It’s a two-hour train ride from the tranquility of eastern Connecticut
into the maelstrom of Manhattan where people perpetually rush from point
to point and the decibel level never drops below 80, but where new ideas
fill the air. Four or five times a year I subject myself to this masochistic
stimulation in order to be sure that I’m not missing new developments
in risk management. This autumn it was the 4th annual day-and-a-half “Enterprise
Risk Management” Conference of The Conference Board, held on October 20
Per usual, it was a bag of old and tired jargon, repetitive presentations,
labored Power Point displays, and unanswered questions mixed with those
few gems of insight and contrarian thinking that make attendance at these
The planners asked the speakers to focus consecutively on risk and strategy,
risk analysis, process design and implementation, performance measurement
and benefits. This outline worked to a point. The basic themes that I
Approaching, understanding and responding to risk are parts of an
organization’s culture, something that changes as much as risk itself.
Most organizations respond to outside stimuli, such as Sarbanes-Oxley,
financial scandals, and stock exchange requirements, rather than adopting
risk management because it is inherent good practice.
Implementing a broad and inclusive risk management function requires
at least three years. It can’t be created overnight.
The proper role of internal audit in risk management continues to
challenge us. The idea requires a catalyst, especially one with existing
access to both senior management and the Board, but risk management
cannot be seen as a “policeman” or “controller.” Does coordinating
this discipline compromise an auditor’s independence?
This year’s session drew 102 registrants, down sharply from the 179 of
last year (see RMR December 2002),
and 29 speakers. The best presenters were those who spoke extemporaneously,
referring only incidentally to their Power Point slides. Too many committed
the unpardonable sin of reading each slide. Remember Edward Tufte’s savaging
of this mode of lecture (RMR July 2003)!
I saw only one case study and no one mentioned the use of an Intranet
site for internal communication on forms, processes, framework and reporting.
Most of the speakers agreed that a “common language” for risk is necessary
but few reported any progress in reaching this goal, although Barry Macklin,
of JPMorganChase, stated that his organization’s software system, Horizon, is
its common language.
This conference failed to answer three nagging questions:
What are the benefits of risk management? Several
speakers cited its “value,” but only in terms of vague generalizations.
Professors William Shenkir and Paul Walker, of the University of Virginia’s
McIntire School of Commerce, suggested ten reasons why ERM adds value.
Such items as “critical to running an organization,” “managing financial
shock,” “integration,” “better risk awareness,” “improved predictability
of cash flow and earning,” “consistency,” and “greater focus” are
laudable results but don’t give stakeholders anything measurable to
grab. Only one speaker (Mark Kontos, the CFO of Battelle Memorial
Institute) suggested that “enhanced confidence” is a possible benefit,
and even he referred only to management, not to other, and outside,
stakeholders. Using this conference as a guide, we remain a long way
from producing a tangible measure of benefits. Saying that “it feels
good” in current management jargon doesn’t carry credibility.
How do we communicate risk management? Almost every
speaker commented on the need to relate knowledge of risks and responses
to senior management and the board, but few suggested going beyond
these two groups, and no one commented on the idea of generating an
actual two-way dialogue with key stakeholder groups. How should we
do it? When? With whom? What information should be shared? What new
risks do we create in the act of communication? This is still the
most under-appreciated area of the discipline.
Is risk good or bad? At last, a few organizations
begin to understand that decisions involving uncertainty require a
conscious and intelligent assessment of both upside and downside potentials.
Battelle’s Mark Kontos concluded that one major benefit is “the ability
to look at risk as opportunity.” Larry Warner wants Mars, Inc., as
a result of risk management, to “take on more risk.” Steve Byone,
the CRO at Progress Energy Inc., believes that “risk management is
not risk elimination.” I see encouraging signs of these broader and
more realistic views.
The leadoff batter for this year’s conference was Michael Chagares, from
Marsh. He failed to define risk itself although it was obvious that, in
his mind, it is a negative threat. His suggested phrase for risk management
was an exercise in tautology. Even worse, he saddled his audience with
a 39-page Power Point presentation replete with unreadable masses of data,
clichés and dreadful business jargon (proactive; align; add value; one
size fits all; win-win, etc.) After several opening slides that addressed
“enterprise risk management,” (the subject of the conference), he managed
to shift the term to “business risk management,” the preferred nomenclature
for the Marsh consultancy. He then presented the idea of a “Business Risk
Management Framework,” with its acronym of “BRMF.” This is ludicrously
close to that wonderful English word “bumf.” I suspect Marsh will eliminate
this acronym. Yet hiding in all his material were several valuable insights.
Chagares showed a slide of organizational structure that demonstrated
the necessity for inter-linkage among the Board of Directors, Executive
Management, the Chief Risk Officer and Line Managers. It was simple and
useful. He also listed critical success factors, many of which were echoed
in the actual experience of speakers who followed:
Leadership and sponsorship
Cultural and behavioral change
Ownership and commitment
Discipline and open approach
Time and resource dedication
Continuous process improvement and feedback
Comments on some of the other speakers:
Kathryn Dindo, Chief Risk Officer for FirstEnergy
Corporation: She focuses on “developing a risk awareness culture”
through educating all employees. Her techniques are (1) completion
of a questionnaire asking employees to list the five most important
risks affecting both a business unit’s and the FirstEnergy’s broader
goals, with a 1 to 10 rating of the effectiveness of current responses,
(2) completion of a “risk exposure map” ranking likelihood and severity,
using four qualitative estimates, and (3) a “risk action plan” that
lists responsive strategies for each risk and its “owner.” These simple
but practical tools echo the approaches suggested first in 1987 by
Dr. Vernon Grose, in his book Managing Risk: Systematic Loss Prevention
for Executives (see RMR November
1994 and April 1997). This book has
never lost its value!
Laura Langone, Assistant Treasurer, Genentech, Inc:
Her practical case study on assessing operational risk addressed the
possibility of an adverse event at a sole source supplier, interrupting
the company’s business. She started with a portfolio analysis of all
raw materials and suppliers, continued with aggregated “supply chain
risk” based on mean present value loss estimates per supplier, and
concluded with investment options for different risk responses (such
as inventory buildup and partial second source qualification). These
data were summarized in a model showing the base loss estimate, the
cost of mitigation and the net present value of the result. This highly
quantitative approach contrasted with the qualitative one of Kathryn
Gideon Pell, Chief Risk Officer, New York Life Insurance
Company: Pell addressed the problem of the aggregation of dissimilar
risks into a common “portfolio.” Many are quantifiable,
some can only be calculated qualitatively, and all are interactive.
Most companies use a combination of risk measurement methods, such
as VaR, net interest income sensitivity, unexpected default loss,
stress testing, scenario analyses, loss event databases and self-assessments.
New York Life tries to consolidate these into a single risk metric:
economic capital for long-term risks and earnings-at-risk for shorter-term
events. It’s still a developing idea and it faces daunting technical
challenges: “the quality and availability of data; many risks (operational,
strategic, reputational) are not easily quantifiable; the need to
simulate earnings and cash-flows over a long horizon; reconciling
accounting, statutory and economic values; and judging critical relationships
between assets and liabilities.” Pell’s intelligent and thoughtful
analysis of the quantification and aggregation problem was a highlight
of the conference.
Enders Wimbush, Senior Associate of Booz Allen Hamilton
Inc: Perhaps the single best presentation came from this long-time
advocate and practitioner of aggressive scenario development. He first
acknowledged the pre-eminent goal of risk management: enterprise resilience.
This begins with “understanding the new operating realities that increase
complexity in the risk environment; building risk in strategies and
governance; and adopting an earnings driver approach to risk assessment.”
Scenario planning is his basic approach. As an example, Wimbush reviewed
demographic, energy usage, economic, trade, political, military, technological
and ideological projections for Asia over the next fifty years, stressing
the importance of developing longer-term views of alternative futures.
He concluded that scenario planning “reveals the complexity of the
operating environment, identifies and explores discontinuities, pushes
thinking beyond linear projections of today’s world, takes uncertainty
into account rather than assuming it away, provides a basis for hedging
strategies, and is the first step toward enterprise resilience.” But
his best slide showed the “Three Temptations” to be avoided: “(1) The
future is a projection of today’s trends, (2) Support preferred outcomes,
and (3) Bet the company strategy: direct resources at the ‘most probable’
future.” We are all guilty of these faults! (For more on scenario
analyses, see RMR April 2003.)
A practical response to the Wimbush thesis came from two risk managers
sitting with me. Both said that this form of scenario planning has
little application in their firms, where the planning horizon is only
about five years, the normal CEO lifespan. They are wrong. To succeed
and survive, organizations must look ten, twenty, even fifty
years into the future to infuse their cultures with the flexibility
that is the critical ingredient of resilience.
Robert Quail, Senior Manager, Corporate Risk, Hydro
One Networks Inc: Quail started the idea of enterprise risk management
in this Ontario company in 1999, facing the conservative culture of
a utility owned by the Province. Over the past four years his team successfully
incorporated risk assessments into business planning, using color codes
of red for “just tolerable risk,” yellow for “materially lower risk,”
and green for “reasonable, sound and prudent risks.” He listed three
“lessons learned:” (1) It is essential to “condition” decision-makers,
(2) Link risk management to “what comes next:” actions and budgets,
and (3) Applying ERM to planning helps people sort out the “meaning”
of the objectives. Quail prefaced his remarks with the statement that
the implementation of risk management is so successful within Hydro
One that he is now able to reduce his function. This is an intriguing
idea: the ultimate “withering away” of risk management as its precepts
and processes become so engrained within the organizational culture
that internal champions and catalysts are not necessary. Shouldn’t this
be the goal of the discipline?
I have one last critical comment directed at this and many other risk
management conferences. It is the growing and insidious specter of commercialization.
This conference, like many of its peers, featured a single corporate sponsor.
Others succumb to multiple sponsors. I will not name this session’s sponsor
because I do not criticize this company for taking advantage of a publicity
opportunity. But its sponsorship left a sour impression. In the space
of two and a half days, sponsor employees ran both half-day workshops,
spoke three times, moderated two other panel discussions, and paid for
a cocktail party. Of the other 26 speakers, at least four confirmed that
they were clients of the sponsor. All this led to the sense that we were
on the receiving end of an infomercial, a sentiment supported by five
of my co-registrants whom I queried. While only one of the sponsor speakers
actively pushed the services of his firm, the fact of sponsorship created,
at least in some of us, a sense of attending a muted sales pitch.
Why do we need commercial sponsors for these conferences especially
when many organizers are nonprofits? The fees charged by The Conference
Board certainly are more than adequate, even excessive: $1,695 for members
and $1,895 for nonmembers for a day-and-a-half. In contrast, the annual
two-day meeting of the Society for Risk Analysis costs only $385, with
no sponsors! Yes, New York is expensive, and The Conference Board also
depends on conference income to support its valuable work. I acknowledge
that I attended on a complimentary press pass, so perhaps I shouldn’t
be biting the hand that fed me. Yet am I alone in believing that over-commercialization
of conferences seriously detracts from their value and credibility? In
New York in October an otherwise first-rate conference was marred by commercial
. . . it’s not worry I feel but weariness as I watch the approach
of one more episode in the old, tired story of the men who try
and beat life, the smart ones who think they know it all and die
with the look of surprise on their faces: at the final moment
they always see the truth—they never really understood anything,
never held anything in their hands. An odd story, old and boring.
Alvaro Mutis, The Adventures and Misadventures of Maqroll,
New York Review of Books, New York 2002