Empowered Enterprise Risk Management - Hakan Jankensgard - E-Book

Hakan Jankensgard

Description

In this book, two experts on the topic raise the question of why many ERM programmes end up as box-checking silos with almost no connection to important decision-making processes, whereas others are empowered and end up having a profound impact on the firm's culture, governance structures, and strategy process. The book establishes a path to empowered ERM by drawing on insights from theory and hard-won lessons from practice. Success factors enabling this transition are thoroughly discussed in a start-to-finish narrative describing the theoretical underpinnings of ERM, its proven best practices, and on to more advanced topics such as risk budgeting and the integration of ERM into strategic decision-making.

Page count: 434

Year of publication: 2020




Table of Contents

Cover

Title Page

Copyright

Preface

CHAPTER 1: Introduction to Empowered Enterprise Risk Management

WHY A THEORETICAL PERSPECTIVE?

LESSONS FROM PRACTICE

NOTE

CHAPTER 2: Risk Defined

VALUE‐CREATING RISK MANAGEMENT

RISK MANAGEMENT

DOWNSIDE RISK VERSUS UPSIDE POTENTIAL

SUBJECTIVE PROBABILITIES

IS VALUE THE RIGHT METRIC?

RISKS VERSUS RISK‐TAKING

NOTES

CHAPTER 3: Risk Theory

SILOS AND THEIR CONSEQUENCES

THE SILO EFFECT ON RISK MANAGEMENT

A THEORY OF ERM

THE INFORMATION PROBLEM OF RISK MANAGEMENT

THE AGENCY PROBLEM OF RISK MANAGEMENT

OVER‐MANAGEMENT OF RISK

UNDERMANAGEMENT OF RISK

ERM AS A SOLUTION

CHAPTER 4: Risk Culture

THREATS TO RISK CULTURE

SHORT‐TERMISM: CAUSES AND CONSEQUENCES

CORPORATE CULTURES AND COMPENSATION PACKAGES

CREATING THE BEHAVIOURS THAT SUPPORT A RISK CULTURE

CHAPTER 5: Risk Governance

THE ROLE OF THE BOARD OF DIRECTORS

RISK OWNERSHIP

A MORE GRANULAR LOOK AT RISK OWNERSHIP

RISK GOVERNANCE TO SUPPORT INTEGRATED RISK MANAGEMENT

THE THREE LINES OF DEFENCE

RISK MANAGEMENT INDEPENDENCE

NOTES

CHAPTER 6: Risk Register

WHAT SHOULD GO INTO A RISK REGISTER

ESTIMATING PROBABILITY AND IMPACT

AN EXTENDED RISK REGISTER

NOTES

CHAPTER 7: Risk Response

RISK MITIGATION

RISK TRANSFER

RISK RETENTION

THE INTEGRATED VIEW

THE INTEGRATED RISK RESPONSE

NOTES

CHAPTER 8: Risk Appetite

WHY RISK APPETITE DOES NOT WORK

HOW TO MAKE PROGRESS

THE WAY FORWARD

RISK CAPACITY

QUANTITATIVE EXAMPLE OF RISK CAPACITY

NOTE

CHAPTER 9: Risk Budgeting

RISK BUDGETING AND QUANTITATIVE MODELS

FINANCIAL MODELS WITH ACCOUNTING AND ANALYTICAL INTEGRITY

PERFORMANCE‐AT‐RISK

INTRODUCING CRITICAL THRESHOLDS

CHAPTER 10: Risk Strategy

STRATEGY PERFORMANCE

STRATEGY FORMULATION AND SELECTION

CORE STRATEGIC RISKS AND THE RISK RADAR

STRATEGY EXECUTION

STRATEGIC INTERACTION AND RISK MANAGEMENT

NOTE

CHAPTER 11: Risk in Practice: The Case of Equinor

THE ERM VISION

EARLY DEVELOPMENTS IN ERM

RISK MAPPING IN EQUINOR

RISK GOVERNANCE IN EQUINOR

RISK CULTURE IN EQUINOR

RISK OPTIMIZATION

ERM AND STRATEGY

FINAL THOUGHTS

NOTES

CHAPTER 12: Concluding Remarks

REVISITING THE ERM PUZZLES

Bibliography

Acknowledgements

Index

End User License Agreement

List of Tables

Chapter 3

TABLE 3.1 Fragmentation of risk management

Chapter 6

TABLE 6.1 Extended risk register

List of Illustrations

Chapter 3

FIGURE 3.1 Effect of uncoordinated risk management

FIGURE 3.2 Integrated risk management

Chapter 4

FIGURE 4.1 Risk culture

FIGURE 4.2 Risk culture

Chapter 7

FIGURE 7.1 Risk response

FIGURE 7.2 Insurable versus uninsurable risks

FIGURE 7.3 Overview of risk transfer

FIGURE 7.4 Risk transfer with derivatives (producer perspective, 100% hedge ...

FIGURE 7.5 Consequences of risk retention

Chapter 8

FIGURE 8.1 Absolute versus relative risk appetite

FIGURE 8.2 Risk capacity

Chapter 9

FIGURE 9.1 Traditional budget and risk factors

FIGURE 9.2 Monte Carlo simulation of performance

FIGURE 9.3 Traditional versus risk‐adjusted budget

Chapter 10

FIGURE 10.1 ERM and strategy

Chapter 11

FIGURE 11.1 Equinor's value chain

FIGURE 11.2 Performance‐at‐risk under alternative hedging policies

FIGURE 11.3 Risk maps’ evolution over time

FIGURE 11.4 Equinor screensaver

FIGURE 11.5 Risk manager career ladder

FIGURE 11.5 Catastrophic risk (net of insurance and tax, illustrative number...

Empowered Enterprise Risk Management

Theory and Practice

This edition first published 2021

© 2021 John Wiley & Sons, Ltd

Registered office: John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom

For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK Copyright, Designs and Patents Act 1988, without the prior permission of the publisher.

Wiley publishes in a variety of print and electronic formats and by print‐on‐demand. Some material included with standard print versions of this book may not be included in e‐books or in print‐on‐demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The publisher is not associated with any product or vendor mentioned in this book.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. It is sold on the understanding that the publisher is not engaged in rendering professional services and neither the publisher nor the author shall be liable for damages arising herefrom. If professional advice or other expert assistance is required, the services of a competent professional should be sought.

Library of Congress Cataloging‐in‐Publication Data

Names: Jankensgård, Håkan, author. | Kapstad, Petter, author.

Title: Empowered enterprise risk management : theory and practice / Håkan Jankensgård, Petter Kapstad. Description: First Edition. | Hoboken : Wiley, 2021. | Series: Wiley corporate F&A | Includes index.

Identifiers: LCCN 2020035534 (print) | LCCN 2020035535 (ebook) | ISBN 9781119700159 (hardback) | ISBN 9781119700180 (adobe pdf) | ISBN 9781119700203 (epub)

Subjects: LCSH: Risk management. | Organizational effectiveness.

Classification: LCC HD61 .J356 2020 (print) | LCC HD61 (ebook) | DDC 658.15/5‐‐dc23

LC record available at https://lccn.loc.gov/2020035534

LC ebook record available at https://lccn.loc.gov/2020035535

Cover Design: Wiley

Cover Images: © kool99/Getty Images, © Ascent Xmedia/Getty Images

For August and Wilma – HJ

Many thanks to Tone, Lotte, and Kaja for their support and inspiration – PK

Preface

IN THIS BOOK, WE ARE INTERESTED in how firms should organize themselves to deal with risks affecting their performance, as well as the process of risk‐taking itself. When enterprise risk management (ERM) arrived on the scene in the 1990s, it presented itself as a framework that allows firms to deal with precisely these questions. ERM brought novel ideas to bear on the risk management process, such as the involvement of the board of directors and taking an integrated perspective on the firm's various risks. Ideas like these set corporate risk management on a whole new path, and the response has been massive among practitioners as much as academics. Today, ERM is a rapidly expanding field that has become the new benchmark for how to think about risk management in firms.

Our interest in principles means that we will take a tour of the theories of risk management in search of insights. Theory, as we will argue in the first chapter of the book, is not only of interest for its own sake. It can often be a powerful guide to action, as it articulates the problems to be solved and identifies the mechanisms whereby value can be created. In an eclectic and sprawling field such as ERM, which has proven to be an endlessly malleable concept, we feel that such a return‐to‐fundamentals approach has many benefits.

Our goal is to draw up a vision of an empowered version of ERM that fully leverages these value‐creating mechanisms and makes a real difference. But theory can only get you so far. ERM challenges the status quo in organizations and is sometimes met with raised eyebrows or even disinterest. Consequently, in some cases ERM is reduced to an uninspired activity far below potential: a box‐ticking exercise that does just enough to meet outside expectations. The stakes are high, because empowered ERM will interact with several important decision‐making processes in the firm.

The second theme of this book is that if we want to tap into ERM's full potential, we need to harness lessons learnt from practice as well. Our quest will lead us to explore the experiences of Equinor, a Norwegian energy company, where risk management has reached the status of core value in the sense of being expected by every employee. The firm's culture and governance structures have been profoundly influenced by ERM since its humble beginnings over two decades ago. The hard‐won lessons learnt by Equinor over many years give us valuable insights into how ERM can deepen its impact.

This book is organized into twelve chapters that chart out something akin to a journey. In the first chapters, we create a foundation on which to build further, identifying theories and principles that can guide action (Chapters 1–3). From there we move on to consider the basic building blocks and tools of ERM (Chapters 4–7), and then on to what might be considered more advanced issues at the frontier of ERM (Chapters 8–10). Then follows a case study based on the lessons learnt from the implementation of ERM in Equinor (Chapter 11). The final chapter (Chapter 12) integrates the previous chapters and concludes the book. Below follows a brief description of the individual chapters.

Chapter 1 traces out the origins and ideas behind organized forms of risk management, and shows how ERM sprung out of an increasingly felt need to improve risk governance in firms. We also elaborate on the roles of theory and lessons to be learnt from practice in arriving at an empowered and more impactful version of ERM.

Chapter 2 discusses how risk can be defined and how that connects with the value‐creation process. We establish increasing long‐term value and living up to the standards of good corporate citizenship as the twin goals of companies, and by extension of ERM, arguing that these goals are not mutually exclusive.

Chapter 3 identifies the distinguishing features of ERM and compares that to traditional forms of risk management. In developing a theory of ERM, we focus on coordination and cost efficiency problems resulting from decentralized risk management, and on information and incentive problems that are also created by the existence of such risk management ‘silos’.

Chapter 4 discusses risk culture: how it can be understood, the benefits it brings, and what stands in its way. We emphasize the role of short‐termism in creating its opposite, a risk‐prone culture, and highlight the importance of clarifying expectations and desired behaviours with respect to risk management to create a culture that contributes towards successful risk management.

Chapter 5 takes on the subject of risk governance, which refers to the formal processes and protocols in the risk management process. An important part of this is clarifying responsibilities with respect to risk management, which brings us to the crucial concept of risk ownership. The risk oversight by the board of directors as well as centralized and decentralized models of risk ownership are extensively discussed.

Chapter 6 explains important aspects of the most visible output of most ERM programmes today: the risk register. We look at the principles for creating consistent and useful inventories of risks that connect with the decision‐making process and highlight several pitfalls that commonly arise in this process.

Chapter 7 deals with the risk response, that is, how managers choose to respond to a risk that has been identified and assessed. We place special importance on understanding the costs of the three broad types of response: mitigation, transfer, and retention. The goal is to control downside risk in a cost‐efficient way, while keeping as much of the upside potential as possible intact.

Chapter 8 discusses risk appetite, a concept presently touted by many in the risk management community. We take the view that it is a useful point of entry for certain kinds of discussions about risk, but that it comes with several flaws that can turn it into a curse more than anything else. We also outline the concept of risk capacity, understood as a buffer of financial resources that allow the firm to absorb losses without serious consequences.

Chapter 9 introduces risk budgeting, which refers to an analysis of risk in the context of financial performance and strategic decision‐making. We see risk budgeting as a way for ERM to increase its impact, allowing for a satisfactory assessment of the risk of the firm as a whole and how that is affected by corporate policies.

Chapter 10 contains a discussion of the strategic role of ERM, which many see as its ‘next frontier’. We show that ERM potentially contributes to many stages of the strategy process. A more well‐informed approach to integrating risk into decision‐making is key to playing this role, as is maintaining a dynamic view of contingent risks and hidden opportunities.

Chapter 11 contains an empirical case study based on Equinor. We survey its origins and development over time. We also review many of its applications and give examples of how practice has changed as a result of ERM. Above all, though, we search for insights as to how risk management arrived in a position where it is considered one of the firm's core values, and how it came to diffuse the culture of the company.

Chapter 12 provides some concluding remarks and seeks to integrate the preceding chapters into a set of takeaways with respect to empowered ERM.

CHAPTER 1: Introduction to Empowered Enterprise Risk Management

A CLEAR SIGN THAT YOU are a helicopter parent, according to online sources, is developing a bad back from constantly stooping down and following your toddler's every step. Helicopter parents are, as it were, those constantly trying to identify and remove threats to their child's safety. They hover above the playground, ready to interfere at a moment's notice, and generally put a variety of restrictions on the child's activities to remove any notion of danger. Such a highly regimented style of parenting is in sharp contrast with the much more relaxed approach that was common not too long ago. As recently as the 1980s, even in Sweden, that epitome of the safety‐first approach, it was not uncommon to see small children standing up between the front seats of the car while the car was being driven. Their parents would not necessarily have been viewed as irresponsible by other adults, nor would they necessarily have reflected much themselves on the possibility that they might have been taking unacceptable risks.

The helicopter parent is just one caricature describing a broader current in society, namely a desire towards identifying and controlling risks that might affect our well‐being. Sociologists have even referred to our modern world as a ‘risk society’, meaning a society that is increasingly preoccupied with the future and any risks that it might bring (Beck, 1992). It turns out that modernity has ushered in a wide variety of man‐made risks on top of the natural hazards that have always threatened societies. The complexity of the systems that support modern life, and the degree of their interconnectivity, have generated a whole range of new risks. At the same time, there has been a veritable explosion in the availability of information, making us ever more aware about potential threats. New norms emerging over time have gradually come to present an attitude of caution as a necessity.

The growing focus on risks has been accompanied by a belief that not only should they be managed, but that they can be. As Peter Bernstein's epic story of risk shows, over the millennia we have gone through a series of intellectual revolutions, from being ‘passive before the gods’ – that is, largely resigned to fate – to claiming mastery over risk (Bernstein, 1996). The premise seems to be that science and our expanding knowledge can be used to assist us in more safely navigating the world. This premise has given rise to an entirely new profession: risk management. In its early applications, the position of risk manager typically referred to a highly specific area of expertise. However, ideas about risk management have reached further and further up the corporate hierarchy, infiltrating even top management teams and boards of directors. Power (2007) writes:

In a relatively short period of time, in a number of different countries, hospitals, schools, universities, and many other public organizations, including the very highest levels of central government, have all been transformed to varying degrees by discourses about risk and its possible management.

Risk management, in this view, has gone from being a specialized subfield to being a source of principles for organizing and managing in general. To put it another way, there has been a shift from risk analysis, a technical discipline, to the governance of risk in organizations.

Interest in risk governance took a giant leap in the early 1990s with the publication of two reports that were to become highly influential: The Cadbury Code, published in the UK in 1992, and the COSO framework for internal control, also published in 1992.¹ These reports contain a set of recommendations for achieving sound governance in organizations and for generally improving oversight of vital processes. The background for both reports was a string of corporate failures that were deemed to have been triggered not so much by exogenous risks or flawed analysis, but rather by failures of governance. In other words, there was a systematic lack of checks and balances in organizations that left them too vulnerable to fraud and other misbehaviours. To improve this situation, boards of directors were encouraged to, among other things, put in place systems designed to increase control. This led to the codification of what is known as ‘internal control’, defined in COSO (1992) as follows:

Internal control is a process effected by an entity's board of directors, management and other personnel designed to provide reasonable assurance of the achievement of objectives in the following categories:

Operational Effectiveness and Efficiency

Financial Reporting Reliability

Applicable Laws and Regulations Compliance

Internal control can be viewed as an effort to address the control problems that afflict organizations without adding new and costly external regulations (Power, 2007). Instead, risk control was to be achieved from within, through ‘self‐discovery and reporting’. To this end, new functions like internal audit and compliance were set up in many firms, in no small measure boosted by the arrival of the Sarbanes–Oxley Act in 2002. Taking stock some thirty years later, the focus on internal control can certainly be said to have had a lasting impact on business practices. True, the application of the concept has been varied and frequently modified to reflect firms' specific needs and capabilities, but the core idea of maintaining an independent function to safeguard the integrity of important processes has stood the test of time.

The introduction of new functions related to internal control was a major leap in the broader trend towards organized forms of risk management. One of the five pillars of COSO's framework is that internal control should be ‘risk based’, which is to say, it should be preceded by an inventory and assessment of the risks that could pose a threat to the entity's objectives. However, the reach and impact of risk management ideas have continued unabated. Contributing to this development was the fact that internal control was found to be lacking in two main respects. One was that it was not perceived as holistic, or enterprise wide, enough. The risks that fall within its scope are only a subset of all the different kinds of risk that businesses face. There are market risks, reputation risk, business disruption risk, and so on, in an almost endless variety. The second factor that spurred on further development was the feeling that risk management ought to provide more active support to business decisions, thereby working closer with management and ‘adding value’.

Functions dedicated to internal control are held back in such pursuits by their pledge to remain independent vis‐à‐vis management. Internal control, at its core, chiefly seeks to contain threats. A different set of ideas would be needed to realize the vision of an enterprise‐wide form of risk management that supports business strategies. The principles behind holistic risk management were first developed in the mid‐1990s by the people behind the Australian risk management standard (AS/NZ 4360) with later additions by their Canadian counterparts. But again, it was COSO that delivered the blueprint that was to shape much of the field's future development. In 2004 the Enterprise Risk Management (ERM): Integrated Framework was published. It defines ERM as follows:

Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

In this definition the ambitious agenda of ERM is plain to see. It is no longer just about risk control; it is also to support decision‐making in a ‘strategic setting’. Risk management is now to be carried out across the enterprise and is not limited to compliance, financial reporting, and operating hazards. Another game changer was the introduction of the term ‘risk appetite’, which signalled that some level of risk can be tolerated. In fact, the COSO (2004) text makes explicit mention of the concept of ‘capitalising on opportunities’, a perspective that is absent in the world of internal control. In 2017, COSO published, jointly with consulting firm PWC, an updated version of its framework that emphasized even more strongly the connection between strategy and ERM. The other main risk management standard, ISO 31000, issued by the International Organization for Standardization, shows a similar trajectory towards a strategic agenda involving senior management.

For all these advances in the thinking about the role of risk management in firms, it is significant that its most cited blueprint grew out of the world of internal control. Lest anybody mistake where it came from, COSO (2004) even states that ERM builds on, and completely encompasses, the internal control framework. This has meant that the ethos of internal control, with its emphasis on risk control rather than balancing risk and return in a pursuit of value, has come to have a disproportionate effect on the implementation of ERM. Power (2009) makes a key point: ‘The ERM model is strongly, if not exclusively, influenced by accounting and auditing norms of control, with an emphasis on process description and evidence.’ He goes on to comment on the proliferation of detailed processes for risk management based on rules and prescriptions: ‘Accounting ideals of internal control are embedded in the design itself, resulting in a style of risk management practice with wide and seductively expansive reach – the risk management of everything.’

This leads to a question that is still not fully resolved. Is ERM supposed to be ‘just another control function’, or an in‐house advisory that works closely with the executive team on matters of strategic importance? Many managers indeed seem to associate ERM more with controlling risk than anything else, and therefore seem content to just produce a risk map, check risk management off the list, and carry on as before. As a result, ERM could amount to what Power (2009) refers to as ‘the risk management of nothing’: a superficial effort that fails to drill deep into the interconnected nature of risks. Any feeling of safety afforded by it is therefore an illusion, or even worse, misleading, because it largely fails to articulate and comprehend critical risks.

In fact, puzzles and paradoxes abound in the COSO definition of ERM. Another example of an unresolved issue is that of the real meaning of risk appetite. The core questions we may ask are:

How much risk can we tolerate?

How exactly is risk supposed to be traded off against upside potential?

The latter balancing act is the dimension that risk appetite is supposed to bring much‐needed attention to when compared with a framework geared towards risk control. But as so often with these frameworks, they only establish certain basic guiding principles and leave much of the interpretation open to the organizations doing the implementation. Truth be told, however, there are probably few concepts in business that have generated similar levels of confusion as risk appetite. Risk appetite as a concept seems to be almost perfectly designed to do so, by appealing to the subjective nature of risk rather than to an analytical, fact‐based approach, and by being something of a contradiction in terms. Yet it pervades the discourse on risk management today. And yes, we do need a way to impose a limit on risk‐taking and put that in the context of business opportunities. So, how is this dilemma to be resolved?

Another paradox in ERM concerns the role of objectives in determining risk management strategies. In the main frameworks, COSO and ISO 31000, the achievement of objectives is put on a high pedestal. In practice, many firms have taken this to mean protecting short‐term targets, or the so‐called key performance indicators (KPIs) that are widely used by firms to measure progress. While protecting targets sounds fair enough, this leaves ample room for behaviours that are inconsistent with the higher‐level objective of creating value. In fact, it is not hard to illustrate situations where spending resources to increase the probability of target achievement is detrimental to long‐term firm value. And to completely flip the perspective, there is growing evidence that the targets themselves may be a source of risk. The performance pressure induced by such targets has been known to cause reckless behaviour and gambling on a scale that can lead to firms getting into serious trouble. The Deepwater Horizon disaster, under the watch of BP, and the fall from grace of US bank Wells Fargo are only two examples of target‐chasing as a generator of risk.

And what happened to firm value as a higher‐level objective anyway? Here is yet another paradox. Most managers find it self‐evident that they are in business to generate profits, and ultimately dividends for their shareholders. Treatises on ERM often do speak about shareholder value, but on the whole the emphasis is not that strong. In fact, the ERM frameworks seem to be embedded, to a fair extent, in the stakeholder value paradigm. The first line in COSO's executive summary (2004) reads as follows: ‘The underlying premise of enterprise risk management is that every entity exists to provide value for its stakeholders’ (emphasis added). In stakeholder theory, firms exist to satisfy the interests of their many stakeholders, such as employees, customers, the state, and so on. Shareholders are just one of many stakeholders and have no special privilege when it comes to setting the firm's objectives. When business units, the very risk management ‘silos’ that ERM was meant to integrate, discuss their risk appetite, from a stakeholder perspective, with respect to the risk of failing to meet short‐run targets, we have a pretty confused situation.

The paradoxes do not end here. We have also observed, among ERM practitioners, a curious reluctance to quantify and perform financial analysis. Another observation is that often the responsibility for a risk is simply delegated to the person who is already working in that part of the business, with the result that some sort of governance of risk has taken place, at least on paper, but nothing of substance seems to be elevated to a centralized form of management, as defined in the portfolio view of risk underpinning ERM. What is more, for all the talk about holistic, enterprise‐wide risk management, ERM programmes seem generally incapable of addressing questions related to total risk. Any notion of what the risk of the firm is as a whole continues to elude firms that implement ERM, to the extent that this perspective is not even brought up at all.

Amidst all these paradoxes and puzzles of ERM, there is the nagging concern that, for a framework that loves to emphasize the need to use risk management as a tool in the pursuit of upside and business opportunities, there seems to be a lot of ‘covering your back’ going on. Is it possible that the result of all the governance taking place, and the processes needed to support it, is that firms are more anxious and slower to respond to new opportunities? Formal risk appetite statements written into policy documents, for example, do have a whiff of corporate bureaucracy attached to them. Just like helicopter parents may be accused of stifling their children's autonomy and independent judgement, could the apparatus around ERM contribute to the dulling of the entrepreneurial spirit in firms? Do people become so worried about making errors that they consistently prefer to stay within their comfort zones instead of venturing out into new and risky, but also potentially very lucrative, projects? This is certainly not the intended meaning of either the internal control or risk management frameworks. But it suggests that how such organized forms of risk management present themselves – their ‘vibe’ – is quite important. Is it going to be another round of control and compliance, or is it a partner in business, an enabler that helps the firm compete, succeed, and create value? In this book, we support the latter version of ERM. While more difficult to achieve, the benefits are also far greater.

WHY A THEORETICAL PERSPECTIVE?

ERM has obviously moved on since the COSO (2004) document was published. ERM is sometimes described as an evolving phenomenon, which may take many years before it becomes codified and practised in a consistent way. In this view there is an ongoing search for best practices that eventually will settle into a body of concepts and practices that will constitute ERM. The idea is that best practices will evolve, in a Darwinian‐like manner, if given enough time. Along these lines, Mikes and Kaplan (2015) argue that there is no one universal form of ERM that will be right for all firms. Rather, each firm chooses from the available design parameters to obtain an ‘ERM‐mix' that is suitable to its particular circumstances.

While there is certainly something to be said for letting robust practices evolve by proving their usefulness in actual practice, we also take a somewhat different view. We believe that ERM stands to benefit from a more rigorous description, at the theoretical level, of the problems it is supposed to solve in the first place. The definitions of ERM provided by the frameworks are just that – definitions. And definitions are not theory, except by accident. They are more like opinions, descriptions of how one sees the world or would like things to be. Reflecting the endless malleability of ERM, there are indeed definitions aplenty on offer, not just in the frameworks but from large numbers of authors who have their own take on ERM. Theory, in contrast, draws attention to the root causes of the problems afflicting practice, and can therefore point to the appropriate solutions. It provides focus and structure to the design of ERM. We are not just ‘doing risk management', but rather addressing certain well‐defined problems with the goal of improving decision‐making in pursuit of a defined higher‐level objective. ERM, in this more theoretical approach, is derived from a set of first principles instead of just conjured up from definitions.

A more theoretical view of risk management in firms starts with some basic premises about what is being optimized – the ultimate goal. This is usually taken to mean firm value. In the classic theory of corporate finance by Modigliani and Miller (1958), however, capital structure (and risk management by implication) turns out to be irrelevant. The reason underlying this somewhat disturbing result is that the authors make several very strong assumptions – such as no taxes, a fixed investment opportunity set, and equally distributed information. Much of the theory since this seminal work has progressed by investigating what happens to optimal corporate policy if one or more of these assumptions fail to hold. In fact, almost none of the assumptions bear scrutiny in the real world. Obviously, it is fairly indisputable that taxes and bankruptcy costs exist in the real world. But we also know that decision makers suffer from behavioural biases, conflicts of interest, and lack of complete information.

The optimal corporate policy is, broadly speaking, the one that minimizes the impact of all these imperfections on firm value. The use of financial derivatives to manage risk (‘hedging') and insurance are two of the policies that have been investigated from the perspective of minimizing the impact of these frictions. These strands of research amount to what could be referred to as ‘classic' risk management theory, which has delivered many important insights that we will come back to numerous times in this book. Hedging to reduce expected costs of bankruptcy, for example, is a long‐standing example of how the use of derivatives can increase firm value.

In these academic models, the firm itself is characterized as a unified entity interacting with providers of financing who know less about the company's prospects (information asymmetries) and suspect that managers have hidden agendas (conflicts of interest). Just like in classic economic theory in general, it is usually taken for granted that whoever sets policy in the firm has access to full information, and that it is the ones on the outside that struggle with lack of information. If there is a conflict of interest, it is between the firm's managers and the investors in the company, not between different layers of the firm.

Reality overwhelmingly suggests, however, that firms are not unified entities. Even if the executive team's interests have been aligned with those of shareholders (which we take to mean maximizing firm value), there remains the issue of how risk management can be applied for this purpose in an enterprise consisting of several business units with decentralized decision‐making, for whom firm value is a distant and abstract concept. History is also replete with examples of executives and directors who were not able to understand the firm's exposures to risk and were taken by surprise when something bad happened. In surveys, executives regularly point to challenges in aggregating information about exposures, and in increasing the ‘visibility' of certain risks.

In our analysis of ERM we shift the attention to how some of the aforementioned imperfections operate within the firm. ERM is much more about the risk management process than any specific risk management strategy. It belongs in the realm of corporate governance and management control, both needed to govern decision‐making processes that are at least partly decentralized. The focus will be on behavioural biases, conflicts of interest, and information asymmetries as they play out on multiple levels in a firm with decentralized decision‐making. ERM thus takes place at the interface between the board of directors, the executive team, and multiple business units and corporate functions. Does the board of directors really have access to full information about the main risks? Do business unit managers really use risk management to maximize value or do they pursue other agendas? Are business units too optimistic and willing to pursue ventures that imply too much risk? In contrast to the view that ERM is an evolving set of techniques, to be chosen by each firm from some kind of smorgasbord, these behavioural, agency, and information issues are themes that should guide the design of risk management in any firm.

Theory, then, is useful because it articulates with greater clarity the problems that ERM is meant to solve, pointing us to the root causes of inferior risk management execution. Our interest lies in using theoretical perspectives to understand the problems at hand, because we believe doing so simultaneously points to the most effective solution. In this book the reader will therefore find no complicated math or excessive jargon for its own sake. To us, theory is basically only a set of well‐supported ideas about how the world works. We strongly believe in keeping things simple, and that the real point is to improve thought processes (and by extension decision‐making). While our exposé covers some fairly advanced topics, our basic message is that most of the benefits can be reaped through a few relatively simple changes in mindsets and practices that are well within the reach of all organizations, whether small or large and regardless of industry.

LESSONS FROM PRACTICE

However, as we pointed out in the Preface, theory is not enough. We also need to better understand how risk management principles can be embedded in organizations and achieve impact. ERM wants to make a difference in practice, yet often comes up against powerful forces that seek to limit its influence. ERM calls on people, at least to some degree, to change their way of thinking and how they do things, and anyone who has worked in an organization knows that this is no small task. Therefore, ERM initiatives often have an element of change management to them. ERM in our case company, Equinor, has even been described by company insiders as a ‘culture project' as much as being about specific tools and techniques.

What we can learn from studying practice is, above all, what the keys to successful implementation are (and the traps to avoid). What are the things that need to be said and done to overcome the obstacles and resistance to change? What resonates with people at different levels in an organization and motivates them to take on ERM? What makes them strive together towards a common goal rather than be stuck in opposition? All in all, we want to find out about what really works and what helps unlock the potential of ERM. Theory cannot inform us a lot about these things. One has to get out in the midst of organizational life and the constant to and fro of different ideas, trends, power struggles, individual quirks, and so on. But for all the variety and richness of this setting, certain patterns are more likely to be associated with success than others. Thus, we hope and believe that many of the keys and success factors uncovered in our empirical material are generally applicable.

What is a good case company for an in‐depth exploration of ERM in practice? We believe that the answer to that question is a company where ERM has demonstrably been impactful and where it has been practised for many years, interlocking ever more deeply with decision‐making processes. Equinor meets these two criteria. It was one of the early adopters, launching an ERM programme in 1996. ERM has been continuously used and refined since then, from an initial focus on market risks to a fully enterprise‐wide effort that actively engages the board of directors as well as smaller operating segments. Equinor has indeed reached the point where risk management is considered a core value, or ‘a way of life', as it is sometimes called. It is not merely a technical exercise by specialists in the risk management function. Understanding and managing risk is something that is practised by – indeed expected from – each employee.

A case study on how Equinor got to this point holds the promise of offering insights into how ERM can be best approached in practice. We have tried to refine into a compact and accessible format all that Equinor has learnt the long and hard way. The ambition is to make the journey for someone just starting out quicker and more direct to the desired destination. What awaits at the end of that journey is empowered ERM, which occurs when the organization commits to risk management and elevates it to a core value, central to its way of doing things and how it defines itself. As a result of this commitment to proactive risk management, there will be better information and conversations around risk; clearer responsibilities; a unified language and methodology; and improved business decision‐making that takes due account of risk.

NOTE

1. COSO (Committee of Sponsoring Organizations of the Treadway Commission) is an ‘umbrella organization' consisting of the following five organizations: Institute of Internal Auditors; the Association of Accountants and Finance Professionals in Business; Financial Executives International; American Institute of CPAs; and American Accounting Association.