A View of the Future of Risk Management

Author(s): Richard B. Corbett

Source: Risk Management, Vol. 6, No. 3 (2004), pp. 51-56
Published by: Palgrave Macmillan Journals
Stable URL: http://www.jstor.org/stable/3867778 .
Accessed: 02/06/2014 05:55

Your use of the JSTOR archive indicates your acceptance of the Terms & Conditions of Use, available at .
http://www.jstor.org/page/info/about/policies/terms.jsp

.
JSTOR is a not-for-profit service that helps scholars, researchers, and students discover, use, and build upon a wide range of
content in a trusted digital archive. We use information technology and tools to increase productivity and facilitate new forms
of scholarship. For more information about JSTOR, please contact support@jstor.org.

Palgrave Macmillan Journals is collaborating with JSTOR to digitize, preserve and extend access to Risk
Management.

http://www.jstor.org

This content downloaded from 111.68.103.233 on Mon, 2 Jun 2014 05:55:12 AM

All use subject to JSTOR Terms and Conditions
 Risk Management: An International Journal 2004, 6 (3), 51-56

A View of the Future of Risk Management

Richard B. Corbett1

Recent high-profile corporate scandals have resulted in moves to improve corporate

governance, specifically financial reporting. One of the offshootsof improvedfinancial
reporting is the notion that publicly held firms should disclose clearly all 'threats to
people, property, or profits'. An enterprise-wide risk management program considers
the collective exposures that can affect the value of an economic entity. There is a
focus on three distinct areas: human resources, physical resources, and financial
resources. Risk management is associated with the maintenance of value of these
resources within the entity.There is a recognition that no decision is without a risk
management aspect. The risk management process is validated because of this clear
connection between risk management activities and the value of the economic entity.
This has brought an increased appreciation for risk management as an academic
discipline. The concept of enterprise-wide risk management appeals to management
scholars viewing the relationships among strategic management, operational
management, and risk management. In an increasingly complex world, identifying
and analyzing these relationships is critical to the success of economic entities.

Key Words: Risk; risk management; enterprise risk management;

corporate governance

There are several views of the future of risk management, some of which contrast greatly.
Whether the discussions involve the profession and practice of risk management in economic
entities, or risk management as an academic discipline, the views diverge. An extreme view is
that risk management is being de-emphasized as a separate notion in economic entities. As an
evolving discipline, risk management cannot be harmed by these discussions. Every discipline
faces periodic re-evaluations of its core assumptions and practices. Risk management is subject
to that same process.

Where is risk management now?

Risk management is the identification, analysis, and treatmentof an economic entity's exposures
to loss. In this time of increasing technology and complexity, there are more things that can go
wrong, ie more exposures to loss. It stands to reason that risk management is a growth industry.
Risk management is a core value in many firms. Over 800 of the 'Fortune 1000' firms have
membership in the Risk and Insurance Management Society (RIMS). Peter Drucker lists the
practice of risk management as a hallmark of a developed economy. Clearly, there is something
of value inherent in the concept of risk management.

As is true of most disciplines, there are some underlying assumptions or beliefs, or 'givens',
about risk management. Some of the givens of current risk management practice are as follows:

? risk management has evolved into a profession and a set of concepts applicable in most
functional areas of business administration;

Copyright ? 2004 Perpetuity Press Ltd 51

This content downloaded from 111.68.103.233 on Mon, 2 Jun 2014 05:55:12 AM

All use subject to JSTOR Terms and Conditions
Risk Management: An International Journal 2004, 6 (3), 51-56

?
many risk managers perform their professional duties in relative isolation, ie without
being included in higher-level decision making;

?
many risk managers do not have authority commensurate with their responsibilities;

?
many risk managers are called upon to react to adverse events, rather than being involved
in the planning that might have prevented those events; and

?
many risk managers spend a disproportionate amount of their time on insurance issues,
rather than on more modern risk management topics.

Are these things indications that risk management has somehow failed as a discipline? We
believe that is not the case. In fact, risk management appears to have entered an era of much
greater visibility, which will have the effect of solving many of these perceived problems.
The movement to an enterprise-wide application of risk management has brought about some
very desirable changes.

The driving force: improved corporate governance

Along period of laissez-faire corporate governance led to some large, and largely predictable,
both
corporate scandals. Enron and WorldCom are two examples of this phenomenon,
associated with 'fuzzy' financial reporting. The result of these scandals was, predictably,
action to require greater 'transparency' in corporate financial reporting, in essence, truth-in-
reporting. The Treadway Commission in the US, the Toronto Stock Exchange's Dey Report
in Canada, and the Cadbury Commission in the UK all moved toward the same goal: improved
financial reporting for publicly held firms. The formal name of the Treadway Commission,
the National Commission on Fraudulent Financial Reporting, gives all the information
necessary about the nature of the problem.

One of the offshoots of improved financial reporting is the notion that publicly held firms
should disclose clearly all 'threats to people, property, or profits'. This is the key tie-in to risk
management and to having risk management as a core value throughout an economic entity.
An enterprise-wide risk management program looks at the collective exposures that can affect
the value of an economic entity. There is a focus on three distinct areas: human resources,
physical resources, and financial resources. Currently, the RIMS has an 'initiative' attempting
to improve the constructs of enterprise-wide risk management and to guide its membership in
promoting the notion.

Early problems with enterprise-wide risk management

The concept of enterprise-wide risk management experienced some growing pains; some
might say those are still being experienced. First of all, there was the problem of terminology.
Is the correct term 'enterprise risk management'? Or is it 'integrated risk management'? Or
should we speak of 'enterprise-wide risk management'? The major problem, of course, is that
without standardized terminology, we are not sure that we are discussing the same thing.
Each of these terms has its advocates, and some of them are passionate about their viewpoints.
Interestingly, a major US university risk management and insurance program that secured
funding for an 'enterprise risk management center' has recently changed the name to 'strategic
risk management'.

52 A View of the Future of Risk Management

This content downloaded from 111.68.103.233 on Mon, 2 Jun 2014 05:55:12 AM

All use subject to JSTOR Terms and Conditions
 Risk Management: An International Journal 2004, 6 (3), 51-56

Another problem that arose was an almost missionary focus on risk financing, at the expense of
risk control. Some of this was by persons, including some service vendors, who viewed enterprise
risk management as a risk financing product that they could sell, or install, or both. Persons with
experience in the broader aspects of risk management are troubled by this downplaying of risk
control. There will be furthercomment about this later in this paper.

The promise of enterprise-wide risk management

There are many positive aspects of enterprise-wide risk management. First, and foremost, is
that the risk management process is validated because of the clear connection between risk
management activities and the value of the economic entity. Risk management is associated
with the maintenance of value of the human, physical, or financial resources of the entity.There
is a recognition that no decision is without a risk management aspect.

Another positive aspect of enterprise-wide risk management is the potential forincreased visibility
for both risk management and risk managers in economic entities. There is a greater attention to
risk-related issues at higher levels in organizations. Better-managed entities are taking the view
that it makes more sense to consider the risk dimensions of decisions early in the decision-
making process, ratherthan tryingto retrofitrisk management tools and techniques afterdecisions
have been implemented.

This has led to greater attention to risk issues throughout line management, especially in
areas such as IS/IT, marketing, and the protection of intellectual property. Risk managers are
consulting with line managers as consultants and facilitators in designing and implementing
risk management programs. Favorable offshoots of this activity include a new focus on
strategic
risk and operational risk exposures within the firm and increased attention to 'critical
dependencies'. As risk managers are consulted with regard to these strategic and operational
exposures, they increase their contacts with upper management, thereby increasing their
personal visibility and that of their discipline.

This focus on critical dependencies within economic entities is leading to a greater

appreciation of the role of risk management and to a greater focus on the fundamental step
in the risk management process, identification of exposures to loss. The World Trade Center/
September 11 event was a watershed in this aspect of risk management practice. When
lower Manhattan was closed off south of Canal Street, businesses with no direct
physical
damage suffered major business income and extra expense losses. They had neglected to
think about the sources of their customers and the extent of their trade areas. Other firms,
Morgan Stanley and NASDAQ, for example, had developed contingency plans with a greater
range of 'What if?' scenarios. The whole concept of 'worst case scenario' or probable
maximum loss was re-examined.

Another positive aspect of the concept of enterprise-wide risk management is that risk
managers have been allowed to be creative and that this creativity is being rewarded. New
risk-control initiatives are being formulated in an effortboth to protect the various resources
of the economic entity and to lower risk-financing costs. New risk-financing initiatives are
being formulated, ranging from securing insurance on hard-to-place exposures to setting
up non-traditional arrangements for uninsurable exposures. Some of these arrangements
have been very creative integrated risk-financing products, combining traditional pure risk
exposures with speculative risk exposures. Such initiatives are only possible when the risk
management staff has a close working relationship with top management.

Richard B. Corbett 53

This content downloaded from 111.68.103.233 on Mon, 2 Jun 2014 05:55:12 AM

All use subject to JSTOR Terms and Conditions
Risk Management: An International Journal 2004, 6 (3), 51-56

The myths of enterprise-wide risk management

Partly because enterprise-wide risk management is an evolving discipline, there are also some
prevalent myths about the concept and its practice. Some of these are potentially serious barriers
to good risk management practice, and some are easily overcome by a clearer understanding of
the objectives of risk management. Some of these myths are promoted by those with an economic
interestin keeping them alive. They are presented here with no particular viewpoint that any one
is more serious than another.

The firstmyth of enterprise-wide risk management is that this notion is for everyone. This is a
common sales pitch for most new ideas. We already recognize the segmentation of economic
entities into size categories. The concept of a 'middle-market entity' in risk management and in
insurance markets is well recognized. Some economic entities, because of their relative size and
financial resources, will focus on insurance as theircore risk-financing strategy.Their practice of
risk control will be mainly to reduce insurance premiums. This is all rational in risk-averse entities,
and thatrisk aversion is closely related to the size and financial resources of the entity.Interestingly,
some argue that small economic entities are more likely to practice enterprise-wide risk
management because management and the workers are often the same people.

Another myth of enterprise-wide risk management is that it is some kind of product, or a

project. This concept leads to some of the confusion in the terminology. Integrated financial
products, ie financial derivatives or insurance contracts covering both pure and speculative
risk exposures, do not themselves constitute enterprise-wide risk management. Some writing
on the topic, however, created that very impression, ie that the concept and the tool were one
and the same. This notion is inherently dismissive of the role that risk control plays in risk
a
management. If enterprise-wide risk management is a project, then does it have an endpoint,
can lead to the disastrous notion that an
completion date? What happens then? This potentially
economic entity can have a 'Risk Management Day' or a 'Risk Management Week'. Risk
management by definition is an ongoing process.

Another myth of enterprise-wide risk management is that risk management as traditionally

'silo
practiced was fatally flawed. The explanation is thattraditional risk management followed a
and was not integrated across functional areas in economic entities. While there are
approach'
many expressions of this notion, there are few actual objective studies with significant results

demonstrating the existence of this fatal flaw. Can risk management practice be improved? Yes,
of course, but not on the basis of anecdotes.

a
Closely tied to the previous myth is the notion that every economic entity needs to employ
Chief Risk Officer (CRO). As usually expressed, this notion at least implies that the current risk

manager will not have the breadth of knowledge and experience to fill the job. This was heavily
promoted by entities with an interestingeconomic incentive?they proposed to provide outsourcing
for the CRO's duties. Again, the lack of objective studies with significant results demonstrating
the advantage of the new practice is a telling point. Many current risk managers are both
the
experienced in a wide variety of risk management practices and tools and capable of learning
mechanics of new ones.

Another myth of enterprise-wide risk management is that exposure identification is easy. This
notion was promoted mainly by vendors of quantitative risk analysis products. The idea being
promoted was that the solution was the important part and that the problem would easily appear
to the user. Years of experience, not all of it positive, have taught us that problem identification is
more important than problem solving. Exposure identification remains the core ongoing task of
most risk managers. It is a risk management truththat you cannot treat an exposure that you have
not identified.

54 A View of the Future of Risk Management

This content downloaded from 111.68.103.233 on Mon, 2 Jun 2014 05:55:12 AM

All use subject to JSTOR Terms and Conditions
 Risk Management: An International Journal 2004, 6 (3), 51-56

Finally, there is a myth that is hard to overcome, because it is based in truth.That is the notion
that integrated risk-financing products are clearly the best answer, because the capital markets
have greater capacity than the insurance markets. This is the classic 'true, but not very meaningful'
proposition. Is insurance less useful because some exposures can be treated with capital-market
products? Capital markets are supposed to have greater capacity than insurance markets. One of
the essential beauties of insurance is that it allows those pooling their exposures and sharing their
losses to minimize thatpart of theirproductive resources in the loss-sharing pool, and to maximize
that part of their resources that are in productive use. Integrated products have their place, but it
is unlikely that they will replace insurance. (The less-than-enthusiastic response of investors to
catastrophe bonds seems to provide evidence of this.)

Risk management as an academic discipline

This consideration of the promise and myths of enterprise-wide risk management leads us to
consider the state of risk management and insurance as an academic discipline. All academic
disciplines within the domain of business administration face the classic dilemma of whether
they will lead or follow actual practice within the discipline. Risk management and insurance
certainly are subject to this, and professors in the discipline are well aware of the constant struggle.
In spite of the struggle, the future looks good for the discipline.

When potential recruiters are surveyed, they consistently cite four characteristics of potential
hires thatare most important to them: writing skills; speaking skills; the ability to work in groups;
and an ethical focus. In those surveys, actual course content ranks no better than fifth.This gives
academics great leeway with regard to their approach to course content. The approach ranges
from highly theoretical to highly practical. The best approach seems to be a well-organized
progression from the theoretical to the practical, bolstered by application exercises. This also
provides excellent preparation for continuing education, eg the examinations for the various
professional designations.

Some academics argue that, because the 'industry does not rate course content highly in the
surveys', distinct preparation in risk management and insurance is unnecessary. Actually, the
surveys seem to indicate a belief that, without certain core skills, specific knowledge is not
worth much. Reasonable people can disagree, and the survey results will be subject to different
interpretations. Many risk management and insurance academics are housed in departments of
finance, and many finance-discipline academics take the 'no distinct preparation' notion as
absolute truth.

Recently, however, there has been an increased appreciation for risk management as an academic
discipline. The concept of enterprise-wide risk management appeals to management scholars
viewing the relationships among strategic management, operational management, and risk
management. Integrated risk-financing products and derivatives used for risk-financing purposes
help finance scholars better understand the successful long-term operation of the insurance
enterprise. Clearly, the corporate success stories related to the World Trade Center/September 11
event have increased the visibility and respectability of risk management and have caused a
number of academics to understand the value of preparedness and pre-loss preparation.

The key task foracademics in the risk management and insurance field is to retain viable programs
in good universities. The key related task is to raise awareness among their colleagues with
regard to the risk management aspects of the various functional areas of business administration.
Even academics can understand that no strategic or operational decision in an economic entityis
without a risk management aspect. The higher visibility of risk managers, cited earlier as a strength
of enterprise-wide risk management, is a positive factor in this. A remaining challenge will be to

Richard B. Corbett 55

This content downloaded from 111.68.103.233 on Mon, 2 Jun 2014 05:55:12 AM

All use subject to JSTOR Terms and Conditions
Risk Management: An International Journal 2004, 6 (3), 51-56

'educate' finance colleagues that 'financial risk management' is only a part of an overall risk
management strategy. This seems likely to be an ongoing task. Overall, university budgets and
demographics will be greater problems in the near future than narrow-minded colleagues.

Is enterprise-wide risk management a new idea?

The answer to this question is 'No, not actually', although a couple of the national brokers would
like to get credit for the idea. In 1960, Professor John Long of Indiana University published an
article in the journal of the American Risk and Insurance Association advocating an enterprise-
wide approach to risk management (Long, 1960). Sometimes a person has an idea whose time
has not yet come.

What comes next? What is the future of risk management?

The future of risk management, both as a business function and as an academic discipline, seems
bright.Conditions are excellent forrisk management to improve its place in the corporate hierarchy.
World economic and political climates indicate that we will continue to live in interesting times.
These are some of the things that seem relatively certain:

?
Murphy's Law will continue to prevail as the fundamental law of risk management?the
increasing complexity of the world will ensure that more things will go wrong;

?
pre-loss preparation and well-organized response systems will be invaluable to economic
entities; and

? economic entities with risk management plans will continue to achieve the basic post-loss
objective?they will survive.

With regard to the 'givens' mentioned earlier, some will continue to be true for some economic
entities. Not everything will change in a day or two. Some risk managers will continue to struggle
to be recognized and to be consulted. In the better-managed firms, however, the positive
contributions of the risk manager and of the risk management function will be the givens.

Notes

Richard Corbettis theIndependentLife and AccidentInsuranceCompany Professorin theCollege

of Business, Florida State University,Tallahassee; email: rcorbet@cob.fsu.edu.

References

Long, J.D. (1961) Proposal for a New Course: Risk in the Enterprise System. Journal of Insurance.
Vol. 28, No. 3, pp 55-63.

56 A View of the Future of Risk Management

This content downloaded from 111.68.103.233 on Mon, 2 Jun 2014 05:55:12 AM

All use subject to JSTOR Terms and Conditions