Risk Management Reports

It’s a two-hour train ride from the tranquility of eastern Connecticut into the maelstrom of Manhattan where people perpetually rush from point to point and the decibel level never drops below 80, but where new ideas fill the air. Four or five times a year I subject myself to this masochistic stimulation in order to be sure that I’m not missing new developments in risk management. This autumn it was the 4th annual day-and-a-half “Enterprise Risk Management” Conference of The Conference Board, held on October 20 and 21.

Per usual, it was a bag of old and tired jargon, repetitive presentations, labored Power Point displays, and unanswered questions mixed with those few gems of insight and contrarian thinking that make attendance at these events worthwhile.

The planners asked the speakers to focus consecutively on risk and strategy, risk analysis, process design and implementation, performance measurement and benefits. This outline worked to a point. The basic themes that I heard were:

• Approaching, understanding and responding to risk are parts of an organization’s culture, something that changes as much as risk itself.

• Most organizations respond to outside stimuli, such as Sarbanes-Oxley, financial scandals, and stock exchange requirements, rather than adopting risk management because it is inherent good practice.

• Implementing a broad and inclusive risk management function requires at least three years. It can’t be created overnight.

• The proper role of internal audit in risk management continues to challenge us. The idea requires a catalyst, especially one with existing access to both senior management and the Board, but risk management cannot be seen as a “policeman” or “controller.” Does coordinating this discipline compromise an auditor’s independence?

This year’s session drew 102 registrants, down sharply from the 179 of last year (see RMR December 2002), and 29 speakers. The best presenters were those who spoke extemporaneously, referring only incidentally to their Power Point slides. Too many committed the unpardonable sin of reading each slide. Remember Edward Tufte’s savaging of this mode of lecture (RMR July 2003)! I saw only one case study and no one mentioned the use of an Intranet site for internal communication on forms, processes, framework and reporting. Most of the speakers agreed that a “common language” for risk is necessary but few reported any progress in reaching this goal, although Barry Macklin, of JPMorganChase stated his organization’s software system, Horizon, is its common language.

This conference failed to answer three nagging questions:

1. What are the benefits of risk management? Several speakers cited its “value,” but only in terms of vague generalizations. Professors William Shenkir and Paul Walker, of the University of Virginia’s McIntire School of Commerce, suggested ten reasons why ERM adds value. Such items as “critical to running an organization,” “ managing financial shock,” “integration,” “better risk awareness,” “improved predictability of cash flow and earning,” “consistency,” and “greater focus” are laudable results but don’t give stakeholders anything measurable to grab. Only one speaker (Mark Kontos, the CFO of Battelle Memorial Institute) suggested that “enhanced confidence” is a possible benefit, and even he referred only to management, not to other, and outside, stakeholders. Using this conference as a guide, we remain a long way from producing a tangible measure of benefits. Saying that “it feels good” in current management jargon doesn’t carry credibility.

2. How do we communicate risk management? Almost every speaker commented on the need to relate knowledge of risks and responses to senior management and the board, but few suggested going beyond these two groups, and no one commented on the idea of generating an actual two-way dialogue with key stakeholder groups. How should we do it? When? With whom? What information should be shared? What new risks do we create in the act of communication? This is still the most under-appreciated area of the discipline.

3. Is risk good or bad? At last, a few organizations begin to understand that decisions involving uncertainty require a conscious and intelligent assessment ofboth upside and downside potentials. Battelle’s Mark Kontos concluded that one major benefit is “the ability to look at risk as opportunity.” Larry Warner wants Mars, Inc., as a result of risk management, to “take on more risk.” Steve Byone, the CRO at Progress Energy Inc., believes that “risk management is not risk elimination.” I see encouraging signs of these broader and more realistic views.

The leadoff batter for this year’s conference was Michael Chagares, from Marsh. He failed to define risk itself although it was obvious that, in his mind, it is a negative threat. His suggested phrase for risk management was an exercise in tautology. Even worse, he saddled his audience with a 39-page Power Point presentation replete with unreadable masses of data, clichés and dreadful business jargon (proactive; align; add value; one size fits all; win-win, etc.) After several opening slides that addressed “enterprise risk management,” (the subject of the conference), he managed to shift the term to “business risk management,” the preferred nomenclature for the Marsh consultancy. He then presented the idea of a “Business Risk Management Framework,” with its acronym of “BRMF.” This is ludicrously close to that wonderful English word “bumf.” I suspect Marsh will eliminate this acronym. Yet hiding in all his material were several valuable insights. Chagares showed a slide of organizational structure that demonstrated the necessity for inter-linkage among the Board of Directors, Executive Management, the Chief Risk Officer and Line Managers. It was simple and useful. He also listed critical success factors, many of which were echoed in the actual experience of speakers who followed:

• Leadership and sponsorship

• Cultural and behavioral change

• Ownership and commitment

• Discipline and open approach

• Time and resource dedication

• Continuous process improvement and feedback

Comments on some of the other speakers:

• Kathryn Dindo, Chief Risk Officer for FirstEnergy Corporation: She focuses on “developing a risk awareness culture” through educating all employees. Her techniques are (1) completion of a questionnaire asking employees to list the five most important risks affecting both a business unit’s and the FirstEnergy’s broader goals, with a 1 to 10 rating of the effectiveness of current responses, (2) completion of a “risk exposure map” ranking likelihood and severity, using four qualitative estimates, and (3) a “risk action plan” that lists responsive strategies for each risk and its “owner.” These simple but practical tools echo the approaches suggested first in 1987 by Dr. Vernon Grose, in his book Managing Risk: Systematic Loss Prevention for Executives (see RMR November 1994 and April 1997). This book has never lost its value!

• Laura Langone, Assistant Treasurer, Genentech, Inc: Her practical case study on assessing operational risk addressed the possibility of an adverse event at a sole source supplier, interrupting the company’s business. She started with a portfolio analysis of all raw materials and suppliers, continued with aggregated “supply chain risk” based on mean present value loss estimates per supplier, and concluded with investment options for different risk responses (such as inventory buildup and partial second source qualification). These data were summarized in a model showing the base loss estimate, the cost of mitigation and the net present value of the result. This highly quantitative approach contrasted with the qualitative one of Kathryn Dindo.

• Gideon Pell, Chief Risk Officer, New York Life Insurance Company: Pell addressed the problem of the aggregation of dissimilar different risks into a common “portfolio.” Many are quantifiable, some can only be calculated qualitatively, and all are interactive. Most companies use a combination of risk measurement methods, such as VaR, net interest income sensitivity, unexpected default loss, stress testing, scenario analyses, loss event databases and selfassessments. New York Life tries to consolidate these into a single risk metric: economic capital for long-term risks and earnings-at-risk for shorter-term events. It’s still a developing idea and it faces daunting technical challenges: “the quality and availability of data; many risks (operational, strategic, reputational) are not easily quantifiable; the need to simulate earnings and cash-flows over a long horizon; reconciling accounting, statutory and economic values; and judging critical relationships between assets and liabilities.” Pell’s intelligent and thoughtful analysis of the quantification and aggregation problem was a highlight of the conference.

• Enders Wimbush, Senior Associate of Booz Allen Hamilton Inc: Perhaps the single best presentation came from this long-time advocate and practitioner of aggressive scenario development. He first acknowledged the pre-eminent goal of risk management: enterprise resilience. This begins with “understanding the new operating realities that increase complexity in the risk environment; building risk in strategies and governance; and adopting an earnings driver approach to risk assessment.” Scenario planning is his basic approach. As an example, Wimbush reviewed demographic, energy usage, economic, trade, political, military, technological and ideological projections for Asia over the next fifty years, stressing the importance of developing longer-term views of alternative futures. He concluded that scenario planning “reveals the complexity of the operating environment, identifies and explores discontinuities, pushes thinking beyond linear projections of today’s world, takes uncertainty into account rather than assuming it away, provides a basis for hedging strategies, and is the first step toward enterprise resilience.” But his best slide showed the “Three Temptations” to be avoided: (1) The future is a projection of today’s trends, (2) Support preferred outcomes, and (3) Bet the company strategy: direct resources at the ‘most probable’ future.” We are all guilty of these faults! (For more on scenario analyses, see RMR April 2003.)

  A practical response to the Wimbush thesis came from two risk managers sitting with me. Both said that this form of scenario planning has little application in their firms, where the planning horizon is only about five years, the normal CEO lifespan. They are wrong. To succeed and survive, organizations must look ten, twenty, even fifty years into the future to infuse their cultures with the flexibility that is the critical ingredient of resilience.

• Robert Quail, Senior Manager, Corporate Risk, Hydro One Networks Inc: Quail started the idea of enterprise risk management in this Ontario company in 1999, facing the conservative culture of a utility owned by the Province. Over the past four years his team successfully incorporated risk assessments into business planning, using color codes of red for “just tolerable risk,” yellow for “materially lower risk,” and green for “reasonable, sound and prudent risks.” His listed three “lessons learned:” (1) It is essential to “condition” decision-makers, (2) Link risk management to “what comes next:” actions and budgets, and 3) Applying ERM to planning helps people sort out the “meaning” of the objectives. Quail prefaced his remarks with the statement that the implementation of risk management is so successful within Hydro One that he is now able to reduce his function. This is an intriguing idea: the ultimate “withering away” of risk management as its precepts and processes become so engrained within the organizational culture that internal champions and catalysts are not necessary. Shouldn’t this be the goal of the discipline?

I have one last critical comment directed at this and many other risk management conferences. It is the growing and insidious specter of commercialization. This conference, like many of its peers, featured a single corporate sponsor. Others succumb to multiple sponsors. I will not name this session’s sponsor because I do not criticize this company for taking advantage of a publicity opportunity. But its sponsorship left a sour impression. In the space of two and a half days, sponsor employees ran both halfday workshops, spoke three times, moderated two other panel discussions, and paid for a cocktail party. Of the other 26 speakers, at least four confirmed that they were clients of the sponsor. All this led to the sense that we were on the receiving end of an infomercial, a sentiment supported by five of my co-registrants whom I queried. While only one of the sponsor speakers actively pushed the services of his firm, the fact of sponsorship created, at least in some of us, a sense of attending a muted sales pitch.

Why do we need commercial sponsors for these conferences especially when many organizers are nonprofits? The fees charged by The Conference Board certainly are more than adequate, even excessive: $1,695 for members and $1,895 for nonmembers for a day- and-a-half. In contrast, the annual two-day meeting of the Society for Risk Analysis costs only $385, with no sponsors! Yes, New York is expensive, and The Conference Board also depends on conference income to support its valuable work. I acknowledge that I attended on a complimentary press pass, so perhaps I shouldn’t be biting the hand that fed me. Yet am I alone in believing that over-commercialization of conferences seriously detracts from their value and credibility? In New York in October an otherwise first-rate conference was marred by commercial sponsorship.