commercial paper is rated Prime-1 and A-2.

GETTING STARTED WITH ERM
Enterprise risk management was established at Hydro One in 1999. As part of the firm's spinoff from the previous Ontario Hydro, the management and board of Hydro One set high goals for being a best-practices organization with superior corporate governance and business conduct. Hydro One wanted to look at risks and opportunities in an integrated way that would lead to a better overall allocation of corporate resources. At the same time, the scheduled deregulation of the electricity markets posed a new external challenge that had to be addressed. Finally, the increased scrutiny on corporate governance called for a comprehensive risk management program.

Corporate Risk Management Group
At first, the attempts to implement ERM were led by external consultants, but no lasting benefits or transfer of knowledge appeared to result from those initiatives. Then, in late 1999, the head of internal audit, John Fraser (one of the authors of this article), was asked to take on the additional role of chief risk officer (CRO). The Corporate Risk Management Group was established consisting of the CRO (part-time) and two full-time professionals, one with a degree in industrial engineering and one with an MBA in process reengineering and organizational effectiveness. The group was given six months to prove its worth. If it failed to demonstrate its value during this period, the idea of implementing ERM would be abandoned and the Corporate Risk Management Group dissolved.
In early 2000, the Corporate Risk Management Group prepared two documents with the help of experienced consultants: (1) an ERM policy (Box 28.1) and (2) an ERM framework (Exhibit 28.1).
The ERM policy set forth the governing principles of risk management activities and who was responsible for specific aspects, and the ERM framework set out the procedures for ERM in greater detail. The Corporate Risk Management Group took the ERM policy and ERM framework to the Executive Risk Committee for discussion and approval. The committee, which consisted of the CEO and the most senior executives, suggested that a pilot study be undertaken with one of the small subsidiaries before formal approval of the policy and framework was sought from the audit and finance committee of the board.

Pilot Study
With some consulting assistance, the Corporate Risk Management Group planned the first ERM workshop in the subsidiary. Using its own staff, the group executed the first ERM workshop in spring 2000.
The workshop followed a conventional format. Prior to the workshop, a list of some 80 potential risks or threats to the business was developed and e-mailed to the management team of the subsidiary. Each member of the team was asked to choose the 10 most critical risks facing the company—and based on these choices, a list of the top eight was prepared. Then, at the workshop, these eight risks were discussed one at a time and their relative importance voted upon by the management team. Voting was accomplished using the Delphi method,11 which involves a combination of facilitated discussions and iterative anonymous voting technology designed to quickly identify and prioritize risks based on magnitude and probability and to evaluate the quality of controls. The first vote on the perceived magnitude of a particular risk—with risk defined on a five-point scale: Minor, Moderate, Major, Severe, and Worst Case—often showed wide dispersion. In each case, the initial vote was followed by discussion of the definition of the particular risk, and of its causes and consequences.
Depending on the dispersion of votes in the first voting session, the discussion could be long or short. A second vote was then taken; and until a clear alignment or a clearly defined cause of disagreement was established, this sequence of discussion and voting might be repeated (usually no more than three votes were needed in practice).

Box 28.1 Hydro One Inc.: Enterprise Risk Management Policy
[Box contents not reproduced in this extraction]

Exhibit 28.1 Risk Management Process
Establish the Business Context: Hydro One strategy; Hydro One business objectives; Hydro One risk tolerances; risk owners and stakeholders; risk language.
Identify Risks: What can happen? How can it happen?
Assess Risks and Controls: determine consequence; determine likelihood; assess current controls (confirm existence, determine effectiveness, estimate strength of controls); estimate level of risk.
Tolerable risk? (decided by the Risk Owner): if Yes, the risk passes to Monitor and Review; if No, it passes to Mitigate/Treat Risks.
Mitigate/Treat Risks: identify treatment options; assess effectiveness; assess cost; assess ease of implementation; prepare/approve treatment plans; implement plans.
Running alongside every step: Communicate and Consult; Monitor and Review.
Then, with the voting and prioritization of risks completed, preliminary action plans were discussed and managers identified as "Champions" with the responsibility of developing more concrete action plans.
The discussions proved to be valuable. Issues that managers had thought about but never openly discussed were addressed. Concerns about some risks were allayed and new risks were identified; but in any case there was the beginning of a common understanding of risks and of a corporate plan for prioritizing action and resources to manage such risks. Since this was a pilot study for the Corporate Risk Management Group, the participants were asked to evaluate the quality and benefits of each workshop. The programs received high ratings and the managers of the subsidiary requested a follow-up session to discuss and rank the next eight risks that had been identified.

Final Approval
Following the pilot study in the subsidiary, the Corporate Risk Management Group returned to the Executive Risk Committee for debriefing. The pilot study was considered a success, and the chief risk officer presented the ERM policy and the ERM framework to the audit and finance committee of the board for approval. In the summer of 2000, the audit and finance committee approved the documents, and a roadmap for implementing ERM at Hydro One was established.

PROCESSES AND TOOLS
The overall aim of Hydro One's ERM framework (Exhibit 28.1) is not risk elimination or risk reduction per se, but rather attainment of an optimal balance between business risks and business returns.
The ERM Policy of Hydro One in Box 28.1 defines risk as follows:

The potential that an event, action, or inaction will threaten Hydro One's ability to achieve its business objectives. Risk is described in terms of its likelihood of occurrence and potential impact or magnitude. Broad categories of risk in Hydro One include strategic, regulatory, financial, and operational risks.
The Business Context
Since risk is defined by its potential to threaten the achievement of business objectives, it is imperative to clearly state these objectives and how they contribute to Hydro One's overall strategy. The Corporate Risk Management Group found that objectives were not always clearly articulated, and that the workshop process from the pilot study helped in achieving clarity of business objectives needed to achieve the corporate mission.
The same was true of risk tolerances. Risk tolerances are guidelines that establish levels of acceptable and unacceptable exposures to any given risk (Exhibit 28.2 shows risk tolerances for 3 categories of risk out of 16). Tolerances define the range of possible impacts (on a five-point scale from Minor to Worst Case) of specific risks on business objectives. Through the workshops, a common understanding was developed as to how to categorize impacts from a particular risk on the firm's ability to accomplish key business objectives.12
As an example, Hydro One has a financial objective related to earnings stability—namely, to limit the risk of a major shortfall in net income and the associated possibility of financial distress costs. One source of the risk to net income is loss of competitiveness; another is the volatility of financial markets. A second important corporate objective of Hydro One is maintaining its reputation and public profile. One potential source of reputational risk is pollution damage; another is inappropriate employment contracts. In this case, the magnitude of the risk is not measured in dollar terms, but in terms of the extent of public criticism both on a local as well as an international basis.

Exhibit 28.2 Risk Tolerances (example of Hydro One Inc. risk tolerances)
Event impact levels, by deterioration in results: 1 Minor (noticeable deterioration in results); 2 Moderate (deterioration in results); 3 Major (significant deterioration in results); 4 Severe; 5 Worst Case (threatens the survival of Hydro One Inc. in its current form).
Financial objective (net income shortfall, after tax, in one year):
  1 Minor: <$5M shortfall
  2 Moderate: $5–25M shortfall
  3 Major: $25–75M shortfall
  4 Severe: $75–150M shortfall
  5 Worst Case: >$150M shortfall
Reputation objective (negative media attention; opinion leader and public criticism):
  1 Minor: letter to government or senior management
  2 Moderate: local profile
  3 Major: provincial profile; several opinion leaders/customers publicly critical
  4 Severe: national media attention; most opinion leaders/customers publicly critical
  5 Worst Case: international media attention; opinion leaders/customers nearly unanimous in public criticism
System Reliability objective (outages on the Hydro One system):
  1 Minor: one of: <1,000 customers (distribution) or <10 MW (transmission) for <4 hours, or near threshold for one NERC standard
  2 Moderate: one of: 1k–10k customers (Dx) or 10–100 MW (Tx) for 4–24 hours, or near threshold of many NERC standards
  3 Major: one of: 10k–40k customers (Dx) or 100–400 MW (Tx) for 2–4 days, or concern expressed by NERC
  4 Severe: one of: 40k–100k customers (Dx) or 400–1,000 MW (Tx) for 4–7 days, or failure to meet some of NERC minimum standards
  5 Worst Case: one of: >100,000 customers (Dx) or >1,000 MW (Tx) for more than seven days, or failure to meet NERC minimum standards
Definition of risk tolerances: (1) Minor: noticeable disruption to results; manageable; (2) Moderate: material deterioration in results; a concern; may not be acceptable; management response would be considered; (3) Major: significant deterioration in results; not acceptable; management response required; (4) Severe: fundamental threat to operating results; immediate senior management attention; (5) Worst Case: results threaten survival of company in current form, potentially full-time senior management response until resolved.
Although the ERM policy of Hydro One states that "risk management is everyone's responsibility, from the Board of Directors to individual employees," the risk facing a specific project or line of business will typically fall under the accountability of a primary risk "owner," typically the project manager or the business's CEO.

Identification and Assessment of Risks and Controls
The approach to risk identification depends on the depth and breadth of the activities under review and the extent to which these activities are "new" to Hydro One. As described above, however, the process typically involves the identification of 50 to 70 business risks, which are then narrowed down to the 10 most significant risks through interviews and focus groups. In assessing risks, the aim is to understand both the size of the potential losses as well as the associated probability of occurrence. In theory, the correct way to portray the estimated effect of a risk is to use a probability curve that reflects the potential outcomes and associated probabilities. But given the practical difficulties of "building" such a curve, Hydro One has instead chosen to focus on the "worst credible" outcome within a given time frame and its associated probability of occurrence. This has proven to be a practical and efficient way to focus on major risks while avoiding excessive detail and complex calculations.
For all risks deemed to be "major," Hydro One defines the "worst credible" outcome as the greatest loss that can result in the event that certain key controls fail. (As so defined, worst credible outcomes differ both from "inherent magnitudes," which assume that all controls fail or are absent, and "residual magnitudes," which assume that all key controls are in place and functioning.) The probability of such outcomes is evaluated for a specific time frame, generally two to five years, though for special projects the period is as short as six or nine months.
As shown in Exhibit 28.3, Hydro One uses a probability rating scale from "Remote" (a 5 percent probability that the event will occur in the stipulated time frame) to "Virtually Certain" (95 percent probability). After the Corporate Risk Management Group has helped management estimate the "worst credible" outcome, the impact on various objectives, and the associated probabilities for each risk (by workshops and the Delphi method), the next step is to produce a "risk map" like the one presented in Exhibit 28.4. The bubbles in the figure represent the expected effect of the risk on a certain objective in terms of its estimated impact (reflected on the horizontal axis) and the estimated probability that the impact materializes (on the vertical axis). In the case of each risk, the estimated probabilities represent the relevant experts' best guess that the "worst credible" outcome will materialize. Management also uses the risk map to track the historical development of particular risks and to project expected future developments.13

Exhibit 28.3 Probability Rating Scale
Score  Rating             Description
5      Virtually Certain  95% probability that the event will occur in the next five years
4      Very Likely        75% probability that the event will occur in the next five years
3      Even Odds          50% probability that the event will occur in the next five years
2      Unlikely           25% probability that the event will occur in the next five years
1      Remote             5% probability that the event will occur in the next five years

Exhibit 28.4 Risk Map (Corporate Risk Map)
Horizontal axis: Magnitude (1–5). Vertical axis: Probability (1–5). Risks plotted: Growth; Regulatory Uncertainty; Organizational Readiness; Network Services Launch; Asset Condition; Catastrophic Events; Environmental Contamination; Hazardous Operating Environment; Market Ready Project; New Electricity Marketplace; Economy/Financial Markets. NOTE: Size of bubbles is proportional to control strength; bigger bubbles = stronger controls.

The size of the bubbles in the figure indicates the extent of management's confidence in the effectiveness of the company's controls and efforts to limit individual exposures. Control assessment involves the strength of existing organizations, processes, systems, and feedback loops that are in place to manage the risk. The company has developed a "control strength" model that is designed to complement its risk tolerances. For any given magnitude of risk (from Minor to Worst Case), there is a corresponding strength of control, with "1" representing few controls and "5" representing full prescriptive controls with executive oversight.

Tolerability of Risk—and Risk Mitigation
Once risks and controls are assessed, a rank-ordered list of "residual risks" is assembled. The risk owner (for example, the subsidiary CEO or the project manager) then determines the firm's tolerance for each risk. Within the limits of the risk owner's accountability, the risk owner decides either to accept the risk as is or to take (further) steps to mitigate it. If the risk owner accepts the risk as is, the risk is monitored and reviewed in the normal future course of risk management processes. If the risk owner decides to mitigate the risk, the process of risk mitigation is defined.
Risk owners thus have seven possible ways of dealing with significant risks:
1. Retain: Risk exposure is accepted as is without further mitigation, since the potential return is viewed as desirable and the downside exposure is not significant.
2. Retain, but change mitigation: A partially mitigated exposure is maintained, but a change in mitigation reduces the cost of control.
3. Increase: Risk exposure is increased, either because the potential return is viewed as desirable or the controls in place are not cost-effective.
4. Avoid: Risk exposure will be eliminated entirely (perhaps by withdrawal from a business area or ceasing the activity), since the potential return does not offset the downside exposure.
5. Reduce the likelihood: Risk exposure will be reduced cost-effectively through new or enhanced preventive controls.
6. Reduce the consequences: The impact of any risk that materializes will be reduced through emergency preparedness or crisis response.
7. Transfer: Risk exposure will be transferred to others (perhaps through an insurance policy or an outsourcing arrangement).
As can be seen from the list, risk mitigation is not necessarily the same as risk elimination or risk reduction. As previously mentioned, the purpose of strategic risk management at Hydro One is to balance business risks and business returns by taking into account the potential upside as well as the downside associated with a particular risk. Thus, a balancing act may involve an increase in risk. In practical terms, however, an increase in risk at Hydro One is most likely to be decided at the strategic level. Once the strategic plan is set, the primary focus is on limiting the downside risk of failure to achieve stated business objectives.

Monitor and Review
Risks do not remain static. The magnitude and probability of a certain risk are affected by internal controls (mitigation) as well as external changes in the environment. Monitoring and reporting are fundamental to effective management of business risks.
Furthermore, risks may not always be categorized correctly in the first place. Risks are notoriously hard to predict, and assessing risks is to a large extent a matter of qualitative guesswork. As physicist Niels Bohr observed, “Prediction is very difficult, especially about the future.”

An example of changing risk tolerances is Hydro One’s decision to issue shares on the New York Stock Exchange. During the period leading up to the scheduled offering, one of management’s greatest fears was the possibility of an unfavorable news story in the international press. As things turned out, however, the IPO was shelved. Then, in October 2003, the company had an oil spill that overflowed into a small stream and received a lot of press in Ontario.[14] When this got the attention of both the Ontario Government (Hydro One’s shareholder) and the company’s board of directors, the Corporate Risk Management Group quickly realized that their greatest reputational exposure was not to the international press, but to the local press and its power to inflame the sensitivities of Hydro One’s primary stakeholders. As a consequence, negative provincial press stories are now identified as a worst-case scenario—considerably worse than their international counterparts—and strong measures are taken to avoid them.

CORPORATE RISK PROFILE

The risk management process described in the previous section serves as the basic framework for managing risks at Hydro One. The framework can be used in the normal conduct of business or for new projects. To aggregate the information from these processes in a form suitable for the senior management and board of directors, the Risk Management Group prepares a Corporate Risk Profile twice a year. Exhibit 28.5 provides an illustration of the risk profile using the same risk sources contained in the risk map in Exhibit 28.4.
The purpose of the Corporate Risk Profile is to ensure that the senior management team shares a common understanding of the principal risks facing the organization and to provide a basis for allocating resources to address risks based on their priority. The Corporate Risk Profile is based on structured interviews with the top 40 to 50 executives together with databases from other sources (such as annual business plans and workshops). The profile reflects the executives’ assessments of both previously identified risks and risks that may have been identified since the last profile in workshops, media scans, or other sources.

Description of Risk Sources

The June 2000 Corporate Risk Profile in Exhibit 28.5 shows the list of the top risks ranked as “Very High,” “High,” and “Medium.” As of June 2000, 11 key risks had been identified. The figure also shows how these risks were rated in the previous profile and the estimated trend. And as the changes and trends suggest, the Corporate Risk Profile is by no means a static document. New risks arise with legislation or new initiatives. The severity of some risks can be reduced by mitigation efforts or changes in external factors.

Exhibit 28.5 Corporate Risk Profile (Mid-Year 2000 Corporate Risk Profile)

Risk Source                      Risk Rating Dec. 1999   Risk Rating June 2000   Risk Trend
Growth                           Very High               Very High
Regulatory Uncertainty           Very High               Very High
Organizational Readiness         High                    High
Network Services Launch          N/A                     High                    New
Asset Condition                  High                    High
Catastrophic Events              High                    High
New Electricity Marketplace      High                    High
Environmental Contamination      Medium                  Medium
Hazardous Operating Environment  Medium                  Medium
Market Ready Project             Medium                  Medium
Economy/Financial Markets        Medium                  Medium
And the estimated severity of some risks can also change because the risks (and the consequences of mitigation) are better understood.

In addition to the major sources of risk and their trends, the Corporate Risk Profile also describes the corporate objectives that are likely to be most affected by such risks and the corporate controls being used to mitigate such risks. Below we describe each of the 11 major risks as evaluated in June 2000 and the corporate measures to manage such risks.

1. Growth: Hydro One has plans for significant growth through acquisitions of both existing and related businesses within and beyond Ontario. This is a major risk source because there are many substantial barriers to the achievement of the planned growth. Business development and financial results are the objectives most likely to be affected. The actions of the government (as owner) create the largest part of this risk because the degree of owner support for the acquisition strategy is not always clear and firm. Hydro One has limited experience in identifying, negotiating, and integrating significant acquisitions. The exposure to government actions is mitigated by senior management participation in government review processes and a proactive government relations function. Acquisition risks are mitigated by various means, including careful planning and analysis, staff skill development, and external advisors.

2. Regulatory uncertainty: The objectives of Hydro One are greatly influenced by the actions of regulators. The rules under which regulators operate will likely change as experience in the restructured industry is gained. Also, other stakeholder groups will influence regulatory decisions. The objectives most likely affected are financial results, legal/regulatory status, and reputation. Methods for mitigating this risk include increased and more effective interactions with the government and the Ontario Energy Board, increased priority and profile for regulatory matters within the company, and restoration of the company’s regulatory staff capability through the addition of senior regulatory staff.

3. Organizational readiness: Organizational readiness reflects the ability of the company to provide effective services to customers and to improve operating efficiency in the new business environment. Many systems and processes are recognized to be less than optimally efficient and some inefficiencies are amenable to IT solutions. Readiness has been both helped and made more complex by the departure of 1,400 of the most seasoned employees through the recent voluntary retirement program (see Box 28.2). This risk source impacts competitiveness and customer service. Methods being used to mitigate this risk source include performance contracting, compensation programs, labor relations strategies, and improved technology prioritization processes.

4. Network services launch: The risks associated with the creation of a separate subsidiary to provide wire network services in the open market are many and varied, including uncertainty about the form of the future competitive market, the ability of the business to achieve a competitive cost structure, and the regulatory treatment of the business’s reorganization costs. Possible consequences of such risks are reductions in competitiveness, reliability of customer service, and financial results. Mitigating this risk source involves a carefully crafted strategy and transition plan.

5. Asset conditions: The aging of asset wires and the possibility of underfunded maintenance and incomplete information about the condition of assets represent risks to customer service and reputation. Ways to mitigate this risk include redundancy on the transmission system, emergency response capability, and increased attention to this issue through higher planning priority.

6. Catastrophic events: Hydro One has assets covering a large geographical area, and the firm thus faces some exposure to destructive natural events such as tornadoes, which damage facilities every year, and ice storms, which are less frequent but can cause widespread damage and disruption of service. These events affect customer service, reputation, and financial results. Methods used to mitigate this risk include those listed under asset conditions (see above), as well as emergency preparedness plans and rehearsals, weather forecasting, and insurance.

7. Environmental contamination: This risk is largely driven by lands owned by the company that are contaminated with arsenic trioxide. Other contaminants are penta poles, transformer oils, and PCBs. To mitigate such risks to the firm’s reputation and financial results, as well as to the environment itself, the firm uses a combination of limited insurance coverage with initiatives designed to prevent such contamination.

8. Hazardous operating environment: Essentially all Hydro One facilities are electrically energized and so represent a threat to employees, contractors, and the public. In order to protect the firm’s reputation as well as ensure employee and public safety, risk mitigation is accomplished through facilities design, asset maintenance, safe work practices, and employee training and supervision.

9. Market Ready Project: The Market Ready Project is a major complex undertaking with uncertain requirements and has the potential to cause Hydro One to delay the province’s market opening, to cause significant customer or regulator dissatisfaction, or to well exceed its projected budget. Mitigation is provided by giving the project a high priority and profile. The recently announced delay in market opening reduces this risk, although it does not eliminate it, as even the delayed schedule is seen as tight.

10. New electricity market: The evolving electricity market exposes Hydro One to a wide range of unpredictable actions by competitors, customers, generators, and regulators. Any one of these parties may be able to erode the company’s market position or increase its costs, thereby harming financial results. To limit this risk, the company’s management is active on the IMO Board (the Independent Electricity Market Operator) and is negotiating a comprehensive operating agreement with the IMO.

11. Economy/financial markets: Changes in commodity prices, exchange rates, or interest rates can have adverse effects on net income and cash flows. Hydro One has no commodity risk and does not trade in energy derivatives. The direct effect of fluctuations in exchange rates is considered insignificant, although this may change in the future if the company issues foreign currency debt. (All debt is currently denominated in local currency.) The company is, however, exposed to fluctuations in interest rates through its floating-rate debt (though corporate policy specifies that at most 15 percent of total debt can have floating rates) and through the refinancing of its maturing longer-term debt. Besides limiting its use of floating-rate debt, the company also periodically uses interest rate swap agreements to manage interest rate risk.
Management estimates that a 100-basis-point increase in interest rates would reduce net income by roughly CAD 25 million—a risk deemed to be “Minor” or “Moderate” on the risk tolerance scale. All prudent expenses, including interest, are part of the rate base and recoverable through billing rates, so that any interest rate increase would eventually be recovered, but it would not be regarded as good management by the board and would show up as a reduction of profits in the current year. Hydro One has some exposure to credit risk, both from its customers and from the possibility of counterparty default on its interest rate swaps. The credit risk associated with customers is effectively managed through a broadly diversified customer base. The counterparty default risk is limited by the company’s policy of transacting only with highly rated counterparties, limiting total exposure levels with individual counterparties, and entering into master agreements that allow “net settlement.”

Box 28.2 Strategic Risk Management Analysis of Voluntary Retirement Package

In the early summer of 2000, the Risk Management Group was asked to perform an enterprise risk management analysis of the risks related to a Voluntary Retirement Package (VRP) that was offered to employees at Hydro One. The purpose of the Voluntary Retirement Package was to reduce staff and related costs in preparation for an IPO. However, the Voluntary Retirement Package turned out to be almost too much of a success. Hydro One lost 1,300 employees out of a total of more than 6,000 employees—far more than the 800 that were expected to take the package. And the 1,300 employees were in most cases senior and experienced personnel. The senior management of Hydro One feared that without a rigorous analysis, some unjustified requests for personnel to replace those who had left would eradicate the economic benefits of the program.

In risk map terms, the purpose of the enterprise risk analysis was to address the bubbles in the far right-hand corner and move these bubbles toward the lower left-hand corner as cost effectively as possible. (See Exhibit 28.4 for an illustration of this concept.)

The Corporate Risk Management Group discussed business objectives and related risk tolerances with about 40 managers whose groups had experienced material VRP losses. The group asked the managers what actions they had taken or planned to compensate for VRP losses (such as efficiency improvements or dropping activities) and where they felt they still had a resource gap that could impact corporate objectives. The interviews allowed the Corporate Risk Management Group to identify units where the VRP losses resulted in material risk and what the impacts of those risks might be. The group vetted this feedback through a series of interviews with senior management responsible for each major functional area (finance, regulatory, and so on) to validate middle management’s assessment of both the gap and the impacts. For areas of material risk (“Major” or higher), the group asked managers what could be done in order to reduce risk to a “Moderate” level or lower.

The managers indicated that they had taken actions or had plans underway to compensate for the loss of some of the employees. The most important mitigating technique was from planned efficiency gains, but the possibility of hiring contract/temporary workers was also planned. Overall, managers estimated that they could compensate for 1,100 employees out of the 1,300 employees lost, thus leaving a gap of some 200 employees to mitigate excessive levels of risks.

The Corporate Risk Management Group developed a draft list of VRP risk sources, which the senior management team assessed and ranked at a two-hour facilitated workshop, using electronic voting technology and the Delphi method. The result was a list of 11 risk sources ranked according to their significance. “Customer Relations” and “Network Services” topped the list with a risk score of 3.9 and 3.8 on a five-point scale integrating both magnitude and probability. For example, “Customer Relations” was voted as having a magnitude of 3.8 and a probability of 4.1, which gave an ultimate risk score of 3.9. Some of the risk sources pertained to specific organization units while other risk sources were generic (organization-wide). For the unit-specific risks, the Corporate Risk Management Group calculated on the basis of input from managers that a mitigation process that reduced all risks to a “Moderate” level or lower (1 or 2 on a five-point scale—see Exhibit 28.2) would require 126 full-time employees and CAD 4.4 million. For the generic risks, a combination of monitoring, planning, and risk assessment programs was proposed. The mitigation as to unit-specific risks as well as generic risks was not intended to eliminate the VRP as a source of risk but to reduce the risks to acceptable levels in a cost-effective way.

QUANTIFYING THE UNQUANTIFIABLE

The final step of the ERM process at Hydro One is to prioritize the use of resources for investment planning based on the risks identified. Hydro One is inherently an asset management company in the sense that most of its assets have a life expectancy of 30 to 70 years. The Investment Planning Department of Hydro One collaborated with the Corporate Risk Management Group to develop a risk-based approach for allocating resources.
Using this approach, the company has managed to find an innovative way of “quantifying the unquantifiable.” The approach rests on three pillars:

1. The five-point risk tolerance scale (from Minor to Worst Case) for assessing the estimated impact of a given risk on a given corporate objective (illustrated earlier in Exhibits 28.2 and 28.4).
2. The five-point probability rating scale (from Remote to Virtually Certain) for evaluating the probability that a given impact will materialize (shown in Exhibits 28.3 and 28.4).
3. The quality of controls (or other risk management mechanisms) designed to reduce the residual risks.

Exhibit 28.6 illustrates this risk-based approach for determining capital expenditures. Each class of asset or type of expenditure is categorized into different levels[15] as follows:

• Highest Risk Exposure: an unacceptable level of risk that must be funded as a priority (and shown in color in Exhibit 28.6).
• Minimum Funding Level: the level of service at which the risk to the company’s business objectives is considered barely tolerable.
• Level 1: at this level of funding, the risk to business objectives is materially lower than at the Minimum Funding Level.
• Levels 2 and 3 (not illustrated in the figure): At these levels of funding, the risk to business objectives is materially lower than at Level 1.

A description of the expenditures and associated risks is provided for each level. The investment levels are associated with specific accomplishments—for example, numbers of kilometers of line cleared, or numbers of calls answered within 30 seconds.

Exhibit 28.6 A Risk-Based Structural Approach to Investment Planning at Hydro One

Program    Level           Cost   Cuml. Cost   Risk If Not Done   Bang for the Buck
Tree Trim  Red             $2     $2           4.6                Intolerable Risk
Lines      Red             $6     $8           4.5                Intolerable Risk
Poles      Red             $1     $9           3.9                Intolerable Risk
Tree Trim  Minimum Level   $1     $10          2.8                2.80
Lines      Level 1         $3     $13          3.0                1.00
Tree Trim  Level 1         $2     $15          1.9                0.95
Lines      Minimum Level   $5     $20          3.2                0.64
Poles      Minimum Level   $12    $32          2.3                0.19

This illustrates Hydro One’s risk-based structural approach for determining capital expenditures. The three projects in the box (the “Red” rows) have the highest risk exposure measure and will have the top priority for resource allocation. This type of ranking of projects across work programs is very useful for resource allocation prioritization in the capital expenditures process. “Bang for the Buck” equals “Risk if not done” divided by dollar cost.

As also shown in Exhibit 28.6, all investment levels for each asset class are risk rated based on magnitude and probability for the major corporate objectives using a grid. This grid defines intolerable combined levels of magnitude and probability (shown as Highest Risk in Exhibit 28.6), and assigns a risk rating based on a scale for the combined rating. Each class of asset is stratified into different levels of risk (Highest Risk, Minimum Funding Level, Level 1, and so on). As an example, “Tree Trim” is broken down into several categories, each with its own risk rating. Highest Risk might be minimum clearance near urban centers, while Level 2 might correspond to a deeper clearance on small lines with lower risk.

Hydro One has applied a method named “Bang for the Buck” to be used in prioritizing expenditures for non–Highest Risk risks. The Bang for the Buck index prioritizes by calculating the risk reduction per dollar spent. For example, at the top of the Bang for the Buck index in Exhibit 28.6 is “Tree Trim” (Minimum Level), which shows 2.8 risk units (“Risk if not done”) eliminated by spending one dollar (“Cost”). This gives a Bang for the Buck value of 2.8. At the other end of the scale, the elimination of 2.3 risk units in relation to Poles (Minimum Level) by spending $12 gives a more modest Bang for the Buck value of 0.18. At the point where the cumulative expenditures reach the level of the available resources, the planned work for the year is determined. The documented prioritization of planned investments in assets is then the subject of a formal two-day meeting between the senior asset managers and the executives that is designed to probe and validate assumptions before the investment plan is presented to the board of directors as part of the annual business planning process.

Using this approach to enterprise risk management, the company then attempts to combine the qualitative, imaginative strengths of scenario planning with the quantitative rigor associated with real options analysis.[16] Scenario planning is a well-established approach (the origins of which are generally traced to practices at Royal Dutch/Shell)[17] for thinking about major sources of corporate uncertainty. Real options, on the other hand, is a more scientific, finance-oriented approach that, at least in well-defined cases, can be used to quantify possible outcomes and the value of different strategies for dealing with such outcomes. In the case of an oil exploration company, for example, scenario planning might be used to help management anticipate the set of political and economic events that could lead to $100 per barrel oil prices. Real options could be used to estimate how much the firm would be worth while also providing management with a value-maximizing schedule for developing its reserves.
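The prioritization described above, carried through on the Exhibit 28.6 figures as an added example (not Hydro One's or the chapter's own model): Highest Risk items are funded first, the remainder are ordered by Bang for the Buck, and the plan is cut off where cumulative cost reaches the available budget. The budget figure and the rule that "Red" items bypass the index are assumptions drawn from the surrounding text.

```python
"""Risk-based capital expenditure prioritization modelled on Hydro One's
"Bang for the Buck" index (Exhibit 28.6). Added example, not the company's
own model: the program data are the exhibit's figures; the budget cut-off
and the rule that Highest Risk ("Red") items are funded before the index is
consulted are assumptions drawn from the surrounding text."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HIGHEST_RISK = "Red"  # Highest Risk Exposure: intolerable, funded as a priority


@dataclass(frozen=True)
class Program:
    name: str
    level: str
    cost: float              # dollars, as labelled in the exhibit
    risk_if_not_done: float  # combined magnitude/probability rating

    @property
    def intolerable(self) -> bool:
        return self.level == HIGHEST_RISK

    def bang_for_the_buck(self) -> Optional[float]:
        """Risk units eliminated per dollar spent; undefined for intolerable
        items, which bypass the index entirely."""
        if self.intolerable:
            return None
        return self.risk_if_not_done / self.cost


# Constructed from the rows of Exhibit 28.6 (program, level, cost, risk if not done).
EXHIBIT_28_6: List[Program] = [
    Program("Tree Trim", "Red", 2, 4.6),
    Program("Lines", "Red", 6, 4.5),
    Program("Poles", "Red", 1, 3.9),
    Program("Tree Trim", "Minimum Level", 1, 2.8),
    Program("Lines", "Level 1", 3, 3.0),
    Program("Tree Trim", "Level 1", 2, 1.9),
    Program("Lines", "Minimum Level", 5, 3.2),
    Program("Poles", "Minimum Level", 12, 2.3),
]


def rank(programs: List[Program]) -> List[Program]:
    """Highest Risk items first (in the order given), then everything else
    by descending Bang for the Buck."""
    urgent = [p for p in programs if p.intolerable]
    rest = sorted((p for p in programs if not p.intolerable),
                  key=lambda p: p.bang_for_the_buck(), reverse=True)
    return urgent + rest


def plan(programs: List[Program], budget: float) -> Tuple[List[Tuple[Program, float]], List[Program]]:
    """Walk the ranked list accumulating cost. The planned work for the year is
    everything up to the point where cumulative cost would exceed the budget.
    Returns (funded items paired with cumulative cost, unfunded items).
    Raises if the budget cannot cover even the intolerable items, since under
    the model those are not optional."""
    ranked = rank(programs)
    urgent_cost = sum(p.cost for p in ranked if p.intolerable)
    if urgent_cost > budget:
        raise ValueError(f"budget {budget} cannot cover Highest Risk items costing {urgent_cost}")
    funded: List[Tuple[Program, float]] = []
    unfunded: List[Program] = []
    cumulative = 0.0
    cut_off = False
    for p in ranked:
        if not cut_off and cumulative + p.cost <= budget:
            cumulative += p.cost
            funded.append((p, cumulative))
        else:
            cut_off = True  # resources exhausted: nothing further is planned this year
            unfunded.append(p)
    return funded, unfunded


def render(programs: List[Program], budget: float) -> str:
    """Plain-text version of the exhibit's columns for the funded rows."""
    funded, _ = plan(programs, budget)
    lines = [f"{'Program':<10}{'Level':<15}{'Cost':>6}{'Cuml.':>7}{'Risk':>6}  Bang for the Buck"]
    for p, cuml in funded:
        bfb = p.bang_for_the_buck()
        tag = "Intolerable Risk" if bfb is None else f"{bfb:.2f}"
        lines.append(f"{p.name:<10}{p.level:<15}{p.cost:>6.0f}{cuml:>7.0f}"
                     f"{p.risk_if_not_done:>6.1f}  {tag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Assumed budget of $15: funds the three Red rows and the top three index rows.
    print(render(EXHIBIT_28_6, budget=15))
```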
BENEFITS OF ERM AND OUTCOMES AT HYDRO ONE

Hydro One’s 2003 Annual Report summarizes the benefits of ERM as follows: “An enterprise-wide approach enables regulatory, strategic, operational, and financial risks to be managed and aligned with our strategic business objectives.” Exhibit 28.7 reflects our attempt to list and elaborate on some of the key benefits. Although most are qualitative and difficult to quantify, all are perceived as valuable.

From a finance perspective, the most direct evidence of a benefit from ERM is the positive reaction of the credit rating agencies and the resulting reduction in the company’s cost of debt.[18] In 2000, Hydro One issued $1 billion of debt, its first issue as a new company after the split-up of Ontario Hydro. According to recent conversations with senior ratings analysts at Moody’s, ERM was then (and continues to be) a significant factor in the ratings process for the company.[19] The firm reportedly received a higher rating on this initial issue (AA− from S&P and A+ from Moody’s) than initially anticipated, and the issue was oversubscribed by approximately 50 percent. To quantify the potential yield savings, consider that since 2000, the long-term mean yield spread between AA and A has averaged approximately 20 basis points. And if we conservatively credit ERM with reducing the company’s debt costs by, say, 10 basis points, this translates into annual savings in interest costs of $1 million on the $1 billion in new debt.

Another clearly important benefit is the improvement of Hydro One’s capital expenditure process using the risk mitigation prioritization index. As described in the previous section, this process takes into account the benefit of risk reduction in all major risk categories (that is, regulatory, financial, reliability, safety, reputation, and so on) by allocating capital expenditures according to the greatest overall risk reduction per dollar spent. While the system is complex and involves extensive computer modeling, the result is a capital allocation process that is much more likely to lead the firm toward the optimal (viewed on a risk-adjusted basis) portfolio of capital projects.

In addition to a lower cost of capital and improved capital allocation, our discussions with Hydro One’s management also suggest a number of less tangible benefits, some of which are described in Exhibit 28.7. Perhaps most important, top management seems convinced that employees at all levels of the organization now have a much better understanding of the firm’s risks and what they can do to manage them. And, as described in the next section, this process appears to have led to an impressive change in the company’s corporate culture.

Exhibit 28.7 Benefits of ERM and Outcomes at Hydro One

Examples of ERM Benefits: Achieve lower cost of debt
Hydro One Experiences: Realized higher debt rating and lower interest costs than expected on $1 billion debt issue, which was the first issue as a new company. Issue was heavily oversubscribed. Ratings analysts stated ERM was a significant factor in the ratings process for Hydro One.

Examples of ERM Benefits: Focus capital expenditures process on managing/allocating capital based on greatest mitigation of risk per $ spent
Hydro One Experiences: Capital expenditures are allocated and prioritized based on a risk-based structural approach. An “optimal portfolio” of capital investments is achieved providing the greatest risk reduction per $ spent. Also, ERM has been used in the management of major projects such as the 88 corporate utility acquisitions during 2000 and the potential building of an underground cable to the USA.

Examples of ERM Benefits: Avoid “land mines” and other surprises
Hydro One Experiences: Since starting ERM, there have been many unusual occurrences at the company. Two significant ones were spelled out in the Corporate Risk Tolerances ahead of time: the dismissal of the Board of Directors and the reaction to a large oil spill.

Examples of ERM Benefits: Reassure stakeholders that the business is well managed, with stakeholders defined to include investors, analysts, rating agencies, regulators, and the press
Hydro One Experiences: During the IPO road shows, the Corporate Risk Management Group was told that the ERM workshops had greatly assisted the executive team in articulating the risks they faced and what was being done about them. There are many other examples.

Examples of ERM Benefits: Improve corporate governance via best practices guidelines
Hydro One Experiences: Hydro One has moved from the Board Committees asking why these risk summaries were being brought to them to a point at which they now routinely expect this information. Directors recognize that Hydro One is ahead of other companies on whose boards they sit.

Examples of ERM Benefits: Implement a formalized system of risk management that includes an ERM system (a required component of the 1995/1999/2004 Australian Standard for Risk Management)
Hydro One Experiences: Hydro One has a formalized system that drives periodic assessment, documentation, and reporting of all risks.

Examples of ERM Benefits: Identify which risks the company can pursue better than its peers
Hydro One Experiences: Although not necessarily attributable solely to ERM:
• A subsidiary involved in marketing electricity was sold due to high commodity risks.
• Several processing and administrative functions were outsourced to transfer labor union and labor cost risks.

Current Status

Instead of the title “Current Status,” we could have substituted “The Evolution of the CRO.” At the outset of the ERM initiative, the Corporate Risk Management Group consisted of the CRO (part-time) and two full-time professionals.
To date, the group has conducted more than 180 workshops and authored numerous internal reports on strategic risk management. Some of these reports were prepared in the normal conduct of business and were issued regularly. Other reports were requested ad hoc, such as the strategic risk management analysis of a voluntary D retirement program at Hydro One that is summarized in the box insert. Athere have been no full-time members From the end of 2003 until the present, of the Corporate Risk Management Group.I The CRO devotes 20 percent of his time to this role, and his previous staff have been reassigned to other jobs, although they are occasionally “borrowed back” forLcertain specific high-risk ERM projects. This reduction in personnel is not a sign Y of failure, but rather of two notable accomplishments: , 1. The transfer and generation of knowledge on strategic risk management throughout the organization hasRbeen so effective that strategic risk management is considered to be embedded in the various subsidiaries and Y need for extensive central planning, divisions to such an extent that the implementation, and monitoring is Asignificantly reduced. As evidence of Hydro One’s success in making “risk management everyone’s responsibility,” in 2002 the Corporate Risk N Management Group received the firm’s “Sir Graham Day Award for Excellence in Culture Change.”20 In the words of the then CEO and President of the company, Thanks to this team, Hydro One 2is becoming a leader in enterprise risk management—a key best-practice in 6 the energy industry, and a critical element of good corporate governance . . . This group’s progress to date has also garnered 7 fact, the risk managers from the World attention from other organizations. In Bank and Toronto General Hospital5have visited Hydro One to learn about our methods. B 2. Hydro One has become a well-established company both internally and U externally. 
In 1999 it was a “new” company operating in a market that was to be deregulated and it was scheduled for privatization through an IPO. Today Hydro One has more than five years of experience as an independent company. It has demonstrated its ability to compete in a market that had been deregulated (but is now moving toward more regulation), and its ownership structure is now considered stable. Thus, the extent to which Hydro One faces internal and external changes has been markedly reduced. The CRO continues to provide support for senior managers and develop risk management policies, frameworks, processes, and other analyses as needed. But thanks to the success of the program, the demand for hosting numerous workshops and establishing a risk management culture is greatly diminished. In short, risk management and awareness has become a mature operation at Hydro One (note 21).

CONCLUSION

This chapter describes the implementation over a five-year period of enterprise risk management at Hydro One, a Canadian electric utility company that has experienced significant changes in its industry and business. Starting with the creation of the position of chief risk officer and the deployment of a pilot study involving one of the firm’s subsidiaries, the ERM implementation process has made use of a variety of tools and techniques, including the “Delphi Method,” risk trends, risk maps, risk tolerances, risk profiles, and risk rankings. Among the most tangible benefits of ERM at Hydro One are a more rational and better-coordinated process for allocating capital and the favorable reaction of Moody’s and Standard & Poor’s, which has arguably led to an increase in its credit rating and a reduction of its cost of capital.
But perhaps just as important is the company’s progress in realizing the first principle of its ERM policy—namely, that “risk management is everyone’s responsibility, from the board of directors to individual employees. Each is expected to understand the risks that fall within the limits of his or her accountabilities and is expected to manage these risks within approved risk tolerances.” The implementation process itself has helped make risk awareness an important part of the corporate culture. As a result, the management of Hydro One feels that the company is much better positioned today than five years ago to respond to new developments in the business environment, favorable as well as unfavorable. Indeed, ERM can be viewed as an integral part of the company’s current business model. As Charles Darwin noted more than 150 years ago, in a world where mutability is the only permanent feature of the landscape, “It’s not the strongest of the species that survive, nor the most intelligent, but those that are the most responsive to change.”

NOTES

1. We view the terms “integrated,” “strategic,” and “enterprise-wide” as interchangeable in what we call enterprise risk management.

2. In the hypothetical Modigliani and Miller world of corporate finance, risk management does not add value. However, in the nonfrictionless environment of the real world, risk management by the firm can create value in one or more of the following ways that investors cannot duplicate for themselves: (1) facilitate the risk management efforts of the firm’s equity holders; (2) decrease financial distress costs; (3) lower the risk faced by important nondiversified investors (such as managers and employees); (4) reduce taxes; (5) reduce the firm’s capital costs through better performance evaluation and reduced monitoring costs; and (6) provide internal funding for investment projects and facilitate capital planning.
Refer to “A Senior Manager’s Guide to Integrated Risk Management” by Lisa Meulbroek, Journal of Applied Corporate Finance, vol. 14, no. 4 (Winter 2002) for more information on these benefits. Another view of how risk management can maximize firm value is that risk management should eliminate costly “lower-tail outcomes,” while preserving as much of the upside as possible; see R. Stulz, “Rethinking Risk Management,” Journal of Applied Corporate Finance, vol. 9, no. 3 (Fall 1996). Corporate risk management should include choosing the optimal mixture of securities and risk management products and solutions to give the company access to capital at the lowest possible cost; see Christopher Culp, “The Revolution in Corporate Risk Management: A Decade of Innovations in Process and Products,” Journal of Applied Corporate Finance, vol. 14, no. 4 (Winter 2002).

3. The Joint Australian/New Zealand Standard for Risk Management (AS/NZS 4360: 1999), first edition published in 1995, provides the first articulation of practical enterprise risk management. This guide covers the establishment and implementation of the risk management process involving the identification, analysis, evaluation, treatment, and ongoing monitoring of risks. See also: Committee of Sponsoring Organizations of the Treadway Commission (COSO) (September 1992); Group of Thirty, Derivatives: Practices and Principles (Washington, DC, 1993); “Where Were the Directors”—Guidelines for Improved Corporate Governance in Canada, Report of the Toronto Stock Exchange Committee on Corporate Governance in Canada (December 1994); CoCo (Criteria of Control Board of the Canadian Institute of Chartered Accountants); and Committee on the Financial Aspects of Corporate Governance (Cadbury Committee, final report and Code of Best Practices issued December 1, 2002).
4. In McKinsey & Company and Institutional Investor, “Corporate Boards: New Strategies for Adding Value at the Top,” a 1996 study of 50 money managers.

5. Refer to Moody’s “Findings on Corporate Governance in the United States and Canada: August 2003–September 2004.” (New York: Moody’s Investors Service, October 2004).

6. See the Association for Financial Professionals, “The Evolving Role of Treasury: Report of Survey Results,” (November 2003).

7. See, for example, “University of Georgia Roundtable on Enterprise-Wide Risk Management,” Journal of Applied Corporate Finance, vol. 15, no. 4 (Fall 2003); “Strategic Risk Management: New Disciplines, New Opportunities,” CFO Publishing Corporation (2002); Marie Hollein, “Measuring Risk: A Strategic Review and Step-by-Step Approach,” AFP Exchange, vol. 23, no. 6 (Nov./Dec. 2003); James C. Lam and Brian M. Kawamoto, “Emergence of the Chief Risk Officer,” Risk Management (September 1997); and similar articles in CFO magazine (www.cfo.com).

8. See S. Harrington, G. Niehaus, and K. Risko, “Enterprise Risk Management: The Case of United Grain Growers,” Journal of Applied Corporate Finance, vol. 14, no. 4 (Winter 2002), and Chapter 6 of T.L. Barton, W.G. Shenkir, and P.L. Walker, “Making Enterprise Risk Management Pay Off,” Financial Executives Research Foundation, Inc. (2002).

9. As reported in a recent survey, companies indicated that quantifiable risks are still absorbing too much of their attention and that they need to better understand the totality of the risks their firm faces. See “Uncertainty Tamed? The Evolution of Risk Management in the Financial Services Industry,” a joint project by PricewaterhouseCoopers and the Economist Intelligence Unit (2004).

10. CAD = Canadian dollars.
11. The Delphi method, originally developed by the RAND Corporation in 1964 for technological forecasting, is a way of estimating future measures by asking a group of experts to make estimates, recirculating the estimates back to the group, and repeating the process until the numbers converge. It is a formal method used to generate expert collective decisions. The Delphi method recognizes human judgment as legitimate and useful input in generating forecasts. Single experts sometimes suffer biases, and group meetings may suffer from “follow the leader” syndromes and/or reluctance to abandon previously stated opinions. The Delphi method is characterized by anonymity, controlled feedback, and statistical response. The RAND report is still interesting to read; it contains many innovations that are used in the analysis and describes Delphi results. For instance, the report presents arguments for using median values rather than the mean values of the group’s responses and also illustrates how ranges of opinions can be presented graphically (see T.J. Gordon and Olaf Helmer, “Report on a Long Range Forecasting Study,” R-2982, Rand Corporation, 1964). For a broad review of the literature on Delphi and references to the method and past studies, refer to Fred Woudenberg, “An Evaluation of Delphi,” Technological Forecasting and Social Change (September 1991). For further information on practical applications, see Michael Adler and Erio Ziglio (eds.), Gazing into the Oracle: The Delphi Method and its Application to Social Policy and Public Health (Jessica Kingsley Publishers, 1996).
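The Delphi loop that note 11 summarizes (collect estimates, feed back only a statistical summary, let the panel revise, repeat until the answers converge), simulated as an added example; this is not code from the chapter or from Hydro One. The five expert estimates, the “move halfway toward the median” revision rule and the hinge-spread stopping threshold are constructed assumptions, chosen so the run also shows why RAND preferred the median to the mean.

```python
"""Simulation of the Delphi feedback loop summarized in note 11.

Added illustration, not code from the chapter or from Hydro One. The expert
estimates, the revision rule and the convergence threshold are constructed
assumptions used only to make the loop concrete.
"""
from statistics import mean, median
from typing import Callable, Dict, List, Tuple

# Constructed round-one estimates from five anonymous experts of the
# expected annual cost (CAD millions) of a major transmission outage.
INITIAL_ESTIMATES = [2.0, 3.5, 4.0, 9.0, 12.0]

Summary = Tuple[float, float, float]  # (lower hinge, median, upper hinge)


def hinges(values: List[float]) -> Summary:
    """Return (lower hinge, median, upper hinge) of a sample.

    The hinges are the medians of the values below and above the overall
    median (the median itself is left out when the count is odd). One or
    two extreme answers drag the mean around but leave the median in place,
    which is the point RAND made in favour of reporting medians.
    """
    ordered = sorted(values)
    mid = len(ordered) // 2
    lower = ordered[:mid]
    upper = ordered[mid + 1:] if len(ordered) % 2 else ordered[mid:]
    return median(lower), median(ordered), median(upper)


def move_halfway(estimate: float, feedback: Summary) -> float:
    """Constructed revision rule: an expert moves half way toward the fed-back
    median. Real panellists revise as they see fit; anonymity means nobody is
    pressured to adopt a dominant voice's number outright."""
    _, group_median, _ = feedback
    return estimate + 0.5 * (group_median - estimate)


def run_delphi(initial: List[float],
               revise: Callable[[float, Summary], float],
               tolerance: float = 0.25,
               max_rounds: int = 10) -> Dict:
    """Iterate the Delphi loop: summarize, feed back, revise, repeat.

    "Statistical response" is the hinge/median triple; "controlled feedback"
    is that only this summary, never the individual answers, goes back to the
    panel. The stopping rule (an assumption, not from the chapter) is that the
    hinge spread has fallen to `tolerance` of the median.
    """
    estimates = list(initial)
    history = []
    for round_no in range(1, max_rounds + 1):
        lo, med, hi = hinges(estimates)
        spread = (hi - lo) / med if med else float("inf")
        history.append({"round": round_no, "median": med,
                        "mean": mean(estimates), "spread": spread})
        if spread <= tolerance:
            return {"converged": True, "rounds": round_no,
                    "median": med, "history": history}
        feedback = (lo, med, hi)  # only the summary is recirculated
        estimates = [revise(e, feedback) for e in estimates]
    return {"converged": False, "rounds": max_rounds,
            "median": hinges(estimates)[1], "history": history}


if __name__ == "__main__":
    result = run_delphi(INITIAL_ESTIMATES, move_halfway)
    for row in result["history"]:
        print(f"round {row['round']}: median={row['median']:.2f} "
              f"mean={row['mean']:.2f} spread={row['spread']:.2f}")
    print("converged" if result["converged"] else "not converged",
          "after", result["rounds"], "rounds; median", result["median"])
```

With these inputs the mean starts at 6.1 while the median stays at 4.0 in every round, and the panel converges after four rounds.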
12. The two scales (risk tolerance and probability rating) form the backbone of the quantification of risks at Hydro One and make comparisons possible between impacts that are easily quantifiable in monetary terms (e.g., shortfall in net income) and impacts that are more qualitative in nature (e.g., extent of criticism). For example, a risk that has an impact of 3 in relation to objective A and an impact of 2 in relation to objective B is a more serious threat to Hydro One in relation to objective A than it is in relation to objective B.

13. For another example of how a firm uses risk maps in enterprise risk management, refer to Chapter 5 on Microsoft Corporation, in T.L. Barton, W.G. Shenkir, and P.L. Walker (2002), cited earlier.

14. Refer to Hydro One news releases on October 1 and 2, 2003, about the oil spill in Pickering. Initially, the city of Pickering was upset about the oil spill from a station, the largest single transformer station in North America, in a residential community (see “Hydro Plant Oil Spill Riles Mayor of Pickering” in Bell Globemedia, October 2, 2003). Later, the mayor praised Hydro One’s quick response to the clean up (see “Hydro One Picks Up Tab for Oil Spill,” Electricity Forum News, October 2003).

15. A useful analogy for this methodology is to consider that in a typical household each asset (e.g., house, car, kids’ education) has certain expenditure requirements that are broken down into levels of expenditure; for example, the car has levels defined as Red Zone = fixing brakes (impacts safety objectives), Minimum Funding Level = changing oil to lengthen life (long-term financial objective; could also be viewed as Level 1), Level 3 = paint job (improve the family’s social image).

16. See, for example, Kent D. Miller and H. Gregory Waller, “Scenarios, Real Options and Integrated Risk Management,” Long Range Planning, vol. 36 (2003) 93–107, for a good general discussion.

17. See, for example, Paul J. H.
Schoemaker and Cornelius A.J.M. van der Heijden, “Integrating Scenarios into Strategic Planning at Royal Dutch/Shell,” Planning Review, vol. 20, no. 3 (May–June 1992) 41–46.

18. For additional discussion and examples of ERM and its effect on the cost of capital, see “University of Georgia Roundtable on Enterprise-Wide Risk Management,” Journal of Applied Corporate Finance, vol. 15, no. 4 (Fall 2003) 18–20.

19. On September 13, 2004, telephone interviews were conducted with senior ratings analysts at Moody’s to verify the importance of Hydro One’s ERM program in the credit rating process on their long-term debt. Moreover, as part of Moody’s Enhanced Analysis Initiative, ratings methodologies measuring the quality of corporate governance and risk management include specific questions related to enterprise risk management. See, for example, Questions 16, 17, and 18 of Moody’s Corporate Governance Assessment and Moody’s research methodology.

20. See Hydro One Inc.’s 2002 President’s Awards.

21. Interestingly, the outcome of ERM at Hydro One is consistent with the predictions of a survey by the Conference Board of Canada in which respondents felt that the need for a specific risk officer may decline as it is more widely implemented in organizations and the CRO’s responsibilities would then be distributed to the operating units or assimilated into the CFO’s duties; see the Conference Board of Canada, “A Composite Sketch of a Chief Risk Officer” (2001).

ABOUT THE AUTHORS

Tom Aabo is an Associate Professor at the Aarhus School of Business in Denmark. He has taught courses in corporate finance, international business finance, foreign direct investment, and internationalization of the firm at the Aarhus School of Business.
His areas of research are strategic risk management, exchange rate exposure management, real options analysis, and international corporate finance. He is published in the Journal of Applied Corporate Finance, International Journal of Managerial Finance, European Financial Management, and Review of Financial Economics (among others). Tom also serves on the editorial board of the Asian Journal of Finance and Accounting. Prior to getting his PhD, Tom worked in industry for Amersk and Gudme Raaschou. Tom received a BA in Business Administration from Aarhus School of Business (Denmark), a MS in Business Administration, and PhD from Aarhus School of Business.

John Fraser is the Vice President, Internal Audit & Chief Risk Officer of Hydro One Networks Inc., one of North America’s largest electricity transmission and distribution companies. He is an Ontario and Canadian Chartered Accountant, a Fellow of the Association of Chartered Certified Accountants (U.K.), a Certified Internal Auditor, and a Certified Information Systems Auditor. He has more than 30 years experience in the risk and control field mostly in the financial services sector, including areas such as finance, fraud, derivatives, safety, environmental, computers and operations. He is currently the Chair of the Advisory Committee of the Conference Board of Canada’s Strategic Risk Council, a Practitioner Associate Editor of the Journal of Applied Finance, and a past member of the Risk Management and Governance Board of the Canadian Institute of Chartered Accountants. He is a recognized authority on Enterprise Risk Management and has co-authored three academic papers on ERM—published in the Journal of Applied Corporate Finance and the Journal of Applied Finance.

Betty J. Simkins is Williams Companies Professor of Business and Professor of Finance at Oklahoma State University (OSU).
She received her BS in Chemical Engineering from the University of Arkansas, her MBA from OSU, and her PhD from Case Western Reserve University. Betty is also very active in the finance profession and currently serves as Vice-Chairman of the Trustees (previously President) of the Eastern Finance Association, on the Board of Directors for the Financial Management Association (FMA), as co-editor of the Journal of Applied Finance, and as Executive Editor of FMA Online (the online journal for the FMA). She has coauthored more than 30 journal articles in publications including the Journal of Finance, Financial Management, Financial Review, Journal of International Business Studies, Journal of Futures Markets, Journal of Applied Corporate Finance, and the Journal of Financial Research and has won a number of best paper awards at academic conferences.

CHAPTER 6
Creating a Risk-Aware Culture
DOUGLAS W. BROOKS
President and Chief Executive Officer of AEGON Canada, Transamerica Life Canada and AEGON Fund Management, and Chairman of AEGON Capital Management

THE IMPORTANCE OF CULTURE

There is nothing more crucial to the success of enterprise risk management (ERM) efforts in an organization than an informed and supportive culture. Furthermore, culture is not merely an intangible concept—its elements can be defined and progress in moving toward a desired culture can be measured. Information, technical skills, and processes are important, and some processes are necessary to assist in developing an appropriate culture. However, an organization could possess world-class technical capabilities and strong processes for collecting and reporting information, but still have a bankrupt culture so that no value was added through ERM efforts.
Defining Culture

The definition of culture used for this chapter is based on a question: “What determines how decisions are made in an organization?” The key to culture, in the context of ERM, is the impact it has on business decisions. A strong culture is one in which decisions are made in a disciplined way, taking into account considerations of risk and reward on an informed basis. This decision-making culture extends throughout the organization, from the largest strategic decisions to the most routine day-to-day business decisions.

Note that “disciplined decision making” in an ERM context does not mean that no risk is taken, or that risk is minimized. Rather, it means that decisions that create undue risk—either because they take the organization out of its defined risk appetite, or because the reward is not sufficient for the risk taken—are avoided. That does not mean that mistakes or misjudgments may not occur, but it means that the process ensured the consideration of the correct elements with the goal of optimizing the risk-return profile of the organization.

The Goals of Culture

The goal of a risk-aware culture is to ensure that all business decision makers understand and behave, recognizing:

• The importance of identifying and assessing risks in current and potential business activities.
• The importance of communicating current and potential risks.
• The importance of taking risk and reward into account in business decisions.

Again, it is worth stating that the goal is to ensure that decisions taken throughout the organization are taken with these goals in mind.
That means that the risk-aware culture must extend throughout the organization, and not be limited to a group either outside of—or even senior to—the individuals responsible for making business decisions for the organization.

The Importance of Culture

If one accepts that the goal of ERM is to ensure that business decisions are made to optimize stakeholder value through optimizing risk and reward, then a strong risk-aware culture is a necessary condition for success in ERM. If any elements are missing, then:

• Not all relevant risks may be identified and assessed.
• Decision makers may not be aware of some risks as decisions are being made.
• Decisions may be made ignoring certain risks.

Clearly, if these circumstances were to occur, then the organization cannot be sure that good risk-adjusted business decisions were consistently being made. Therefore, the organization cannot have a strong ERM framework.

When the Chips Are Down

Culture can be observed in a positive sense—that is, a decision-making process may be mapped out that reflects considerations about risk: risks involved with the business decision are identified, and sound risk-adjusted decisions that add value may be observed. This kind of process may, and often does, occur in almost every organization, either deliberately as the result of the creation of a risk-aware culture (whether explicitly recognized as such), or simply because organizations must have some processes that involve disciplined approaches.

However, the telling point occurs when there is pressure to make a decision that involves trade-offs between short-term gains and long-term risk-adjusted value. Short-term gains may involve sales—meeting or exceeding sales targets and market expectations; accounting gains resulting from transactions that create accounting earnings; or even personal incentive targets.
If there is significant pressure to relax the organization’s risk requirements, and the organization makes a decision that is clearly counter to the risk policies and desired risk profile of the organization, it cannot have a strong risk culture. This may occur at any level of an organization. It may occur at the top of an organization if an acquisition is being considered, and considerations of risk fall victim to the ego of the participants. They may be put aside because the participants in the transaction have “fallen in love with the deal,” and cannot bear the thought of backing out of the transaction given the work that has been put into it and the potential benefits of the transaction. These benefits may already be crystallizing in individuals’ minds as they contemplate the shape of the post-transaction business. Rewards may also incent this type of behavior. These may be tangible rewards—bonuses and salary increases—or they may be intangible because the participants in successful transactions are those recognized in the organization, given higher profiles and promotions.

At lower levels of an organization, incentives may also play a part in rewarding behaviors that involve undue risk. Individuals seeking to maximize their bonuses may take risks, particularly if their bonus is based on immediate results and downplays long-term profitability and risk. For example, a sales manager whose bonus is entirely or largely based on sales results alone has no motivation to look at risk and reward. In fact, the organization is implicitly telling the sales manager that it is sales results that are important to the organization and that by achieving and exceeding his sales targets, he has every right to believe that he is adding value to the organization.
For example, in the insurance industry certain products have substantially more risk than other products. They may also have significantly different profitability profiles. However, the commission to the agent or distributor may be the same. The message to the agent is that sales of the different products are equally valuable to the organization. This may be completely false, but it is not the distributor’s role to question the organization with respect to its products. If the sales manager’s income is based on an override of the commissions that the agents receive for selling the products, then the message to him or her is the same.

Naturally, there is a point at which simplicity of compensation structures and comparative structures within an industry must be recognized. However, organizations must have the information to determine what the consequences of their compensation structures are likely to be. In the insurance example, it may not be practical or realistic for the company to offer lower commissions on its riskier or less-profitable products to the selling agent. However, the sales managers should certainly be compensated based on the risk-adjusted profitability of the business. That again implies that the organization has and uses the information to measure the risk-adjusted profitability of the business.

Other motivations for poor risk taking may be externally driven. Competitor organizations may—apparently successfully—be taking risk. Stock analysts and other commentators may give these companies credit for this business, and their stock values may increase as a result. Additionally, just because an inappropriate risk is taken does not mean that it will not pay off. It is annoying to see poor decisions lead to good results! Nevertheless, an organization that wishes to create a strong risk culture must continue to be disciplined in the face of these pressures.
That will necessarily entail strong internal and external communications—identifying why decisions that appear successful are not being taken.

There is much discussion about the cause of the subprime mortgage lending crisis and the associated and widespread market disruptions that have occurred. This is not an attempt to provide a comprehensive view of the causes of the crisis. However, at its core, the crisis resulted from plain and simple bad business. This business should not have been done in disciplined organizations. Making loans to individuals who do not have the resources to pay the true costs of the loan, and who are inappropriately leveraging their assets, is fundamentally bad business. As organizations experienced success with this model (as property values increased, hiding the degree of exposure and leverage), other organizations were pressured to enter the game by the short-term thinking of the financial markets, which reward short-term business growth at the expense of long-term value and risk. Financial and risk management models, rating agencies, regulators, and many others may take, and may legitimately share in, some of the blame for the crisis, but the underlying causes were related to bad business motivated by short-term gains that were rewarded in the financial markets.

How does an organization stay disciplined in the face of the market pressures that exist? It is extremely difficult to stand firm in the face of these pressures, particularly when an organization is public, and the markets determine who is deemed successful using inappropriate criteria. Organizations must communicate effectively, both within the organization and to external stakeholders, the reasons for decisions to avoid businesses that are determined to be poor risks.
Internally, this can be reinforced through compensation systems that reward long-term risk-adjusted value.

Culture Can Discourage Good Risk Taking

Culture may also result in suboptimization by discouraging appropriate risk taking. This can occur by punishing people for taking risks that do not work out, whether or not they were correct to make the decision to take the risk. A well-known example of this in a sports context took place during the 1980 baseball playoffs between the New York Yankees and the Kansas City Royals. The Yankees had a speedy runner (Willie Randolph) on first base representing the run that would tie the game. There were two outs in the eighth inning. A ball was hit to the corner of the outfield, and the runner on first base got a good start. The third base coach recognized that the runner was a strong runner, and that the fielder who was fielding the ball was a weak thrower. The fielder would have to throw the ball to another fielder who would then relay the ball to the catcher to try to tag out the runner. Given that there were two outs, the chances of another hitter being successful in hitting safely and scoring the runner, were he to stop at third, were much less than 50 percent. In other words, the third base coach made a good risk-based decision to send the runner around third base toward home plate to try to score. However, in the actual event, the fielder made a good throw to the infielder, who made a perfect relay to the catcher, just tagging out the runner before he would have scored. The result was that the third base coach was fired the next day. Clearly, this type of good risk-based decision making was not encouraged in the New York Yankees organization.

Similar instances occur in business. For example, decisions taken to hedge exposures to certain risks may be criticized when the risk does not materialize, particularly if other companies have taken the risk and been rewarded for doing so.
This may lead to inappropriate risk taking to avoid the criticism of having spent time and resources on hedging. Good risk-taking organizations recognize that not all well-thought-out risks will succeed. Farson and Keyes (Harvard Business Review, August 2002) refer to leaders in organizations that encourage strong risk taking as “failure-tolerant” leaders. Such leaders recognize that good decisions based on disciplined approaches are the right decisions, whether or not they work out, while sloppy, undisciplined decisions are wrong regardless of whether they result in profit.

ELEMENTS OF A RISK-AWARE CULTURE

An organization wishing to have a risk-aware culture must encourage certain behaviors and reward them, as well as putting various processes into place. Culture is all about behavior. Processes are necessary to encourage and reinforce desired behaviors.

Behavioral Elements

Actions speak louder than words. This is a simple but profound expression, and it applies directly in the area of organizational culture. Processes that exist on paper, but are not applied in practice, will be viewed as unimportant within an organization. It is only when a process is taken seriously that it actually reinforces the desired culture.

Organizations must expect the results that are encouraged both explicitly and implicitly through behaviors that are rewarded. If, for example, bonuses and promotions result from achieving sales targets at the expense of organizational risk, then the implicit message to staff is that the risk discipline of the organization is second to sales results, and the company must expect that staff will behave in a way consistent with the results that are rewarded, regardless of what may exist on paper with respect to risk discipline.
In order to create and sustain a strong risk-aware culture, it is important to be deliberate and explicit about the behaviors that are expected in the organization.

Process Elements

Having stated above that behavioral elements are primary, it is vital to create robust processes that encourage the defined behaviors. These processes include measurement, monitoring, reporting, and governance.

HOW TO CREATE A RISK-AWARE CULTURE

Creating a risk-aware culture requires a deliberate approach. It will not happen by accident. The following steps and approaches are suggested to accomplish the introduction of a strong risk-aware culture.

Defining the Elements

The first step to creating a risk-aware culture is to know what elements that culture should contain. There have been attempts to define the elements of a risk-aware culture. Risk Manager magazine (Issue 3, February 2004) contained the following list of characteristics:

• Strong leadership within the organization and its projects.
• Devolving risk management to the workplace.
• Participative management style.
• Utilizing knowledge of all staff and team members.
• Encouraging staff to be accountable for their actions.
• Enabling capture of risk at all levels of the organization or area/project chosen for the risk assessment.
• Determining controls before risks occur.
• Improving communication and teamwork.
• Encouraging risk awareness across the organization.

This list describes some of the attributes of an organization that has a risk-aware culture. Another approach is to define the elements of a culture that should result in these desirable characteristics. The following is a list of elements developed as part of an ERM framework in one organization that the author of this chapter worked in:

• Acting with integrity.
Understanding impacts on customers. L Embedded risk management—discipline. Y Full and transparent communication. Collaborative decision making. , Alignment of incentives and rewards. It is important that an organization develop cultural elements that it believes R will lead to sound decision making and that it is willing to commit to encouraging Y and rewarding within the organization. Measuring and Monitoring A N Results in most business endeavors are achieved by having measures of success and monitoring progress toward goals using these 2 measures. The same can be true for progress toward cultural goals as well as financial objectives or the implementation 6 be based on nonfinancial information, of operational objectives. Measurement can and on information that is not in the organization’s financial accounts. For example, 7 if a defined element of an organization’s risk culture is “participative management 5 there is likely no source of informastyle,” or “collaborative decision making,” tion available except to ask people within Bthe organization about how decisions are made. U to glean information about such The structure and handling of a survey processes in an organization is critical to its success. The survey must be nonthreatening—individuals must be free to give honest answers to questions without fear of reprisal. Guaranteed anonymity is an important characteristic of a successful survey. The survey must also be repeatable—that is, consistent responses producing reliable trends should be generated when the survey is repeated. To measure progress, it is necessary to perform the survey periodically. The survey must also pose questions that are designed to get at the heart of the cultural elements that it is designed to identify and measure. It is beyond the scope of this chapter to determine how to best structure a survey to get the desired objective results. However, such expertise is available, and should be sought to ensure valid results. 
Copyright ©2010 John Wiley & Sons, Inc. P1: OTA/XYZ P2: ABC c06 JWBT177-Simkins October 24, 2009 9:18 Printer Name: Hamilton CREATING A RISK-AWARE CULTURE 93 Involvement and Buy-In Implementing a strong risk-aware culture requires the buy-in of those in the organization. A step that can significantly increase the success of the buy-in process is the involvement of the organization, or at least key people within the organization, in the definition of the desired culture. Involvement in the creation of an objective is one of the best ways to create buy-in for any goal. People will generally develop ownership of goals and objectives that they work to create. Openness A strong risk culture cannot exist in an organization that discourages open communication. Full and transparent communication is an integral part of a risk-aware D culture. Ideas and questions must be encouraged, and not explicitly or implicitly A discouraged. Negative behavior can occur in many ways: I r Individuals, particularly senior-level ones, may dominate discussions with L the implication that other points of view are discouraged. r There may be topics that are “taboo” Y in organizations, discouraging openness in questioning business models or approaches. , r Models may be seen as “unquestionable,” or answers about their functioning and use may be brushed off by technical specialists. r Organizations may get tunnel vision as a result of the overly homogeneous R composition of decision-making groups, when it is often a question from a different perspective that causes anY “ah ha” in understanding. r Shooting the messenger is an obvious way of discouraging people from A bringing issues to the fore. N r Decisions may be made based on emotion, or pleasing senior-level people, rather than based on facts—clearly discussions should not be closed without fact-based evidence. 
2 6 Strong organizations will display the opposites of these approaches, encouraging the raising of issues and questioning from differing perspectives on any topics, 7 and basing decisions as far as possible on fact. 5 B Tone from the Top U will identify “tone from the top” as Virtually every organizational change objective a key element. With culture, tone is critical, and the support must be behavioral as well as simply providing funding or resources. It is up to leadership to effectively define the culture of the organization by encouraging, discouraging, and exhibiting certain behaviors. Alignment of Incentives and Rewards—Walking the Talk Incentives and rewards, and the importance of their alignment with corporate objectives, cannot be overemphasized. Employees will exhibit behaviors that are rewarded and/or that minimize stress in the workplace. Incentive compensation Copyright ©2010 John Wiley & Sons, Inc. P1: OTA/XYZ P2: ABC c06 JWBT177-Simkins 94 October 24, 2009 9:18 Printer Name: Hamilton ERM Management, Culture, and Control systems implicitly put value on certain results. Employees have every right to assume that the goals identified in the incentive compensation system are those that the employer wishes them to achieve to add value to the organization. If these goals do not include proper recognition of risk and reward, then the organization will reap what it sows, and take on inappropriate risk. Rewards cannot always be in the form of compensation. Organizations reward behaviors through promotions and recognition. While an organization may give lip service to risk, and to risk-based decision making, the stronger messages are given by those behaviors that are actually rewarded within the organization. WHAT DOES RISK MANAGEMENT HAVE TO DO? Dof the responsibility for developing an The risk management function bears some appropriate risk-aware culture within an A organization. 
This goes beyond defining the elements of the culture, monitoring them, and determining new initiatives and I characteristics of the culture. It has to directions intended to promote the desired do with the risk management area’s own L behaviors. Those within risk management departments in organizations, particularly in Ystrong technicians. Training has been technical and financial industries, will be largely technical, and rewarded behaviors, have been largely technically oriented. However, communication and even marketing skills are also important attributes for those in risk management functions. Risk managers must be able to provide rationale for their decisions and input to R business decisions. It may be necessary to veto a new product, if it does not satisfy the organization’s risk-weighted Y return objectives, or if it involves risks that the company is not capable of takA in doing so, the risk manager must ing on and managing effectively. However, be able to clearly explain the reasons forNthe recommendation, as well as show empathy for the business personnel who may have invested significant time in the project. Involving risk management early in development processes is another key characteristic of a risk-aware organization. 2 Those in risk management areas must also appreciate the business that they 6 opinions of risk managers and others are in. Business managers will respect the outside their businesses if those individuals 7 demonstrate an understanding of the business and its objectives. People who have no experience in business will lack 5 leaders. credibility and will be dismissed by business Solid and reliable data is another requirement to gaining credibility within an B organization. Data that is suspect, or that can be challenged, will be ignored and conclusions drawn from it will rightly beU disregarded. Therefore, a risk management function must do its own diligence on its information. 
Risk management areas must also be wary of being perceived as “crying wolf.” The issues raised must be real issues, and of sufficient importance to warrant changes to business plans and projects. Again, understanding the business will assist in determining the relevance and magnitude of issues, as well as the ability to communicate their importance to those making the business decisions. Not all issues that are raised as potential risks will actually play out as real risks. The market or other conditions that may lead to a risk materializing may not occur, which does not mean that the risk identified and raised was not appropriate. However, it is a challenge that risk management areas must overcome. Copyright ©2010 John Wiley & Sons, Inc. P1: OTA/XYZ P2: ABC c06 JWBT177-Simkins October 24, 2009 9:18 Printer Name: Hamilton CREATING A RISK-AWARE CULTURE 95 Risk management should not run the organization. It is the function of the risk management area to provide information, analysis, and processes to management that will allow good risk-based decision making. This was the approach taken at Hydro One, where the Corporate Risk Management Group received the Sir Graham Day Award for Excellence in Culture Change in 2002 as a result of helping to embed enterprise risk management throughout the organization. CONCLUSION To be successful in risk management, organizations must recognize the importance of encouraging and rewarding disciplined behaviors, as well as openness in communication. In his book Strategic Risk Taking: A Framework for Risk Management, Aswath Damodaran concludes in ChapterD12 with a number of principles that affect the success of risk management. It is noAsurprise that several of these principles speak directly to culture: I r Managing risk well is the essence of L good business practice and is everyone’s responsibility. Y have to embed it in the organization r To succeed at risk management, you through its structure and culture and , get the right people. 
REFERENCES R Damodaran, Aswath. 2008. Strategic risk taking: A framework for risk management. (Upper Y Saddle River, NJ: Wharton School Publishing). ABOUT THE AUTHOR A N Doug Brooks was appointed President and CEO of AEGON Canada, Transamerica Life Canada, and AEGON Fund Management, 2 and Chairman of AEGON Capital Management on September 24, 2008. Mr. Brooks has extensive experience in the 6 Mr. Brooks was Chief Risk Officer of life insurance industry. From 2002 to 2006, Sun Life Financial. A graduate of the University of Waterloo in mathematics and 7 actuarial science, Mr. Brooks has been active in the insurance industry and served 5 in numerous leadership positions, particularly the Society of Actuaries and the Canadian Institute of Actuaries, where he isBa past member of the board of directors. He was chair of the Joint Risk Management Section of the Canadian Institute of Actuaries, Casualty Actuarial Society, andUSociety of Actuaries in 2006–2007. Mr. Brooks is a Fellow of the Society of Actuaries (FSA), a Chartered Enterprise Risk Analyst (CERA), a Fellow of the Canadian Institute of Actuaries (FCIA) and a Member of the American Academy of Actuaries (MAAA). Copyright ©2010 John Wiley & Sons, Inc. P1: OTA/XYZ P2: ABC c06 JWBT177-Simkins October 24, 2009 9:18 Printer Name: Hamilton D A I L Y , R Y A N 2 6 7 5 B U Copyright ©2010 John Wiley & Sons, Inc.

Tutor Answer

School: University of Maryland



Enterprise Risk Management Leadership
Institution Affiliation




1. Specific Enterprise Risk Management Strategies Used By the Board of Directors
The board of directors in a company represents the third line of defense, with the support from the audit department. They are responsible for the oversight of organization processes, challenging, approving and reviewing risk policies (Bromiley et al., 2015). The board members also oversee strategy development, implementation, and management of executive compensation programs. They have a responsibility in making key business and risk management decisions, including approval of the business strategies and providing recommendations for capital structure. Consequently, they manage the company dividend policy; oversee targeted debt levels and approval of major business investments and

Risk management is a continuous process, therefore, a company leadership embeds control measures through policies and procedures to deal with current and potential risks, and these policies are frequently subjected to audit to ensure effectiveness. An organization describes its approach for managing risks through its strategies and protocols, by setting roles and responsibilities of individuals and frequent communication on risk issues. A company board of directors is responsible for the overall risk management program, in line with the best practices (Lam, 2014). This allows the company to concentrate on seizing opportunities to achieve envisaged business results. Successful ERM involves a dynamic process which is fully supported by the company board of directors.

The board holds a critical responsibility in nurturing the risk management framework and providing the strategic direction of the organization. Other board roles in ERM include establishing the risk management structure, understanding the most common and critical risks and managing the organization in cases of crisis (Bromiley et al., 2015). The board of directors is able to reduce its burden of managing risks by first, managing the risk appetite and tolerance. In most large organizations, the board sets rules regarding taking risks, to control the company’s level of exposure. It is possible for a company to confirm low appetite for risk; however, it is quite practical that business requirements may demand some level...
