Chapter 1
Risk Management
Essentials of Enterprise Risk Management: Practical Concepts of ERM for General Managers
Keywords
ambiguity, complexity, decision making, enterprise risk management, framework, governance, regulation, risk management, risk mitigation, strategic analysis, uncertainty, volatility
Contents
Introduction ... ix
Index ... 127
Introduction
What Is Enterprise Risk Management?
Simply put, enterprise risk management (ERM) is an integrated and holistic approach to risk management within an organization. That sounds quite basic, and it also sounds like it is simply common sense. Why then is there so much ado about ERM? Why is there a need for books and training seminars about ERM? Why is there a need for this book?
Although ERM is basic and common sense, the devil is in the details of design and implementation. This is a book that, like many others, covers the main concepts of ERM, but the difference is its focus on practical design and practical implementation.
The overarching goal of ERM should be on making an organization more effective and efficient. That’s it. Nothing more and nothing less. ERM should allow an organization to achieve its goals more easily and more often. A well designed and implemented ERM should be a valuable and useful set of tools and processes for an organization. Sadly however, our experience is that in many organizations it appears the organization exists for the purpose of the ERM system. In other words, the ERM tail is wagging the dog!
1 Nason, R. 2017. Rethinking Risk Management: Critically Examining Old Ideas and New Concepts. Business Expert Press; Chard, B., and R. Nason. 2018 (Forthcoming). Essentials of Financial Risk Management. Business Expert Press.
definition allows for ERM to do much more than prevent bad things from happening. Our definition means that ERM can also help good things happen.
This brings us to our definition of risk management. In many organizations that we deal with, the risk management function is often known as the “department of no!”, or perhaps something even more derogatory. Our definition of risk management is “managing so as to increase the probability and magnitude of good things happening while also managing to decrease the probability and severity of bad things happening.”
The final cornerstone of our philosophy of risk management is that all organizations exist to take risk. Without risk, there are no corporate profits. Without risk there is no Little League Baseball. Without risk there is no gardening club. Without risk there is no such thing as entrepreneurship. Without risk there are no multibillion dollar companies with global reach. Without risk an organization cannot make progress and evolve. Organizations exist to achieve tasks that involve risk. Given this, it makes sense that ERM should be fully integrated into the day to day activities of an organization, ERM should be part of the culture and ERM should be an inherent part of the fundamental operations—no matter what form the organization takes. This does not mean that ERM should be intrusive—anything but! However, ERM should not be thought of as a separate activity or as a separate department. The whole of ERM should not be left to risk management specialists, but instead ERM should be part of everyone’s function and mindset. ERM should be an integral part of everything an organization does, from strategy setting through to shipping of final product or delivery of service. ERM does not stand alone but is an integral part of any type of organization.
Before concluding this introductory section it is incumbent on us to point out what is not part of our philosophy on ERM. Firstly, we strongly believe that ERM is not regulation or compliance management—although that is the origin and the prevailing philosophy at many organizations. ERM is not compliance, and likewise compliance and auditing is not ERM. Compliance and auditing should never be confused for effective ERM.
We also believe that ERM is not a set of rigid rules and regulations—in fact we will argue that in most cases the more flexible the ERM system the more effective it is. We also believe that ERM is not something that you need specialized degrees or intensive multi-level certifications to be proficient at. In fact, many of the most ineffective ERM managers we know are also the most highly trained. Conversely some of the most effective ERM managers have as their sole training a naturally developed common sense and a willingness to learn and try different tactics and strategies. Perhaps the best way of putting this is to use the words of Jeff Swystun, of Swystun Communications: “think playbooks, not rulebooks.”
Finally, we believe that ERM should not be a center of “no,” or “you can’t do that.” Instead we believe that ERM should be an enabling center; a philosophy that instead of saying “no!”, works for the objectives of the organization and develops a plan of “how you can do it better in a more risk intelligent manner.” This last philosophy is a hard one for many organizations, managers, and administrators to swallow. They are so accustomed to risk being a brake, when instead we believe that when it is appropriate ERM should be the accelerator. ERM should develop a risk culture that allows for and creates success. Success is a good thing (to borrow a phrase from a well-known lifestyle celebrity) and as such, ERM is also a “good thing.”
What Is ERM?
Defining enterprise risk management (ERM) is like defining what constitutes great art. In large part, ERM is in the eye of the beholder. For some organizations it is an overall operating procedure that covers almost all of the operating activities undertaken by the organization. For others it is simply a mindset of how to think about issues as they arise.
In this chapter, we will go through a couple of the different definitions and ways of thinking of ERM. In a nutshell, we believe that ERM is simply a way of doing business so that the management of the company is as efficient and as effective as possible in achieving its overall goals and objectives despite the plethora of risks, uncertainties, and challenges that arise or that may potentially arise. An ERM mindset both implicitly and explicitly recognizes that the strategies and plans of an organization are rarely, if ever, executed exactly as they are first envisioned. Risks force these changes. ERM explicitly acknowledges that a risk management plan is needed in addition to the operating plan to deal with the inevitable risks that will arise. The better an organization is at dealing with risk, the better the organization will be in achieving its goals and executing its plans. As President Eisenhower once said, “in preparing for battle I have always found that plans are useless, but planning is indispensable.” ERM is what is applied to ensure that the plans do not become useless and that the organization’s ultimate objectives are achieved as efficiently as possible.
Defining Risk
Let us start with a very basic question: what is risk? Generally, we think of risk as being the possibility of something bad happening. Risk is something that we want to avoid, and certainly not something that we want to covet. However, a more enlightened and useful definition of risk is: “risk is the possibility that bad or good things may happen.”
Defining ERM
To begin, perhaps it is easiest to cite the definition of ERM as proposed by the Committee of Sponsoring Organizations of the Treadway Commission, often better known as COSO. The COSO framework for ERM was first developed in 2004, and then extensively revised in 2017. It has become one of the benchmark frameworks for ERM and will be discussed at length in Chapter 3. The definition of ERM as provided by COSO is:
1 Enterprise risk management—integrated framework: executive summary, Committee of Sponsoring Organizations of the Treadway Commission, September 2014.
All of these began the groundwork for the role that a board now plays in the company. Like ERM, it is an active, not a passive, role.
The second major impetus for ERM was the Sarbanes-Oxley Act of 2002. The Enron scandal of 2002 prompted this act, which was passed into legislation by the U.S. government to protect shareholders and the public from accounting errors and fraudulent accounting practices, and to improve the disclosures that companies make. The principles introduced in the Sarbanes-Oxley Act created a set of measures that firms need to comply with, with the goal of improving their financial and operational reporting and in turn improving the relevancy, accuracy, and transparency of the public statements made to stakeholders. Many of the principles of the Sarbanes-Oxley Act were also the same principles for good ERM—although it is critically important to highlight that simply being in
2 http://goodmans.ca/files/file/docs/cs120301.PDF
3 A more complete introduction to systems thinking and complexity can be found in Nason, R. 2017. It’s Not Complicated: The Art and Science of Complexity in Business. University of Toronto Press. The examples given to illustrate the difference between simple, complicated and complex systems in this section are from this book. See also Chapter 3, “What is Complexity?” in Nason, R. 2017. Rethinking Risk Management: Critically Examining Old Ideas and New Concepts. Business Expert Press.
entity, then just like playing chess, a computer program could and should manage the organization. Indeed, parts of some organizations are complicated in their nature and thus we have automated banking machines, self-serve kiosks and, of course, the increasing role of robot factories and self-driving vehicles.
People however are complex. Also we conjecture that people are the root issue for the vast majority of risks in an organization. Complicated risks can be managed relatively easily—you simply follow the rules, laws or regulations that produce the desired outcomes. Complex risks however require a manager to manage. Furthermore, to repeat, they require management in a holistic and integrated manner. Thus the need for ERM.
Integrated risk management is not trivial. It is tough to do. That is why a flexible framework such as ERM is needed. A rigid framework is only effective for simple or complicated type risk issues. ERM thus requires managers to be constantly thinking, learning, and adapting. The complex nature of risk means that ERM is a dynamic and ongoing process. ERM is anything but a “set in motion and forget” type mode of operating.
Having the ERM goals fully integrated with the organization’s goals means that ERM is part of the organization’s competitive advantage. ERM is thus not seen as a cost or as a drag on the organization but instead as a strategic partner. ERM becomes a valuable tool that provides an organization with an edge in whatever competitive landscape it may find itself in.
A successful ERM implementation becomes part of the mindset of the firm. It is a mindset that affects the human resources policies of the firm, the training policies, the operating and sales policies and indeed the entire culture of the firm. The Hydro One Case Study illustrates an example of one company that made such a transition in mindset.
4 This section is based on Aabo, T., J.R.S. Fraser, and B.J. Simkins. 2005. “The rise and evolution of the Chief Risk Officer: enterprise risk management at Hydro One.” Journal of Applied Corporate Finance 17, no. 3, pp. 62–75.
5 Ibid.
Key Concepts
Throughout this book we will continually rely on a few key concepts that underlie ERM. The first key concept is that risk is something that can be, and indeed should be, managed. This sounds obvious, and the fact that you are this far into reading a book on risk management demonstrates that you too must hold this belief, but it is one that is not often acted upon. Many organizations believe that risk is something that should be avoided or eliminated whenever possible. If it can’t be eliminated then it is treated as some sort of drag or friction on the organization that must be tolerated as a cost of doing business.
Firms that have implemented a robust ERM process demonstrate instead that risk is something that can be managed, and furthermore can be managed for competitive advantage. Risk management is such a key
Concluding Thoughts
In a world where everything is in flux and the global stage is volatile, uncertain, complex and ambiguous, a flexible, holistic ERM system that is both vertically and horizontally integrated is integral to a corporation being able to meet its strategic goals.
Many organizations, most notably the United States military, are embracing the term VUCA. VUCA is an acronym for volatility, uncertainty, complexity, and ambiguity. ERM is ideally suited for an organization that believes in the VUCA concept, whether it has formally adopted it or not. VUCA seems the appropriate acronym for our times, and likewise, ERM seems like an appropriate system of thinking for our times.
Index
Action plans, managing risks, 34
Adopting ERM, 22–26
Avoided risk, 91
Barings Bank, 117–118
Barrick Gold, 92–93
Benefit Corporation, 104
BP Deep Water Horizon, 99
Burger King, 31
Case studies
  Barings Bank, 117–118
  Barrick Gold, 92–93
  BP Deep Water Horizon, 99
  Burger King, 31
  Cyber-Attacks of 2017, 31
  Hydro One Inc., 11–12, 16–17
  Johnson and Johnson (J&J), 33–34
  Long Term Capital Management (LTCM), 35–36
  Philadelphia Eagles, 2–3
  Proctor and Gamble (P&G), 46–47
  SCOR, 55–56
  TOMS, 105–106
  Transportation Security Administration (TSA), 94–95
  Wells Fargo, 112–113
Cash flow at risk (CFAR), 78
CFAR. See Cash flow at risk
Committee of Organizations of the Treadway Commission (COSO), 7, 27–29
Co-movement, 73–74
Complex risks, 10, 23
Compliance, 47–48
Complicated risks, 10, 23
Core risk, 92
COSO. See Committee of Organizations of the Treadway Commission
Culture risk, 69
Cyber-Attacks of 2017, 31
Delphi method, 80–81
Demographic risks, 66–67
EAR. See Earnings at risk
Earnings at risk (EAR), 78
Economic and market risks, 66
Emergence, 9
Empathy, 106–107
Enterprise risk management (ERM)
  adopting, 22–26
  advantages of, 15–19
  compliance and, 47–48
  deciding factors, 22–24
  definition of, 4–5
  description of, 1, ix
  disadvantages of, 19–22
  future of, 123–126
  governance and, 109–121
  as integral to organization, 10–11
  intended for, ix–x
  key concepts, 12–14
  philosophy, x–xii
  reasons for not implementing, 24–26
  rise of, 6–7
  social responsibility and, 97–107
Enterprise risk management framework
  action plans, managing risks, 34
  advantages and disadvantages, 29–30
  communicating results, 34–35
  description of, 27
  identify, measure, and prioritize risks, 34
  process to protect against risk complacency, 35–37
  setting objectives, 32, 45–46
Enterprise risk management implementation
  designing processes, 54–60
  importance of, 51–53