Enterprise Risk Management Leadership

User Generated

Ohgxhf65

Business Finance

Description

Enterprise Risk Management Leadership & Culture

Leadership and Culture

(Minimum of 750 words for each question; this excludes the reference section at the bottom from your word count. You are also required to use a minimum of FOUR scholarly external source references. Use proper APA guidelines: you only have to make reference to the author and year of publication in your in-text reference, but APA guidelines encourage you to also provide the page number. Failure to do so will result in an incomplete with 0 points for the question.)

1. Explain two specific enterprise risk management strategies that a Board of Directors would use to delegate their responsibilities for ERM. (750 word minimum)

2. Explain the meaning of the phrase “companies must incur risk in order to run their business and maximize returns for stakeholders.” Give two specific examples. (750 word minimum)


Unformatted Attachment Preview

Enterprise Risk Management Leadership & Culture Leadership and Culture (Minimum of 750 words for each question, this excludes the reference section at the bottom from your word count. You are also required to use a minimum of FOUR scholarly external sources references. Use proper APA guidelines, you only have to make reference to the author and year of publication in your in-text reference, but APA guidelines encourage you to also provide the page number. Failure to do so will result in an incomplete with 0 points for the question) 1. Explain two specific enterprise risk management strategies that a Board of Directors would use to delete their responsibilities of ERM. (750 word minimum) 2. Explain the meaning of the phrase “companies must incur risk in order to run their business and maximize returns for stakeholders.” Give two specific examples. (750 word minimum) P1: OTA/XYZ P2: ABC c04 JWBT177-Simkins October 24, 2009 9:17 Printer Name: Hamilton CHAPTER 4 The Role of the Board of Directors and Senior Management in Enterprise Risk Management D A BRUCE C. BRANSON Professor of Accounting and Associate Director, North Carolina State University I Enterprise Risk Management Initiative L Y , INTRODUCTION R The oversight of the enterprise risk management (ERM) process employed by an Y organization is one of the most important and challenging functions of a corpoA senior management of the company, ration’s board of directors. In concert with the board must establish the appropriate “tone N at the top” to ensure that risk and risk management considerations remain at the forefront of strategic and operating decisions made within the business. The 2008–2009 global financial crisis and the rapidly deteriorating global economy has2created a context in which companies now face risks that are more complex, more interconnected, and potentially more 6 devastating than ever before. 
Failure to adequately acknowledge and effectively manage risks associated with decisions being 7 made throughout the organization can and often do lead to potentially catastrophic results. We need look no further than to the5current status of the financial services sector to observe the devastation associated B with poorly monitored and managed risk taking. Risks associated with credit quality, liquidity, market disruptions, and U reputation have all contributed to unprecedented bankruptcies, bank failures, federal government intervention, and rapid (and forced) consolidation within the industry. The fallout from this financial cataclysm spread quickly to the broader economy, as companies in almost every industry have suffered from the effects of a global credit freeze, dramatic reductions in consumer demand, and extreme volatility in commodity, currency, and equity markets. The perception that aggressive and unchecked risk taking has been central to the breakdown of the financial and credit markets has led to increased legislative and regulatory focus on risk management and risk prevention. In this environment, boards and companies must be aware that regulators and the legal system may apply new standards of conduct, or reinterpret existing standards, to increase board 51 Copyright ©2010 John Wiley & Sons, Inc. P1: OTA/XYZ P2: ABC c04 JWBT177-Simkins 52 October 24, 2009 9:17 Printer Name: Hamilton Overview responsibility for risk management. Boards cannot and should not be involved in the actual day-to-day management of risks encountered by the companies they serve. The role of the board is to ensure that the risk management processes designed and implemented by senior executives and risk management professionals employed by the company act in concert with the organization’s strategic vision, as articulated by the board and executed by senior management. 
As well, the board must exercise significant oversight to be confident that risk management processes are functioning as designed and that adequate attention is paid to the development of a culture of risk-aware decision making throughout the organization. By actively exercising its oversight role, the board sends an important signal to the company’s senior management and its employees that corporate risk management activities are not roadblocks to the conduct of business nor a mere D ERM can and should become an inte“check-the-box” activity. Executed properly, gral component of the firm’s corporate strategy, A culture, and value-creation process. The board can provide direction and support for the ERM effort, but without one I leadership, most ERM programs are or more risk champions within the executive destined to fail. Thus, there is a shared responsibility between the members of the L board and the senior management team to nurture a risk-aware culture in the orY within an appetite for risk that aligns ganization that embraces prudent risk taking with the organization’s strategic plan. , The company’s ERM system should function to bring to the board’s attention the company’s most significant risks and allow the board to understand and evaluate how these risks may be correlated, R the manner in which they may affect the company and management’s mitigation or response strategies. It is critically Y important for board members to have the experience, training, and intimate knowlA meaningful assessments of the risks edge of the business required in order to make that the company encounters. The board must N also consider the best organizational structure to give risk oversight sufficient attention at the board level. In some companies, this has driven the creation of a separate risk management committee of the board. 
For other organizations, it may 2 be reasonable for these discussions of risk to occur as a regular agenda item for an existing committee such as the audit 6 the full board level. No one size fits all, committee, enhanced by periodic review at but it is vitally important that risk management oversight be a board priority. 7 This chapter addresses the proper role of the board of directors in corporate risk 5 management. It identifies the legal and regulatory framework that drives the risk oversight responsibilities of the board. It also clarifies the separate roles of the board B and its committees vis-à-vis senior management in the development, approval, and U implementation of an enterprise-wide approach to risk management. Finally, the chapter explores optimal board structures to best discharge their risk oversight responsibilities. GOVERNANCE EXPECTATIONS FOR BOARD OVERSIGHT OF RISK MANAGEMENT The risk oversight responsibility of boards of directors is driven by a variety of factors. These factors include the fiduciary duty owed to corporate shareholders, which is a function of state law; U.S. and foreign laws and regulations such as the Copyright ©2010 John Wiley & Sons, Inc. P1: OTA/XYZ P2: ABC c04 JWBT177-Simkins October 24, 2009 9:17 Printer Name: Hamilton THE ROLE OF THE BOARD OF DIRECTORS AND SENIOR MANAGEMENT IN ERM 53 recently enacted Emergency Economic Stabilization Act of 2008 (EESA) and the Sarbanes-Oxley Act; New York Stock Exchange (NYSE) listing requirements; and certain established corporate best practices. As well, the risk of damage to corporate reputation from shareholder activism or adverse media coverage for companies believed or found to possess inadequate risk management capabilities also strongly contributes to the desirability of sound risk oversight by corporate boards. 
The Delaware courts (which serve to establish law for a wide swath of corporate America) have developed guidelines for board oversight responsibilities through a series of court cases that have dealt with purported violations of the fiduciary duties of care and loyalty that are owed to the company by members of the board. The Delaware Chancery Court has stated1 that director liability for a failure of board oversight requires a “sustained or systemic failure of the board to exercise oversight—such as an utter failure to assureDa reasonable information and reporting system exists.” To avoid liability, boards A should ensure that their organizations have implemented comprehensive monitoring systems tailored to each category I these monitoring systems and make of risk. The board should periodically review inquiries of management as to their robustness. The board should also consider L retaining outside consultants for an independent assessment of the adequacy of Y The company’s general counsel may the methodology that has been implemented. also be utilized to provide an assessment,as to whether the board has effectively fulfilled their oversight responsibility for the ERM program. The board should be especially sensitive to so-called “red flags,” or violations of existing risk limits established by the risk R management team. These violations must be investigated by the board or delegated to the appropriate manager for Y investigation, and the board should document their actions in minutes that accuAthe board in reviewing the deviation rately convey the time and effort spent by from established policies. To preserve theirN liability shield, boards must ensure that the monitoring system in place includes reports on significant regulatory matters (such as fines that have been levied against the company), that may be used as evidence in shareholder litigation. The board 2 should treat such a report as a red flag and investigate appropriately. 
6 recently appeared in two important Corporate risk management issues have examples of federal regulatory oversight—the 7 EESA and the Sarbanes-Oxley Act. Also, companies with foreign operations must be cognizant of the legal requirements in each of the locales in which they 5 do business. Whether or not a particular piece of legislative rule making that relatesBto risk management directly applies to the company and board, such laws and regulations will undoubtedly influence the Uthe current environment and enhanced activities that a company undertakes. Given focus on risk management and risk oversight, a failure by the board to adequately oversee a system of compliance with legal requirements can raise issues under state law with respect to the board’s fiduciary duties, but also can provide opportunities for litigators to highlight such failures in other claims against the company and board, such as tort liability or even criminal liability. It is imperative that the board is aware of all material legal requirements applicable to the company, and the company should take care to include these risks in the development of their ERM program. The most recent example of federal legislation that includes an explicit focus on risk management is the Troubled Asset Relief Program (TARP) contained in Copyright ©2010 John Wiley & Sons, Inc. P1: OTA/XYZ P2: ABC c04 JWBT177-Simkins 54 October 24, 2009 9:17 Printer Name: Hamilton Overview the EESA. The act requires that boards of financial institutions participating in the TARP Capital Purchase Program (CPP) institute certain restrictions on executive compensation that relate to corporate risk taking. Specifically, participants in the TARP CPP must comply with the requirements illustrated in Box 4.1. Although these requirements apply only to financial institutions participating in the CPP, they do provide insight into federal concern over the issue of how compensation programs may contribute to excessive risk taking. 
Because of this concern, companies that are not directly affected by these requirements should still consider reviewing their compensation plans to determine whether the compensation structure encourages excessive risk taking. To the extent that incentive compensation is externally viewed as a source of inappropriate risk, the interaction between compensation and risk may inevitably find its way into other legislative D a focus of shareholder activism and and regulatory responses and/or become undesirable media attention. A I L Box 4.1 Executive Pay Requirements under Y the Troubled Asset Relief Program Capital , Purchase Program* R of EESA for purposes of particiIn order to comply with Section 111(b)(2)(A) pation in the program, a financial institution Y must comply with the following three rules: A (1) Promptly, and in no case more than 90 days, after the purchase under N the program, the financial institution’s compensation committee, or a committee acting in a similar capacity, must review the [senior executive officer (SEO)] incentive compensation arrangements with such financial 2 institution’s senior risk officers, or other personnel acting in a similar ca6 pacity, to ensure that the SEO incentive compensation arrangements do not encourage SEO’s to take unnecessary and excessive risks that threaten 7 the value of the financial institution. 5 (2) Thereafter, the compensation committee, or a committee acting in a similar capacity, must meet at least annually with senior risk officers, B or individuals acting in a similar capacity, to discuss and review the relationship between the financial U institution’s risk management policies and practices and the SEO incentive compensation arrangements. (3) The compensation committee, or a committee acting in a similar capacity, must certify that it has completed the reviews of the SEO incentive compensation arrangements required under (1) and (2) above. 
These rules apply while the Treasury holds an equity or debt position acquired under the program. * Excerpted from Treasury Department Notice 2008-PSSFI. Copyright ©2010 John Wiley & Sons, Inc. P1: OTA/XYZ P2: ABC c04 JWBT177-Simkins October 24, 2009 9:17 Printer Name: Hamilton THE ROLE OF THE BOARD OF DIRECTORS AND SENIOR MANAGEMENT IN ERM 55 The Sarbanes-Oxley Act of 2002 imposes significant requirements on companies and their boards, including audit committee oversight of internal and external auditors, certification of quarterly and annual financial statements and periodic reports by the chief executive officer and chief financial officer, maintenance of well-functioning financial reporting and disclosure controls, enhanced disclosure of financial measures not based on generally accepted accounting principles (GAAP), and a ban on personal loans to directors and officers. Although not directly tied to the risk oversight responsibilities of boards, compliance with Sarbanes-Oxley requirements involves risk management issues. As an example, in determining the effectiveness of controls over financial reporting, or in the financial statement certification process, the company should focus on whether material risks are identified and disclosed. In their review of the company’s compliance D should make inquiries as to whether with Sarbanes-Oxley requirements, the board these risk management issues have been acknowledged. A The New York Stock Exchange (NYSE) imposes specific risk oversight obliI gations on the audit committee of an NYSE-listed company. These NYSE rules require that an audit committee “discuss L policies with respect to risk assessment and risk management.”2 Box 4.2 provides an excerpt from the NYSE corporate Y These discussions should address governance rules germane to this requirement. 
major financial risk exposures and the steps , the board has taken to monitor and R Y Box 4.2 Excerpt from the NYSE’s 2004 * A Final Corporate Governance Rules N Among numerous other responsibilities, duties, and responsibilities of the audit committee include: 2 (D) Discuss policies with respect to risk assessment and risk management; Commentary: While it is the job of 6the CEO and senior management to assess and manage the company’s exposure 7 to risk, the audit committee must discuss guidelines and policies to govern the process by which this is han5 dled. The audit committee should discuss the company’s major financial risk B taken to monitor and control such exposures and the steps management has exposures. The audit committee is not required to be the sole body responsible U for risk assessment and management, but, as stated above, the committee must discuss guidelines and policies to govern the process by which risk assessment and management is undertaken. Many companies, particularly financial companies, manage and assess their risk through mechanisms other than the audit committee. The processes these companies have in place should be reviewed in a general manner by the audit committee, but they need not be replaced by the audit committee. * “Final Corporate Governance Rules,” New York Stock Exchange (2004) www.nyse.com. Copyright ©2010 John Wiley & Sons, Inc. P1: OTA/XYZ P2: ABC c04 JWBT177-Simkins 56 October 24, 2009 9:17 Printer Name: Hamilton Overview control these exposures, including a general review of the company’s risk management programs. As the NYSE commentary indicates, the rules permit a company to create a separate committee or subcommittee (often a separate risk committee of the board) to be charged with the primary risk oversight responsibility. 
This is subject to the need for the risk oversight processes conducted by that separate committee or subcommittee to be reviewed in a general manner by the audit committee, and for the audit committee to continue to discuss policies with respect to risk assessment and management. As in our earlier discussion concerning the TARP certification requirements for those financial institutions participating in the CPP, these rules only apply to NYSE-listed firms. Yet, it seems prudent for all boards to acknowledge that they may be subject to “best practice” standards in the eyes of their shareholders and the general public. Boards should also take advantage ofD industry-specific regulators (such as the Federal Reserve and the FDIC in the banking A industry) and specialized risk management organizations that have published best practice guidance. The Committee I of Sponsoring Organizations of the Treadway Commission (COSO), a privatesector organization sponsored by professional L accounting associations and institutes, has developed an ERM framework that promotes an enterprise-wide perY emphasizes the role of the board in spective on risk management. That document risk management in its definition of ERM:, Enterprise risk management is a process, effected by the entity’s board of directors, management, and other personnel, applied inR strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within Y regarding the achievement of objectives. the risk appetite, to provide reasonable assurance 3 (emphasis added) A N a valuable benchmarking tool and The COSO integrated framework provides offers detailed guidance on how a company may implement enterprise risk management procedures in its strategic planning efforts and across the entire organization. 
The COSO ERM framework 2 presents eight interrelated components of risk management: (1) the internal environment (the tone of the organization), 6 (2) objective-setting, (3) event identification, (4) risk assessment, (5) risk response, 7 (6) control activities, (7) information and communications, and (8) monitoring. The 5 has become well accepted as a deCOSO enterprise risk management framework velopment tool for organizations seeking to initiate and/or improve on an ERM B program. U In 2007, Standard & Poor’s (S&P) announced a major initiative to incorporate an explicit evaluation of ERM programs as part of their credit ratings analysis of companies. S&P has actively evaluated the ERM practices of financial institutions, insurance companies, and the trading operations of many large energy companies for some time. Beginning in late 2008, S&P extended this evaluation to nonfinancial issuers. Box 4.3 provides an excerpt from the S&P announcement that highlights their expectations for board involvement in risk management activities. It is clear that they expect active and engaged board-level participation in the establishment of the proper “tone at the top” as well as in the approval and monitoring of specific risk policies the firm develops. Copyright ©2010 John Wiley & Sons, Inc. 
P1: OTA/XYZ P2: ABC c04 JWBT177-Simkins October 24, 2009 9:17 Printer Name: Hamilton THE ROLE OF THE BOARD OF DIRECTORS AND SENIOR MANAGEMENT IN ERM 57 Box 4.3 Excerpt from Standard & Poor’s “PIM Framework for Assessing ERM Practices”* In November 2007, Standard & Poor’s issued a request for comment titled, Criteria: Request For Comment: Enterprise Risk Management Analysis For Credit Ratings Of Nonfinancial Companies, which announced S&P’s proposal to expand its analysis of ERM processes as part of its credit-rating assessments into 17 different industries.** S&P has developed an ERM assessment framework—the “PIM Framework” denoting policies, infrastructure, and methodology—to assess the robustness of enterprise risk management practices within an entity as part of the credit evaluation process. D Within the PIM framework, S&P views “risk governance” as the foundation of the evaluation structure. SevA activities involving the board of eral components of risk governance include directors: I r In consultation with the business,L the institution has established risk policies that would be approved by the board’s risk committee. Y dialogue takes place among the r The institution ensures that periodic board, business heads, and group ,risk management on the appropriateness and relevance of the various key financial and nonfinancial risk metrics. r Ensure that the board is well engaged R with ERM initiatives within the organization and is to some degreeYsetting the tone. * A “Assessing Enterprise Risk Management Practices of Financial Institutions,” Standard N & Poor’s (2006). www.standardandpoors.com. ** “Criteria: Request for Comment: Enterprise Risk Management Analysis For Credit Ratings on Nonfinancial Companies,” Standard & Poor’s (2007). www.standardandpoors .com. 
2 6 7 Reputational damage resulting from the lack of adequate risk oversight 5 is present even without mandated requirements to adhere to specific risk management–related laws, regulations, stock exchange listing rules, and best pracB tices. Even absent any actual legal exposure, the board of a company whose excesU and/or operating performance will sive risk taking leads to a crisis or poor financial likely face significant criticism in the press and from shareholders. In these circumstances, the board may also be faced with proxy contests, either from a competing slate of directors standing for election or through other shareholder resolution campaigns. Proxy attacks against directors viewed as responsible for failures of risk oversight have become more and more common. The business press has also highlighted and targeted directors that they view as underperforming. With the enhanced attention being paid to risk oversight and management, one can expect increased pressure on companies perceived to have taken on excessive levels of risk or who have been found to lack robust risk oversight capabilities. Copyright ©2010 John Wiley & Sons, Inc. P1: OTA/XYZ P2: ABC c04 JWBT177-Simkins 58 October 24, 2009 9:17 Printer Name: Hamilton Overview DELEGATION OF RISK OVERSIGHT TO BOARD COMMITTEES Many boards find it helpful to assign primary risk oversight responsibility to a committee of the full board. This committee is charged with directly overseeing the risk management function and should receive regular reports on the status of the ERM process from those members of senior management responsible for risk management for the enterprise. This committee, in turn, should make regular reports to the full board to ensure that the board as a whole has an understanding of the risk profile of the entity and can then engage in strategic, risk-informed decision making appropriate to their leadership role. 
In many instances, boards delegate primary responsibility for risk oversight D committee’s seemingly overwhelmto the audit committee, in spite of the audit ing list of responsibilities related to financial A reporting and the internal/external audit function. Audit committees are the most common board committee to be I charged with performance of oversight duties over management’s risk policies and guidelines, and they are being askedLto discuss with management the enterprise’s key risk exposures—including risk exposures beyond financial reporting Y of audit committee charters of Forrelated risks. A recent Conference Board study tune 100 companies reported that 66 percent , of these companies place primary risk oversight responsibility on the audit committee, using language similar to the examples illustrated in Box 4.4 for the Coca-Cola Company, Wal-Mart Stores, and Apple.4 R Audit committees (or other board committees) that have been charged with Y this responsibility for risk oversight are increasing their demands on management A processes and for up-to-date infor more information about risk management formation about management’s assessment N of key risk exposures. Within senior management, it is often the chief financial officer (CFO) or chief audit executive (CAE) who has been asked to take the lead in risk management efforts for the organization. The 2006 Conference Board report, 2 “The Role of U.S. Corporate Boards in Enterprise Risk Management,” reports that the executive most frequently cited 6 board on risk issues is the CFO—with by directors as responsible for informing the more than 70 percent reporting this relationship. 
However, in growing numbers, 7 organizations are creating Chief Risk Officer (CRO) positions to serve as the risk 5 leader or “champion,” while others are creating executive-level risk committees comprised of the CFO, CRO, general counsel, executives in charge of strategy and B internal audit, and/or other key business unit leaders to lead the ERM effort. U FORMALIZING RISK MANAGEMENT PROCESSES The complexity and sheer number of risks affecting organizations has expanded at a rapid pace over the past decade. Boards and senior executives are increasingly feeling the pressure to respond to these increased demands on their time and expertise. A 2007 study, “Board Members on Risk,”5 reports that 72 percent of board members who participated in the survey believe that the overall level of risk that the organizations they serve currently faces has increased in the past two to three years, with 41 percent indicating that the overall level of risk has increased significantly. Senior executives and their boards are realizing that the practice of Copyright ©2010 John Wiley & Sons, Inc. P1: OTA/XYZ P2: ABC c04 JWBT177-Simkins October 24, 2009 9:17 Printer Name: Hamilton THE ROLE OF THE BOARD OF DIRECTORS AND SENIOR MANAGEMENT IN ERM 59 Box 4.4 Illustrative Language from Audit Committee Charters Below are excerpts from three audit committee charters that provide examples of audit committee involvement in risk oversight: 1. The Coca-Cola Company’s Audit Committee Charter states that one of the 14 responsibilities of the Audit Committee of the Board of Directors includes: Risk Assessment and Risk Management. The committee will review and discuss with management, the Dinternal auditors, and the independent auditors the company’s policies and procedures with respect to A risk assessment and risk management. 2. 
Wal-Mart Stores includes the following I language in their Audit Committee Charter: L Discuss with management the company’s major financial risk exposures and the steps management has taken to monitor and control such Y exposures, including the company’s risk assessment and risk man, agement policies. 3. The Audit and Finance Committee Charter of Apple states that one of the responsibilities of the committee is: R Review and discuss with Management (i) Management’s financial risk assessment and risk management Y policies, (ii) the Corporation’s major financial risk exposures and the steps Management has taken A to monitor and control such exposures. N managing risk informally or on an ad hoc 2 basis is no longer tolerable and that, in many instances, current processes have proved inadequate in today’s rapidly 6 evolving business world. To address these concerns, many boards 7 have adopted ERM as a process to develop a more robust and holistic top-down view of key risks facing the organization. 5 response to emerging expectations for Although the adoption of ERM is largely in greater risk oversight, recent data shows that B entities that outperform their peers are more likely to have developed a more formal risk management process.6 PropoU ERM is not to lower risk. Rather, ERM nents of ERM stress that the goal of effective is designed to more effectively manage risks on an enterprise-wide basis so that stakeholder value is at least preserved, but hopefully enhanced. Said differently, ERM allows management and the board to make better, more “risk-intelligent,” strategic decisions. Recent evidence, cited above, seems to support this notion. An ERM focus is assisting boards and senior executives to think about risks more holistically. 
This is far different than traditional approaches to risk where management has historically assigned risk oversight responsibilities to individual functions or business units (these are often referred to as “silos” or “stove-pipes” of the business in the language of ERM). The common result of a stove-pipe approach to risk management is that risks are often managed inconsistently or within Copyright ©2010 John Wiley & Sons, Inc. P1: OTA/XYZ P2: ABC c04 JWBT177-Simkins 60 October 24, 2009 9:17 Printer Name: Hamilton Overview each individual risk manager’s personal tolerance for risk. More importantly, these risks may be effectively managed within an individual business unit to acceptable levels, but the risk responses or treatments selected by the manager may unknowingly create or add to risks for other units within the organization. Furthermore, traditional silo-based approaches to risk management often fail to anticipate that certain risk events may be correlated with other risk events, triggering a cascading series of risk exposures. Often the net result when risks are managed in this manner is an increase (rather than reduction) in the overall risk exposure for the enterprise. SENIOR EXECUTIVE LEADERSHIP IN RISK MANAGEMENT D An ERM approach to risk management requires a top-down view of risks faced A by the organization. Visible leadership from and embrace by the senior executive I ERM process. Those organizations team is a critical component to an effective that have started down the ERM path attest L to the reality that the adoption of a holistic view of risks, which requires that risk information be shared transparently Y a significant change in the corporate across silos within the organization, requires culture or mindset of management at all levels , within the enterprise. 
As employees across the organization are held accountable for the ownership of risks within their areas of responsibility, senior executive leadership is needed to reinforce the importance of this movement toward a more R transparent, enterprise-wide view of risk management. Y The CFOs are uniquely positioned to lead the overall enterprise risk manageA ment effort. CFOs are already intricately involved in providing an overall view of the organization from a financial risk perspective, which gives them an enterpriseN wide understanding of the key activities that drive performance. CFOs also have an existing relationship with the audit committee. Thus, as audit committees turn to management to strengthen the enterprise’s 2 approach to risk management, they are naturally turning to CFOs to kick-start the process. 6 CFOs have responded to these new challenges by designing basic structures for identifying and assessing risks across the enterprise. For many, this begins 7 by defining risk terminology or developing common definitions of key risk con5 are implemented consistently across cepts so that risk management approaches the enterprise. Providing a clear definitionBof risk terms (including a discussion of whether “risk” represents both risky opportunities and downside risks) is often U senior management can then survey the required first step. Once risk is defined, the organization to identify potential risk drivers and risk events through questionnaires, interviews, risk workshops, and external risk scanning to generate an inventory of risks that may pose potential threats and/or opportunities for the enterprise. Leadership is needed to ensure that risks are assessed consistently across the organization. 
Risk champions at the senior executive level must develop procedures to govern how risks are to be assessed, not only from a likelihood or probability perspective, but also from an impact perspective in order to prioritize those risks most important for senior executive and board oversight. Based on risk rankings, reflecting probability and impact assessments, management is now in a position to identify those risks with the greatest need for the development of an appropriate risk response. Senior executives should then identify key risk indicators that can be included in management information reports to allow for proactive management of these risks on an ongoing basis.

The above discussion provides an abbreviated overview of the core elements of an ERM approach, and also illustrates the nature of risk management leadership that the audit committee and board are expecting from the senior executive team. Later chapters are devoted to a thorough discussion of tools and techniques that identify and assess risks and that develop appropriate treatment strategies tailored to the specific risks encountered.

THE ROLE OF THE INTERNAL AUDIT FUNCTION IN ERM

The CFO and other senior executives formally lead the ERM effort, but internal audit plays a major role in supporting the risk management process. In many cases, audit executives who lead the internal audit function have often initiated the ERM launch within their organizations. Although internal audit is naturally involved in risk management activities, there are specific roles the internal audit function should and should not assume throughout the ERM process.
Internal audit should provide an assurance service on risk management processes, giving assurance that risks are evaluated correctly, evaluating risk management processes, evaluating the reporting of key risks, and reviewing the management of key risks. However, internal audit should not be involved in developing the risk management process for board approval, imposing risk management processes, making decisions on risk responses, managing identified risks, or establishing the enterprise’s risk appetite. The internal audit’s role should be to monitor the effectiveness of ERM processes designed and implemented by senior management. Direct reporting of the internal audit function’s monitoring activities puts audit committees in a position to be more objectively informed about the effectiveness of management’s risk management processes, including the accuracy and completeness of risk information they receive directly from senior management.

EXTERNAL AUDIT AS AN INDEPENDENT SOURCE OF KEY RISK IDENTIFICATION

Audit committees also exert pressure on their external auditors to share risk information they glean from audits of financial statements and, for publicly traded entities, the audit of internal controls over financial reporting required by the Sarbanes-Oxley Act. In the process of understanding the entity and its environment (a requirement for financial statement audits to be conducted in conformance with auditing standards), external auditors are likely to identify key business risks affecting the enterprise. Auditors of publicly traded companies may also identify deficiencies in risk responses as they assess the effectiveness of internal controls surrounding core business processes that affect financial reporting. Proactive audit committees recognize that the external auditor can serve as a rich source of risk information that can assist the audit committee in challenging the completeness
of risk inventories prepared by management. External auditors recognize that this contribution is a value-added activity for their clients and respond with greater dialogue about key risks when participating in executive sessions with the audit committee.

While boards and senior executives are strengthening their risk oversight processes at a rapid pace, few entities are currently able to claim that they have fully developed ERM processes in place. Most recognize that the implementation of ERM is an evolutionary process, whereby risk oversight improves over time. Most ERM proponents believe there is no “one size fits all” approach to enterprise risk management. As boards and senior management strive to make real progress toward developing ERM processes into more mature business operating models, they will need to be patient. Immediate success is rare—ERM must be viewed as a long-term cultural change and realistic expectations must be established for its implementation.

ERM IMPLEMENTATION STRATEGIES

In fulfilling its obligation to exercise oversight over risk management, the board or board committee charged with the primary responsibility for oversight should focus on the adequacy of the organization’s enterprise risk management system. Risk management must be tailored to the specific entity, but in general an effective ERM process will identify the significant risks that the organization faces in a timely manner, implement appropriate risk management strategies that are in concert with the company’s risk appetite and specific risk exposures, integrate the consideration of risk and risk management into strategic decision making throughout the company, and feature explicit policies and procedures that adequately transmit necessary information with respect to significant risks to senior management and, as appropriate, to the board or relevant committee.
To accomplish these objectives, there are certain implementation strategies that can help the board and the senior executives delegate responsibility for the ERM program in designing and modifying the risk management function. The sections that follow discuss the following strategies:

- Role of the audit committee
- Role of the board
- Training
- Board composition
- Reporting
- Compliance
- Culture

Role of the Audit Committee

As discussed earlier in the chapter, most boards delegate primary oversight of risk management to the audit committee, which is consistent with the NYSE corporate governance rules illustrated in Box 4.2. That rule requires the audit committee to discuss policies with respect to risk assessment and risk management. For many companies, however, the scope and complexity of enterprise risk management may dictate consideration of establishing a dedicated risk management committee of the board in order to force increased attention at the board level on risk management and oversight. The NYSE listing requirement permits boards to so delegate the primary risk oversight function to a different board committee, subject to limited continuing audit committee oversight.

The audit committee may not always be the best choice for providing direct oversight of the ERM program at the board level. Given the significant responsibilities specifically mandated or delegated to it by the Sarbanes-Oxley Act, the audit committee typically has a crowded meeting agenda and may not have sufficient time and resources to devote to the optimal level of risk oversight.
In addition, the audit committee’s focus on compliance with financial reporting rules and auditing standards is not necessarily the best approach for understanding the broad array of risks faced by their organization. In fact, it may be argued that an intense focus on compliance may hinder certain risk awareness because once satisfaction is reached that a standard has been correctly followed, it is natural to then turn to new issues rather than to continue spending scarce time on an issue seemingly resolved. A recent example of this phenomenon may be found in the banking industry, where the creation of off-balance sheet entities (structured investment vehicles and trusts) conformed to applicable accounting guidance but, in hindsight, clearly contributed to the catastrophic escalation of risk that has led to financial ruin for many financial institutions.

If primary responsibility for risk oversight remains with the audit committee instead of a newly constituted risk committee, the audit committee should explicitly include dedicated agenda time for the periodic review of risk management policies and the status of key risks apart from its review of the financial statements and compliance issues. Although this will undoubtedly further burden the audit committee, it is critical to allocate necessary time and attention to the risk oversight role specifically. The goal should be to facilitate serious and thoughtful board-level discussion of the organization’s ERM process, the trends in the key risks the company encounters, and the robustness of the company’s policies, procedures, and actions designed to respond to and treat these risks.

Role of the Board

The primary board-level risk oversight role is typically delegated to a committee, but the full board is ultimately responsible for monitoring the ERM program.
Hence, the board should devote meeting time to discuss and analyze information about the entity’s ERM program and the most significant risks impacting the company’s ability to achieve its strategic objectives. This can be accomplished through reports delivered by the committee charged with risk management oversight and by appropriately summarized versions of the materials provided by senior management and advisors to that committee.

Risk management issues also commonly arise in the context of the work of other committees. For example, the compensation committee is charged with approval and oversight of the incentive compensation arrangements for senior management personnel. These compensation agreements must be carefully structured to ensure that they do not create incentives for the senior management team to take on risky projects (that breach the board-approved risk tolerance or appetite of the organization) in an attempt to maximize bonus compensation. Specialized committees may also be charged with specific areas of risk exposure. Within financial institutions, for example, credit, market, and asset/liability management committees are common, while some boards of energy and manufacturing companies have committees largely devoted to environmental and safety issues.

Training

In-depth knowledge of the organization’s fundamental operations is required for understanding the implications of the key risks a company is exposed to and then assessing the company’s planned responses to these risks. Director orientation and training programs should be reviewed to ensure they provide enough substance for directors to develop an understanding of the company’s businesses. These programs should also discuss the company’s risk inventory and provide an overview of the ERM process employed by the entity.
In addition to orientation programs for new directors, a company should consider the development of continuing education materials for directors on an ongoing basis, to supplement board and committee meetings. Participation in workshops offered through various organizations can help keep directors abreast of current industry and company-specific developments and specialized issues. Site visits by directors, either within the framework of the board meeting schedule or as part of a continuing education program, can be valuable for companies where a physical inspection is important for appreciating the business-unit risks that the company faces. These visits should allow directors to assess firsthand some of the health and safety, operational, and other risks facing the company much better than a prepared presentation or written communication.

Director training should be tailored to the issues most relevant and important to the particular company and its business. For example, investment banks that issue and trade complex securities and derivatives generally monitor their financial exposure to market risk through daily value at risk (VaR) calculations. Workshops or Web-based presentations to inform bank board members about the underlying assumptions and the approach to calculating the VaR statistic can be critical for understanding the risks the bank faces. Most business decisions are made in the context of the economic and political environments in which the various business units operate, and presentations that illuminate key aspects of these differences across the company will be useful to the board’s understanding of the company’s operations. Although there are presently no legal requirements that mandate continuing education for the board, these efforts can be extremely valuable in helping directors to discharge their duties and to avoid negative media attention that may follow announcements of bad news events.
Board Composition

Recent changes to corporate governance requirements and best practices guidance have led many companies to enhance the independence and diversity of their boards. There has also been a downward trend in the participation of senior executives on boards of unaffiliated entities. Because of this, companies are often confronted with the fact that a significant portion of their boards may lack detailed knowledge of the industry in which the company operates. Under these conditions, the importance of well-designed and executed orientation programs for new directors and the creation of opportunities for continuing education for all members of the board are critical.

As a function of this new environment, boards should pay particular attention to the background and experience of the individual board members asked to serve on the committee charged with oversight of the ERM function. As seats on the board open up due to retirements or the creation of additional directorships, the board should aggressively recruit new members with relevant industry expertise and, if possible, with a background that includes risk management experience. For boards on which the CEO serves as the sole representative of the senior management team, it may be prudent to consider adding a second or third management representative, such as the COO, CFO, or chief risk officer (if a separate CRO position has been established), to provide an additional source of information in the boardroom on the company’s business, operations, and risk profile. Direct lines of communication between non-CEO executives and the board or relevant board committee should already be present.
Actual membership on the board is likely to allow for more consistent and timely input from these senior executives to the board.

The board’s ability to perform its oversight role effectively is largely dependent on the flow of information that occurs among the directors, senior management, and the risk management executives in the organization. If the board is unsure whether they are receiving sufficient information to discharge their responsibilities, they need to be aggressive in their requests for that data. Directors must have adequate knowledge of such information as:

- The external and internal risk environment faced by the firm.
- The key material risk exposures affecting the company.
- The methodology employed to assess and prioritize risks.
- Treatment strategies for key risks.
- Status of implementation efforts for risk management procedures and infrastructure.
- The strengths and weaknesses of the overall ERM program.

Reporting

If the board has delegated primary risk oversight responsibility to a committee of the board, that committee should meet in executive sessions with the designated ERM leader in a manner analogous to the audit committee and its regular sessions with the company’s internal auditor, and with senior management in connection with CEO and CFO certifications of the financial statements. Senior risk managers and the senior executive team need to be comfortable in informing the board or relevant committee of rapidly emerging risk exposures that require the immediate attention of the board. These reporting channels must be open at all times as a complement to regular reporting procedures. As previously discussed, the committee charged with risk oversight should make regular reports to the full board to keep them apprised of important changes in the organization’s risk profile and/or exposure to key risks.
Compliance

Senior management should also provide the board with a comprehensive review of the company’s legal compliance programs and how they affect the company’s risk profile. There are a number of principles to consider when assessing the adequacy of compliance efforts. There should be a strong and visible “tone at the top” emanating from both the board and senior management that emphasizes that noncompliance with corporate policy will not be tolerated. Actions of the board and the senior executive team should provide an unambiguous signal to the organization that policies and procedures are to be followed scrupulously. The compliance program should be designed by individuals with the appropriate level of expertise and will typically include workshops and written materials. The full board should review compliance policies periodically in order to assess their effectiveness and to make any revisions deemed prudent or necessary to conform to changes in applicable laws. To ensure that policies are respected, it is essential that there be consistency in enforcement through appropriate disciplinary measures. Finally, there should be a clear reporting system in place so that employees understand when and to whom they should report suspected violations.

Culture

In addition to the formal compliance program, the board must also encourage management to promote a corporate culture that understands the business case for risk management and incorporates it into its overall corporate strategy and day-to-day business operations. The enterprise risk management function cannot be viewed as a drag on the achievement of corporate objectives or isolated as a specialized corporate function, but instead should be established as an integral part of everyday decision making within the business units.
Companies must incur risk in order to run their businesses and maximize returns for stakeholders. The board must recognize that there can be significant danger in excessive risk aversion, just as there is danger in unchecked risk taking. But the assessment of risk, the accurate weighing of risks versus rewards, and the informed response to risk exposures should be incorporated into all business decision making.

The company’s enterprise risk management structure should enable ongoing efforts to assess and analyze the most likely areas of future risk for the company. This process, often referred to as environmental scanning, is a key element of avoiding or successfully mitigating those risks before they become crises. In their review of the organization’s risk management processes, the board should ask senior management directing the ERM program to discuss with them the most likely sources of significant far-horizon risks and how the company is planning for any significant potential vulnerability.

CONCLUSION

As stated at the opening of this chapter, the oversight of the enterprise risk management (ERM) processes employed by an organization is one of the most important and challenging functions of a corporation’s board of directors. It is the board’s responsibility to work in concert with senior management of the company to establish the appropriate “tone at the top” to ensure that risk and risk management remain at the forefront of strategic and operating decisions made within the business. As a simple survey of the financial press would indicate, we find ourselves today in an environment in which companies face risk exposures that are more complex, more interconnected, and potentially more devastating than ever before.
To ensure that they are faithfully discharging their fiduciary duties, boards must adequately acknowledge and manage risks associated with decisions being made throughout the organization and operate with the understanding that these risks can and often do lead to potentially catastrophic results.

NOTES

1. In re Caremark International Inc. Derivative Litigation, 698 A.2d 959, 971.
2. “Final Corporate Governance Rules,” New York Stock Exchange (2004), www.nyse.com.
3. Committee of Sponsoring Organizations of the Treadway Commission (COSO), Enterprise Risk Management – Integrated Framework, September 2004, www.coso.org, New York, NY.
4. “The Role of U.S. Corporate Boards in Enterprise Risk Management,” The Conference Board (2006).
5. “Board Members on Risk,” Ernst & Young (2007).
6. See “Balancing Risk and Performance with an Integrated Finance Organization – The Global CFO Study 2008,” IBM Global Business Services.

PART II

ERM Management, Culture, and Control

CHAPTER 5

Becoming the Lamp Bearer: The Emerging Roles of the Chief Risk Officer

ANETTE MIKES
Assistant Professor of Business Administration, Harvard Business School

One of the greatest contributions of risk managers—arguably the single greatest—is just carrying a torch around and providing transparency.
—Chief Risk Officer, interviewed on November 17, 2006

Opinion has a significance proportioned to the sources that sustain it.
—Benjamin Cardozo (1870–1938)

Despite the widespread adoption of enterprise risk management (ERM) in the financial services industry, banks suffered hundreds of billions of dollars of losses during 2007–2008, stemming from risks that few executives had understood (Treasury Committee 2007a, 2007b). Under the shock of the first subprime-related loss disclosures, industry observers raised the question: “Where were the risk managers?” (Bookstaber 2007). In February 2008, a joint study by the Senior Supervisors Group—representatives of eight banking supervisory bodies—noted that, while “some firms recognized the emerging additional risks and took deliberate actions to limit or mitigate them . . . other firms did not fully recognize the risks in time to mitigate them adequately” (Senior Supervisors Group 2008, 2). The group emphasized significant differences in firms’ approaches to risk management, particularly in the design and scope of risk assessment and reporting practices. Further, regulators and industry observers continue to call for the appointment of executives who are exclusively devoted to the role of enterprise-wide risk oversight, particularly since one early victim of the subprime credit debacle, Merrill Lynch, lacked a chief risk officer and another, Citigroup, was immediately blamed for its ineffective risk oversight (American Banker 2008). Going forward, many argue that the role of the chief risk officer is going to be further emphasized in corporate governance. As Peter Raskind, National City Bank’s chief executive officer, argued in an interview in the pages of the American Banker toward the end of the first year of the subprime credit crisis: “This environment has absolutely underscored the
need for that person. But it’s not just credit risk. It’s operational risk, reputation risk, and so on.”1

Risk management in banks is a relatively recent function. Under the leadership of chief risk officers, risk-management staff groups are currently carving out their territory in response to uncertainties ranging from adverse asset-price movements to borrower defaults and threats to the financial health of the enterprise. The visibility of risk management and, in particular, of the Chief Risk Officer (CRO) has increased outside the banking industry, too. In a 2008 survey, consulting firm McKinsey tracked the diffusion of CRO appointments by industry in the United States (Winokur 2009). McKinsey found that 43 percent of insurance companies had appointed a senior risk officer with enterprise-wide risk oversight, in contrast to 19 percent in 2002. Other industries with a significant number of CRO appointments include energy and utilities (50 percent of companies had a CRO in 2008), health care, and metals and mining (20 percent to 25 percent of companies were reported to have a CRO). Furthermore, it is widely expected that rating agencies will assess the quality and scope of ERM as part of their rating process going forward (Standard & Poor’s 2008; Ernst & Young 2008).

Enterprise risk management, under the leadership of CROs, has the promise to bring enterprise-wide risks, which threaten the achievement of the firm’s strategic objectives, into the open and under control. Its organizational significance is that, by providing a process to identify, measure, monitor, and manage uncertainty in strategic decision making, strategic planning, performance management, and deal-approval processes, it enables top management to maintain or alter patterns in risk taking.
This chapter addresses the question: How may chief risk officers realize that organizational significance? I draw on the existing practitioner and academic literature on the role of chief risk officers and on a number of case studies from my ongoing research program on the evolution of the role of the CRO. The first section deals with the origins and rise of the CRO and outlines four major roles that senior risk officers may fulfill. The following sections discuss and illustrate those roles.

THE ORIGINS OF THE CRO

In 1956, Harvard Business Review published “Risk Management: A New Phase of Cost Control,” in which Russell Gallagher called for a “workable program for ‘risk management’ . . . putting it under one executive, who in a large company might be a full-time ‘risk manager.’” The article proposed that, in the face of increasingly expensive insurance premiums, the “postwar battle for tighter cost controls” required a “concerted method of attack” on the management of risks and hazards—namely, the appointment of a professional insurance manager. So began the saga of the chief risk officer in the world of insurance. Indeed, until recently, most nonfinancial firms considered buying insurance to be the core task of the risk-management function (Butterworth 2001).

The seeds of a more strategic role for the chief risk officer were sown in the 1970s. The publication of the Black-Scholes options-pricing model in 1973 triggered the staggering rise of derivatives markets (Buehler et al. 2008) by enabling more effective pricing and mitigation of risk. Over the next three decades, the world of risk management in the financial services sector changed profoundly as banks and securities houses created a “gigantic clearinghouse for packaging, trading and transferring risks” (Buehler et al. 2008).
Financial firms both created and took advantage of many important innovations to contain financial risks; the arsenal of risk management was no longer limited to insurance policies. Increasing financial sophistication resulted in two new risk-management strategies: (1) portfolio diversification, and (2) hedging. Energy companies, food producers, and other firms followed suit in widening their risk-management toolkits as markets opened for the trading of various industry-specific risks. However, as Merton observed, top executives in most industries persistently regarded the application of derivatives and other risk-management tools as essentially tactical and therefore delegated the management of financial risk to a host of in-house financial experts such as insurance managers and corporate treasurers (Merton 2005). The dangers of delegation and the resultant “silo” approach have been ruthlessly exposed by a number of corporate scandals over the last two decades and during the credit crisis of 2007–2008, as it became clear that many firms had taken large risks without an appropriate understanding of the long-term, firm-wide consequences, which, by 2009, had spread far beyond their organizations onto millions of stunned stakeholders and innocent bystanders.

The creation of the CRO role with a dedicated risk-management unit occurred intermittently at first; some of the earliest attempts took place in large financial services firms, often as a reaction to excessive investment losses. In 1987, Merrill Lynch, having suffered large losses on mortgage-backed securities in March of that year, appointed Mark Lawrence, a senior executive, to establish a dedicated risk-management unit. But because there was, as yet, no pressure to institutionalize this new organizational function, the role of CRO lacked credibility (Wood 2002) and the unit gradually lost power (Power 2005). GE Capital’s risk-management unit was an exception.
James Lam, appointed chief risk officer in 1993, became the first to hold the role of integrated risk oversight with that title (Lam 2000). His unit, designed as an integral part of GE’s finance function, displayed a “rigorous process approach,” allocating risk-based approval authority down the business lines, applying data-driven analytics to identify and monitor risk, and strictly enforcing risk limits.2 In the early 2000s, Deutsche Bank created the position of CRO (Hugo Banziger) with the mandate to make the risk and profit implications of business-line decisions transparent. By then, the concept of a risk-management head had evolved from a defensive administrative “cop” to—at least in aspiration—a business partner and advisor in risk taking (Power 2005, 134; Wood 2002). This shifted the risk-management model (and the CRO) out of the back office and into the front line with a more strategic role. As the new risk-based capital adequacy reform (Basel II) gathered momentum, calls for assembling risk-management practices under the umbrella of a dedicated risk organization and under the oversight of a high-level executive intensified.

The rise of the CRO was not confined to the financial sector: Sulzer Medica appointed a CRO in 2001, following legal losses, and Delta Airlines employed a CRO in 2002 in response to the heightened concern for risks in the airline industry following the 9/11 terrorist attacks (Power 2005). Nevertheless, it was the increasing codification of enterprise risk management into various risk-management standards that accelerated the appointment of senior risk officers with an enterprise-wide risk oversight. Multi-disciplinary
P1: OTA/XYZ P2: ABC c05 JWBT177-Simkins 74 October 24, 2009 9:17 Printer Name: Hamilton ERM Management, Culture, and Control task forces in Australia and New Zealand published the first Risk Management Standard in 1995 (revised in 1999 and 2004) and other standard-setters followed suit (Ferma 2002; COSO 2003), successfully spreading the notion that enterprise risk management was good management. Several companies aspiring to be bestpractice organizations adopted enterprise risk management and appointed chief risk officers to oversee its implementation (Aabo et al. 2005). McKinsey’s 2008 survey found that 10 percent of nonfinancial firms had CROs, up from 4 percent in 2002 (Winokur 2009). In tandem with the rise of the chief risk officer and the dedicated riskmanagement function, the internal auditing profession also staked a claim on the risk-management domain (Koleman 2003). The Institute of Internal Auditors, an international professional association of certified internal auditors, included D risk management as part of the audit profession’s competencies and stimulated the development of control risk self-assessment as the bedrock of enterprise risk A management. Furthermore, external auditors had reinvented the financial audit I to be more perceptive of the client’s business risk and associated risks, offering business-risk assessments simultaneouslyLas an audit-planning tool and as an advisory mechanism. Overall, the shape of a risk-management services industry had Y become visible, with risk professionals, internal auditors, and external auditors competing to design and service the internal , risk-management space of corporations (Power 2000). Not surprisingly, CROs come from many walks of life, including internal audit, external audit, financial management, R business management, and consulting. 
Industry surveys (PricewaterhouseCoopers 2007; Deloitte 2007; IBM 2005) show that CROs fulfill a variety of roles that nevertheless fall into two categories: (1) a compliance and control function on one hand, and (2) a more strategic "business partner" role on the other hand. Much of the industry debate prior to the subprime-credit crisis focused on how CROs ought to balance their compliance champion role with that of an active participant in business decision making. The credit crisis directed attention to a series of risk-management failures (Stulz 2009), particularly the gaps in financial institutions' internal risk-assessment practices. Indeed, there is wide variation in the usefulness and reliability of the risk models used by various financial institutions (Tett 2008). My recent research indicates that firms' risk-modeling initiatives vary in style and quantitative sophistication and that senior risk officers exercise a large degree of discretion in determining the use and mix of quantitative and qualitative risk-management tools (Mikes 2005, 2007b). This finding highlights the role of the CRO as a modeling expert who deploys a certain degree of quantitative enthusiasm or quantitative skepticism in the management of different risk categories (Mikes 2008b). Further, different CROs interpret their "business partner" roles differently. In a study of 15 chief risk officers, I found that some CROs strive to grasp the key strategic uncertainties affecting their organizations (whether measurable or not) and proactively help top management anticipate emerging strategic risks; these CROs play the role of strategic advisor. Other CROs confine their attention to the measurable risk universe and the production of "catch-all" metrics for aggregate risk taking and risk-adjusted performance; they enact the role of the strategic controller.
In sum, the role of the chief risk officer is not only multifaceted but also varies according to the industry, the emphasis the risk function places on compliance with regulatory and risk-management standards, and the extent and sophistication of the firm's risk modeling. The next four sections turn in detail to the four major CRO roles, namely (1) compliance champion, (2) modeling expert, (3) strategic controller, and (4) strategic advisor.

BECOMING THE LAMP BEARER

THE CRO AS COMPLIANCE CHAMPION

The role of compliance champion entails advocating and policing compliance with pressing stakeholder requirements and keeping up with new regulations and standards affecting the design and roles of the risk-management function. Many CROs initiate a "risk policy framework"—a determination of what risks need to be addressed and by whom—on which the board and a senior executive then sign off. The risk policy framework fulfills several roles: First, it sets the boundaries of acceptable risk taking by ensuring that the appropriate standards and controls are in place. As one senior risk officer put it, the framework tells the business lines "the rules of engagement, making sure that the do's and the don'ts are sufficiently clear."3 It is now widely recognized in risk-management circles that "both Barings's and Société Générale's losses were created by employees not following the processes."4 Research on so-called man-made disasters has long established that complex organizations (in any industry) generate "normal accidents" (Perrow 1984) and routine errors that are suited to—and, indeed, called for—the creation of a specialist CRO role (Power 2004, 141).
In such settings, CROs are pressure points in the border territory between risk controlling and risk taking; "the risk officer is not necessarily responsible for each risk type, but is responsible to ensure each risk-type owner has set appropriate standards."5 Although the CRO supports and enhances the management of risk, detailed risk management remains the responsibility of line management.

Second, the risk policy framework advocates a shared understanding of the spectrum of risks the organization cares about; naturally, this spectrum changes over time. Some chief risk officers consider the creation of this shared understanding to be the key benefit of their work because it reinforces the company's shared understanding of its strategic priorities. Hydro One's chief risk officer, John Fraser, is a case in point. He maintains that enterprise risk management starts with top management agreeing about strategic objectives; then they develop a shared understanding of the principal risks (Mikes 2008a). Fraser acknowledges that his role was "not to give the answers" to the problems of the business but to facilitate the emergence of a shared understanding among managers. He achieved this in interactive risk workshops:

Enterprise risk management is a contact sport. Success comes from making contact with people. Magic occurs in risk workshops. People enjoy them. Some say, "I have always worried about this topic, and now I am less worried, because I see that someone else is dealing with it, or I have learned it is a low probability event." Other people said, "I could put forward my point and get people to agree that it is something we should be spending more time on, because it is a high risk."6

Third, the risk policy framework gives chief risk officers a plan, a language, and the authority with which to oversee the development of risk-measurement and monitoring tools for each risk type. At a basic level, every risk function operates a host of templates with which to collect risk information, establish risk-assessment guidelines, and construct risk models that collect loss and other risk-related data to track the firm's evolving risk profile. But there is a plethora of tools and practices for measuring and communicating risk and wide variation in their application even within a particular industry.

THE CRO AS MODELING EXPERT

In general, chief risk officers play a powerful role in selecting the people, processes, and systems that will define the scope of risk measurement and control in their organizations. The infrastructure of most modern risk-management functions contains a wide variety of risk models, processes, and information systems, the design of which requires the CRO to play the role of the modeling expert. Deutsche Bank's CRO, Hugo Banziger, recalled his early experiences with system-building:

I . . . had to build an entirely new organization from scratch. We designed a dedicated credit process; hired and trained credit staff, as there were no credit people with derivatives know-how in the market; built credit-risk engines with the help of traders; and created our own Potential Future Exposure model, using Monte Carlo simulations and stress-testing portfolios. After that, we had to build a credit system that could integrate all these functions and aggregate our derivative counterparty exposure globally. These were six very challenging years.7

Banziger is one of several chief risk officers who emphasize risk aggregation as well as risk measurement. As they see it, the creation of an aggregate view of quantified risks is the key benefit of implementing firm-wide risk models.
Aggregating risk exposures had been a challenge to risk practitioners for a long time, largely due to the variety of risk measures applied to the different risk types and insufficient knowledge of the correlations between risk exposures, the diversification benefits, and the concentration penalties. The recent development of economic capital as a common-denominator measure for market, credit, and operational risks enables firms to aggregate their quantifiable risks into a total risk estimate.8 Indeed, Wood (2002) argues that the key role of the CRO is to fine-tune the calculation of economic capital for organizational-control purposes. Accordingly, recent works in the risk-management literature advocate risk-based internal capital allocations (measured by economic capital) for performance measurement and control. The ideal of introducing risk-based performance measurement in banks has emerged in tandem with developments in risk quantification and, importantly, risk aggregation. Risk aggregation requires a high degree of modeling expertise on the part of the risk-management function; it entails the extension of risk analytics to uncertainties with explicable (but not yet known) properties and the adjustment of the measurement approaches as further data become available. In a recent study, however, CROs voiced divergent opinions on the benefits and limitations of the available menu of risk-modeling initiatives (Mikes 2008b, 2009).

One group of CROs took a skeptical view, emphasizing that risk models were useful tools for managing a narrow set of risks, such as those that lend themselves to conventional statistical analysis (e.g., credit-card risks in a given geography and consumer segment).
Due to the homogeneity of such risk profiles and the large number of data points, decisions in such areas could be automated. But these CROs felt that, in less homogeneous business segments, such as lending to both small enterprises and large corporations, risk models were intrinsically less reliable (quantitative skepticism) and the judgment of veteran experts was essential. They did not consider risk modeling accurate enough to produce an objective picture of the underlying risk profiles, only to indicate the underlying trends.

Another group of CROs, however, were committed to extensive risk modeling and fostered a culture in which risk models were regarded as robust and relevant tools in decision making (quantitative enthusiasm), particularly in strategic planning and performance management. In these banks, risk experts gradually expanded the modeling infrastructure to uncover the natures and distributions of hitherto unknown uncertainties (including such risks as lending to small and medium-size enterprises), classifying and measuring these as part of the economic-capital framework. They quantified many operational risks as well, in order to make the aggregate risk profile more comprehensive. These additional risk assessments, once aggregated into the total risk profile, influenced the calculation of economic capital for control purposes. However, linking these risk calculations to planning and performance measurement was not automatic. Several senior risk officers were aware that simply wielding aggregate risk numbers would not convince business lines to change the way they did business. As one senior risk officer explained: "There is still an argument that the methodology and data underlying the quantification measurements themselves are not sufficiently reliable. . . . An aggregate view has to evolve. We have to be more confident in the quality of it. I wouldn't like to run the business on the aggregate view as we see it today."9

THE CRO AS STRATEGIC CONTROLLER

The evolution of the aggregate view has paved the way for the role of the CRO as strategic controller. This role assumes that the risk function, having built firm-wide risk models, enables the company to operate a formal risk-adjusted performance management system. Chief risk officers in this category preside over the close integration of risk and performance measurement and ensure that risk-adjusted metrics are deemed reliable and are relied on. They advise top management on the absolute and relative risk-return performance of various businesses and influence how capital and investments are committed. A senior risk officer who fulfilled this role described the risk-adjusted planning process as follows: "We obviously get involved with risk appetite. The businesses put forward their proposals, having linked in with [the group risk-management department]. They generate appropriate figures upon which we make the choices about where to bet the bank. The calculations are done by the businesses initially. They work it through with the risk department."10 Another CRO emphasized the importance of risk-adjusted performance measurement as a way of making business managers accountable for risk taking: "If we align the incentives correctly, then I don't have a job. The aim is getting the business units accountable for risk and the risk correctly charged and visible."11

The strategic controller role requires a legitimate risk-modeling capability, which is foundational to risk-based performance management. However, the construction of risk-adjusted performance measurement is inherently political. Risk-adjusted performance measures do not work by themselves; they have to be made to work.
The CRO needs to be aware that a new, risk-adjusted view of performance will inherently affect resource and reward allocations; internal jurisdictions may therefore resist it. For both political and theoretical reasons, CROs must also be modest in their claims of "objectivity." There can be no genuine objectivity in the measurement or management of that which has not yet happened and may never happen; other parts of the organization will easily recognize this as the soft underbelly of the risk-management function. Field studies on CROs in action show that, time and again, distrust of risk numbers and critique from other organizational groups require the CRO and the risk-management function to reconstitute and revise risk-adjusted performance metrics. Such objectivity as these calculations can achieve may well be the result of an organizational consensus, emerging from the process of challenge and revision. On the other hand, it has been shown that, in the face of challenge and critique from well-established organizational control groups, chief risk officers' "dreams of measurement" for control purposes may turn out to be just that (Mikes 2005, 2009; Power 2004).

THE CRO AS STRATEGIC ADVISOR

In the role of strategic advisor, senior risk officers command board-level visibility and influence, predominantly as a result of their grasp of emerging risks and nonquantifiable strategic and operational uncertainties. They bring judgment into high-level risk decisions, challenge the assumptions underlying business plans, and use traditional risk controls and lending constraints to alter the risk profiles of particular businesses. Many senior risk officers aspiring to this role do not regard risk modeling as sufficiently accurate to produce an objective picture of the underlying risk profiles; they rely on risk calculations mainly to indicate underlying trends (quantitative skepticism).
They are therefore reluctant to link risk measurements to planning and performance management, leaving these control practices to their traditional realm, the finance function. Instead, they seek to mobilize their own experience with other expert views from the organization to help decision makers understand emerging risks, the nature of which is not explicable by modeling. As one such senior risk officer explained: "The key decisions you make are not based on what you put in the model and what gets spat out. . . . The way I think of it: Risk is chemistry, it's not particle physics. You cannot separate the risks."12

Key to the strategic advisor role is the CRO's ability to create processes that channel risk information to key decision makers and thus prevent "risk incubation." While acknowledging that this role is new to them, several CROs are now championing practices of risk anticipation such as risk-based scenario planning and devil's-advocate systems. Looking beyond the risk silos and "taking a 30,000-foot view of the world,"13 these CROs conduct forecasts and assessments in order to find vulnerabilities and problem areas and alert the executive and supervisory boards.

Risk anticipation often surfaces multiple and conflicting views. As one senior risk officer explained with a hint of self-mockery, the role of the senior risk manager is like that of the "medieval licensed jester, allowed to be more skeptical about what is going on, constantly challenging existing assumptions and views, and scrutinizing strategic decisions before they are made. The difficulty is to challenge without causing offence" (Mikes 2009).
This role requires the senior risk officer to build a track record and credibility; as Hydro One's CRO, John Fraser, put it, "You have to earn your spurs."14 Some senior risk officers in banks who came through the ranks of line management believe they are better positioned to play the role of the strategic advisor than their risk-specialist peers. Having earned the trust and respect of line management, they can negotiate the conditions of good business by understanding both viewpoints, that of the target-focused business originator and that of the risk-conscious controller. As one senior risk officer explained:

You need to know the business generators well enough to know . . . that their own stance and emotion and the fervor for a deal will impair their judgment. Most people, most very successful deal-doers, will always push the envelope. The issue is to understand how they operate within their values. So not only do you understand where they're likely to over-egg it because the rewards are there, but also you know how to approach them when you want to slow them down. One, they have to trust you. And two, they have to respect your judgment. But you don't achieve that overnight. You generally get it by being encouraging of what you believe is good business.15

The development of the strategic advisor role is partially driven by governance demands for organizational resilience and the management of extreme events, such as fundamental surprises, sudden losses of meaning (sudden events that make no sense to the people involved), and events that are inconceivable, hidden, or incomprehensible (Weick 1993). The specter of "black swan events" (Taleb 2007) raises fundamental questions about the role of risk management and that of the CRO: Should low-probability events be understood under the rubric of risk modeling or rather as fundamental surprise (Power 2007)? The shift in focus from probabilities and statistical loss distributions to facilitating organizational resilience and sensemaking under stress marks the difference between the role of the CRO as strategic controller and that of the CRO as strategic advisor.

WHICH CRO ROLE TO PLAY?

The compliance role tends to be well-defined by the environment; within an industry, there is not much room for variation in that role. The modeling role, however, presents risk functions with a practical choice of processes and models and a philosophical choice of where to draw the line between what can be reliably measured and modeled and what must be placed in the hands of qualitative judgment. It is this line that divides (although never absolutely) the role of strategic controller from the role of strategic advisor (see Exhibit 5.1 for a summary of the strategic CRO roles). Both assume a high degree of path dependency; the requisite resources and capabilities can only be obtained over time (recall Deutsche Bank's six-year effort).
Exhibit 5.1 Summary of the Business-Partner Roles of the CRO

Modeling capabilities

Primary objective of risk modeling
Strategic controller: Measuring the aggregate risk profile of products and business lines
Strategic advisor: Anticipating changes in the risk environment

The role of judgment in risk modeling
Strategic controller: Model design contains the modeler's judgment of complex relationships between variables
Strategic advisor: Model design is deliberately simple. Managerial judgment is exercised to adjust model implications to reflect additional complexities

Strategic capabilities

Span of risk control
Strategic controller: Quantifiable risks
Strategic advisor: Quantifiable and nonquantifiable risks

The essence of the business partner role
Strategic controller: The integration of risk management with planning and performance management; the CRO as the advocate of risk-adjusted performance
Strategic advisor: The risk function's ability to influence discretionary strategic decisions and to articulate to line managers the long-term risk implications of their decisions; the CRO as a seasoned business executive and "devil's advocate"

Modeling attitudes

Calculative culture
Strategic controller: Quantitative enthusiasm: risk numbers are deemed representative of the underlying economic reality. Emphasis on the "robust" and "hard" nature of modeling. Risk-adjusted performance measures are recognized
Strategic advisor: Quantitative skepticism: risk numbers are taken as trend indicators. Emphasis on learning about the underlying risk profile from the trend signals. Risk-adjusted performance measures are discussed, but are open to challenge

Source: Mikes (2008b).

The strategic advisory role requires an intimate knowledge of the business and what can go wrong—experience that risk officers can only gain by having lived through many organizational successes, losses, and crises.
The strategic controller role, on the other hand, calls for building a sophisticated risk-modeling capability, which is foundational to risk-based performance management. But risk-adjusted performance measures do not work by themselves—they must be made to work. To make risk numbers count in planning and performance management requires leadership, political flair, communication, and well-chosen allies—all of which can only be developed over time.

It is possible that some CROs may develop the strategic advisor and the strategic controller roles successively if they can negotiate the path dependencies involved. Once models are tasked with accounting for risk-adjusted performance, the room for managerial judgment shrinks as that judgment is built into the model design up front. Quantitative skeptics are presently reluctant to delegate their understanding of risk-adjusted performance to models. However, some of them recognize that, over time, much of their judgment may be fed into the model design and that careful organizational positioning and packaging will eventually make risk-adjusted performance metrics legitimate and acceptable for control purposes. Although quantitative enthusiasts maintain that models are capable of accommodating complex relationships between numerous variables, these risk officers also face important judgment calls; they must anticipate when even the most advanced of risk models will cease to be accurate as a result of major shifts in the environment. Given that most risk models in use at the time of this study had been developed in an unusually favorable credit environment (1998–2007), modeling experts whose career trajectory spans several "prolonged stress events" are hard to come by.
CONCLUSION

Chief risk officers, no matter what type of calculative culture they foster, are balancing at least two conflicting objectives: (1) to produce an aggregate view of risks, and (2) to retain case-by-case business knowledge and model familiarity with which to inform expert judgment. Striking the right balance remains a challenge for all CROs and their choice must be congruent with their organizations' decision making, risk taking, and modeling cultures. With a new regulatory era and a severe and protracted financial crisis upon us, senior risk officers are under pressure to demonstrate how they are realizing the risk-oversight potential of their function. No professional realm can operate indefinitely if it clashes with the requirements of stakeholders (Gardner et al. 2001). As a professional group, chief risk officers need to accommodate the demands of a wide diversity of stakeholders—including regulators, corporate executives, shareholders, debt holders, and the general public—which in turn requires that the risk function have a clear, well-defined position in the organizational governance process. Senior risk officers increasingly consider the CEO and the board to be their primary customers. However, many risk functions have been caught by the credit crisis in a work-in-progress compliance-champion mode, while others have been in transition toward their particular understanding of the business-partner role. The ideas and practices of risk management, unlike those of long-established professions, have not yet been codified into a unified domain, leaving chief risk officers with a fuzzy role in corporate governance. But lack of codification is an opportunity for definition.
This fuzziness is a historic opportunity for the profession to improve business decision making by defining and amalgamating the strengths of the compliance-champion, modeling expert, strategic-advisor, and strategic-controller roles and by incorporating both good risk analytics and expert judgment. Yet the ultimate test remains the ability of risk managers to influence risk-taking behavior in the business lines. As one CRO participant, quoted at the outset of this chapter, remarked: "One of the greatest contributions of risk managers—arguably the single greatest—is just carrying a torch around and providing transparency."16 The art of successful risk management is in getting the executive team to see the light and value the lamp bearer.

NOTES

1. Risk Chiefs: "As the Bar Rises, So Does Demand." American Banker (January 31, 2008) 48.
2. Author's interview on September 9, 2008. The identity of the interviewee is disguised for confidentiality reasons.
3. Author's interview on August 31, 2008. The identity of the interviewee is disguised for confidentiality reasons.
4. Private communication to the author, received October 16, 2008. The identity of the source is disguised for confidentiality reasons.
5. Private communication to the author, received November 11, 2008. The identity of the source is disguised for confidentiality reasons.
6. Mikes, A. "Enterprise Risk Management at Hydro One." Harvard Business School Case No. 9-109-001. (2008).
7. Hayes, N. "People, processes, systems: Deutsche Bank's Hugo Banziger knows it takes all three." RMA Journal (December 2002). Available on http://findarticles.com/p/articles/mi_m0ITW/is_4_85/ai_n14897213/pg_2?tag=artBody;col1.
8. Economic capital is a statistically estimated amount of capital that could cover all liabilities in a worst-case scenario, be it an unexpected market, credit, or operational loss. For risk practitioners and regulators, the conceptual appeal of economic-capital methods is that "they can provide a single metric along which all types of risks can be measured." (Bank for International Settlements, 2003, 6).
9. Author's interview on March 3, 2008. The identity of the interviewee is disguised for confidentiality reasons.
10. Mikes (2005, 170).
11. Author's interview on November 17, 2006. The identity of the interviewee is disguised for confidentiality reasons.
12. Author's interview on August 17, 2006. The identity of the interviewee is disguised for confidentiality reasons.
13. Mikes (2005, 205).
14. Mariga, Vanessa. "Moving into the C-Suite." Canadian Underwriter (March 2008) 10–16.
15. Author's interview on 22 November 2007. The identity of the interviewee is disguised for confidentiality reasons.
16. Author's interview on November 17, 2006. The identity of the interviewee is disguised for confidentiality reasons.

REFERENCES

Aabo et al. 2005. The rise and evolution of the chief risk officer: Enterprise risk management at Hydro One. Journal of Applied Corporate Finance, 17, 62–75.
American Banker. 2008. Risk Chiefs: As the bar raises, so does demand. Publication date: January 31.
Bank for International Settlements (BIS) Joint Forum. 2003. Trends in risk integration and aggregation. (August). Accessed on www.bis.org on May 13, 2004.
Bookstaber, R. 2007. Where were the risk managers? Accessed October 17, 2007, on http://blogs.wsj.com/economics/2007/10/16/bookstaber-asks-where-were-the-riskmanagers/.
Buehler, K., Freeman, A., and Hulme, R. 2008. The new arsenal of risk management. Harvard Business Review (September).
Butterworth, M. 2001. The emerging role of the risk manager. In Pickford, J. (ed.), Mastering Risk, vol. 1: Concepts. London, UK: Financial Times-Prentice Hall.
COSO. 2003. Committee of Sponsoring Organizations of the Treadway Commission, Enterprise Risk Management Framework.
Crouhy, M., Galai, D., and Mark, R. 2000. Risk management. New York: McGraw-Hill.
Deloitte. 2007. Global risk management survey: Accelerating risk management practices. 5th ed. Available on www.deloitte.com/dtt/research/0,1015,cid%253D151389,00.html.
Drzik, J., Nakada, P., and Schuermann, T. 2004. Risk capital measurement in financial institutions–Part one. (May 14). Accessed on www.Erisk.com.
Economist Intelligence Unit. 2005. Global Risk Briefing.
Ernst & Young. 2008. Making a difference: Rating enterprise risk management. Accessed on www.ey.com on September 10, 2008.
Federation of European Risk Management Associations (FERMA). 2002. A risk management standard. (Brussels).
Gallagher, R.B. 1956. Risk management: New phase of cost control. Harvard Business Review.
Gardner, H., Csikszentmihalyi, M., and Damon, W. 2001. Good work: When excellence and ethics meet. New York: Basic Books.
Garside, T., and Nakada, P. 1999. Enhancing risk measurement capabilities. Available on www.erisk.com. Previously published in Balance Sheet, vol. 8, no. 3, 12–17.
Hayes, N. 2002. People, processes, systems: Deutsche Bank's Hugo Banziger knows it takes all three. RMA Journal, December 2002. Available on http://findarticles.com/p/articles/mi_m0ITW/is_4_85/ai_n14897213/pg_2?tag=artBody;col1.
IBM Business Consulting Services. 2005. The clairvoyant CRO. Available on www.ibm.com/industries/financialservices/doc/content/bin/fss_clairvoyant_cro.pdf.
Knight, Frank H. 1921. Risk, uncertainty, and profit. Mineola, NY: Dover Publications.
Kloman, H.F. 2003. Enterprise risk management: Past, present and future. Reprinted in Kloman, H.F., Mumpsimus revisited: Essays on risk management. Lyme, CT: Seawrack Press.
Lam, J. 2000. Enterprise-wide risk management and the role of the chief risk officer. Accessed on www.erisk.com on May 14, 2004.
Liebenberg, A.P., and Hoyt, R.E. 2003. The determinants of enterprise risk management: Evidence from the appointment of chief risk officers. Risk Management and Insurance Review, 37–52.
Lore, M., and Borodovsky, L. 2000. The professional's handbook of financial risk management. New York: Butterworth-Heinemann Finance.
Marrison, C. 2002. The fundamentals of risk measurement. New York: McGraw-Hill.
Marshall, C. 2001. Measuring and ...

Explanation & Answer

Attached.

Running head: ENTERPRISE RISK MANAGEMENT LEADERSHIP

Enterprise Risk Management Leadership
Institution Affiliation
Date


1. Specific Enterprise Risk Management Strategies Used By the Board of Directors

The board of directors in a company represents the third line of defense, with support from the audit department. They are responsible for the oversight of organization processes, and for challenging, approving and reviewing risk policies (Bromiley et al., 2015). The board members also oversee strategy development, implementation, and management of executive compensation programs. They have a responsibility for making key business and risk management decisions, including approval of the business strategies and providing recommendations for capital structure. Consequently, they manage the company dividend policy, oversee targeted debt levels and approve major business investments and transactions.

Risk management is a continuous process; therefore, a company's leadership embeds control measures through policies and procedures to deal with current and potential risks, and these policies are frequently subjected to audit to ensure effectiveness. An organization describes its approach to managing risks through its strategies and protocols, by setting the roles and responsibilities of individuals and through frequent communication on risk issues. A company's board of directors is responsible for the overall risk management program, in line with best practices (Lam, 2014). This allows the company to concentrate on seizing opportunities to achieve the envisaged business results. Successful ERM involves a dynamic process which is fully supported by the company's board of directors.

The board holds a critical responsibility in nurturing the risk management framework and providing the strategic direction of the organization. Other board roles in ERM include establishing the risk management structure, understanding the most common and critical risks, and managing the organization in cases of crisis (Bromiley et al., 2015). The board of directors is able to reduce its burden of managing risks by, first, managing the risk appetite and tolerance. In most large organizations, the board sets rules regarding taking risks, to control the company's level of exposure. It is possible for a company to confirm a low appetite for risk; however, it is quite practical that business requirements may demand some level...

