You often hear of other people who call themselves risk managers, over in finance, safety,
IT, internal audit, insurance, or in Washington measuring the probabilities of unusual
events. Did you ever wonder what they looked like, how they thought? Have you ever
made any effort to meet them, at their association meetings, or to read their publications?
For too long many of us have hunkered down within our own sub-specialties of risk
management, declining to take the time to learn from other disciplines, arguing that we
simply do not have the free time for this sort of exploration, and besides, "we" invented
risk management, didn't we? They should come to us, not us to them!
The new effort to connect all risks, favorable and unfavorable, of an organization and
build a coordinated response to them changes things. It mandates that this guild-like
reluctance to acknowledge, much less study, the work of others be no longer tolerated.
Enterprise (or as I prefer, strategic) risk management must be built on a shared knowledge
This was evident from the comments of panelists participating in a joint discussion at the
May 2-3 Third Annual ERM Conference in Chicago. The sponsorship of this event, one
of the best I've attended, illustrates my point: the Society of Actuaries (SOA), the
Casualty Actuarial Society (CAS), the Professional Risk Managers' International
Association (PRMIA) and Georgia State University, four diverse organizations. I helped
moderate a panel, with Chuck Lucas, the Director of Market Risk Management at AIG,
including the current Chair of the Institute of Internal Auditors (IIA), Betty McPhilimy,
the officer of the Risk & Insurance Management Society (RIMS) charged with ERM
development, John Phelps, the Chair and Executive Director of PRMIA, David Koenig,
an officer of the Risk Management Association (RMA), Nick Hayes, and past presidents
of both the CAS and SOA, David Ingram and Jim MacGinnitie.
This alphabet soup, lacking only representatives from the Society for Risk Analysis
(SRA) and the Global Association of Risk Professionals (GARP), stirred up provocative
ideas. I learned that both the CAS and the RMA trace their roots back to the early 1900s,
making them possibly the oldest RM groups in the world. In terms of membership, the
IIA dwarfs the others, with 107,000 globally, more than half outside North America,
followed by PRMIA at 24,000, SOA at 16,000, RMA at 15,000, RIMS at 9,200 and
CAS at 4,000. Numbers alone, of course, don’t necessarily mean influence: look at the
SRA, with less than 3,000 members worldwide, yet its public policy influence is
Chuck Lucas and I asked the panelists three questions. First, what are the principal
purposes of risk management, as identified by your members? They all referred to
published documentation, ranging from COCO in Canada and COSO in the United States,
to the standards created by individual nations, led by those of Australia and New
Zealand. Their goals, however, varied. For one it was "executive assurance" in an age of
new regulatory compliance, for others "the management of risk in systems," "to reduce
earnings volatility," "to manage insurance risk for insurers" and to recommend prudent
capital in relation to these risks. One said, "All management is risk management." The
best answer (to me, at least) was that the goal of risk management is to "exploit risk and
accept volatility as natural."
A second question was how a group measures the benefits, both tangible and intangible,
of adopting enterprise risk management and whether or not a "common language" is
desirable or feasible. All agreed that measuring a benefit is difficult, although the new
risk-based capital rules for financial institutions permit managers to show that risk
management value is proven by reducing mandated capital. Other benefits are "keeping
out of the headlines" and "assuring that we will open tomorrow morning." One panelist
warned it is probably too early for a "common metric." We should learn and respect the
different terms as a starter (I agree on his latter point). Another suggested that economic
capital and the return thereon might form the basis of a new risk language and benefit
measurement. Still another emphasized that any risk language must include the potential
for upside events, as well as the more common focus on downside events.
Third, we asked what major problems they saw in ERM today. First, to be successful,
anyone pushing ERM must understand the existing power base of an organization and
how best to work within it. Second, some form of internal "champion" is necessary,
preferably a CRO reporting to the CEO and the board, but some organizations still
question the value of a CRO. Third, responding to new regulations often undermines a
broad-based ERM effort. Finally, human nature can be the greatest obstacle of all: people
like doing things the way they’ve done them in the past. Changing a habit is difficult!
The panelists showed that the differences among their organizational approaches are not
that great, suggesting that more collaboration and cooperation will speed the progress of
ERM. For example, educational institutions in both London and the United States are
building new broad-based curricula for ERM. Shouldn't they work together? Another
US group is attempting a glossary of risk management terms, when an excellent one is
already in use by ISO in Geneva. Cooperation can eliminate that classic problem of
So where can we go from here? I have several suggestions to stimulate more
Every organization in this alphabet soup should have an interdisciplinary panel
for a plenary session at its next annual conference. We begin by understanding
that there are others out there like us! We are not aliens.
Start reading what others have to say. Subscribe to the publications of these
organizations (see below). Start writing articles for them.
Start listening. Invite members of the alphabet soup to your annual meetings
AND your chapter meetings. Occasionally ask one to make a presentation.
If you do not already have one, create an ad hoc internal risk management committee
in your own organization to build liaison with your risk management counterparts.
No one person, nor any one group, has a lock on this evolving discipline: it's time to open
our minds to the many new and refreshing ideas that are circulating in this marketplace. As
a start, check out the websites of these organizations (and their publications):
The goal is to bring together the ideas of those who currently practice the many different
forms of risk management on a global basis. These forms include guidance of public
policy on macro risks, risk financing and insurance for many larger commercial
organizations, managing credit, currency and interest rate risks for financial institutions, as
well as many other extensions of risk management including security, quality control, and
quality assurance within health care environments.
Felix Kloman, from "Risk Management: Expanding Horizons," at American
Nuclear Society Conference, Boston, June 8-10, 1992
(I quote this only because the
interdisciplinary problem has been with us for more than 15 years!)