Fundamentals of enterprise risk management : how top companies assess risk, manage exposures, and seize opportunities /

Bibliographic Details
Author / Creator: Hampton, John J., 1942-
Imprint: New York : American Management Association, c2009.
Description: xi, 308 p. : ill. ; 24 cm.
Subject: Corporations -- Finance.
Risk assessment.
Risk management.
Format: Print Book
Notes: Includes bibliographical references and index.

FOREWORD

Risk Quote: Keep your friends close, and your enemies closer.
--Sun-Tzu, Chinese general and military strategist, around 400 b.c.

Risk Quote: This was my father's study. He taught me a lot of things in this room. He taught me to keep my friends close and my enemies closer.
--Michael Corleone in The Godfather (1976)

Welcome to the world of enterprise risk management (ERM), one of the most popular and misunderstood of today's important business topics. It is not very complex. It is not very expensive. It does add value. We just have to get it right. Until recently, we have been getting it wrong.

This is really a book about risk from a new perspective. The journey carries us into the heart of risk management and risk opportunity. It is mostly about how to do a better job of risk identification. If we define the problem correctly and share our findings, we can reduce surprises--not eliminate them, mind you, but get many of them under control.

ERM tells us it is a new world of risk. No longer is risk management largely the purview of the chief financial officer. The risk picture is incomplete when limited to the financial component, which actually is the scorecard, not the driver, for risk mitigation. This realization has encouraged new approaches to manage risk and seize opportunity.

Organizations have two ways to address risk. The wrong way is to assume that people can understand hundreds or even thousands of exposures. It is not possible. Risks and opportunities must be organized and accepted at various levels by risk owners. Our new paradigm will show you how to structure enterprise risks.

A brief overview of the new ERM includes the following specific features:

- Upside of Risk. Most people discuss risk as the possibility of loss. This is totally insufficient, as risk also has an upside. A lost opportunity is just as much a financial loss as is damage to people and property. This is a key insight. Ask Sun-Tzu or Michael Corleone.
- Alignment with the Business Model. A business model is a framework for achieving goals. Within it, a single manager can supervise only a limited span of subordinates or subsidiaries. Similarly, one person can oversee a limited number of risks and key initiatives. ERM encourages us to align the hierarchy of risk categories with the business model.

- Risk Owners. As someone is accountable for revenues, profits, and efficiency, a single person should be responsible for every category of risk. When questions arise, then, we will not have to deal with a committee or multiple individuals. We will go directly to the risk owner. We will see an exception to this guideline in Part Three, where we address risks with no single risk owner.

- Central Risk Function. Although risks cannot be managed centrally, organizations need a central risk function. The role is to scan for changing conditions from a central vantage point and to share the findings with risk owners. In addition, some risks cross units and responsibilities, so that risk can be overlooked. In a change to traditional thinking, this book argues that such a central risk function should not, itself, have any responsibility for risk management. Risk goes with the risk owners. Risks that cross units or responsibilities are identified centrally and dealt with using customized solutions.

- High-Tech ERM Knowledge Warehouse. ERM encourages the use of new technologies to clarify risks and opportunities. This book describes in detail a cutting-edge technology platform to help understand risk mitigation efforts and the status of risk opportunities.

The book is organized into five parts, starting with the basics of a new approach to ERM:

- Part One--Essentials of Enterprise Risk Management. We first ask several important questions: What is ERM? What is not ERM? What are the key components needed to manage enterprise risk? Why do we need a central risk function and risk identification and sharing using a high-tech platform?
Then, we address black swans, unexpected and unforeseen major crises or disasters that are virtually unpredictable. Where do black swans fit into the ERM picture? How could we have highly developed ERM in place in financial institutions and still have the 2008 financial crisis?

- Part Two--ERM Technology. This is big. We finally are getting the technology to visualize risk relationships and to back up the view with supporting detail. Here we cover the elements of an ultramodern technology platform that brings together risks, the factors that affect them, and the status of activities to mitigate them. We employ a tool, seamless and easy to use, which has been developed by a company called Riskonnect. Large companies have or will soon have their own systems. Other vendors are likely to enter the market.

- Part Three--Risks Without Risk Owners. Some risks depend upon collaboration, crossing, as they do, the silos of the modern bureaucracy. With a central risk function and modern technology, we deal with such risks. We start with strategic risk. How do we monitor conflicting plans and goals? We address subculture risk, in which beliefs, assumptions, biases, and weak management practices endanger success. We recognize leadership risk, where the absence of a clear and achievable vision can be destructive. We acknowledge life cycle risk; a failure to understand this can be devastating. Finally, we deal with horizon risk to keep everyone informed on changing external conditions.

- Part Four--ERM Stories. Risk management is a broad-brush category, with the details often filled in by a focus on narrower topics. Our stories range from avoiding business disruption to a discussion of the future of ERM. What are different applications? How does ERM relate to Sarbanes-Oxley? Where do we find new risk management concepts? In this part, we present stories of ERM.

- Part Five--The People of Risk Management. Risk management is a people business.
It takes knowledge, street smarts, and experience to do it right. Now we get up close and personal, introducing by name risk influencers and managers. In addition, we describe the positions and skills needed for ERM as we listen to ideas directly from individuals who advocate ERM.

Our journey covers a mixture of concepts, tools, and stories that add richness and depth to managing enterprise risk. ERM is both popular and misunderstood, but, as we have said, it is not very complex. It is not very expensive. It does add value. We just have to get it right. Is ERM a science? An art? A mystery? Or is it plain old common sense? In the following pages we answer these questions.

Contributors

Before we begin the journey, we wish to acknowledge the many people who contributed to this book. Ellen Thrower, former president of the College of Insurance in New York City, showed me the importance of risk management as a tool for dealing with hazard risk. Chris Mandel and Susan Meltzer, former presidents of the Risk and Insurance Management Society (RIMS), encouraged me to understand risk from a holistic viewpoint. Felix Kloman and Beaumont Vance were role models for creativity in risk discussions. Nathan Sambul, formerly with Marsh, and Valery Vyatkin, my Russian partner, contributed ideas that shaped the book. Bob Morrell, CEO of Riskonnect, was inspirational in his work to build technology to support a new approach to ERM. MBA candidates at Saint Peter's College in New Jersey served as test subjects for readings. Their projects and ideas contributed heavily to the evolution of my thinking as the book went through six revisions.

Thanks also to an assortment of critical thinkers and risk practitioners, including Lance Ewing, John Bayeux, George Niwa, Paul Buckley, Roger Egan, Pat Gallagher, Laurie Brooks, Ralph Russo, Anthony Terracciano, and Tom Ruggieri.

Thanks also to Business Insurance magazine. Regis Coccia seeks the highest quality understanding of risk.
Marty Ross and Paul Winston have been totally supportive of all our efforts.

Finally, thanks to Bob Shuman, Mike Sivilli, Jerilyn Famighetti, and Jeremiah Binnbaum of AMACOM books. Bob understood immediately the message of the book and was a wise and steady motivator to tell it as best I can. Mike was a pleasant surprise as he guided me through the editorial/production process to completion of the book. Jerilyn did a marvelous job of smoothing out rough spots and bringing clarity to the writing during the copyediting stage.

Last but not least, my administrative assistant, Mary Sullivan, and my graduate assistants, Juan Peng (Adele) and Yu Miao (Grace), were invaluable in creating the final product. My bride, Doreen, a book author in her own right, read the final three manuscripts and contributed many suggestions to help people understand the key points.

John J. Hampton
Litchfield, Connecticut
January 2009

Excerpted from Fundamentals of Enterprise Risk Management: How Top Companies Assess Risk, Manage Exposure, and Seize Opportunity by John J. Hampton. All rights reserved by the original copyright owners. Excerpts are provided for display purposes only and may not be reproduced, reprinted or distributed without the written permission of the publisher.