A wealth of international case studies illustrating current issues and emerging best practices in enterprise risk management
Despite enterprise risk management's relative newness as a recognized business discipline, the marketplace is replete with guides and references for ERM practitioners. Yet, until now, few case studies illustrating ERM in action have appeared in the literature. One reason for this is that, until recently, there were many disparate, even conflicting, definitions of what, exactly, ERM is and, more importantly, how organizations can use it to utmost advantage. With efforts underway internationally to mandate ERM and to standardize ERM practices, the need has never been greater for an authoritative resource offering risk management professionals coverage of the full array of contemporary ERM issues and challenges. Written by two recognized international thought leaders in the field, ERM-Enterprise Risk Management provides that and much more.
Page count: 637
Year of publication: 2014
For other titles in the Wiley Finance series
please see www.wiley.com/finance
Jean-Paul Louisot
Christopher Ketcham
This edition first published 2014 © 2014 Jean-Paul Louisot and Christopher Ketcham
Registered office: John Wiley & Sons Ltd, The Atrium, Southern Gate, Chichester, West Sussex, PO19 8SQ, United Kingdom
For details of our global editorial offices, for customer services and for information about how to apply for permission to reuse the copyright material in this book please see our website at www.wiley.com.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by the UK Copyright, Designs and Patents Act 1988, without the prior permission of the publisher.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Designations used by companies to distinguish their products are often claimed as trademarks. All brand names and product names used in this book are trade names, service marks, trademarks or registered trademarks of their respective owners. The publisher is not associated with any product or vendor mentioned in this book.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. It is sold on the understanding that the publisher is not engaged in rendering professional services and neither the publisher nor the author shall be liable for damages arising herefrom. If professional advice or other expert assistance is required, the services of a competent professional should be sought.
Library of Congress Cataloging-in-Publication Data
ERM, enterprise risk management : issues and cases / [edited by] Jean-Paul Louisot, Christopher H. Ketcham. pages cm. – (The Wiley finance series) Includes bibliographical references and index. ISBN 978-1-118-53952-1 (hardback) 1. Risk management. I. Louisot, Jean-Paul. II. Ketcham, Christopher. HD61.E74 2014 658.15′5–dc23
2014005796
A catalogue record for this book is available from the British Library.
ISBN 978-1-118-53952-1 (hbk) ISBN 978-1-118-53951-4 (ebk) ISBN 978-1-118-53949-1 (ebk) ISBN 978-1-118-89201-5 (ebk)
Cover images reproduced by permission of Shutterstock.com
Contributor List
About the Editors
Acknowledgements
Introduction
Case Studies
The Articles
The References
ISO 31000 and Guide 73: 2009 Definitions
ISO 31000 and Guide 73: 2009 Select Terms and Their Definitions
Notes
PART 1 ERM ARTICLES
1 Establishing the Internal and External Contexts
1.1 Managing Risks to Enable Strategy
1.2 Strategy, Constraint, Risk Management and the Value Chain
1.3 The Risk of Group Decision Making Within Organizations: A Synthesis
Notes
2 Risk Assessment
2.1 Risk Quantification: Cornerstone for Rational Risk Management
2.2 Brief Overview of Cindynics
2.3 Risk Assessment or Exposure Diagnostic
2.4 Managing the Collection of Relevant Data for an ERM Program: The Importance of Efficient and Neutral Questionnaires
2.5 Enterprise Risk Analytics Systems
2.6 Emerging Enterprise Risks Facing the US Healthcare Industry
Notes
3 Select and Implement the Appropriate Risk Management Technique
3.1 Risk to Reputation
3.2 Disturbance Management
Notes
4 Monitor Results and Revise
4.1 Business Ethics and Risk Management
4.2 Governance, Risk, Compliance: the New Paradigm of Risk Management
Notes
5 Communicate and Consult
5.1 Communication as a Risk Mitigation Tool
Notes
PART II CASE STUDIES
6 Case Study Protocol
Appendix A – Case Study Interview Questions
7 Case Study: Risk Management Implementation in China
7.1 Market background
7.2 China's SOEs and SASAC
7.3 Current Development
7.4 Implementation Case Study
7.5 Lessons Learned
7.6 Questions for Students and Practitioners
Appendix A
Notes
8 Case Study: Agreeing Upon the Scope of the Project and the Job of the ERM Risk Manager
8.1 Scope of the Project
8.2 Job Description for ERM
8.3 Questions for Students and Practitioners
9 Case Study: Wellcome Trust
9.1 Generalities and Presentation
9.2 The ERM Program
9.3 The Benefits of ERM: Cost and benefit analysis
9.4 The Problems or Challenges Associated With ERM
9.5 Recommendations for Others Seeking to Implement ERM
9.6 Questions for Students and Practitioners
10 Case Study: Large Health Insurer in the US
10.1 The Large Health Insurer Today
10.2 Implications of the Affordable Care Act
10.3 Why ERM for This Insurer
10.4 ERM Reporting Structure and ERM Department Structure
10.5 The ERM Initiative Today
10.6 The Risk Management Process
10.7 Surprises
10.8 How Can an Organization Sustain an ERM Initiative over Time?
10.9 How Does This Insurer Risk Management Program Measure ERM Success?
10.10 Questions for Students and Practitioners
Appendix A
Appendix B
Notes
11 Case Study: Three Steps for Bringing Risk Management Back in House
11.1 Memorial Hermann
11.2 The Decision to Bring Risk Management Back In House
11.3 Step One – Laying the Groundwork: Re-establish Risk Management
11.4 Second Step – Introducing New Approaches: The ERM Council
11.5 The Third Step – Evolving Towards Enterprise Risk Management: Narrative Risk Description
11.6 Tangible Results at MH
11.7 Recommendations for Other Risk Managers
11.8 Questions for Students and Practitioners
Notes
References
12 Case Study: University of California
12.1 The University of California and the Office of Risk Services
12.2 Why ERM?
12.3 Critical Strategic Risks
12.4 ERM Accomplishments
12.5 ERM Progress Over Time
12.6 The “Upside of Risk”
12.7 Challenges Facing Higher Education and the University of California
12.8 Recommendations for Others Engaged With ERM
12.9 Where Further Research and Analysis is Needed
Appendix A: UC Enterprise Risk Management Tools
Questions for Students and Practitioners
Notes
13 Case Study: Managing Risk at the OPAC du Rhône
13.1 The organization
13.2 Activity
13.3 Turnover and Competition
13.4 Main stakeholders
13.5 Vision and Social License to Operate
13.6 The identified Need for ERM
13.7 Summary
Questions for Students and Practitioners
Notes
ERM References for Practitioners
Further Reading
Index
End User License Agreement
Chapter 2
Table 2.1
Table 2.2
Table 2.3
Chapter 3
Table 3.1
Chapter 10
Table 10.1
Table 10.2
Table 10.3
Table 10.4
Table 10.5
Chapter 13
Table 13.1
Table 13.2
Chapter 1
Figure 1.1
The risk management process.
Chapter 2
Figure 2.1
Hyperspace of Danger – the result of the look.
Figure 2.2
Space of Exposures.
Figure 2.3
“What keeps you up at night?”
Chapter 3
Figure 3.1
The Reputation Equation.
Figure 3.2
Reputation impact on stakeholders' behavior
Figure 3.3
Risks and perception.
Figure 3.4
Reputation drivers and source of risk. Reproduced with permission. Rayner, J. (2003). Managing Reputational Risk: Curbing threats, leveraging opportunities. Chichester: Wiley.
Figure 3.5
Stakeholders/reputation drivers. Reproduced with permission. Rayner, J. (2003). Managing Reputational Risk: Curbing threats, leveraging opportunities. Chichester: Wiley.
Figure 3.6
Perception and evaluation of hazards and perils.
Chapter 4
Figure 4.1
Illegal vs. Unethical.
Figure 4.2
The four steps to ethical behavior.
Figure 4.3
The GRC triangle.
Chapter 9
Figure 9.1
Wellcome Trust Corporate Risk Matrix (edited September 2010). Reproduced by permission of the copyright holder. (Continued)
Chapter 10
Figure 10.1
The ERM process as applied to enterprise risks, project risks and functional risks
Chapter 11
Figure 11.1
Re-establishing the Risk Management at Memorial Hermann. Reproduced by permission. Copyright © 2013 Memorial Hermann. All rights reserved.
Figure 11.2
Brand compass outlining Memorial Hermann's vision, brand promise, and culture. Copyright © 2013 Memorial Hermann. All rights reserved.
Figure 11.3
Risk Management Journey. Copyright © 2013 Memorial Hermann. All rights reserved.
Franck Baron, private enterprise risk manager in the Republic of Singapore.
Laurent Condamin, Ph.D., is an independent consultant involved in risk modeling for industry and the financial sector specializing in: project risk quantification, business plan modeling, and operational risk quantification.
Richard Connelly, Ph.D., Chairman and Cofounder of Business Intelligence International, Wayne, Pennsylvania, USA.
Grace Crickette, SVP, Chief Risk and Compliance Officer, AAA NCNU, formerly Chief Risk Officer for the University of California, USA.
Fiona Davidge, LLB., FIRM, MBCI, Enterprise Risk Manager for Wellcome Trust, London, United Kingdom.
Kenneth W. Felton, RN, MS, CPHRM, DFASHRM, Senior Vice President, National Healthcare Practice, Willis Group Holdings, Hartford, Connecticut, for introductions to key industry players.
Sophie Gaultier-Gaillard, Ph.D., is an associate professor at University Paris 1 Panthéon-Sorbonne (France) and director of the “Management in crisis situation” certificate; a French specialist of global risk assessment and crisis management in management sciences; and an executive member of the Society for Risk Analysis Europe. She is currently conducting research on reputational risk and crisis situations, studying the decision makers' perception.
Daniel A. Gaus, General Manager, Berkshire Hathaway International Insurance Ltd., Zurich Branch, Zurich Switzerland.
Georges-Yves Kervern (deceased), formerly Ancien Élève de l'Ecole Polytechnique; Founder of Cindynics.
Kevin W. Knight, AM, is the Chairman ISO Technical Committee 262 – Risk Management, and is a founding member of the Standards Australia/Standards New Zealand Joint Technical Committee OB/7 – Risk Management that produced the original AS/NZS 4360 Risk Management Standard in 1995 and its subsequent revisions in 1999 and 2004.
Duojia (Doug) Lu, Ph.D., Chairman, First Huida Risk Management, Beijing, China.
Christopher Mandel, SVP, Strategic Solutions, Sedgwick, Inc., long-term senior risk management practitioner/leader.
Patrick Naim, ARM, is a consultant involved in risk modeling and quantification for major banks, insurance companies and industries in France, the UK and the US. Patrick also co-authored several books on risk quantification, data mining, data modeling, and Bayesian networks.
Alain Ngolui, graduate student, Université Paris 1 Panthéon-Sorbonne, compiler of references for this text.
John R. Phelps, CPCU, ARM, is the 2013 President and Director of the Risk and Insurance Managers' Society (RIMS).
Jenny Rayner, MIRM, Director, Abbey Consulting, UK.
Renee Reimer, J.D., Chief Risk & Legal Operations Officer, Memorial Hermann Health System, Houston, Texas, USA.
Marc Ronez, Chief Risk Strategist and Master Coach, Asia Risk Management Institute.
Robert L. Snyder, J.D., is a professional risk advisor and a member of the Texas Bar and has served as an adjunct lecturer in Insurance and Risk Management in the College of Business at the University of Houston – Downtown, Houston, Texas, USA.
Samiha Viand, Directeur Gestion des Risques et Assurances, The OPAC du Rhône, France.
Christopher Ketcham, Ph.D., CPCU, CRM, CIC, CFP®, Formerly Visiting Assistant Professor, University of Houston Downtown, Houston, Texas; Garnet Valley, Pennsylvania
Pr. Jean-Paul Louisot, Formerly Université Paris 1 Panthéon-Sorbonne, Directeur Pédagogique du CARM Institute, Paris, France; Philadelphia, Pennsylvania
We would like to thank all of the contributors and others who helped make this book possible.
The editors and authors also want to thank two anonymous reviewers who provided extensive and valuable feedback to the first draft of the text.
“So, how are we doing?” is the question many in the board and C-suites are probably asking of their enterprise risk management team. The answers will likely vary from, “We are just getting started and it is too soon for results”; “While it isn't perfect, we are getting results”; or even, “I believe we have exceeded expectations.” All three answers may also be appropriate for any given ERM implementation, for like any other strategic initiative operated by people, the take-up rate will vary from department to department. There is, of course, an answer in the other extreme: “It's gone off the rails …”.
As yet there is no agreed-upon definition of Enterprise Risk Management (ERM). ISO 31000 and Guide 73 define risk management as “coordinated activities to direct and control an organization with regard to risk”. Enterprise or enterprise-wide risk management has grown out of the need for financial and non-financial organizations to direct and control risks beyond the traditional operational hazards and events. Financial institutions (and some other enterprises) have, on the other hand, long used risk management techniques of another sort to direct and control financial, credit, and market-related risks. Enterprise-wide risk management has been described as a way to bring the direction and control of all categories of risk under one umbrella, so that all critical risks to the organization are identified, directed, and controlled. Towards this end, more and more organizations are locating their risk management (ERM) efforts at the senior levels of the organization and are linking those efforts to the critical risks that can impact the strategies and strategic goals of the organization. “Grafting risk management onto strategy” is a phrase that has been used to identify this change in focus. Unlike hazard risk, where there is only the opportunity for loss, ERM also considers the possibility of positive effects of risk: strategies may be outperformed as a result of unanticipated events, conditions, or opportunities. While traditional operational and financial risk management techniques are often retained in an ERM installation because they are effective, organizations are finding that other types of risk (some of them not anticipated) require unique risk management strategies for which there are no traditional methods of treatment or control. Some of the cases in this book reflect the broadening horizon of risks that ERM has begun to identify and control.
This book has three purposes. The first, served by the articles section, is to address certain key issues of ERM implementations that may need greater explanation. The second is to provide a number of case studies of organizations in the midst of their strategic ERM implementations. Cases include mature implementations as well as organizations that are in the early stages of inculcating ERM into their organizations. No attempt was made to connect the articles section with the case studies section. Many of the topics addressed in the articles section arise from issues raised in the broader risk management community or from discussions with individual risk managers who were not part of the case studies presented in this text. The third purpose of the text is to provide a more recent bibliography of resources for risk management professionals who are in the midst of, or are contemplating, ERM implementations.
The book was designed for the practicing risk professional and those who aspire to become risk professionals, including university students. The case studies in this book are appropriate for these readers as well as for senior leadership in organizations in the midst of, or considering, adopting ERM. This said, there are other texts, white papers, and journal articles that will provide more extensive development and examination of sophisticated financial and other quantitative risk identification and analysis tools. Many of the sophisticated tools appropriate for quantitative risk identification and analysis have been used by the risk management teams showcased in the case studies and are appropriate for certain of the processes and activities outlined in the articles. Risk managers have used these tools to identify the likelihood and probability of risk as well as its impact. However, this text was written in response to one of the identified issues in ERM, namely the need to provide accessible methods that all stakeholders in the organization can use to identify and assess the impact of critical risks. Risk managers have found that they can use sophisticated tools to quantify probability and impact, but it is crucial that all risk owners understand the “critical risks” and that they and the organization are engaged in the dialog necessary to begin the process of managing these risks. For this purpose, many are using “expert” methods to identify and assess the impact of critical risks. These “expert” methods require a combination of the analysis of quantitative data prepared by and from different sources and an ongoing dialog towards understanding the specific enterprise in the context of its local and global ecology.
The other issue that risk managers are discovering is that they must prepare the organization to collect good and relevant data in sufficient quantities for these sophisticated tools to have any credibility. If critical risks are identified, this narrows the scope of data required to understand these risks. However, all are in agreement that ERM risk identification and quantification is a continual process, so over time, required data and the tools to analyse data will evolve. This is one of the distinct advantages of ERM because it continually develops the understanding of critical risks the organization is and will be facing.
There was no attempt to find a case study for every industry or in every part of the world. Case studies in the US include a hospital system, a health insurer, and a university system. There is a biomedical trust case from the UK, a public housing office agency in France, and an analysis of ERM implementations in various public sectors in China. Finally, there are observations from a veteran risk manager about negotiating the CRO job and establishing the scope both of the job and of the ERM project in an organization. These case studies by no means represent a complete spectrum of the ERM environment today. However, we hope to show in this text the importance of collecting more case study data on more ERM installations, simply because there are so many different approaches to the process. In addition, it is likely that each organization that undertakes an ERM installation will have its own issues with change management and with the actual environment of managing risks. The fact that no two ERM installations are likely to be the same is a reason why more case studies are required to broaden the available data on the issues that organizations can face in the ERM process.
Frankly, some organizations we approached declined to speak on the record because they have found that their ERM initiative has uncovered areas of improvement that at this point they would not want to make public. Others have been unwilling to explain how their ERM initiative went off the rails. While the cases in this text are limited in industry breadth and depth, and there is not more than one case for any one industry, there are some common threads in these cases that should be explored further.
One of the cornerstone requirements of ERM is strong management support. Case study participants agreed that this is important. However, many participants observed that management support will vary over time. There will be changes in leadership or priorities and, as with any initiative, support can sometimes become stale. ERM is not like a project to develop a new product. Unlike most projects with end-stage goals, ERM does not have an end product – it is a process that never concludes. What risk managers must do is find ways to keep the initiative on track even when the organization strays or priorities change.
The second observation gleaned from these case studies is that, quite often, the simpler, the better. There is a time and place for sophisticated risk analysis using Monte Carlo and other tools but, by and large, the risk needs to be understood by managers, employees, and stakeholders. The case study participants provide a number of examples of how they have simplified processes, calculations, and explanations so that those who are not risk management professionals can understand and adopt specific practices in their departments and throughout the organization. What risk managers are finding is that if they have solid ERM practices in place that managers feel comfortable with, and that benefit them and their departments directly, managers will continue to utilize these tools and techniques with little prodding. The goal, as risk managers explain it, is to have these practices become part of the everyday activity of the organization. This said, all of the quantitative and qualitative tools risk managers have traditionally used (and others are beginning to use) are available to the organization engaged in ERM. In fact, many of the successful ongoing operational risk management practices that mitigate workers' compensation, liability claims and the like are often retained in an ERM installation because they are already effective. However, ERM identifies broader areas of risk beyond the operational, in categories such as financial, strategic, and competitive risk. As a result, risk managers have had to learn new processes and procedures and find new tools to accomplish the task of ERM: managing risks to strategy.
A third observation is that there will be setbacks. Risk managers have had to first understand and then manage the risks to their ERM initiative. This means anticipating organizational, economic, and other changes that could derail an ERM initiative or make it more difficult to manage. This is bound up with the first and second observations: enterprise risk professionals must understand that management commitment will vary over time, and keeping it simple helps to maintain the initiative even during periods when management attention is drawn to other areas.
The fourth observation is that the risk management job must be properly defined to meet the expectations of the risk manager and leadership, and should also be designed to confer the authority to do what is required to graft ERM onto the organization's strategy. This means having a seat at the highest leadership table. As ERM is a strategic initiative, it should be at the same level as other strategic leaders in the organization.
While some of the risk management professionals who participated in the case studies have JDs and/or report up through the legal department, this may not be appropriate in all organizations. Where there are significant contractual obligations and litigation, this may be proper. In other organizations that have heavy property and operational hazards, someone with considerable loss control experience might be a better fit. Suffice it to say that the job must be structured to meet the requirements of the organization, and the risk management team must draw its expertise from talented individuals both within and outside the organization. Specialty expertise can include legal, financial, credit, engineering, process improvement, actuarial, security, and other professionals where required. It may also make sense, as it has in some of the cases, to restructure the organization so that members from different but important departments such as legal, audit, and finance are aligned, so that the resources necessary to meet ERM expectations work together and through a single leader.
A fifth observation concerns data. Having good, available, and distributed data was deemed critical by participating risk managers. For some, building better and more robust data gathering techniques was the first task.
Each case study poses different challenges to the risk manager and to the organization. While operational risk management remains a mainstay in ERM implementations, case study participants quite often found that the operational risks that are important to the traditional risk manager may not be as critical to the organization as other risks. This is a good sign, because discovering and managing the risks, from whatever source, that are critical to the organization and its strategy is a key objective for any properly constituted ERM initiative.
Participating risk managers were also asked to speak about issues associated with research that needs to be done to make ERM a more robust process. Responses from risk managers included the need for additional research in: the analysis of decision making under uncertainty, the differences in risk appetite at different organizational levels, ways of improving empathy towards students in the collegiate setting, challenges facing ERM initiatives in China, and better business intelligence processes.
At the end of each case are “Questions for Students and Practitioners”. These are intended for a university audience but can also be used by risk managers in their consultative and coaching role when the case is being used to help the risk management team or others in the organization better understand some of the issues that companies face in an ERM installation. There is sufficient diversity in these cases to provide most risk managers with a case study that can help exemplify an issue that their enterprises are confronting or will be confronted with.
There have been many books and articles written about ERM. The articles in this book are intended to respond to issues being raised in the ERM community or as a result of discussions with individuals involved in ERM implementations. No attempt was made to correlate these articles with the issues raised in the cases although there are some issues such as group decision making, strategy, healthcare risks and risk uncertainty that were addressed in specific case studies found in this book.
Particular attention has been paid, in articles by Jean-Paul Louisot, Chris Ketcham, and Kevin W. Knight, to emphasizing that ERM is associated with managing risks to strategy.
There is also a need to understand how organizations and leaders and others make decisions under uncertainty. Towards this end, Daniel A. Gaus discusses some of the risk issues associated with group decision-making.
In the US, recent healthcare legislation has altered the risk landscape for most companies, not just hospitals and health insurers. Robert L. Snyder reviews the emerging risks in the healthcare industry.
Jean-Paul Louisot brings to the fore ERM basics with separate discussions on GRC (Governance Risk and Compliance), communication, risk identification, risk quantification, and risk assessment.
Georges-Yves Kervern and Jean-Paul Louisot remind us through the science of Cindynics to be aware of the unknown risks and how to prepare for an uncertain future.
Richard Connelly and Jean-Paul Louisot provide an update on advances in business intelligence.
Sophie Gaultier-Gaillard, Jean-Paul Louisot, and Jenny Rayner offer a rubric for assessing and managing risk to reputation, an asset that is not easily measured.
Managing the different levels of disturbance requires different strategies, which Jean-Paul Louisot explains.
Marc Ronez considers the ethical implications of ERM and risk management.
Sophie Gaultier-Gaillard provides suggestions on how to structure and conduct questionnaires to gather data for risk identification and analysis.
Many articles in this book have references associated with specific topics. We also provide a manageable list of ERM-related references from the past five years and others that have stood the test of time. This list is by no means exhaustive and we apologize if a favorite article or book of yours has been left off the list. Over time and as ERM matures we hope to expand this list into a more robust resource for practitioners and others.
ISO 31000 provides risk professionals with an internationally recognized framework for enterprise risk management. Associated with this framework is a list of key risk management terms that have been carefully defined by the committees working on this project. As ERM evolves, the group working on ISO 31000 will have the opportunity to revise these definitions as the science of risk improves. Following this introduction is a list of some of the key terms that will be helpful to those who read this book. Unless a particular article or case defines a term in this list differently, please consider the ISO 31000 and Guide 73: 2009 definition as your guide. Remember that this is not a reproduction of the entire ISO 31000/Guide 73, only select terms that the editors considered to be especially relevant to the topics and cases explored in this text.
ISO 31000 and Guide 73: 2009 Select Terms and Their Definitions
Guide 73 has additional notes for some definitions that are not included here. The definitions listed are select definitions chosen by the editors of this book and do not include all the key term definitions in Guide 73.
Enterprise Risk Management: Not defined by Guide 73
Event: Occurrence or change of a particular set of circumstances
Exposure: Extent to which an organization and/or stakeholder is subject to an event
Hazard: Source of potential harm
Resilience: Adaptive capacity of an organization in a complex and changing environment
Risk: Effect of uncertainty on objectives
Risk Appetite: Amount and type of risk that an organization is willing to pursue or retain
Risk Attitude: Organization's approach to assess and eventually pursue, retain, take or turn away from risk
Risk Management: Coordinated activities to direct and control an organization with regard to risk
Risk Management Framework: Set of components that provide the foundations and organizational arrangements for designing, implementing, monitoring, reviewing and continually improving risk management throughout the organization
Risk Management Plan: Scheme within the risk management framework specifying the approach, the management components and resources to be applied to the management of risk
Risk Management Process: Systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring and reviewing risk
Risk Owner: Person or entity with the accountability and authority to manage a risk
Risk Tolerance: The organization's or stakeholder's readiness to bear the risk after risk treatment in order to achieve its objectives
1 The text taken from ISO Guide 73:2009, Risk management – Vocabulary, is reproduced with the permission of the International Organization for Standardization, ISO. This standard can be obtained from any ISO member and from the website of the ISO Secretariat at the following address: www.iso.org. Copyright remains with ISO.
These articles are organized according to the major steps in the risk management process as expressed in the ISO 31000 framework. The steps are:
Establishing the internal and external contexts
Risk assessment (including identification, analysis, and evaluation)
Select appropriate risk management techniques
Implement appropriate risk management techniques
Monitor results and revise
Communicate and consult with all internal and external stakeholders
Establishing context includes understanding why the organization is engaged in ERM, the need and scope of the ERM program, and how the organization defines ERM. Defining strategy is often the first step for the organization because all risk management is associated with critical risks to strategy.
Jean-Paul Louisot
Université Paris 1 Panthéon-Sorbonne, Academic Director of the CARM_Institute, Paris, France
Christopher Mandel
SVP, Strategic Solutions, Sedgwick, Inc., long term senior risk management practitioner/leader
Spectacular events occurred during the final decades of the twentieth century that fed the “fear of the millennium”. The first decade of the twenty-first century also fed fears, with natural events and technological catastrophes in turn, increasing terrorism, social upheavals like the “Arab Spring” that began in 2011, the Asian tsunami in 2004, and the typhoon in Japan in 2013. Traditional media, amplified by social media, did not miss an opportunity to blame the ravages of globalization and the brittleness of the world socio-economic system, or to question its long-term sustainability. It is clear that the relationships between the different actors in the system are becoming more and more complex while their interdependencies are increasing. This is precisely the state of a system that the tenets of chaos theory might explain.
The last millennium came to a close with the resource-intensive campaign to prevent the anticipated damages of Y2K, the bug that was supposed to crash all computer activity on December 31, 1999. Apparently, to the general public at least, nothing serious occurred at midnight, and some concluded, a little too quickly, that the threat was only a fabrication of IT consultants to ensure their business development for the previous three years. For risk management professionals, Y2K was a vivid illustration of the fundamental paradox of the trade: the catastrophe was avoided thanks to heavy investments, and the success of the risk treatment avoided IT Armageddon! In France, it was ironic, however, that the Y2K crisis teams were activated when two exceptional storms, Martin and Lothar, with winds close to 150 miles per hour, hit the country right in the middle of the Christmas season in 1999. This is the main reason why the railway system, SNCF, and the electricity utility, EDF, were able to react promptly, save the day, and enhance their reputation.
The third millennium started with the fireworks of the September 11 terrorist attacks, followed ten days later by the AZF1 complex explosion in Toulouse; a series of financial catastrophes, initiated as early as August 2001 with the Enron collapse; and natural events such as the tsunami in Southeast Asia at Christmas 2004 and, more recently, in the spring and summer of 2011, the tsunami in Japan and catastrophic floods in several countries. These events and others revealed dependencies, sometimes on actors who were unaware of them and suffered massive contingent business interruptions. The rise of aberrant situations brings about ruptures that leaders in the private as well as the public sectors must learn to address aggressively in order to avoid their degenerating into full-blown crises.
In such a context, it is all too clear that the traditional and static approach to managing risk, mainly organized around the purchase of insurance cover to protect physical assets, has become totally obsolete. We are well overdue in making room for a dynamic and global vision, integrating recently identified “black swan” type risks like the interconnected effects of global supply chains and terrorism. It is essential to encompass the world of threats and opportunities not only from an inside-out view formed at the board level, but also enlightened by an outside-in view reflecting the expectations and fears of all main stakeholders.
The recently developed concept of strategic risk management can add value to the risk management process, provided it is interpreted as including the risk management disciplines in influencing, developing and implementing organizational strategy, the ultimate responsibility for which rests with the board and the C-suite. The generic term used here, “organization”, refers to all types of entities: private, for-profit enterprises as well as NGOs, healthcare providers, local authorities, etc. Nations themselves also have to organize their internal (police and judicial system) as well as external (national defense) security in an ever more complex and fluid environment, not to speak of their reputation in the light of the fight against corruption and money laundering. Political leaders should therefore regularly review their approach and engage in an iterative risk assessment and management approach.
However, both academics and practitioners of risk management are aware that managing uncertainties is contained within a comprehensive package of concepts, principles, framework and process, well summarized in the ISO 31000:2009 standard. Risk management implementation in any given field requires a specific understanding of internal and external contexts, all the more complex when the system is open. No organization functions effectively today as an autocratic entity; nevertheless, hospitals (in countries with national healthcare), local authorities and nations have more authority to consider, and possibly a longer time frame to take into account, in their decision-making processes in other than crisis situations.
All that said, the emergence of the term strategic risk management as a “new discipline” is probably unnecessary. This new term attempts to emphasize risks to strategy, a more than appropriate emphasis. However, this emphasis is one that should not have been necessary, had risk managers risen to the challenges posed by the original expansion of the discipline, i.e. enterprise risk management (ERM). ERM was always intended to capture the strategic emphasis now highlighted by SRM, but many failed attempts at ERM missed this opportunity. There are many reasons why ERM has failed in many venues, but that aside, we didn't need to add another moniker to enable what has always been assumed as central to ERM strategy. However, we can take this opportunity to leverage the new labeling as a de facto rebranding of risk management/enterprise risk management, often useful to initiatives that have failed to get the traction necessary for long-term acceptance and success.
It is only in the last three decades, after the fall of the former USSR destroyed the communist alternative to the “free” economy model, that courses in ethics started to appear in the curriculum of MBA programs in leading universities. Business ethics became part of public speeches of leaders, both political and industrial, and took different forms: “sustainable development” when it comes to environment issues; “governance” or “compliance” in connection with societal issues and transparency.
But are these leaders' intentions followed by actions? Ethics cannot remain merely a nice concept; it must become an integral part of the management toolkit, in commercial entities of course, but even more so in public entities where there is growing public demand for integrity and transparency. There is ethics only in ethical behavior; this is why a better phrase would be “ethics in action”.
Obviously, if issues were black and white, most human beings would face an obvious choice. But the set of values underlying ethical behavior is in constant evolution; it changes through time and space. This notion of an active and progressive ethic implies that decision makers must be ready at all times to question organizational objectives, and that managers and supervisors in the organization be willing to question themselves continuously in light of the set of fundamental values at issue.
In any decision process, ethics in action sets the “could” against the “should”. It questions the basic definition and meaning at the heart of the approach of many consultants specializing in human factors. These questions are dealt with in the next section.
Ethics in action also questions the validity of an old proverb: NO, the end DOES NOT ALWAYS justify the means! And it is becoming increasingly clear that the end (financial optimization) is not enough to justify any means (the negation of the universal human condition, the depletion of the planet's resources and contempt for the primitive rules and/or the fundamentals of collective life). Even at a time when most European governments are leaning to the right of the political spectrum (while the US leans to the political left while being troubled by the right, e.g. the Tea Party), people are reacting more and more vociferously to the publication of record profits by leading economic entities that, at the same time, outsource jobs to “emerging” economies. Massive layoffs in profitable shops to enable hiring in even more profitable shops are viewed as morally unacceptable, and the “license to operate” might well be revoked by public outcry or boycott before governments intervene. The challenge against greed and for social justice is especially vocal in European Union countries.
The fall of the Berlin Wall, signaling the end of the centralized economic alternative, has put free market economics at the forefront, and since 1989 this free market has flourished in a world that seems more and more borderless. However, many do not understand the economic “reality”. Wealth is mostly intangible, some would say even fictitious, and ever more excessive compared to real assets, not to speak of the average income level of the middle classes. This self-perpetuating system has grown beyond the grasp of human minds and has inflated bubbles in the stock exchanges of the world. Even after the series of financial collapses since July 2007 and the first sign of the imminent crisis with the “subprime mortgage meltdown”, many economic players have resumed “business as usual”, with collateral casualties: the working populations.
All this happened even though, before the start of the nagging economic crisis we are still going through, some states had taken measures to control some negative effects of globalization. The European Union produced its eighth directive on governance and France introduced the precautionary principle into its constitution. Clearly, survival under any circumstances requires a global and integrated approach to the management of uncertainties. Felix Kloman championed the expression “holistic”. Francophone academics prefer another Greek word, “Cindynics”, or the “science of danger”, based on a body of principles developed by Georges-Yves Kervern on the foundation of the systemic approach proposed by the Nobel laureate Herbert A. Simon.
What has come to light in the last ten years is that risk management is no longer the exclusive domain of a risk management professional at the headquarters of the organization. On the contrary, effective risk management requires all key stakeholders to be appropriately engaged in the process, within and outside the organization. This engagement is always important, but even more crucial for open systems, public space, and territories where all citizens are to be active participants. Therefore, the first challenge to meet is the risk illiteracy of the majority of stakeholders. This is nothing new, for in the eighteenth century, Benjamin Franklin envisioned a future for democracy only if the citizens were educated and learned to read, write and “understand risks”. At a recent conference,2 Professor Gerd Gigerenzer of the Kant Institute in Berlin denounced risk illiteracy as the root of broken communication and consultation with stakeholders who cannot understand the threat and opportunity challenges of our technological world. In reality, the issue at stake is an understanding of the benefits and limitations of statistics, so as to avoid being manipulated by sorcerer's apprentices (as Warren Buffett said, “beware of geeks bearing formulas”) who arbitrage risks, threats and opportunities in ways that can lead corporate and other citizens to adopt solutions to their own selfish advantage rather than the common good.
For example, commenting on the recent result of the election in France, a leader of a nationalist party mentioned the “tenfold result in his party's members of parliament”. They went from zero to three, out of 572! From zero, any increase is “infinite in percentage”. In the world of finance, fat tails and mathematical models have deceived decision makers as to the level of risk at stake with derivatives, and induced the crisis of the second decade of the twenty-first century that we continue to struggle with.
Ethics, sustainability and governance must rely on transparency and symmetry of information if all stakeholders are to be effectively involved in, and make contributions to, the decision-making processes. Therefore, understanding statistical concepts and their limitations should be at the heart of any civic education, together with reading, writing and mathematics. For corporate and other citizens to make enlightened choices and decisions, we must ask whether people understand how to question the validity of the figures that are put forward to them.
ERM – Enterprise-wide Risk Management – relies on the fundamental assumption that all actors in the political, economic and social environments understand the risks generated within the perimeter of their responsibility, or the manifestation of a risk to the organization that first appears under their watch. Managing risk is at the heart of management's mission, but it is also a fundamental tool that can significantly influence and enable the achievement of optimal performance. It is therefore essential that each professional be equipped with an efficient and effective set of tools to manage risk. Since every organization has a risk culture, whether by design or default, it is essential that a more intentional effort be put forward to design an effective risk culture and integrate it into the desired corporate culture. In so doing the ideal result will be to enable every manager to be both a “risk owner” and risk manager. This is why the key to “effective risk management” is to integrate risk management competencies into the existing organizational culture, thereby improving the chances that the organization's mission will be accomplished.
Risk management is one of the fundamental methods for managing organizations with the goal of optimizing performance while coping with uncertainties or risks, both threats and opportunities. All organizations are driven to achieve predefined objectives: profits, growth, public service, political goals, re-election, etc. But whatever the long-term goal or mission, there is an inescapable reality: the organization must survive any event or change of situation that may occur. Such events may result in losses (the threats), but there are also situations where one can take advantage of those adverse events to open new possibilities (the opportunities).
The specific mission of the risk management professional, as part of the C-suite, is to propose a framework and a process for risk management and ensure that all managers (and risk owners) are equipped to act and optimize the impact of potential internal or external rupture points on the life of the enterprise, i.e. be accountable for curbing threats and enhancing opportunities: “Transmute disruptive ruptures into creative ruptures”.3
As a process, risk management presupposes an in-depth analysis of the internal and external contexts of the organization to help refine sustainable objectives. Proper inclusion of uncertainties and adherence to ethical values require that risk management be integrated at all levels in the development of the strategy, so as to be in a position to systematically review and assess the scenarios on which it is based.
Once the corporate objectives are defined, the following three steps help increase the assurance of reaching an entity's strategic goals and by extension, its mission.
Step 1 – Risk Assessment: beginning with an inventory of all of the organization's exposures, i.e. all that could impact its fundamental objectives, define a risk profile, establish a risk matrix and develop a risk register with the following elements:
Identification: the resources “at risk” and the uncertain events or changes of circumstances that might impact their level (substantially);
Analysis: the impact and likelihood in light of the objectives and without any treatments (controls) in place (gross or original risk);
Evaluation: the impact and likelihood taking into account the existing treatment mechanisms (residual risk).
Step 2 – Risk Treatment: consists of all measures to mitigate risks.
As far as risk reduction is concerned, the whole range of mechanisms should be evaluated, spreading far beyond the traditional perimeter of insurance risk transfer, including risk avoidance. The array of possible actions covers all the major functions in the organization: marketing, production, procurement, legal, etc. The goal is to implement all instruments that will allow the reduction of impact and likelihood of threats to an acceptable level (risk tolerance). It is important to be clear that these threats and their treatments are related to the essential mission of management: continuity and optimization of operations.
As far as risk financing is concerned, the whole range of mechanisms should be evaluated to reinforce the finance strategy of the organization with an “exceptional financial resource plan”, at the headquarters level.
The following process could be followed, for reduction of risk at the operational level, for financing at the C-suite level, and in all cases facilitated by the risk management professional:
Identify all the instruments effective in mitigating these exposures;
Outline, and get concurrence from the person responsible and accountable for the exposures (the risk owner) on, the mitigation tactics best suited to achieve objectives (at the operational level for risk reduction; at the executive level for risk financing);
Implement the agreed-upon tactics through the person responsible and accountable for the management of these exposures (the risk owner).
Step 3 – Monitor and Review: consists of the control of results to obtain assurance of proper implementation of the strategy and tactics as well as of their efficiency and relevance. In this step the organization monitors and implicitly addresses the interests of the executives and the board in its desire for risk management program effectiveness.
Internal audit is the “natural” owner of risk management audit, but it works in cooperation with the risk management professional and audits the management of risk at the operational level. There is a growing trend for auditors to go beyond their natural role and absorb all the activities of risk management, including the mission of facilitator and consultant for the decision makers. As the number of seats at the table in the executive committee is limited, combining the universal corporate functions (audit, internal controls, quality, and risk management) may prove necessary, but it is then essential that the officer in charge clearly defines the missions of each of the collaborators and their specific competencies.
To be specific, whereas rigor is the key attribute of an internal auditor, as far as risk management is concerned, its implementation requires from the risk management professional a good dose of imagination at all stages of its development, especially to uncover emerging risks.
A risk manager must always push for the mitigation of tomorrow's threats and opportunities, rather than the treatment of yesterday's catastrophic event! This is the price to pay to ensure continuity under all circumstances at the operational level (risk reduction toolkit) while ensuring sufficient cash and return at the level of the overall organizational financial strategy (risk financing toolkit).
Finally the risk management process is in essence iterative and does not represent a vicious circle but on the contrary a virtuous circle, a permanently improving Deming wheel:4 every turn aims at improving and refining the approach and updating the risk register by deleting obsolete exposures and introducing emerging ones in view of the evolution of the internal and external context of the organization, including its own mission, goals and objectives. The circle representing the ISO 31000:2009 risk management process (see Figure 1.1 above) illustrates the intimate interaction between strategy and risk management as well as the need to incorporate the expectations and needs of all major stakeholders in the process.
Figure 1.1 The risk management process.
As evidenced by all that is stated above, buying insurance is clearly now only a portion of a risk management strategy. It is a global and integrated management of risks that all organizations are expected to develop and implement, be it for compliance or for governance issues. However, what has been learned through several centuries of financing and managing “insurable risks” should not be forgotten or discarded. In many organizations, the risk management learning process is initiated at the request of insurance underwriters, with the assistance of their expert teams visiting the insured locations. It is important to be candid and transparent with the insurer. Getting the best conditions from an insurer requires equipping it with precise and detailed information, reflecting a rigorous overall management and control system. Currently, this process is a necessary step towards timely and relevant information for all stakeholders in the communication and consultation processes.
The pressure from public opinion relayed in social media and the expectations of consumers and citizens do not leave any room for elected officials or executives to wiggle out of messy situations. A key mission of the public official is to develop a risk management policy that goes beyond the protection of physical assets and liabilities to ensure the safety, security and secure procurement of all stakeholders, private and public, that are impacted by their decisions.
The rising importance of risk management during the first decade of the twenty-first century is translated at the organizational level by the evolution from a technical function embodied by a limited group of risk management professionals, to the extension of all managers' missions to effectively manage the risks they generate or identify. It is made possible only by the development of a body of concepts, methods and tools that have been created jointly by academics and practitioners. This risk management culture, defined by risk management competencies, must extend not only to all in charge, at the economic, political and social level, but also to all those who have a stake in the organization's success.
The widening of the scope and mission of risk management can only be successful if the risk management professional is better recognized inside and outside of the organization. The norm should be that a competent, well-compensated risk manager reports to the CEO, board, most senior official or mayor (in a public entity). For this enlarged new risk management scope and mission to be successfully implemented within any organization, the risk management professional will need to be recognized by their leadership. This will require that the risk management professional gains a strategic vision and strong competencies.
The risk management profession has as its challenge the need to increase the level of competency that risk management professionals in organizations will require to manage twenty-first century risks. Whatever the title, CRO5 or other, risk management professionals must earn the trust and confidence of leadership, the recognition of their peers, the support of the population at large and the organization's partners/stakeholders through the creation and management of sustainable risk management policies. It will require patience and perseverance through advances and setbacks. It will also require from their leaders a continuous political will to keep the long-term course of the organization in focus.
Once all in charge have made the necessary efforts to enable a sound risk management policy, the ultimate result will be a more universal process that protects the security and safety of all consumers/voters whether for the next election, for social license, or the products they purchase. People will recognize that it is sound risk management, far beyond any compliance, that ensures “Good Governance” for the benefit of all.
This is not a new idea. In a position paper published in the daily Le Monde in Paris on May 27, 1981,6 two weeks after the election in France of a socialist president, Jacques Ellul, sociologist, anarchist and theologian, took a position against the generally politically correct stance of the time when he wrote: “Nothing essential in the fundamental trends of our society is going to be modified”, going on to stress that supporting economic growth would be “complete foolishness”, as “the quality of life is in utter contradiction with the growth of industrial production and the industrialization of agriculture”.
A sound risk management strategy, rigorously implemented at all levels of the organization, is the perfect tool to enable effective communication and consultation with all stakeholders. It is the tool to demonstrate a real commitment to sustainability and to the expectations and needs of the populations, in a proactive and structured approach to work better and more efficiently for the common good.
Hence, the assurance of resilience and the optimization of opportunity, the ultimate goals of risk management, are the keys to success in the economic, social and political arenas as it is accomplished by executing the tenets below.
It is essential to get ahead of, and gain some understanding of, emerging risks:
While great debate continues about which “unknown” risks require an organization's attention, and even what a “black swan” event really represents, it is clear that senior leaders and boards (especially in the latter's oversight role) increasingly expect risk stakeholders to gather intelligence on far-off threats that could be company-ending events. This longer term, low probability view is not unlike how planners have long looked at the competitive landscape.
Assessing and aggregating all risk is essential:
Individual exposure assessment is no longer enough, as it does not take into account correlations and, more generally, interactions within the set of exposures of a given organization; this is why it is necessary to implement a “portfolio approach” to the aggregation of risks.
Taking into account extreme, low probability events is required to inform a comprehensive strategy:
A risk universe does not always follow the normal probability distribution, and it is essential to take into account unexpectedly large deviations from the expected, i.e. fat tails or black swans that could produce catastrophic impacts.
Whereas quantifying tools are important, qualitative tools and sound judgment should not be neglected:
Even if the kit of quantifying tools is quite comprehensive, it is imperative to keep in mind the limitations of mathematical models. They reflect past wisdom or experience more than they predict future behaviors, as they rely on past data and on implicit, as well as explicit, hypotheses that condition and limit their validity.
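To make the aggregation and fat-tail tenets above concrete, here is an added Monte Carlo comparison that is not from the book: the same three exposures are aggregated under a normal independent model, a heavy-tailed independent model, and a heavy-tailed model with a common driver, and the 99th-percentile aggregate loss is compared across the three. All distributions and parameters are constructed for illustration.

```python
"""Aggregating exposures: the portfolio view and the tail, simulated.

Added example, not from the book. Three constructed exposures are aggregated
by Monte Carlo under three sets of assumptions so that the effect of the two
tenets above can be seen separately: (a) normal, independent losses, the
naive model; (b) heavy-tailed (Pareto) but still independent losses; and
(c) heavy-tailed losses with a shared shock that, when it hits, pushes every
exposure into its tail at once. The comparison is on the 99th percentile of
aggregate annual loss, the kind of figure a risk tolerance is set against.
Every parameter below is illustrative.
"""
import random
import statistics

N_EXPOSURES = 3
MEAN_LOSS = 3.0        # expected annual loss per exposure (arbitrary currency units)
NORMAL_SD = 3.0        # spread assumed by the normal model
PARETO_ALPHA = 1.5     # tail index below 2: finite mean, infinite variance
# Scale the Pareto so its mean equals MEAN_LOSS (mean = alpha * xm / (alpha - 1)).
PARETO_XM = MEAN_LOSS * (PARETO_ALPHA - 1) / PARETO_ALPHA
P_SHOCK = 0.05         # probability per year that the common driver fires
SHOCK_FACTOR = 10.0    # how much every exposure's loss is scaled in a shock year


def aggregate_loss(rng: random.Random, heavy_tailed: bool, common_driver: bool) -> float:
    """One simulated year: aggregate loss across all exposures under the given assumptions."""
    shock = common_driver and rng.random() < P_SHOCK
    total = 0.0
    for _ in range(N_EXPOSURES):
        if heavy_tailed:
            # random.paretovariate draws with xm = 1; rescale to the chosen mean.
            loss = PARETO_XM * rng.paretovariate(PARETO_ALPHA)
        else:
            loss = max(0.0, rng.gauss(MEAN_LOSS, NORMAL_SD))   # losses cannot be negative
        if shock:
            loss *= SHOCK_FACTOR   # correlated stress: all exposures deteriorate together
        total += loss
    return total


def percentile(samples: list, q: float) -> float:
    """Empirical q-quantile (q in [0, 1]) of a sample."""
    ordered = sorted(samples)
    return ordered[min(len(ordered) - 1, int(q * len(ordered)))]


SCENARIOS = {
    "normal_independent": (False, False),
    "pareto_independent": (True, False),
    "pareto_common_driver": (True, True),
}


def compare(n_trials: int = 20000, seed: int = 2014) -> dict:
    """Mean and 99th-percentile aggregate annual loss for each scenario.
    Each scenario gets its own seeded generator so runs are reproducible."""
    results = {}
    for name, (heavy_tailed, common_driver) in SCENARIOS.items():
        rng = random.Random(seed)
        losses = [aggregate_loss(rng, heavy_tailed, common_driver) for _ in range(n_trials)]
        results[name] = {"mean": statistics.fmean(losses), "p99": percentile(losses, 0.99)}
    return results


if __name__ == "__main__":
    for name, stats in compare().items():
        print(f"{name:<22} mean={stats['mean']:7.2f}  p99={stats['p99']:8.2f}")
```

The normal model's mean is only slightly above 3 x MEAN_LOSS (negative draws are floored at zero), while its p99 sits far below the heavy-tailed figures; the gap between (b) and (c) is the part an exposure-by-exposure assessment cannot see.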
Risk appetite must be defined and understood:
ERM is essentially strategic in nature; it must be able to balance costs and benefits with the acceptable level of risk necessary to achieve the organizational goals and objectives. It is the board's responsibility to define the risk appetite and the risk tolerance level at which the organization can safely and efficiently operate, but it must also provide key risk indicators that operational managers can monitor to remain within risk thresholds and be accountable for their results.
Risk culture must be rooted in the organization:
