Introduction

“So, how are we doing?” is the question many boards and C-suites are probably asking of their enterprise risk management team. The answers will likely range from “We are just getting started and it is too soon for results” through “While it isn't perfect, we are getting results” to “I believe we have exceeded expectations.” All three answers may be appropriate for the same ERM implementation, for like any other strategic initiative operated by people, the take-up rate will vary from department to department. There is, of course, an answer at the other extreme: “It's gone off the rails …”.

As yet there is no agreed-upon definition of Enterprise Risk Management (ERM). ISO 31000 and ISO Guide 73 define risk management as “coordinated activities to direct and control an organization with regard to risk”. Enterprise or enterprise-wide risk management has grown out of the need for financial and non-financial organizations to direct and control risks beyond the traditional operational hazards and events. Financial institutions (and some other enterprises) have long used risk management techniques of another sort to direct and control financial, credit, and market related risks. Enterprise-wide risk management has been described as a way to bring the direction and control of all categories of risk under one umbrella, so that every critical risk to the organization is identified, directed, and controlled. Towards this end, more and more organizations are locating their ERM efforts at the senior levels of the organization and are linking those efforts to the critical risks that can affect the organization's strategies and strategic goals. “Grafting risk management onto strategy” is a phrase that has been used to describe this change in focus. Unlike hazard risk, where there is only the opportunity for loss, ERM also considers the positive side of risk: the possibility of outperforming strategy because of unanticipated events, conditions, or opportunities. While traditional operational and financial risk management techniques are often retained in an ERM installation because they are effective, organizations are finding that other types of risk (some of them unanticipated) require risk management strategies for which there are no traditional methods of treatment or control. Some of the cases in this book reflect the broadening horizon of risks that ERM has begun to identify and control.

This book has three purposes. The first, served by the articles section, is to address certain key issues of ERM implementation that may need greater explanation. The second is to provide a number of case studies of organizations in the midst of their strategic ERM implementations. The cases include mature implementations as well as organizations in the early stages of inculcating ERM. No attempt was made to connect the articles section with the case studies section. Many of the topics addressed in the articles arise from issues raised in the broader risk management community or from discussions with individual risk managers who were not part of the case studies presented in this text. The third purpose of the text is to provide a more recent bibliography of resources for risk management professionals who are in the midst of, or are contemplating, ERM implementations.

The book was designed for the practicing risk professional and those who aspire to become risk professionals, including university students. The case studies are appropriate for these readers as well as for senior leadership in organizations in the midst of, or considering, adopting ERM. That said, there are other texts, white papers, and journal articles that provide more extensive development and examination of sophisticated financial and other quantitative risk identification and analysis tools. Many of those tools have been used by the risk management teams showcased in the case studies and are appropriate for certain of the processes and activities outlined in the articles. Risk managers have used them to estimate both the likelihood of a risk and its impact. However, this text was written in response to one of the identified issues in ERM: the need to provide accessible methods that all stakeholders in the organization can use to identify and assess the impact of critical risks. Risk managers have found that they can use sophisticated tools to quantify probability and impact, but it is crucial that all risk owners understand the “critical risks” and that they and the organization are engaged in the dialog necessary to begin managing these risks. For this purpose, many are using “expert” methods to identify and assess the impact of critical risks. These “expert” methods combine the analysis of quantitative data prepared by and drawn from different sources with an ongoing dialog towards understanding the specific enterprise in the context of its local and global ecology.

The other issue risk managers are discovering is that they must prepare the organization to collect good and relevant data in sufficient quantities for these sophisticated tools to have any credibility. Identifying the critical risks first narrows the scope of data required to understand them. However, all agree that ERM risk identification and quantification is a continual process, so over time both the required data and the tools used to analyse it will evolve. This is one of the distinct advantages of ERM: it continually develops the organization's understanding of the critical risks it is facing and will face.

Case Studies

No attempt was made to find a case study for every industry or every part of the world. Case studies in the US include a hospital system, a health insurer, and a university system. There is a biomedical trust case from the UK, a public housing agency in France, and an analysis of ERM implementations in various public sectors in China. Finally, there are observations from a veteran risk manager about negotiating the CRO job and establishing the scope both of the job and of the ERM project in an organization. These case studies by no means represent the complete spectrum of the ERM environment today. However, we hope to show in this text the importance of collecting more case study data on more ERM installations, simply because there are so many different approaches to the process. In addition, each organization that engages in an ERM installation is likely to have its own issues with change management and with the actual environment in which it manages risks. The fact that no two ERM installations are likely to be the same is a reason why more case studies are required to broaden the available data on the issues organizations can face in the ERM process.

Frankly, some organizations we approached declined to speak on the record because their ERM initiative has uncovered areas for improvement that they would not, at this point, want to make public. Others have been unwilling to explain how their ERM initiative went off the rails. While the cases in this text are limited in industry breadth and depth, and there is no more than one case for any one industry, there are common threads in these cases that should be explored further.

One of the cornerstone requirements of ERM is strong management support. Case study participants agreed that this is important. However, many observed that management support will vary over time. There will be changes in leadership or priorities and, as with any initiative, support can sometimes become stale. ERM is not like a project to develop a new product. Unlike most projects with end-stage goals, ERM has no end product; it is a process that never concludes. What risk managers must do is find ways to keep the initiative on track even when the organization strays or priorities change.

The second observation gleaned from these case studies is that, quite often, the simpler the better. There is a time and place for sophisticated risk analysis using Monte Carlo simulation and other tools but, by and large, the risk needs to be understood by managers, employees, and stakeholders. The case study participants provide a number of examples of how they have simplified processes, calculations, and explanations so that those who are not risk management professionals can understand and adopt specific practices in their departments and throughout the organization. Risk managers are finding that if solid ERM practices are in place that managers feel comfortable with, and that benefit them and their departments directly, managers will continue to use these tools and techniques with little prodding. The goal, as risk managers explain it, is for these practices to become part of the everyday activity of the organization. That said, all of the quantitative and qualitative tools risk managers have traditionally used (and others are beginning to use) remain available to the organization engaged in ERM. In fact, many successful operational risk management practices that mitigate workers' compensation, liability claims and the like are retained in an ERM installation because they are already effective. However, ERM identifies broader areas of risk beyond the operational, in categories such as financial, strategic, and competitive risk. As a result, risk managers have had to learn new processes and procedures and find new tools to accomplish the task of ERM: managing risks to strategy.

A third observation is that there will be setbacks. Risk managers have had to first understand and then manage the risks to their own ERM initiative. This means anticipating organizational, economic, and other changes that could derail the initiative or make it harder to manage. This observation is bound up with the first two: enterprise risk professionals must understand that management commitment will vary over time, and keeping things simple helps to sustain the initiative even during periods when management attention is drawn to other areas.

The fourth observation is that the risk management job must be properly defined to meet the expectations of both the risk manager and leadership, and must also carry the authority to do what is required to graft ERM onto the organization's strategy. This means having a seat at the highest leadership table. As ERM is a strategic initiative, it should sit at the same level as the other strategic leaders in the organization.

While some of the risk management professionals who participated in the case studies hold JDs and/or report up through the legal department, this may not be appropriate in all organizations. Where there are significant contractual obligations and litigation it may be proper. In organizations with heavy property and operational hazards, someone with considerable loss control experience might be a better fit. Suffice it to say that the job must be structured to meet the requirements of the organization, and the risk management team must draw its expertise from talented individuals both within and outside the organization. Specialty expertise can include legal, financial, credit, engineering, process improvement, actuarial, security, and other professionals where required. It may also make sense, as it has in some of the cases, to restructure the organization so that members of different but important departments such as legal, audit, and finance are aligned, so that the resources necessary to meet ERM expectations work together and report through a single leader.

A fifth observation concerns data. Having good, available, and widely distributed data was deemed critical by participating risk managers. For some, building better and more robust data gathering techniques was the first task.

Each case study poses different challenges to the risk manager and to the organization. While operational risk management remains a mainstay of ERM implementations, case study participants quite often found that the operational risks important to the traditional risk manager may not be as critical to the organization as other risks. This is a good sign, because discovering and managing the risks critical to the organization and its strategy, from whatever source, is a key objective of any properly constituted ERM initiative.

Participating risk managers were also asked to speak about the research needed to make ERM a more robust process. Their responses identified the need for additional research in: decision making under uncertainty, differences in risk appetite at different organizational levels, ways of improving empathy towards students in the collegiate setting, the challenges facing ERM initiatives in China, and better business intelligence processes.

At the end of each case are “Questions for Students and Practitioners”. These are intended for a university audience but can also be used by risk managers in their consultative and coaching role, when a case is used to help the risk management team or others in the organization better understand some of the issues companies face in an ERM installation. There is sufficient diversity in these cases to provide most risk managers with a case study that exemplifies an issue their enterprise is confronting or will confront.

The Articles

Many books and articles have been written about ERM. The articles in this book are intended to respond to issues being raised in the ERM community or arising from discussions with individuals involved in ERM implementations. No attempt was made to correlate these articles with the issues raised in the cases, although some issues, such as group decision making, strategy, healthcare risks and risk uncertainty, are addressed in specific case studies found in this book.

  • Jean-Paul Louisot, Chris Ketcham, and Kevin W. Knight pay particular attention to the point that ERM is concerned with managing risks to strategy.
  • There is also a need to understand how organizations, leaders and others make decisions under uncertainty. Towards this end, Daniel A. Gaus discusses some of the risk issues associated with group decision-making.
  • In the US, recent healthcare legislation has altered the risk landscape for most companies, not just hospitals and health insurers. Robert L. Snyder reviews the emerging risks in the healthcare industry.
  • Jean-Paul Louisot brings ERM basics to the fore with separate discussions of GRC (Governance, Risk and Compliance), communication, risk identification, risk quantification, and risk assessment.
  • Georges-Yves Kervern and Jean-Paul Louisot remind us, through the science of Cindynics, to be aware of unknown risks and how to prepare for an uncertain future.
  • Richard Connelly and Jean-Paul Louisot provide an update on advances in business intelligence.
  • Sophie Gaultier Gaillard, Jean-Paul Louisot, and Jenny Rayner offer a rubric for assessing and managing risk to reputation, an asset that is not easily measured.
  • Jean-Paul Louisot explains why managing different levels of disturbance requires different strategies.
  • Marc Ronez considers the ethical implications of ERM and risk management.
  • Sophie Gaultier Gaillard provides suggestions on how to structure and conduct questionnaires to gather data for risk identification and analysis.

The References

Many articles in this book have references associated with specific topics. We also provide a manageable list of ERM-related references from the past five years and others that have stood the test of time. This list is by no means exhaustive and we apologize if a favorite article or book of yours has been left off the list. Over time and as ERM matures we hope to expand this list into a more robust resource for practitioners and others.

ISO 31000 and Guide 73: 2009 Definitions

ISO 31000 provides risk professionals with an internationally recognized framework for risk management across the enterprise. Associated with this framework is a list of key risk management terms that were carefully defined by the committees working on the standard. As ERM evolves, the group working on ISO 31000 will have the opportunity to revise these definitions as the science of risk improves. Following this introduction is a list of some of the key terms that will be helpful to readers of this book. Unless a particular article or case defines a term in this list differently, please consider the ISO 31000 and Guide 73: 2009 definition as your guide. Remember that this is not a reproduction of the entire ISO 31000/Guide 73, only select terms that the editors considered especially relevant to the topics and cases explored in this text.
