CHAPTER 2
A Brief History of Risk Management

 

H. FELIX KLOMAN (to 2008)

Retired Principal of Towers Perrin (now Willis Towers Watson)

 

JOHN R.S. FRASER, FCPA, FCA (from 2008)

Former Chief Risk Officer, Hydro One Networks Inc., Toronto, Canada

 

INTRODUCTION

What is risk management (and its alternative title “enterprise risk management”)? When and where did we begin applying its precepts? Who were the first to use it? This is a brief and highly personal study of this discipline's past and present. It is a description of some of its emotional and intellectual roots. It spans the millennia of human history and concludes with a detailed list of contributions in the past century.

RISK MANAGEMENT IN ANTIQUITY

Making good decisions in the face of uncertainty and risk probably began during the earliest human existence. Evolution favored those human creatures able to use their experience and minds to reduce the uncertainty of food, warmth, and protection. Homo sapiens survived by developing “an expression of an instinctive and constant drive for defense of an organism against the risks that are part of the uncertainty of existence.”1 This “genetic expression” can be construed as the beginning of risk management, a discipline for dealing with uncertainty.

As the millennia passed, our species developed other mechanisms for coping with each day's constant surprises. We invented a pantheon of divine creatures to blame for misfortune, praise for good luck, and to whom we offered sacrifices to mitigate the worst. These gods and goddesses, the personification of heavenly bodies, high mountains, and the deepest seas, led to a dependence on human oracles, soothsayers, priests, priestesses, and astrologers, to predict the future. We created a written language (Mesopotamia, Sumeria, Egypt, Phoenicia) in order to pass knowledge to the future. As our species used language, experience, memory, and deduction to explain random uncertainty, we created an alternative and backup explanatory system.

The classical world of the Greeks and Romans demonstrates the development of written language, providing a significant advantage over oral recitation. At first, Greek memories passed on information from the past. Their written language extrapolated it into more rational predictions. Homer, capturing memory, sang of Zeus, Hera, Athena, Apollo, and the corps of divinities responsible for the victory at Troy as well as the misadventures of Odysseus on his return home. But by 585 BC, the Greek philosopher Thales used his observations, written data, and deductions to predict an eclipse of the sun, even though he continued to profess a belief in these gods.2 A century later Herodotus used intelligent “enquiry” to write “history,” but he too persisted with the power of divinities. It was finally Thucydides, in the early 400s BC, who proposed a “new penetrating realism,” one that “removed the gods as explanations of the course of events.” Thucydides was “fascinated by the gap between expectation and outcome, intention and event.”3 Perhaps he should be called the father of risk management.

A few philosophers in classical Greece tried to emphasize observation, deduction, and prediction, but they inevitably collided with the inertia of belief in the long-standing system of divine intervention as the explanation for misfortune as well as good luck. With the growth and dominance of the new monotheistic religions in the Middle East and Mediterranean, it would take another millennium before the ideas Thucydides first advanced grew into the solid body of scientific knowledge to replace myth and superstition.

AFTER THE MIDDLE AGES

Jump ahead another 1,000 years to the emergence of the Renaissance and Enlightenment. Two changes encouraged the idea that we could actually think intelligently about the future. Peter Bernstein described the first, in his Against the Gods: “The idea of risk management emerges only when people believe they are to some degree free agents.”4 The second was our growing fascination with numbers. Our increasing disenchantment with the explanation that a “superior power” ordained everything became coupled with the capability of manipulating experience and data into numbers and thence probabilities. We could predict alternative futures! Peter Bernstein's book is a joyful and often lyrical exploration of the development of the concept of risk as both threat and opportunity. We became capable of “scrutinizing the past” to suggest future possibilities. He describes those men who first advanced the ideas of probability measurement, introducing us to familiar and unfamiliar names from the Renaissance onward:

  • Leonardo Pisano (who introduced Arabic numerals)
  • Luca Paccioli (double-entry bookkeeping)
  • Girolamo Cardano (measuring the probability of dice)
  • Blaise Pascal (“fear of harm ought to be proportional not merely to the gravity of the harm, but also to the probability of the event”)
  • John Graunt (who calculated statistical tables)
  • Daniel Bernoulli (the concept of utility)
  • Jacob Bernoulli (the “law of large numbers”)
  • Abraham de Moivre (the “bell” curve and standard deviation)
  • Thomas Bayes (statistical inference)
  • Francis Galton (regression to the mean)
  • Jeremy Bentham (the law of supply and demand)

Today's risk management rests, for better or for worse, on these and other fascinating characters.

Where once philosophers and theologians attributed fortune or misfortune to the whims of gods, the efforts of those early thinkers described in Bernstein's book, “have transformed the perception of risk from chance of loss into opportunity for gain, from FATE and ORIGINAL DESIGN to sophisticated, probability-based forecasts of the future, and from helplessness to choice.”5

Bernstein contrasts the development of more rigorous quantitative approaches to probabilities with recent attempts to understand why “people yield to inconsistencies, myopia, and other forms of distortion throughout the process of decisionmaking.” His story of risk and risk management is one of rationality and human nature, fighting with each other and then cooperating, to provide a better understanding of uncertainty and how to deal with it. “. . . Any decision relating to risk involves two distinct yet inseparable elements: the objective facts and a subjective view about the desirability of what is to be gained, or lost, by the decision. Both objective measurement and subjective degrees of belief are essential; neither is sufficient by itself.”

“The essence of risk management,” Bernstein concludes, “lies in maximizing the areas where we have some control over the outcome while minimizing the areas where we have absolutely no control over the outcome and the linkage between effect and cause is hidden from us.”

THE PAST 100 YEARS

Experience and new information allowed us to think intelligently about the future and plan for potential unexpected outcomes. Many millennia contributed to our growing ability to distill and use information, but the developments since 1900 are more apparent and useful. Here is a synopsis of these critical events.

The twentieth century began with euphoria, new wealth, relative peace, and industrialization, only to descend into chaotic regional and worldwide wars. These and other catastrophes crushed illusions about the perfectibility of society and our species, leaving us less idealistic and more appreciative of the continuing uncertainty of our future.

Ideas drove change in this century. Stephen Lagerfeld cogently summed it up:6 “Apart from the almost accidental tragedy of World War I, the great clashings of our bloody century have not been provoked by the hunger for land, or riches, or other traditional sources of national desire, but by ideas—about the value of individual dignity and freedom, about the proper organization of society, and ultimately about the possibility of human perfection.”

Risk management is one of those ideas: that a logical, consistent, and disciplined approach to the future's uncertainties will allow us to live more prudently and productively, avoiding unnecessary waste of resources. It goes beyond faith and luck, the former twin pillars of managing the future, before we learned to measure probability. As Peter Bernstein wrote, “If everything is a matter of luck, risk management is a meaningless exercise. Invoking luck obscures truth, because it separates an event from its cause.”7

If risk management is an extension of human nature, I should list the most notable political, economic, military, scientific, and technological events of the past 100 years. The major wars (from the Russo-Japanese, World Wars I and II, Korea, the Balkan, the first Gulf War and Iraq, to the numerous regional conflicts) and the advent of the automobile; radio; television; computer and Internet; the Great Depression; global warming; the atom bomb and nuclear power; the rise and fall of communism; housing; the dot-com, derivative, and lending bubbles; and the entire environmental movement affected the development of risk management. Major catastrophes did so more directly: the Titanic (the “unsinkable” ship sinks), the Triangle Shirtwaist fire (the failure to allow sufficient exits), Minamata Bay (mercury poisoning in Japan), Seveso (chemical poisoning of the community in Italy), Bhopal (chemical poisoning in India), Chernobyl (Russian nuclear meltdown), Three Mile Island (potential U.S. nuclear disaster that was contained), the Challenger (U.S. space shuttle breakup), the Piper Alpha (North Sea oil production platform explosion and fire), and the Exxon Valdez (Alaskan ship grounding and oil contamination), to cite some of the more obvious. Earthquakes, tsunamis, typhoons, cyclones, and hurricanes continue to devastate populous regions, and their increasing frequency and severity stimulate new studies on causes, effects, and prediction, all part of the evolution of risk management.

The most significant milestones, in our opinion, are more personal: the new ideas, books, and actions of individuals and their groups, all of whom stimulated the discipline. Here's our list:

1914 Credit and lending officers in the United States create Robert Morris Associates in Philadelphia. By 2000 it changes its name to the Risk Management Association and continues to focus on credit risk in financial institutions. In 2008 it counted 3,000 institutional and 36,000 associate members.8
1915 Friedrich Leitner publishes Die Unternehmensrisiken in Berlin (Enzelwirt. Abhan. Heft 3), a dissertation on risk and some of its responses, including insurance.
1921 Frank Knight publishes Risk, Uncertainty and Profit, a book that becomes a keystone in the risk management library. Knight separates uncertainty, which is not measurable, from risk, which is. He celebrates the prevalence of “surprise” and he cautions against overreliance on extrapolating past frequencies into the future.9
1921 A Treatise on Probability, by John Maynard Keynes, appears. He too scorns dependence on the “Law of Great Numbers,” emphasizing the importance of relative perception and judgment when determining probabilities.10
1928 John von Neumann presents his first paper on a theory of games and strategy at the University of Göttingen, “Zur Theorie der Gesellschaftsspiele,” Mathematische Annalen, suggesting that the goal of not losing may be superior to that of winning. Later, in 1944, he and Oskar Morgenstern publish The Theory of Games and Economic Behavior (Princeton University Press, Princeton, NJ).

The U.S. Congress passes the Glass-Steagall Act, prohibiting common ownership of banks, investment banks, and insurance companies. This Act, finally revoked in late 1999, arguably acted as a brake on the development of financial institutions in the United States and led the risk management discipline in many ways to be more fragmented than integrated. The financial disasters after 2000 cause some to question the wisdom of revocation.

1945 Congress passes the McCarran-Ferguson Act, delegating the regulation of insurance to the various states, rather than to the federal government, even as business became more national and international. This was another needless brake on risk management, as it hamstrung the ability of the insurance industry to become more responsive to the broader risks of its commercial customers.
1952 The Journal of Finance (vol. 7, no. 1, 77–91) publishes “Portfolio Selection,” by Dr. Harry Markowitz, who later wins the Nobel Prize in 1990. It explores aspects of return and variance in an investment portfolio, leading to many of the sophisticated measures of financial risk in use today.11
1956 The Harvard Business Review publishes “Risk Management: A New Phase of Cost Control,” by Russell Gallagher, then the insurance manager of Philco Corporation in Philadelphia. This city is the focal point for new “risk management” thinking, from Dr. Wayne Snider, then of the University of Pennsylvania, who suggested in November 1955 that “the professional insurance manager should be a risk manager,” to Dr. Herbert Denenberg, another University of Pennsylvania professor who began exploring the idea of risk management using some early writings of Henri Fayol.
1962 In Toronto, Douglas Barlow, the insurance risk manager at Massey Ferguson, develops the idea of “cost-of-risk,” comparing the sum of self-funded losses, insurance premiums, loss control costs, and administrative costs to revenues, assets, and equity. This moves insurance risk management thinking away from insurance, but it still fails to cover all forms of financial and political risk.

That same year Rachel Carson's The Silent Spring challenges the public to consider seriously the degradation to our air, water, and ground from both inadvertent and deliberate pollution. Her work leads directly to the creation of the Environmental Protection Agency in the United States in 1970, the plethora of today's environmental regulations, and the global Green movement so active today.12

1965 The Corvair unmasked! Ralph Nader's Unsafe at Any Speed appears and gives birth to the consumer movement, first in the United States and later moving throughout the world, in which caveat vendor replaces the old precept of caveat emptor. The ensuing wave of litigation and regulation leads to stiffer product, occupational safety, and security regulations in most developed nations. Public outrage at corporate misbehavior also leads to the rise of litigation and the application of punitive damages in U.S. courts.13
1966 The Insurance Institute of America develops a set of three examinations that lead to the designation “Associate in Risk Management” (ARM), the first such certification. While heavily oriented toward corporate insurance management, its texts feature a broader risk management concept and are revised continuously, keeping the ARM curriculum up-to-date.14
1972 Dr. Kenneth Arrow wins the Nobel Memorial Prize in Economic Science, along with Sir John Hicks. Arrow imagines a perfect world in which every uncertainty is “insurable,” a world in which the Law of Large Numbers works without fail. He then points out that our knowledge is always incomplete—it “comes trailing clouds of vagueness”—and that we are best prepared for risk by accepting its potential as both a stimulant and penalty.
1973 In 1971, a group of insurance company executives meet in Paris to create the International Association for the Study of Insurance Economics. Two years later, the Geneva Association, its more familiar name, holds its first Constitutive Assembly and begins linking risk management, insurance, and economics. Under its first Secretary General and Director, Orio Giarini, the Geneva Association provides intellectual stimulus for the developing discipline.15

That same year, Myron Scholes and Fischer Black publish their paper on option valuation in the Journal of Political Economy and we begin to learn about derivatives.16

1974 Gustav Hamilton, the risk manager for Sweden's Statsforetag, creates a “risk management circle,” graphically describing the interaction of all elements of the process, from assessment and control to financing and communication.
1975 In the United States, the American Society of Insurance Management changes its name to the Risk & Insurance Management Society (RIMS), acknowledging the shift toward risk management first suggested by Gallagher, Snider, and Denenberg in Philadelphia 20 years earlier. By 2008, RIMS has almost 11,000 members and a wide range of educational programs and services aimed primarily at insurance risk managers in North America. It links with sister associations in many other countries around the world through IFRIMA, the International Federation of Risk & Insurance Management Associations.17

With the support of RIMS, Fortune magazine publishes a special article entitled “The Risk Management Revolution.” It suggests the coordination of formerly unconnected risk management functions within an organization and acceptance by the board of responsibility for preparing an organizational policy and oversight of the function. Twenty years lapse before many of the ideas in this paper gain general acceptance.

1979 Daniel Kahneman and Amos Tversky publish their “prospect theory,” demonstrating that human nature can be perversely irrational, especially in the face of risk, and that the fear of loss often trumps the hope of gain. Three years later they and Paul Slovic write Judgment Under Uncertainty: Heuristics and Biases, published by Cambridge University Press. Kahneman wins the Nobel Prize in Economics in 2002.
1980 Public policy, academic, and environmental risk management advocates form the Society for Risk Analysis (SRA) in Washington. Risk Analysis, its quarterly journal, appears the same year. By 2008, SRA has more than 2,500 members worldwide and active subgroups in Europe and Japan. Through its efforts, the terms risk assessment and risk management are familiar in North American and European legislatures.18
1983 William Ruckelshaus delivers his speech on “Science, Risk and Public Policy” to the National Academy of Sciences, launching the risk management idea in public policy. Ruckelshaus had been the first director of the Environmental Protection Agency, from 1970 to 1973, and returned in 1983 to lead the EPA into a more principled framework for environmental policy. Risk management reaches the national political agenda.19
1986 The Institute for Risk Management begins in London. Several years later, under the guidance of Dr. Gordon Dickson, it begins an international set of examinations leading to the designation, “Fellow of the Institute of Risk Management,” the first continuing education program looking at risk management in all its facets. This program is expanded in 2007–2008 for its 2,500 members.20

That same year the U.S. Congress passes a revision to the Risk Retention Act of 1982, substantially broadening its application, in light of an insurance cost and availability crisis. By 1999, some 73 “risk retention groups,” effectively captive insurance companies under a federal mandate, account for close to $750 million in premiums.

1987 “Black Monday,” October 19, 1987, hits the U.S. stock market. Its shock waves are global, reminding all investors of the market's inherent risk and volatility.

That same year Dr. Vernon Grose, a physicist, student of systems methodology, and former member of the National Transportation Safety Board, publishes Managing Risk: Systematic Loss Prevention for Executives, a book that remains one of the clearest primers on risk assessment and management.21

1990 The United Nations Secretariat authorizes the start of IDNDR, the International Decade for Natural Disaster Reduction, a 10-year effort to study the nature and the effects of natural disasters, particularly on the less-developed areas of the world, and to build a global mitigation effort. IDNDR concludes in 1999 but continues under a new title, ISDR, the International Strategy for Disaster Reduction. Much of its work is detailed in Natural Disaster Management, a 319-page synopsis on the nature of hazards, social and community vulnerability, risk assessment, forecasting, emergency management, prevention, science, communication, politics, financial investment, partnerships, and the challenges for the twenty-first century.22
1992 The Cadbury Committee issues its report in the United Kingdom, suggesting that governing boards are responsible for setting risk management policy, assuring that the organization understands all its risks, and accepting oversight for the entire process. Its successor committees (Hempel and Turnbull), and similar work in Canada, the United States, South Africa, Germany, and France, establish a new and broader mandate for organizational risk management.23

In 1992, British Petroleum turns conventional insurance risk financing topsy-turvy with its decision, based on an academic study by Neil Doherty of the University of Pennsylvania and Clifford Smith of the University of Rochester, to dispense with any commercial insurance on its operations in excess of $10 million. Other large, diversified, transnational corporations immediately study the BP approach.24

The Bank for International Settlements issues its Basel I Accord to help financial institutions measure their credit and market risks and set capital accordingly.

The title “Chief Risk Officer” is first used by James Lam at GE Capital to describe a function to manage “all aspects of risk,” including risk management, back-office operations, and business and financial planning.

1994 Bankers Trust, in New York, publishes a paper by its CEO, Charles Sanford, entitled “The Risk Management Revolution,” from a lecture at MIT. It identifies the discipline as a keystone for financial institution management.25
1995 A multidisciplinary task force of Standards Australia and Standards New Zealand publishes the first Risk Management Standard, AS/NZS 4360:1995 (since revised in 1999 and 2004), bringing together for the first time several of the different subdisciplines. This standard is followed by similar efforts in Canada, Japan, and the United Kingdom. While some observers think the effort premature, because of the constantly evolving nature of risk management, most hail it as an important first step toward a common global frame of reference.26

That same year Nick Leeson, a trader for Barings Bank, operating in Singapore, finds himself disastrously overextended and manages to topple the bank. This unfortunate event, a combination of greed, hubris, and inexcusable control failures, receives world headlines and becomes the “poster child” for fresh interest in operational risk management.

1996 The Global Association of Risk Professionals (GARP), representing credit, currency, interest rate, and investment risk managers, starts in New York and London. By 2008, it has more than 74,000 members, plus an extensive global certification examination program.27

Risk and risk management make the best-seller lists in North America and Europe with the publication of Peter Bernstein's Against the Gods: The Remarkable Story of Risk. Bernstein's book, while first a history of the development of the idea of risk and its management, is also, and perhaps more importantly, a warning about the overreliance on quantification: “The mathematically driven apparatus of modern risk management contains the seeds of a dehumanizing and self-destructive technology.”28 He makes a similar warning about the replacement of “old-world superstitions” with a “dangerous reliance on numbers,” in “The New Religion of Risk Management,” in the March–April 1996 issue of The Harvard Business Review.

1998 The collapse of Long-Term Capital Management, a four-year-old hedge fund, in Greenwich, Connecticut, and its bailout by the Federal Reserve, illustrate the failure of overreliance on supposedly sophisticated financial models.
2000 The widely heralded Y2K bug fails to materialize, in large measure because of billions spent to update software systems. It is considered a success for risk management.

The terrorism of September 11, 2001, and the collapse of Enron remind the world that nothing is too big for collapse. These catastrophes reinvigorate risk management.

PRMIA, the Professional Risk Manager's International Association, starts in the United States and United Kingdom. By 2008, it counts 2,500 paid and 48,000 associate members. It, too, sponsors a global certification examination program.29

In July, the U.S. Congress passes the Sarbanes-Oxley Act, in response to the Enron collapse and other financial scandals, to apply to all public companies. It is an impetus to combine risk management with governance and regulatory compliance. Opinion is mixed on this change. Some see this combination as a step backward, emphasizing only the negative side of risk, while others consider it a stimulus for risk management at the board level.

2004 The Basel Committee on Banking Supervision publishes the Basel II Accords, extending its global capital guidelines into operational risk (Basel I covered credit and market risks). Some observers argue that while worldwide adoption of these guidelines may reduce individual financial institution risk, it may increase systemic risk. These global accords may lead to similar guidelines for nonfinancial organizations.30
2005 The International Organization for Standardization creates an international working group to write a new global “guideline” for the definition, application, and practice of risk management, with a target date of 2009 for approval and publication.31
2007 Nassim Nicholas Taleb's The Black Swan is published by Random House in New York. It is a warning that “our world is dominated by the extreme, the unknown, and the very improbable . . . while we spend our time engaged in small talk, focusing on the known and the repeated.”32 Taleb's 2001 book, Fooled by Randomness (Texere, New York) was an earlier paean to the importance of skepticism on models.
2008 The United States Federal Reserve bailout of Bear Stearns appears to many to be an admission of the failure of conventional risk management in financial institutions.
2008 The global financial crisis impacted markets across the globe. Triggered by the subprime mortgage market in the United States, it spread to numerous other countries. Major companies failed, stock markets plunged, the U.S. government propped up the major automobile manufacturers, and many private homes in the United States were abandoned as they had lost their value. It was estimated that the total payouts for insurance were some $21 trillion.33
2009 The Financial Stability Board34 was established by the G20 in April 2009 as the successor to the Financial Stability Forum (FSF). The FSB has assumed a key role in promoting the reform of international financial regulation and supervision.

Bernie Madoff pleaded guilty to 11 federal felony counts, including securities fraud, wire fraud, mail fraud, perjury, and money laundering. Bernie Madoff had operated the largest Ponzi scheme in history, approximately $64 billion, and is now serving a prison sentence of 150 years.35

2012 The London Stock Exchange publishes corporate governance for main market and AIM companies39 (AIM is the London Stock Exchange's international market for smaller growing companies). It categorizes risks as the following: financial, operational, hazard, and strategic.
2013 The Financial Stability Board issues its paper “Principles for An Effective Risk Appetite Framework,”40 which, among other things, recommends creating a “risk appetite statement.”
2014 The New York Stock Exchange issues its NYSE: Corporate Governance Guide,41 which states that boards are expected to (among other things): Determine the company's reasonable risk appetite (financial, safety, cyber, political, reputation, etc.), see to the implementation by management of state-of-the-art standards for managing risk, monitor the management of those risks within the parameters of the company's risk appetite, and oversee the taking of necessary steps to foster a culture of risk-aware and risk-adjusted decision making throughout the organization.
2015 In the S&P report on 2014 ratings for enterprise risk management in North American and Bermudian companies, S&P rates 2 percent as being very strong, 18 percent as strong, 12 percent as adequate with strong risk controls, 67 percent as adequate, and 1 percent as weak. They noted that “The distribution of ERM scores has remained relatively stable over the past 7 years with the average score being Adequate.”
2016 The Institute of Directors Southern Africa issues their King IV Report on Corporate Governance for South Africa 2016,42 which states that “The definition for risk used in King IV consists of three parts, namely uncertainty of events, the likelihood of such events occurring and their effect, both positive and negative. King IV's understanding of risk thus balances the traditional, negative view of risk with one that recognizes the potential opportunities inherent in some risks. Thus, an opportunity may present itself as the potential upside of a risk that could adversely affect the achievement of organizational objectives.”

The U.S. federal government issues Office of Management and Budget (OMB) Circular No. A-12343 requiring all federal agencies to establish enterprise risk management in their agencies.

The Chief Financial Officers Council (CFOC) and the Performance Improvement Council (PIC) of the U.S. federal government issue the “Playbook: Enterprise Risk Management for the U.S. Federal Government.”44 This document provides guidance for establishing an ERM program to meet the requirements of Circular No. A-123.

2017 COSO issues an updated Enterprise Risk Management—Integrated Framework document.45 The framework was updated to address new risks that have come to light since the original publication in 2004, as well as to provide greater emphasis on strategy and performance.
2018 The International Organization for Standardization (ISO) issues an updated ISO 31000:2018, Risk management—Guidelines.46 This updates earlier publications of ISO 31000 in 2004 and 2009. This edition “provides more strategic guidance than ISO 31000:2009 and places more emphasis on both the involvement of senior management and the integration of risk management into the organization.”

Wells Fargo pays a $1 billion fine for falsifying customer accounts.47 Wells Fargo admitted that they had charged some 570,000 clients for car insurance they didn't need, and some mortgage borrowers were charged for missing a deadline even though it was Wells Fargo's fault.

Danske Bank of Denmark admits that its money laundering activities involved some $234 billion in illegal money laundering.48

2019 The ISO issues IEC 31010:2019, Risk management—Risk assessment techniques.49 This lists some 31 techniques such as the Delphi method, Bowtie analysis, and Monte Carlo simulation.

In Australia, the Financial Services Royal Commission Final Report50 homed in on the need for boards to get the right information about emerging nonfinancial risks. This requires the board to:

  1. seek further or better information if what they have is deficient; and
  2. use that information properly in order to robustly challenge management's approach to managing these risks.

If the board does not have the right information, it simply cannot effectively challenge management and properly discharge its functions. The report noted that boards frequently did not get the right information about emerging nonfinancial risks. It firmly lays the responsibility for getting the right information on boards and senior management.

The U.K. Treasury Department issues an updated Orange Book: Management of Risk—Principles and Concepts.51 This updates the 2004 original, which was considered a major advancement in the thinking of risk management in government. It emphasizes “timely, accurate and useful risk reporting to enhance the quality of decision-making and to support management and oversight bodies in meeting their responsibilities.”

The Risk Coalition (an association of not-for-profit professional bodies and membership organizations committed to raising the standards of risk management in the UK) publishes Raising the Bar: Principles-based guidance for board risk committees and risk functions in the UK Financial Services sector.52 This is a comprehensive, principles-based guidance document for financial services risk committees and risk functions. It notes that: “In financial services the real risk is to take no risks.”

The Institute of Internal Auditors and the Neel Corporate Governance Center at the University of Tennessee, Knoxville's Haslam College of Business published the inaugural American Corporate Governance Index (ACGI).53 This Index rates companies according to their performance with a set of eight principles of corporate governance. They reported that “the most troubling finding surrounding board performance relates to the oversight of management, specifically the extent to which board members are willing to offer opinions that are contradictory to or conflict with those of the CEO. When presented with specific scenarios in which the CEO wants to delay reporting negative news, respondents believed that only 64% of board members at their company would push back on the CEO, meaning more than one-third (36%) of board members would not.”

FINAL WORDS

Perhaps Peter Bernstein's Against the Gods is a fitting end to this list of risk management milestones. It illustrates the importance of communication. Too often, new ideas have been unnecessarily restricted to the cognoscenti. Arcane mathematics, academic prose, and the secretiveness of current risk management “guilds,” each protecting their own turf, discourage needed interdisciplinary discussion. Peter's lucid prose, compelling syntheses of difficult concepts, personal portraits of creative people, and particularly his warnings of the perils of excess quantification, bring us an appreciation of both the potential and perils of risk management. No matter what title we attach to this thinking process (risk management; enterprise risk management; strategic risk management; etc.), it will continue to be a part of the human experience.

None of this retrospection has any meaning or value unless it acts as a stimulant for a more prudent, intelligent, and optimistic use of the ideas and tools of past innovators.

Step out and create some new risk milestones.

Paradoxically, the very mortality that bears each of us along to a finite conclusion also gives us, through its unfolding, the means to repossess what we believe we have lost. It is in memory, given its true shape through the imagination, that we can truly possess our lives, if we will only strive to regain them.

Louis D. Rubin Jr., Small Craft Advisory, Atlantic Monthly Press, New York, 1991

Risk and time are opposite sides of the same coin, for if there were no tomorrow there would be no risk. Time transforms risk, and the nature of risk is shaped by the time horizon: the future is the playing field.

Peter Bernstein, Against the Gods, John Wiley & Sons, New York, 1996

(Revision September 2008. An earlier version of this brief history appeared in the December 1999 issue of Risk Management Reports.)

ABOUT THE AUTHORS

Felix Kloman is a retired principal of Towers Perrin, an international management consulting firm. His experience includes serving as Editor and Publisher of Risk Management Reports for 33 years, from 1974 to 2007, and more than 40 years in risk management consulting with Risk Planning Group (Darien, CT), Tillinghast (Stamford, CT), and Towers Perrin (Stamford, CT). He is the author of Mumpsimus Revisited (2005), and The Fantods of Risk (2008), both sets of essays on risk management. He is a Fellow of the Institute of Risk Management (London), a past director of the Nonprofit Risk Management Center, a past and founding director of the Public Entity Risk Institute, past chairman of the Risk Management & Insurance Committee for the U.S. Sailing Association, and a charter member of the Society for Risk Analysis. He received the Dorothy and Harry Goodell Award from the Risk & Insurance Management Society in 1994.

He is a graduate of Princeton University, 1955, with an AB in History.

John R.S. Fraser, FCPA, FCA, is the former Senior Vice President, Internal Audit & Chief Risk Officer of Hydro One Networks Inc., one of Canada's largest electricity transmission and distribution companies. He is a Fellow of the Ontario Institute of Chartered Professional Accountants and a Certified Internal Auditor. He has more than 30 years' experience in the governance, risk, and control fields, including areas such as: finance, fraud, derivatives, safety, environmental, computers, and operations. He is past Chair of the Advisory Committee of the Conference Board of Canada's Strategic Risk Council, an ex-Practitioner Associate Editor of the Journal of Applied Finance, and a past member of the Risk Management and Governance Board of the Canadian Institute of Chartered Professional Accountants. He is a recognized authority on enterprise risk management and has co-authored numerous academic papers on ERM.

NOTES

  1. Douglas Barlow, in letter to the author, January 8, 1998. Barlow was, for many years, the risk manager for Canada's Massey Ferguson Company.
  2. Robin Lane Fox, The Classical World (New York: Basic Books, 2006), 49.
  3. Ibid., 157.
  4. Peter L. Bernstein, Against the Gods (New York: John Wiley & Sons, 1996), xxxv.
  5. Ibid., 337.
  6. Stephen Lagerfeld, “Editor's Comment,” Wilson Quarterly (Autumn 1999).
  7. Bernstein, op. cit., 197.
  8. See www.rmahq.org for more information about RMA.
  9. See 1985 reprint from the University of Chicago Press and first edition, 1921, Hart, Schaffner, and Marx, Boston.
  10. See 1963 reprint from Macmillan.
  11. See www.afajof.org.
  12. See 1952 original and 2003 reprint from Houghton Mifflin, Boston.
  13. See Grossman Publishers, New York, 1965.
  14. See www.aicpcu.org.
  15. See www.genevaassociation.org for more information on the Geneva Association.
  16. See www.journals.uchicago.edu.
  17. See www.rims.org for more information on RIMS.
  18. See www.sra.org for more information about SRA.
  19. See Science, vol. 221, no. 4615, September 9, 1983, and www.science.mag.org.
  20. See www.theirm.org for more information about IRM.
  21. Vernon Grose, Managing Risk: Systematic Loss Prevention for Executives (Englewood Cliffs, NJ: Prentice-Hall).
  22. See www.unisdr.org for more information on ISDR.
  23. See www.archive.official-documents.co.uk.
  24. See Journal of Applied Corporate Finance, vol. 6, no. 3 (Fall 1993), www.blackwell-synergy.com.
  25. See www.terry.uga.edu/sanford/vita.html.
  26. See www.standards.com.au.
  27. See www.garp.org for more information about GARP.
  28. Bernstein, op. cit., 7.
  29. See www.prmia.org for more information about PRMIA.
  30. See www.bis.org.
  31. See www.iso.org.
  32. Nassim Nicholas Taleb, The Black Swan (New York: Random House, 2007), xxvii.
  33. https://www.ashburnham-insurance.co.uk/blog/2017/05/10-biggest-insurance-claim-payouts-of-all-time/.
  34. https://www.fsb.org/history-of-the-fsb/.
  35. https://www.cnn.com/2013/03/11/us/bernard-madoff-fast-facts/index.html.
  36. https://en.wikipedia.org/wiki/Deepwater_Horizon_oil_spill.
  37. https://en.wikipedia.org/wiki/2010_eruptions_of_Eyjafjallaj%C3%B6kull#Effects_of_the_ash_plume_on_air_travel.
  38. https://en.wikipedia.org/wiki/2011_T%C5%8Dhoku_earthquake_and_tsunami.
  39. https://www.londonstockexchange.com/companies-and-advisors/aim/publications/documents/corpgov.pdf.
  40. https://www.fsb.org/2013/11/r_131118/.
  41. https://www.nyse.com/publicdocs/nyse/listing/NYSE_Corporate_Governance:Guide.pdf.
  42. https://c.ymcdn.com/sites/iodsa.site-ym.com/resource/collection/684B68A7-B768-465C-8214-E3A007F15A5A/IoDSA_King_IV_Report_-_WebVersion.pdf.
  43. https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2016/m-16-17.pdf.
  44. https://www.cfo.gov/wp-content/uploads/2016/07/FINAL-ERM-Playbook.pdf.
  45. https://www.coso.org/Pages/default.aspx.
  46. https://www.iso.org/iso-31000-risk-management.html.
  47. https://money.cnn.com/2018/04/20/news/companies/wells-fargo-regulators-auto-lending-fine/index.html.
  48. https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3446636.
  49. https://www.iso.org/standard/72140.html.
  50. https://financialservices.royalcommission.gov.au/Pages/reports.aspx#final.
  51. https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/815635/Orange_Book_Management_of_Risk.pdf.
  52. https://riskcoalition.org.uk/the-guidance.
  53. http://contentz.mkt5790.com/lp/2842/277868/ACGI-Report.pdf.