FOREWORD
Risk Quote: Keep your friends close, and your enemies closer.
—Sun-Tzu, Chinese general
and military strategist,
around 400 b.c.
Risk Quote: This was my father’s study. He taught me a lot of
things in this room. He taught me to keep my friends close and
my enemies closer.
—Michael Corleone in The Godfather (1976)
Welcome to the world of enterprise risk management (ERM), one of
the most popular and misunderstood of today’s important business
topics. It is not very complex. It is not very expensive. It does
add value. We just have to get it right. Until recently, we have been
getting it wrong.
This is really a book about risk from a new perspective. The
journey carries us into the heart of risk management and risk opportunity.
It is mostly about how to do a better job of risk identification.
If we define the problem correctly and share our findings,
we can reduce surprises—not eliminate them, mind you, but get
many of them under control.
ERM tells us it is a new world of risk. No longer is risk management
largely the purview of the chief financial officer. The risk
picture is incomplete when limited to the financial component,
which actually is the scorecard, not the driver, for risk mitigation.
This realization has encouraged new approaches to manage risk
and seize opportunity.
Organizations have two ways to address risk. The wrong way
is to assume that people can understand hundreds or even thousands
of exposures. It is not possible. Risks and opportunities must
be organized and accepted at various levels by risk owners. Our
new paradigm will show you how to structure enterprise risks.
A brief overview of the new ERM includes the following specific
features:
• Upside of Risk. Most people discuss risk as the possibility of
loss. This is totally insufficient, as risk also has an upside. A
lost opportunity is just as much a financial loss as is damage
to people and property. This is a key insight. Ask Sun-Tzu or
Michael Corleone.
• Alignment with the Business Model. A business model is a
framework for achieving goals. Within it, a single manager can
supervise only a limited span of subordinates or subsidiaries.
Similarly, one person can oversee a limited number of risks
and key initiatives. ERM encourages us to align the hierarchy
of risk categories with the business model.
• Risk Owners. As someone is accountable for revenues, profits,
and efficiency, a single person should be responsible for every
category of risk. When questions arise, then, we will not have
to deal with a committee or multiple individuals. We will go
directly to the risk owner. We will see an exception to this
guideline in Part Three, where we address risks with no single
risk owner.
• Central Risk Function. Although risks cannot be managed centrally,
organizations need a central risk function. The role is to
scan for changing conditions from a central vantage point and
to share the findings with risk owners. In addition, some risks
cross units and responsibilities, so that risk can be overlooked.
In a change to traditional thinking, this book argues that such
a central risk function should not, itself, have any responsibility
for risk management. Risk goes with the risk owners. Risks
that cross units or responsibilities are identified centrally and
dealt with using customized solutions.
• High-Tech ERM Knowledge Warehouse. ERM encourages the
use of new technologies to clarify risks and opportunities. This
book describes in detail a cutting-edge technology platform to
help understand risk mitigation efforts and the status of risk
opportunities.
The book is organized into five parts, starting with the basics of a
new approach to ERM:
• Part One—Essentials of Enterprise Risk Management. We
first ask several important questions: What is ERM? What is
not ERM? What are the key components needed to manage
enterprise risk? Why do we need a central risk function and
risk identification and sharing using a high-tech platform?
Then, we address black swans, unexpected and unforeseen
major crises or disasters that are virtually unpredictable. Where
do black swans fit into the ERM picture? How could we have
highly developed ERM in place in financial institutions and still
have the 2008 financial crisis?
• Part Two—ERM Technology. This is big. We finally are getting
the technology to visualize risk relationships and to back up
the view with supporting detail. Here we cover the elements of
an ultramodern technology platform that brings together risks,
the factors that affect them, and the status of activities to mitigate
them. We employ a tool, seamless and easy to use, which
has been developed by a company called Riskonnect. Large
companies have or will soon have their own systems. Other
vendors are likely to enter the market.
• Part Three—Risks Without Risk Owners. Some risks depend
upon collaboration, crossing, as they do, the silos of the modern
bureaucracy. With a central risk function and modern technology,
we deal with such risks. We start with strategic risk.
How do we monitor conflicting plans and goals? We address
subculture risk, in which beliefs, assumptions, biases, and weak
management practices endanger success. We recognize leadership
risk, where the absence of a clear and achievable vision
can be destructive. We acknowledge life cycle risk; a failure to
understand this can be devastating. Finally, we deal with horizon
risk to keep everyone informed on changing external conditions.
• Part Four—ERM Stories. Risk management is a broad-brush
category, with the details often filled in by a focus on narrower
topics. Our stories range from avoiding business disruption to
a discussion of the future of ERM. What are different applications?
How does ERM relate to Sarbanes-Oxley? Where do we
find new risk management concepts? In this part, we present
stories of ERM.
• Part Five—The People of Risk Management. Risk management
is a people business. It takes knowledge, street smarts,
and experience to do it right. Now we get up close and personal,
introducing by name risk influencers and managers. In addition,
we describe the positions and skills needed for ERM as we
listen to ideas directly from individuals who advocate ERM.
Our journey covers a mixture of concepts, tools, and stories that
add richness and depth to managing enterprise risk. ERM is both
popular and misunderstood, but, as we have said, it is not very
complex. It is not very expensive. It does add value. We just have
to get it right. Is ERM a science? An art? A mystery? Or is it plain
old common sense? In the following pages we answer these questions.
Contributors
Before we begin the journey, we wish to acknowledge the many
people who contributed to this book. Ellen Thrower, former president
of the College of Insurance in New York City, showed me the
importance of risk management as a tool for dealing with hazard
risk. Chris Mandel and Susan Meltzer, former presidents of the
Risk and Insurance Management Society (RIMS), encouraged me
to understand risk from a holistic viewpoint. Felix Kloman and
Beaumont Vance were role models for creativity in risk discussions.
Nathan Sambul, formerly with Marsh, and Valery Vyatkin,
my Russian partner, contributed ideas that shaped the book. Bob
Morrell, CEO of Riskonnect, was inspirational in his work to build
technology to support a new approach to ERM. MBA candidates at
Saint Peter’s College in New Jersey served as test subjects for readings.
Their projects and ideas contributed heavily to the evolution
of my thinking as the book went through six revisions.
Thanks also to an assortment of critical thinkers and risk practitioners,
including Lance Ewing, John Bayeux, George Niwa, Paul
Buckley, Roger Egan, Pat Gallagher, Laurie Brooks, Ralph Russo,
Anthony Terracciano, and Tom Ruggieri. Thanks also to Business
Insurance magazine. Regis Coccia seeks the highest quality understanding
of risk. Marty Ross and Paul Winston have been totally
supportive of all our efforts. Finally, thanks to Bob Shuman, Mike
Sivilli, Jerilyn Famighetti, and Jeremiah Binnbaum of AMACOM
books. Bob understood immediately the message of the book and
was a wise and steady motivator to tell it as best I can. Mike was a
pleasant surprise as he guided me through the editorial/production
process to completion of the book. Jerilyn did a marvelous job
of smoothing out rough spots and bringing clarity to the writing
during the copyediting stage.
Last but not least, my administrative assistant, Mary Sullivan,
and my graduate assistants, Juan Peng (Adele) and Yu Miao
(Grace), were invaluable in creating the final product. My bride,
Doreen, a book author in her own right, read the final three manuscripts
and contributed many suggestions to help people understand
the key points.
John J. Hampton
Litchfield, Connecticut
January 2009