8
Case Study: Agreeing Upon the Scope of the Project and the Job of the ERM Risk Manager

Christopher Ketcham

Ph.D., CPCU, CRM, CIC, CFP®, Formerly Visiting Assistant Professor, University of Houston Downtown, Houston, Texas; Garnet Valley, Pennsylvania

This expository is based on an interview and commentary from veteran Risk Manager, Franck Baron, and his recent experience of negotiating the scope of his responsibilities during and after the hiring process as General Manager, Risk Management with the leaders of the privately owned company he is working for now. He recounts his experiences from pre-hire negotiations into the identification phase of the organization's ERM project. He offers suggestions on how to negotiate the job and set the stage for ERM with senior leadership. The views expressed here result from a sharing of experience with the authors of the book and do not represent the views of Mr. Franck's current employer.

8.1 SCOPE OF THE PROJECT

When an organization determines that it is ready to explore an enterprise-wide risk management (ERM) initiative, there are a number of items that must be considered. First, the change from traditional risk management to ERM is more than a phase change – it is a re-learning process about the nature of risk. The organization's strategy is the cornerstone of ERM. Organizations that do not have a robust strategic plan and consistent strategic message, goals, and objectives will need to develop these first, involving RM in the process in order to determine critical risks to strategy. Identifying, assessing, managing, and monitoring risks with impacts on strategy is the central task of ERM. To accomplish this requires a recasting of the organization's mindset towards risk and the selection of a capable risk manager who is attuned to the process of ERM, understands what is required for a successful ERM implementation, and is familiar with issues associated with sustaining ERM over time. This process begins even before the ERM initiative leader accepts the responsibility and accountability for the job.

Many who become chief risk officers will not be employees of the organization when interviewing for the job to build an ERM initiative. The CRO candidate will need to make it clear that the chosen CRO will need to have a better understanding of where the organization wants to go with ERM before any program can be implemented. Whether the candidate to run the ERM project is an employee or a new hire or whether the firm is public, private, or not-for-profit, that candidate must have a candid conversation with senior executives to make sure that all have a common understanding of what the ERM project will achieve. If the organization says yes to the ERM project, leadership must understand what has to happen and what the commitments are to the project. The ERM initiative leader must get agreement from senior management on the project's goals. At the same time, while there are ERM protocols, maturity models and other tools to help the risk manager begin an implementation, there is no one-size-fits-all protocol, process, or solution for an ERM initiative. The person in charge of the ERM initiative first must take time to learn – to begin to understand the company and its history.

One of the concerns with any ERM implementation is that it may have been initiated because management understands that the seriousness of one or more issues affecting the organization requires a rethinking of the risk management process. There will be pressure to solve this problem (or these problems) first, as quickly as possible. Executives may lose interest in ERM after these situations are addressed, when what is needed is a more thorough understanding of the organization's strategy, its risk appetite, and its leadership capabilities towards the understanding of and management of risk to strategy. It is a very real possibility that the organization's culture and leadership may not be tuned towards understanding risk to strategy in the most fundamental sense. There may be real problems that need to be addressed immediately in the nascent ERM project. However, there must be an understanding within the organization that for the ERM initiative to be sustained the organization must be tuned towards the strategic and the identification, assessment, management, and monitoring of critical risks that can affect the strategic goals and objectives of the organization.

Candidates from outside the company may find it easier to ask these tough questions than internal candidates. If the ERM initiative leader candidate is internal, that person must have or develop a relationship with senior officers to ask the tough questions, even tough questions that extend far beyond the realm of responsibilities the employee now has. Whoever the person selected to run the ERM initiative is, that person must have the authority to consider the organization from a position outside of the hierarchy – to speak truth to power. Towards this end the ERM initiative leader needs to understand that on the route to learning “everything about the organization” there will be reluctance by proprietary owners or other leaders to share some information that heretofore has been privileged. It is the job of the risk manager to obtain the necessary information about risk to determine how the ERM initiative can best manage the risk. Without transparency of information, critical risks may be overlooked, underestimated, or ignored.

8.2 JOB DESCRIPTION FOR ERM

There are specific competencies that a good ERM initiative leader must possess. First, the CRO (or equivalent) must take the time to learn – to understand the company and how it runs – all aspects of the company. The leader must be interested and show initiative towards this end. The leader must possess strong project management skills. This includes how to ask the right questions and how to communicate to all employee levels whether blue collar, professional, or field or office workers. This communication process includes the message to others, “I don't know and I am here to listen.” The initiative leader by the same token must be a good listener who does not have pre-conceived or prepared answers. The initiative leader must be innately curious and have the ability to ask questions even when inconvenient to executives and others.

To avoid having ERM become a checkbox exercise, or a compliance issue, the initiative leader needs to be able to identify and assess situations or processes which may not have been scrutinized to any great extent in the past and ask questions that may not have been asked before. The aim of any ERM program must not be to administratively manage risk but strategically manage risk and the risk manager must be prepared to think strategically.

Therefore, it is the responsibility of each person in the organization to manage risks. The CRO must see the job partly as a consultant to risk managers. A good CRO does not want managers to view the CRO as managing risk. Risk owners manage risk. The risk manager's job is to facilitate the process and coach risk owners.

However, if the CRO is to be successful, local risk managers and risk owners must provide him/her with appropriate information. One of the CRO's challenges is how to structure the performance review and incentives so that risk management is part of the responsibility. At the same time the RM professional must understand that a certain amount of risk is good for any organization, so leadership will need to build a performance incentive program that comports with the company's risk appetite, so that the incentive programs do not create risk-averse risk managers. Ultimately some risk is good because it provides opportunities.

One issue that is critically important for ERM: there is a need for the risk management community to better understand how people make decisions under uncertainty. More research is needed on how people think; how to help people learn how to make good risk decisions.

Second, the risk management community must do a better job at explaining how to sustain an ERM initiative over time. There is now a good body of literature on starting a project and success stories in beginning ERM, but there is an obvious lack of articles about success stories in sustaining ERM. In too many situations ERM becomes a compliance checkbox and is never integrated within strategy. In these situations, it is all too frequent that ERM develops its own bureaucracy but never is truly grafted onto strategy nor is it deeply embedded into the culture of the organization. To deliver the full value it can, a true ERM initiative should help an organization develop risk agility and not just compliance. The ERM leader supports the business and should be the catalyst for the business (not its conscience).

8.3 QUESTIONS FOR STUDENTS AND PRACTITIONERS

  1. The case asks the risk management community to do a better job explaining how to sustain an ERM initiative over time. List what you believe are the critical requirements to sustain an ERM initiative over time.
  2. Scenario: The current operational risk manager probably is not the right candidate to become chief risk officer, but that operational risk manager is very good at his/her job and knows the company well. You will become the company's first CRO. What role do you see this operational risk manager having in an ERM installation and what would be your plan to retain this person (if you will retain the person) and train this person for operating in an ERM environment?
  3. Do a “Google Scholar” search of “Decision Making Under Uncertainty”. Identify key research articles in this area of research and provide a brief summary of the issues and the empirical data that are part of this research paradigm to date.
  4. The board of directors has just hired you as a consultant to analyze the company to see whether it is ready to commence an ERM implementation. What circumstances or conditions in a business or enterprise would cause you to recommend that the company NOT pursue an ERM implementation at this time?
  5. Develop a template for building a job description for a chief risk officer in a for-profit enterprise. This should include a list of questions that must be answered and a list of critical skills that must be a part of every CRO's job. Also include questions that will identify competencies required for the particular industry and business that the CRO job description will be designed for.