The Two Headed Coin E-Book

Table of Contents

Cover

Title Page

Copyright

Dedication

Preface: Risk Is Good and Uncertainty Is the Reality!

STRATEGY IS THE STARTING POINT!

WHAT IS RISK? WHAT IS UNCERTAINTY?

NOTES

Acknowledgments

JAMES L. DARROCH

DAVID WM. FINNIE

About the Authors

CHAPTER 1: Strategy and Risk

STRATEGIC POSITIONING AND RISK

STRATEGY AND RISK IN A START-UP

NOTES

CHAPTER 2: Executing on the Plan and Discovering New Risks

THE ASSUMPTION OF GOAL CONGRUENCE AND THE IMPORTANCE OF CULTURE

CONCLUSION

NOTES

CHAPTER 3: Which Risks to Keep

STRATEGIC POSITIONING AND RISK GOVERNANCE

HOW DOES RISK MANAGEMENT HELP CLOSE THE GAP BETWEEN STRATEGY FORMULATION AND EXECUTION?

CONCLUSION: EMBRACING AND MANAGING RISK

NOTES

CHAPTER 4: How Do We Achieve Independent Risk Governance and Improve Performance?

WHAT DO WE MEAN BY ERM?

NOTES

CHAPTER 5: Who Has the Specific Knowledge to Design the Risk Architecture?

THE STRATEGY-RISK-GOVERNANCE PROCESS

MEETING THE OBJECTIVE AND THE CATEGORIZATION OF RISKS

THE RISK ARCHITECTURE

CREATION OF A RISK FUNCTION

CONCLUSION

NOTES

CHAPTER 6: Enterprise Risk Management and Competitive Advantage

HOW DOES STRATEGY AFFECT RANDOMNESS?

NOTES

CHAPTER 7: What Reputation Do We Want? With Whom?

MANAGING REPUTATION RISK

NOTES

CHAPTER 8: Uncertainty, Scenario Planning, and Real Options

REAL OPTIONS

CONCLUSION

NOTES

CHAPTER 9: Risk Culture and Ethics

THE ADVISOR-CUSTOMER ENCOUNTER

CONTROL SYSTEMS, DISCRETION, AND ETHICS

CULTURE, ETHICS, PERFORMANCE, AND RISK MANAGEMENT

NOTES

CHAPTER 10: The Top of the Pyramid

THE CEO: THE OPERATIONAL INTEGRATION OF STRATEGY AND RISK

THE BOARD: THE GOVERNANCE INTEGRATION OF STRATEGY AND RISK

THE BOARD PROVIDES MORE THAN OVERSIGHT

NOTES

Epilogue: Decision-Making at the Restaurant

APPENDIX I: Risk Transformation and the Need for an Integrated Risk Approach

NOTES

APPENDIX II: Resiliency

NOTES

Bibliography

Index

End User License Agreement

List of Tables

Chapter 1

TABLE 1.1 Strategy, Risk Management, Brand, and Culture

List of Illustrations

Preface

FIGURE P.1 Royal Bank of Canada's Risk Pyramid 2014

FIGURE P.2 The Strategy-Risk-Governance Process

Chapter 1

FIGURE 1.1 The Strategy-Risk-Governance Process

Chapter 3

FIGURE 3.1 The Normal Distribution and Scales

Chapter 4

FIGURE 4.1 Royal Bank of Canada's Risk-Governance Framework

FIGURE 4.2 A Modified Risk Strategy Pyramid Emphasizing the Challenge of Str...

Chapter 5

FIGURE 5.1 The Strategy-Risk-Governance Process

FIGURE 5.2 Generic Risk Function Chart

Chapter 7

FIGURE 7.1 A Modified Strategy Risk Pyramid Emphasizing the Challenge of Str...

Chapter 8

FIGURE 8.1 Illustration of a Scenario Matrix for Entering a Foreign Market

FIGURE 8.2 Location Decision Tree

Chapter 9

FIGURE 9.1 The Moment of Truth

Chapter 10

FIGURE 10.1 A High-Level Governance Map

Appendix II

FIGURE AII.1 Credit Loss Distribution and Capital

Guide

Cover

Table of Contents

Begin Reading

Pages

ii

iii

iv

v

xi

xii

xiii

xiv

xv

xvi

xvii

xviii

xix

xx

xxi

xxii

xxiii

xxv

xxvi

xxvii

xxviii

xxix

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

141

142

143

144

145

146

147

148

149

151

152

153

154

155

157

158

159

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

Founded in 1807, John Wiley & Sons is the oldest independent publishing company in the United States. With offices in North America, Europe, Australia, and Asia, Wiley is globally committed to developing and marketing print and electronic products and services for our customers' professional and personal knowledge and understanding.

The Wiley Finance series contains books written specifically for finance and investment professionals as well as sophisticated individual investors and their financial advisors. Book topics range from portfolio management to e-commerce, risk management, financial engineering, valuation, and financial instrument analysis, as well as much more.

For a list of available titles, visit our website at www.WileyFinance.com.

The Two Headed Coin

Unifying Strategy and Risk in Pursuit of Performance

Copyright © 2021 by John Wiley & Sons, Inc. All rights reserved.

Published by John Wiley & Sons, Inc., Hoboken, New Jersey.

Published simultaneously in Canada.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at www.wiley.com/go/permissions.

Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.

For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993, or fax (317) 572-4002.

Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

Library of Congress Cataloging-in-Publication Data:

Names: Darroch, James L. (James Lionel), 1951- author. | Finnie, David W., author.

Title: The two headed coin : unifying strategy and risk in pursuit of performance / James L. Darroch and David Wm. Finnie.

Description: Hoboken, New Jersey : Wiley, [2021] | Series: Wiley finance series | Includes index.

Identifiers: LCCN 2021000093 (print) | LCCN 2021000094 (ebook) | ISBN 9781119794202 (hardback) | ISBN 9781119794226 (adobe pdf) | ISBN 9781119794219 (epub)

Subjects: LCSH: Risk management.

Classification: LCC HD61 .D35 2021 (print) | LCC HD61 (ebook) | DDC 332.1068/1—dc23

LC record available at https://lccn.loc.gov/2021000093

LC ebook record available at https://lccn.loc.gov/2021000094

Cover Design: Wiley

Cover Images: © tokenphoto/Getty Images, © iStock/Getty Images

To my wife, Brenda Blackstock, and our son, Daniel.

To my wife, Marilyn Finnie, and our growing family—Geoffrey Finnie and Sidita Zhabjaku; Gillian Finnie, Ilia Baranov, and their daughter, Alice; and Colin Finnie.

PrefaceRisk Is Good and Uncertainty Is the Reality!

We have been working together now for well over a decade. Our journey started with designing a comprehensive risk management education program for the Risk Management Group at the Bank of Montreal (BMO). Following that we developed several strategy and risk programs for the Schulich Executive Education Centre (SEEC) and worked on a risk program for bank directors at the Global Risk Institute in Financial Services. We have learned much along the way from our professional colleagues and the participants. Although our backgrounds are in strategy and risk management for financial institutions, we have worked with people from many different industries, including not-for-profits.

We thought it was time to share what we have learned from financial institutions (FIs), which are among the leaders in integrating strategy and risk. This should be no surprise because that is their business. We believe that it is worthwhile to see what is at the leading edge of the integration so that other public and even private companies can reflect on the appropriateness of their integration. We also think our ideas will be useful for people starting their careers in risk at FIs. To that end, we try to balance the needs of a broad audience with the challenge of being relevant to risk professionals.

Here are the highlights we cover in this book:

The elements of both strategy and risk management are common sense.

Both strategy and risk management are broad in scope and inclusive.

Achieving fit of the elements is complex.

Bringing risk awareness into the conversation is the necessary complement needed to achieve fit in a dynamic world.

Consequently, although the journey starts with strategy, recognizing risk and uncertainty is the flip side of the coin and the needed complement to ensure completeness and integration.

STRATEGY IS THE STARTING POINT!

This of course raises the question, “What is strategy?”1 There are many approaches to this but let us lay out a fairly classic position largely associated with Michael Porter and many of his Harvard colleagues.2 Strategy is an intentional activity: it is goal oriented. Porter provides a succinct summary of this position:

A company can outperform rivals only if it can establish a difference that it can preserve. It must deliver greater value to customers or create comparable value at a lower cost or do both. The arithmetic of superior profitability then follows: delivering greater value allows a company to charge higher unit prices; greater efficiency results in lower average unit costs.3

There are several key points to the above. First, “creating a difference” or positioning is the key. Porter elaborates: “The essence of strategy is choosing to perform activities differently than rivals do.”4 Strategy is about being unique, and this requires a unique set of activities and, as we shall discuss later, a unique set of risks. The second fundamental point to notice is the focus is on profitability. Please note the focus on costs not prices. The point is that if you are creating comparable value and have the lower cost structure, you will be more profitable, as you will be if you can create more value. The third fundamental point is the need to preserve the position. Generally, in our discussion when we employ the term sustainability, it refers to maintaining a more profitable position, not corporate responsibility.

This positioning approach focuses on the desired outcome for perception of the product/service, which leads to the desired economic results. But achieving this result demands a process.5 The process outlines the sequence of actions, including consultation, that will produce a simple and comprehensive mission statement that addresses the following:

Mission—why we exist

Values—what we believe in and how we will behave

Vision—what we want to be

Strategy—what our competitive game plan will be

Objectives = ends

Scope = domain (customer or offering, geographic location, and vertical integration)

Advantage = means

Balanced scorecard—how we will monitor and implement the plan

6

To elaborate, the process must include specific goals or ends that guide decision-making. The mission is to solve a customer's problem, but to do this, it is essential that we create the appropriate perception of our brand. In today's world, the brand is affected not only by its ability to solve the problem but also by other corporate actions, such as social values the company promotes.7 Being clear on the scope is critical because strategy is as much about what not to do as it is what to do. It should also be clear that our values and the reputation that we desire place restrictions on the means that we can employ to accomplish our objectives. The “Statement on the Purpose of a Corporation” by the Business Roundtable in September 2019 makes it clear that it is inappropriate to employ means that don't consider a broad range of stakeholders.8 Finally, the nature of our competitive advantage must be linked to an understanding of the risks it generates—both upside and downside—and how those risks are managed to protect value and build resiliency. Throughout this book we emphasize that strategy and risk, in an integrated approach, both focus on creating a sustainable business.9

And it is a classic mistake to divorce content from process. The two are interdependent and link strategy formulation (content) to execution (process). In short, involvement in the formulation or development process improves the content in terms of its ability to be executed but more significantly improves the quality of the content by involving more expertise. It also has the benefit of enhancing engagement or commitment over compliance. But this means engaging a broader set of stakeholders if the process is to be best in class.10 The process presents a number of steps or actions to gather diverse insights and unify them to pursue corporate goals. It is the fit of all the elements that drives competitive advantage and sustainability of the advantage because the processes that achieve fit are difficult to duplicate.11 You know you have achieved fit when the elements of your strategy are mutually reinforcing, rather than being at odds with, or independent of, one another.

One of us learned this the hard way in an executive seminar designed to embed strategic processes into the thinking of the second level of management, that is, the management level below the C-Suite. The C-Suite executives had determined what the strategic process should be without consulting their reports. The focus on the content of the strategic process actually violated the assumptions of the strategic planning process that they were trying to embed.12 The failure to consult was evidence of a culture that did not value transparency and openness. When the question was raised as to why the C-Suite executives were not at the session, the hopes of embedding the new process came crashing down. Leadership needed to set the agenda but also invite active participation to include what they were not aware of. Failure to do so doomed the change management hopes of the C-Suite. To put it more simply, the strategy journey is not linear—it has twists and turns.

We view goals beyond profits as a needed complement to Porter's definition of strategy. But without superior profits it is challenging for established companies to attract the resources needed to win and grow.13 The recognition that these resources go beyond capital creates linkage to the growing social demands being placed on companies by employees and even investors.14 An organization's values as established by the board are essential for creating a healthy culture and giving meaning to the work of its employees. By meaning, we mean participating in value creation, not simply being the guardians against value destruction, or being the department of NO! Fundamental to our understanding of giving meaning to employees are those in risk oversight who are essential players to be involved in the strategy process from the start.

Your strategic goals and position create the risks that you need to manage. This comes from not only a strategy professor but also a risk professional. As a strategist, working with risk professionals such as David taught James that strategy was creating risks that were being managed ex post when risk thinking or risk considerations needed to be brought into the strategy process ex ante.15 This has since been recognized by Kevin Buehler, Andrew Freeman, and Ron Hulme16 at McKinsey and more recently by Daniela Gius, Jean-Christophe Mieszala, Ernesto Panayiotou, and Thomas Poppensieker, also at McKinsey.17 Buehler et al. also noted that the type of rigorous analytics and use of statistical tools common to risk management in financial institutions was becoming increasingly common in other business areas.18

We realized early on in our collaboration that the strategy, specifically the goals and positioning theme made concrete in the organization's value proposition, determined the risks that must be managed. This is because in creating value for customers/clients the organization must deal with both risk and uncertainty.19 The positioning theme explores the ceiling on what customers will pay.20 The financial executives and especially the risk manager help determine what is the minimum price that must be charged for the business to be economically sustainable.21 The science of risk management employs statistical tools to determine the probability of losses—for the organization to survive, it must consider the impact of losses on pricing and capital reserves. This concept is fundamental to the capital structure of the firm. Holding reserves against capital loss establishes a boundary between risk management and uncertainty. Beyond the limit set for unexpected losses,22 which is partly determined by market forces of investor demands for returns and creditor demands for safety, lies the world of uncertainty. Failure to recognize how this highlights the element of art in risk management leads to myopic strategies, poor risk management, and organizational failure.

Our business and teaching experiences have further taught us how these concepts can be applied to any organization and improve their strategic processes and business success.23

WHAT IS RISK? WHAT IS UNCERTAINTY?

Our ongoing engagement with diverse organizations has also helped us to understand the challenges created by the term risk. For many, risk is something to be avoided or eliminated; to us, risk is good because if there is no risk, there is no profit. But in the modern world, virtually all risk can be transferred to others, as Nobel Laureate Robert Merton has noted.24 Oddly enough, the implications of this was recognized by Frank Knight in his classic work on Risk, Uncertainty and Profit.25 Despite Knight's status among risk scholars, he held that uncertainty, not risk, was the source of profit. The question for the strategic risk manager then becomes, to what level of uncertainty or unexpected loss do I want protection from and how much will markets allow? The science and art of strategy and risk management meet in this decision.26 In our everyday lives we make a similar decision when we decide on insurance deductibles in either health or property and casualty (P&C) insurance. When making that decision, we confront our willingness to accept the possibility of negative outcomes up to a certain limit but transfer the risk beyond that point to someone else.

This means we must learn to manage risk, and to do that, we need to identify, assess, or quantify and monitor our risks. There is both a content and process side to doing this. Superior risk management can lead to competitive advantage, as we will show in later chapters. The process side is fundamentally important because here we embrace the people managing the risk process. The risk process is entirely geared toward enabling and informing the organizational strategy and day-to-day business decisions made by the lines of business with risk-rich information and insights. This requires that risk awareness be embedded in the entire organizational culture so that risk management takes place at the first line of defense.27

We also need to embrace a definition of risk that at the minimum has both an upside and downside.28 But it would be better to embrace one in which the upside exceeds the downside, because these are the risks worth taking.29 For the general reader, understand that strategic risk has both an upside and a downside. The future can exceed our wildest dreams or make real your worst nightmare. For people from the FI world, think market risk, not credit risk.30 Recognizing the upside helps people working in risk functions make the work more meaningful because although saying “no” to projects is important to the business, avoiding problems is generally not as well recognized as contributing to success.32 There are advantages to participating in profit centers that are not as readily available to cost centers. So, it is important that the risk function be recognized as contributing to the overall profitability of the business by helping the lines of business take the right risks in the right way for the right return.

FIGURE P.1 Royal Bank of Canada's Risk Pyramid 201431

Source: Royal Bank of Canada Annual Report 2014, Royal Bank of Canada's Risk Governance Framework (2014), 52. © 2014, Royal Bank of Canada.

Royal Bank of Canada is among the 30 global banks deemed too big to fail by the Financial Stability Board in Basel. It is also worth noting that it escaped the 2007–2008 financial crisis as did the other Canadian banks relatively unscathed, suggesting a robust approach to risk management. The bank developed a very appealing graphic that provides not only a typology of different risks but also presents them in a hierarchical fashion based on the organization's ability to control the risks (see Figure P.1).33

We take risks in the expectation of gains; the question is which risks we should take and how should they be managed and priced.34 Royal Bank of Canada's pyramid sets out several different risks that need to be identified and managed. Implicit in the hierarchy is that the lower levels of the pyramid need to be managed to make the higher levels manageable. This is made clear by the way that operational risk can affect all the financial risks. For the moment we also want to make clear a distinction between operational risk and financial risks.35 Generally, financial risks are susceptible to scientific measurement, which is often an approximation via statistical tools based on historical experience within a certain confidence level. Parts of operational risk may be susceptible to scientific measurement, too. But, one does not take operational risk for regulatory purposes. Operational risks are taken as necessary to fulfill the organizational strategy and objectives. Operational risks, and compliance efforts, are a cost of doing business. There is another dimension to operational risk.36 Many operational risks provide the opportunity for learning.37 Although operational risk is hard to profit from, it directly affects the cost structure of the firm. If the risk is controlled to the right level, using effective cost-benefit analysis, the firm is able to build risk understanding into its cost structure and, thereby, create competitive advantage in its costs. This makes clear the need for risk management to be dynamic and holistic: it must be complete in scope and integrated.

When we started working together, we discussed elements of reputation risk, but the term was not really in vogue. It is now, and it has important implications for how we view management.38 Financial risk management in FIs has always had a strong commitment to financial stakeholders, but once reputation is recognized as an asset, it becomes imperative to move beyond a shareholder model to a stakeholder model.39 Royal Bank of Canada points to the lower degree of control over reputation, and we believe this is because although reputation is generally the outcome of delivering on your value promise, external elements can affect your reputation. So, it is not just the actuality of your performance, it is the perception of what you do. With the outbreak of trade tensions in 2020, the country of origin can have a significant impact on a company's reputation unrelated to past performance. This broadening of the scope of risk management takes us deeper into the realm of uncertainty and risk management as art, not just science. And it makes risk management strategic.

Our process framework identifies the elements and relationships in managing the strategy-risk-governance process (see Figure P.2). It assumes an intentional view of strategy by starting with the strategy to be achieved, moving through risk to ensure only the strategy-supportive risks are maintained to support a strategic- and risk-based competitive advantage. That competitive advantage leads to strong performance and the desired reputation. Above all the execution activities exists the governance processes supporting ethical approaches, appropriate behaviors, and a strong organizational culture. Beneath the execution actions are the enablers—including risk appetite, data capabilities, and strong and appropriate infrastructure and systems including all organizational capabilities. Because these goals are to be accomplished in the future, the strategist must deal with both risk and uncertainty that lies beyond the confidence level.40 The framework shown in Figure P.2 provides a graphic representation of how to integrate strategy and risk.

FIGURE P.2 The Strategy-Risk-Governance Process

It needs to be understood that strategists and risk managers may have different approaches to the same issue. For example, if the problem is earnings volatility rather than hedging exposures, a change in the balance of product lines may be the answer. For a FI this might mean increasing the percentage of retail operations; for a consumer goods company it might mean adding a lower-priced brand to the product line to protect against changes in the business cycle.

However, for our purpose we need to emphasize creating customer value and stakeholder management41 as central to the business objectives. Setting risk appetite and tolerances is essential to the strategic process if risk is to be managed and is too often ignored by the last line, or fourth line, of defense: the board.42

There are multiple facets to the relationship between strategy and risk. The book seeks to consider more deeply these aspects in the following chapters:

Chapter 1

: Strategy and Risk: Two Sides of the Same Coin

Chapter 2

: Executing on the Plan and Discovering New Risks

Chapter 3

: Which Risks to Keep

Chapter 4

: How Do We Achieve Independent Risk Governance and Improve Performance?

Chapter 5

: Who Has the Specific Knowledge to Design the Risk Architecture: Why You Need an Independent Risk Function

Chapter 6

: Enterprise Risk Management and Competitive Advantage

Chapter 7

: What Reputation Do We Want? With Whom?

Chapter 8

: Uncertainty, Scenario Planning, and Real Options

Chapter 9

: Risk Culture and Ethics: Can You Have Excellence and Consistency at the Same Time?

Chapter 10

: The Top of the Pyramid: The CEO as Integrator of Strategy and Risk and the Board as the Fourth Line of Defense

Epilogue: Decision-Making at the Restaurant: Creating and Executing a Risk-Aware Strategy

The journey starts by exploring two partners making strategic choices that create the risks that must be managed in a risk-return framework. Chapters 1 and 2 explore the dialectic between strategy and risk in developing the plan and the dialectic between executing to turn the dream into reality. These two chapters provide a touchstone for the rest of the book. The third chapter addresses the fundamental strategy-risk decision: how to determine which risks are fundamental to the strategic positioning and goals and must be retained and managed. Each firm will have a different solution set and we can only guide them in discovering which risks are fundamental to them. This leads to a consideration of the scope of enterprise risk management (ERM): it must be all inclusive and integrated to capture the interdependencies that unite risk and strategy. Chapter 4 argues that you need a focal point for risk management to standardize processes to ensure consistent outcomes. This requires a dedicated senior risk professional reporting to the chief executive officer (CEO) and possibly the board. In FIs, this typically is the chief risk officer (CRO).43 The role of the independent risk function and this executive is developed in Chapter 5. Closely tied to Chapter 2 is the notion of competitive advantage, and this is the focus of Chapter 6. Changes in consumer perceptions make reputation an important asset to be managed and Chapter 7 explores the relevant issues. Although uncertainty is bounded by certain considerations of risk management, it doesn't go away. Scenario planning and real options provide a framework for managing uncertainty. Moreover, scenario planning provides an opportunity to counter CEO optimism by providing the “outside view” to debias the forecast and incorporate insights from behavioral economics.44 Finally, strategy and risk management are both about creating a commitment to the goals of the organization, and this means a focus on culture and ethics. Many large losses are the result of adverse behaviors, not purposeful risk choices. In the concluding chapter the issue of conflict and alignment are discussed in the context of governance. The role of the CEO is examined as the ultimate locus of the reconciliation of strategic risk decisions within the context of board governance as the fourth line of defense. The Epilogue revisits the partners and reveals the decisions that they made in light of their strategic positioning and the awareness of the risks that it created.

NOTES

1

. This of course is the title of a famous article by Michael E. Porter, “What Is Strategy?”

Harvard Business Review

(November–December 1996).

2

. For a discussion of differing positions please see Henry Mintzberg, Joseph Lampel, and Bruce Ahlstrand,

Strategy Safari: A Guided Tour through the Wilds of Strategic Management

(New York: The Free Press, 1998).

3

. Porter, “What Is Strategy?,” 62.

4

. Porter, “What Is Strategy?,” 64.

5

. David J. Collis and Michael G. Rukstad, “Can You Say What Your Strategy Is?”

Harvard Business Review

(April 2008).

6

. Collis and Rukstad, “Can You Say What Your Strategy Is?”

7

. This is explored more fully in

Chapter 7

.

8

. Business Roundtable, “Statement on the Purpose of a Corporation,” August 10, 2019,

https://opportunity.businessroundtable.org/ourcommitment/

.

9

. We consider resiliency, or sustainability, to be critical and we have included an exploration of this in

Appendix II

.

10

. It is only appropriate to pay homage to the founder of this approach: Ed Freeman. See R. Edward Freeman,

Strategic Management: A Stakeholder Approach

(Boston: Pitman, 1984).

11

. Porter, “What Is Strategy?,” 70.

12

. For the curious, the CEO was trying to embed Hoshin Planning, a popular approach at the time.

13

. For start-ups, the promise of growth may be sufficient as we have seen with many unicorns. For other organizations, the promise of promoting artistic accomplishment, public purpose, or some other worthy goal may be enough to attract resources from investors who share those goals.

14

. Larry Fink, “Larry Fink's Annual Letter to CEOs: A Sense of Purpose,” accessed July 18, 2018,

https://www.blackrock.com/corporate/investor-relations/larry-fink-ceo-letter

. See also Julie Battilania, Anne-Claire Pache, Metin Sengul, and Marissa Kimsey, “The Dual-Purpose Playbook,”

Harvard Business Review

(March–April 2019); Adi Ignatius, “Profit and Purpose,”

Harvard Business Review

(March 2019); and James Mackintosh, “A Davos Debate: What Is Finance For?”

The Wall Street Journal

(January 24, 2019).

15

. This is very well discussed in Gary Klein, Tim Koller, and Dan Lovallo, “Premortems: Being Smart at the Start,”

McKinsey Quarterly

(March 2019).

16

. James should have paid more attention to the work of Kevin Buehler, Andrew Freeman, and Ron Hulme when he read it. See Kevin Buehler, Andrew Freeman, and Ron Hulme, “The New Arsenal of Risk Management,”

Harvard Business Review

(September 2008) and “Owning the Right Risks,”

Harvard Business Review

(September 2008). Part III, “Linking ERM to Strategy and Strategic Risk Management” in John R. S. Fraser, Betty J. Simkins, and Kristina Narvaez, eds.,

Implementing Enterprise Risk Management: Case Studies and Best Practices

(Hoboken, NJ: Wiley, 2015) is well worth a look, as are many other chapters and cases in this book.

17

. Daniela Gius, Jean-Christophe Mieszala, Ernesto Panayiotou, and Thomas Poppensieker, “Value and Resilience through Better Risk Management,

McKinsey & Company Risk Practice,

(October 2018,

https://www.mckinsey.com/business-functions/risk/our-insights/value-and-resilience-through-better-risk-management

). This approach is also apparent in Fraser, Simkins, and Narvaez,

Implementing Enterprise Risk Management

.

18

. The selection of many cases from outside the financial services industry in Fraser, Simkins, and Narvaez,

Implementing Enterprise Risk Management,

clearly demonstrates this.

19

. See the discussion of Frank Knight's work in

Chapter 3

.

20

. Differentiation raises the ceiling, but if the ceiling is set, then achieving the lowest cost structure is the way to superior profitability.

21

. Of course, you can charge less with the idea of future customer profitability, lower costs due to achieving scale, or learning curve effects, but if you do this you must prepare for the contingencies of these not occurring.

22

. Expected loss is the average loss predicted to occur using historical loss analysis in normal business conditions over a specified period of time. Unexpected loss is the potential for loss above expectations due to extreme events and is often expressed as the average total loss above the expected loss using a defined confidence level.

23

. See Joseba Eceiza, Piotr Kaminski, and Thomas Poppensieker “Nonfinancial Risk Today: Getting Risk and the Business Aligned,”

McKinsey & Company

(January 2017).

24

. Robert C. Merton, “You Have More Capital Than You Think,”

Harvard Business Review

(November 2005).

25

. Frank H. Knight,

Risk, Uncertainty and Profit,

2nd ed. (New York: Reprints of Economic Classics, 1964),

https://mises.org/library/risk-uncertainty-and-profit

. See, in particular, the Preface to the 1933 reissue and

page 19

.

26

. David R. Koenig,

Governance Reimagined: Organizational Design, Risk, and Value Creation

(Northfield, MN: B Right Governance Publications, 2018), 218. Pages 89–90 make the following observation in a section entitled, Quantification as a Coping Mechanism: “Since risk and uncertainty make us uneasy—we naturally prefer to move further down on the Risk of the Unknown factor chart—we may attempt to turn subjective risk assessments into objective measures, or quantifications. In effect, we attempt to convert uncertainty, which is not measurable, into risk, which is believed to be measurable.”

27

. Later we will discuss the three lines of defense model and the implications for the balance of centralization and decentralization. Koenig,

Governance Reimagined,

161, makes the same point as does James Lam in

Chapter 6

in James Lam,

Implementing Enterprise Risk Management: From Methods to Applications

(Hoboken, NJ: Wiley, 2017).

28

. James Lam makes the same point in his recent edition. Lam,

Implementing Enterprise Risk Management

.

29

. We thank David R. Koenig for pointing this out.

30

. Later we will discuss the upside to credit risk, but in general the downside exceeds the upside. It is also the reason we do not discuss cyber risk—although it could be the source of competitive advantage at the moment, we doubt many firms are so confident as to claim this as a source of competitive advantage. See Oliver Bevan, Jim Boehm, Merlina Manocaran, and Rolf Riemenschnitter, “Cybersecurity and the Risk Function,”

McKinsey & Company Risk Practice,

November 2018,

https://www.mckinsey.com/business-functions/risk/our-insights/cybersecurity-and-the-risk-function

; Jim Boehm, Peter Merrath, Thomas Poppensieker, Rolf Riemenschnitter, and Tobias Stahle, “Cyber Risk Measurement and the Holistic Cybersecurity Approach,”

McKinsey Quarterly,

November 2018,

https://www.mckinsey.com/business-functions/risk/our-insights/cyber-risk-measurement-and-the-holistic-cybersecurity-approach?cid=other-eml-alt-mip-mck-oth-1811&hlkid=c0daad3b6cdf461f9a5fbd5beaf94692&hctky=1961840&hdpid=2d71440f-329f-4038-8100-e353a5c2d01

31

. Royal Bank of Canada, “Annual Report,” 52.

32

. See Dan Cable and Freek Vermeulen, “Making Work Meaningful: A Leader's Guide,”

McKinsey Quarterly

(October 2018) and Alexis Krivkovich and Cindy Levy, “Managing the People Side of Risk,”

Corporate Finance Practice, McKinsey Company,

May 2013,

https://www.mckinsey.com/business-functions/risk/our-insights/managing-the-people-side-of-risk

.

33

. The positioning of operational risk is important for us. Royal Bank of Canada, however, has continued to refine the pyramid for their risk management and governance purposes. See Royal Bank of Canada, “Annual Report” (2014): 52,

https://www.rbc.com/investor-relations/_assets-custom/pdf/ar_2014_e.pdf

.

34

. Some of the risks, such as regulatory, can be viewed as calculating the cost-benefit as to the degree of compliance, rather than being taken for the sake of “gains” per se.

35

. For a very interesting discussion on learnable risks and competitive advantage, see David Apgar,

Risk Intelligence: Learning to Manage What We Don't Know

(Boston: Harvard Business Review Press, 2006). We do recognize that superior use of statistical tools can also lead to competitive advantage as Capital One demonstrated in the sub-prime credit card market and Goldman Sachs in the 2007 financial crisis.

36

. Compliance is becoming a more significant issue. See Bevan, Kaminski, Kristensen, Poppensieker, and Pravdic, “The Compliance Function at an Inflection Point.”

37

. On the importance of risks governed by nonrandom processes, see Apgar,

Risk Intelligence

.

38

. For a recent discussion, see Owen Parker, Ryan Krause, and Cynthia E. Devers “How Firm Reputation Shapes Managerial Discretion,”

Academy of Management Review

44, no. 2 (2019): 254–78.

39

. It is only appropriate to pay homage to the founder of this approach, Ed Freeman. See R. Edward Freeman,

Strategic Management: A Stakeholder Approach

(Boston: Pitman, 1984). This is still an evolving field; see Jay B. Barney, Measuring Firm Performance in a Way That Is Consistent With Strategic Management Theory.

Academy of Management Discoveries

6:1 (2020): 5–7.

40

. See the discussion of the relationship between risk and uncertainty in our discussion of Frank Knight's work in

Chapter 3

.

41

. Essential to our understanding of positioning is a focus on the customer and creating value for the customer. We concur with the insights presented in Roger Martin, “The Age of Customer Capitalism,”

Harvard Business Review

(January 2010).

42

. See Gius, Mieszala, Panayiotou, and Poppensieker, “Value and Resilience through Better Risk Management,” which asserts the following: “Boards spend only 9 percent of their time on risk—slightly less than they did in 2015. Other questions in the survey results in this McKinsey paper revealed that only 6 percent of respondents believe that they are effective in managing risk (again, less than in 2015).” The survey interviewed a large number of listed companies in the UK in 2016.

43

. This may be the chief financial officer in many organizations. See McKinsey & Company, “The New CFO Mandate: Prioritize, Transform, Repeat,” December 3, 2018,

https://www.mckinsey.com/business-functions/strategy-and-corporate-finance/our-insights/the-new-cfo-mandate-prioritize-transform-repeat

.

44

. See Dan Lovallo and Daniel Kahneman, “Delusions of Success: How Optimism Undermines Executives' Decisions,”

Harvard Business Review

(July 2003); Bill Javetski and Tim Koller, “Debiasing the Corporation: An Interview with Nobel Laureate Richard Thaler,”

McKinsey Corporate Finance Practice,

May 2017,

https://assets.mckinsey.com/∼/media/70B0411CF4524543B396B4AE2B44A827.ashx

; Tobias Baer, Sven Heiligtag, and Hamid Samandari, “The Business Logic in Debiasing,” McKinsey & Co, May 2017,

https://www.mckinsey.com/business-functions/risk/our-insights/the-business-logic-in-debiasing

; and Tim Koller and Dan Lovallo, “Taking the ‘Outside View,'”

Bias Busters,

McKinsey & Co., 2018.

Acknowledgments

JAMES L. DARROCH

When I started this project, I knew I needed a coauthor whose experiences and knowledge complemented mine. I was incredibly fortunate to be joined by my friend, David Finnie. David has been an inspirational collaborator and mentor over the years.

I owe debts to numerous people who have assisted me in the journey that led to this book. It started with my PhD committee chaired by Al Litvak, who remained an inspiration, coauthor, and friend for many years. Dezso Horvath challenged my strategic thinking and Dawson Brewer and Sy Friedland, who remained lifelong friends, challenged my financial thinking. This gave me a solid foundation for what followed.

I was fortunate to have Paul Cantor as a mentor in implementation, leadership, and governance when I worked with Paul at the Toronto Leadership Centre. It was a transformative experience to work with him and financial sector supervisors from around the world: Brian Quinn, Bob Clarke, Michael Mackenzie, Jorge Patino, David Scott, Richard Farrant, and Bill Ryback to name a few. This was my introduction to risk management.

I was then fortunate to meet David Finnie and develop the risk curriculum for the Bank of Montreal (BMO) with Fred Gorbet. This was my PhD in risk under the tutelage of Michel Maila, Mike Frow, David, Phillippe Sarfati, Tony Preccia, Milo Rado, Fred Shen, and many others. Developing the material with these mentors was an unbelievable experience and then to bring it to the classroom for BMO professionals sharpened my learnings and brought the realities of the challenges of risk management home. Working with Cory Jack at BMO also helped me learn about leadership and the challenges of implementing enterprise risk management.

Interestingly, David, Michel, Paul, Corey, and I were all reunited at the Global Risk Institute for Financial Services. We worked on creating a risk program for directors of financial institutions. After that Corey and I continued to work together in the Financial Services Leadership Program at Canadian Imperial Bank of Commerce (CIBC), where we had the privilege of working with emerging leaders at CIBC. This was the most recent stage of my journey in executive education and consulting.

Although I have worked with many executives, two people stand out for their role in this book. David Koenig was kind enough to read an early draft. His comments significantly improved the work. Francois Desjardin, while he was CEO of Laurentian Bank, not only made detailed comments on an early draft but took considerable time to discuss with us the importance of branding and the relationship of the CEO to the board. I hope we captured the insights of David and Francois, because they opened my eyes.

I would be remiss if I didn't express my gratitude to my many coauthors. Some especially stand out: Pat Meredith, who brought me into her project, which resulted in the Donner Award–winning Stumbling Giants. My contribution and understanding of Canadian public policy owe a great deal to my Schulich colleagues: Al Litvak, Charley McMillan, Fred Gorbet, Jim Gillies, and Tom Wilson. Although I was unaware of the connection while writing, I see the continuation of the work I did with David Weitzner.

The scope of the book owes much to my colleagues in the Financial Services Program at Schulich. I was fortunate to be brought back to the program and want to thank Lois Tullo, Lee Watchorn, Bernard Hyams, Desmond Alvares, Christine Tekker, and Andrew Lin.

This book is as much a result of teaching as research, so I want to thank the many Schulich students who took my courses and contributed their thoughts and insights on strategy, risk, and governance. Their challenging questions have forced me to rethink many issues addressed in this book. And key to the success of these courses were my executive assistants, JoAnne Stein, Filomena Ticzon, and Jennifer Fernandez.

The team at Wiley have provided superb support through the process of publication, so I want to express my gratitude to Kevin Harreld, Susan Cerra, Samantha Enders, and Susan Geraghty. You really made a difference. And, finally, thanks to some friends whose support in discussing many of the issues addressed in this book has been invaluable: Eileen Fischer, Moren Levesque, Dirk Matten, and Christine Oliver. Their support kept me going through some tough times.

DAVID WM. FINNIE

I want to thank James Darroch for inviting me to join him on this project. James and I have worked together many times over the years, and I have always learned from him and enjoyed our time together. I find his knowledge and understanding to be complementary to mine and, as a result, with his involvement, I am able to go beyond what I can accomplish on my own.

Over the years I have worked with tremendous thought leaders in business and risk. I owe a deep debt of gratitude to these individuals.

I entered the realm of risk management during my time at Bank of Montreal (BMO) and worked with many people in the trading business and new risk functions. I learned a tremendous amount from my first two bosses, Phil Wilson and Michel Maila. Both were thought leaders, although in very different ways. I learned about people, behaviors, and leadership from Phil and risk concepts, approaches, and philosophies from Michel. I also worked with several wonderful business and risk contributors. Jean Desgagné, Mike Frow, Geoff Hydon, Paul Marchand, and Tony Peccia taught me about the key concepts in their risk and operational specialties. During this time, I was fortunate enough to have some tremendous people agree to work for and with me. I want to thank Greg Frank, Sandy Howlett, James Ireland, Sarah Knapp, Robin Li, Graham Pugh, Phillipe Sarfati, and Fred Shen. I learned far more working with them than I believe they were able to learn from me.

I was able to make the transition into risk management due to great support from Ellen Costello and David Hyma. I worked with them and Shelley Weiss and their trading floor teams to create business-supportive risk solutions. It was with them and in this environment that I began my risk and, ultimately, risk and strategic management, journey.

It was while I was at BMO that I was able to lead the development of the risk curriculum, and it was in this effort that I first met James Darroch. This project enabled me to work very closely with James and the other people he mentions. While James learned about risk, I learned about curriculum design and development and working with educators in a high-performance setting.

I was able to take what I had learned at BMO to a number of other organizations where I met and worked with some valuable individuals. From American Express Company, I thank Kai Talarek and Bud Herrmann for their support. At Teachers Pension Fund, I want to thank a tremendous leader and risk thinker, Barb Zvan. At Global Risk Institute in Financial Services I was able to work with many of the people already mentioned along with Paul Cantor. Paul was a noteworthy chair of the board from whom I learned many governance lessons. At Central 1 Credit Union I had an excellent team from whom I learned about the credit union movement and with whom I implemented a strong, business-supportive, risk-disciplined capability. I want to thank Chris Galloway, Phil Hemming, James Ireland, Phil Kennedy, Martin Kyle, and Dan O'Connor. I also want to thank their staff with whom we as a team were able to accomplish so much.

Part of working in any financial institution is the interaction with the regulators. Over the years I worked with and learned from individuals in the Office of the Superintendent of Financial Services (OSFI), the Chicago Federal Reserve Board, the New York State Banking Authority, and the UK Financial Services Authority. More recently, I worked with individuals from British Columbia's and Ontario's financial regulators and would like to thank Mehrdad Rastan and Guy Hubert for sharing their ideas and thoughts freely and supporting my team's efforts to create a strong risk foundation at Central 1. I particularly want to thank Mehrdad for his patience as we moved to overcome the many obstacles to implementing an appropriate risk function.

I want to thank my wife, Marilyn Finnie. Marilyn has spent untold hours challenging and educating me in the numerous fields in which she has become an expert, many of which have a direct bearing on financial institution business, technology, and risk management.