Essentials of Enterprise Risk Management
Practical Concepts of ERM for General Managers

Rick Nason and Leslie Fleming


Essentials of Enterprise Risk Management: Practical Concepts of ERM for General Managers

Copyright © Business Expert Press, LLC, 2018.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means—electronic, mechanical, photocopy, recording, or any other except for brief quotations, not to exceed 400 words, without the prior permission of the publisher.

First published in 2018 by
Business Expert Press, LLC
222 East 46th Street, New York, NY 10017
www.businessexpertpress.com

ISBN-13: 978-1-94709-836-7 (paperback)
ISBN-13: 978-1-94709-837-4 (e-book)

Business Expert Press Finance and Financial Management Collection

Collection ISSN: 2331-0049 (print)
Collection ISSN: 2331-0057 (electronic)

Cover and interior design by Exeter Premedia Services Private Ltd., Chennai, India

First edition: 2018

10 9 8 7 6 5 4 3 2 1

Printed in the United States of America.


Abstract

Enterprise risk management has never been as topical as it currently is. The 2008 financial crisis, ever-present cyber-security threats, market volatility, increasing regulation, climate change, stakeholder activism, and changing workforce demographics are just a few of the factors creating a focus on enterprise risk management. This book lays out the basics of enterprise risk management for the general manager and provides readers with the concepts and tools to excel in the current dynamic risk management environment and to make risk management a value-adding activity within their organization.

This book has two major origins. The first is a series of executive workshops that one of the authors (RN) has been conducting for the last several years for a major Canadian-based financial institution. The second is an innovative and popular course on enterprise risk management that we have developed and continue to deliver for MBA students. The book reflects these two origins in that it both covers the current base of enterprise risk management knowledge and critically examines that base by exploring emerging risk management ideas and concepts.

The concept for this book is a common sense yet highly applicable approach to understanding the basic components of ERM and how they can be implemented by the general manager. This book, intended for general managers of all levels, boards of directors, students of risk management, and all others who need to be concerned about risk management and strategy, provides a solid base not only for understanding current best practice in risk management, but also for the conceptual tools needed to exploit emerging risk management technologies, metrics, regulations, and ideas. The central thesis is that enterprise risk management is a necessary value-adding activity that all types of organizations (public, private, and not-for-profit) can use for competitive advantage and maximum effectiveness. The book relies heavily on numerous examples to illustrate effective ERM practices and concepts.

Keywords

ambiguity, complexity, decision making, enterprise risk management, framework, governance, regulation, risk management, risk mitigation, strategic analysis, uncertainty, volatility
Contents

Introduction ix
Chapter 1 What Is ERM? 1
Chapter 2 Is ERM for You? 15
Chapter 3 ERM Frameworks 27
Chapter 4 Setting ERM Objectives 39
Chapter 5 Implementing ERM 51
Chapter 6 Measuring Risk 63
Chapter 7 Risk Management Responses 87
Chapter 8 ERM and Social Responsibility 97
Chapter 9 Governance and ERM 109
Chapter 10 The Future of ERM 123
Index 127
Introduction

What Is Enterprise Risk Management?

Simply put, enterprise risk management (ERM) is an integrated and holistic approach to risk management within an organization. That sounds quite basic, and it also sounds like it is simply common sense. Why then is there so much ado about ERM? Why is there a need for books and training seminars about ERM? Why is there a need for this book?

Although ERM is basic and common sense, the devil is in the details of design and implementation. Like many other books, this one covers the main concepts of ERM; the difference is its focus on practical design and practical implementation.

The overarching goal of ERM should be to make an organization more effective and efficient. That's it. Nothing more and nothing less. ERM should allow an organization to achieve its goals more easily and more often. A well-designed and well-implemented ERM should be a valuable and useful set of tools and processes for an organization. Sadly, however, our experience is that in many organizations it appears the organization exists for the purpose of the ERM system. In other words, the ERM tail is wagging the dog!

Who Is This Book Intended For?

This book is intended for all who are involved in the day-to-day operations of an organization—whether it is a for-profit company or a not-for-profit organization. Everyone who has some form of professional function can benefit from increasing their ERM intelligence. It is intended to be a straightforward, no-nonsense, jargon-free, and accessible guide for managers, board members, administrators, and organizational stakeholders such as shareholders, rating agencies, or even consumers.

Although not written in the style of a textbook, we believe the content is very well suited for a university course in risk management. In particular, the contents are especially well suited for an organizational workshop or training seminar on risk management. In fact, the origins of this book stem from a series of corporate training programs we have conducted over the last few years, as well as an executive master's level course in ERM that we have taught for the last decade.

This book is also meant to complement the two companion books, Rethinking Risk Management: Critically Examining Old Ideas and New Concepts, and Essentials of Financial Risk Management. Together, the three books give a comprehensive overview of the various aspects of organizational risk management.1

Our ERM Philosophy

As previously stated, our philosophy begins with the premise that ERM should be a valuable asset to the organization. It should not be an expensive and cumbersome-to-maintain bureaucracy that bogs the organization down in mounds of paperwork, reports, and needlessly confusing rules and regulations.

Following on from that, ERM must be practical and in scale with the operations of the organization. A multinational company is likely to have a very different amount of resources attached to the ERM function than the local community Little League administrators do. However, both can gain from suitably applying best practices of ERM.

Central to our thinking on ERM is the definition of risk. If you ask most people (particularly those who work in large organizations with a well-developed ERM system) what their definition of risk is, the response that you will get is along the lines of "risk is the possibility of something bad happening." We believe that definition is limiting and leads to a lot of ineffective and inefficient ERM practices. Our definition of risk is "the possibility that bad or good things may happen." It seems like such a minor change, but we have seen firsthand that it produces big changes in risk management outcomes. We will speak at length on this within the book, but for now it is important to consider the possibility that our definition allows ERM to do much more than prevent bad things from happening. Our definition means that ERM can also help good things happen.

1 Nason, R. 2017. Rethinking Risk Management: Critically Examining Old Ideas and New Concepts. Business Expert Press; Chard, B., and R. Nason. 2018 (Forthcoming). Essentials of Financial Risk Management. Business Expert Press.
This brings us to our definition of risk management. In many organizations that we deal with, the risk management function is often known as the "department of no!", or perhaps something even more derogatory. Our definition of risk management is "managing so as to increase the probability and magnitude of good things happening while also managing to decrease the probability and severity of bad things happening."

The final cornerstone of our philosophy of risk management is that all organizations exist to take risk. Without risk, there are no corporate profits. Without risk there is no Little League Baseball. Without risk there is no gardening club. Without risk there is no such thing as entrepreneurship. Without risk there are no multibillion dollar companies with global reach. Without risk an organization cannot make progress and evolve. Organizations exist to achieve tasks that involve risk. Given this, it makes sense that ERM should be fully integrated into the day-to-day activities of an organization; ERM should be part of the culture, and ERM should be an inherent part of the fundamental operations—no matter what form the organization takes. This does not mean that ERM should be intrusive—anything but! However, ERM should not be thought of as a separate activity or as a separate department. The whole of ERM should not be left to risk management specialists; instead, ERM should be part of everyone's function and mindset. ERM should be an integral part of everything an organization does, from strategy setting through to shipping of the final product or delivery of the service. ERM does not stand alone but is an integral part of any type of organization.

Before concluding this introductory section, it is incumbent on us to point out what is not part of our philosophy on ERM. First, we strongly believe that ERM is not regulation or compliance management—although that is the origin and the prevailing philosophy at many organizations. ERM is not compliance, and likewise compliance and auditing are not ERM. Compliance and auditing should never be mistaken for effective ERM.

We also believe that ERM is not a set of rigid rules and regulations—in fact, we will argue that in most cases the more flexible the ERM system, the more effective it is. We also believe that ERM is not something that you need specialized degrees or intensive multi-level certifications to be proficient at. In fact, many of the most ineffective ERM managers we know are also the most highly trained. Conversely, some of the most effective ERM managers have as their sole training a naturally developed common sense and a willingness to learn and try different tactics and strategies. Perhaps the best way of putting this is to use the words of Jeff Swystun, of Swystun Communications: "think playbooks, not rulebooks."

Finally, we believe that ERM should not be a center of "no," or "you can't do that." Instead, we believe that ERM should be an enabling center: a philosophy that, instead of saying "no!", works for the objectives of the organization and develops a plan of "how you can do it better in a more risk intelligent manner." This last philosophy is a hard one for many organizations, managers, and administrators to swallow. They are so accustomed to risk being a brake, when instead we believe that, when it is appropriate, ERM should be the accelerator. ERM should develop a risk culture that allows for and creates success. Success is a good thing (to borrow a phrase from a well-known lifestyle celebrity) and as such, ERM is also a "good thing."

Roadmap of the Book

We begin in Chapter 1 with an introduction to ERM and some of the key concepts of ERM. The key emphasis is on understanding how an organization's definition of risk and risk management can dramatically alter both how it views and how it implements an ERM strategy.

Chapter 2 discusses some guidelines for determining whether an organization should adopt an ERM process, and if so, the extent of the ERM process. While it is obvious that we have a bias toward organizations implementing some form of risk management, there is an appropriate level of risk management for each organization. Too much risk management can be just as detrimental as too little.

Chapter 3 looks at the various ERM frameworks that already exist and the key features that each of them has. Chapter 4 discusses the various objectives that a firm can adopt for its ERM strategy. Together, Chapters 3 and 4 provide the necessary elements for Chapter 5, where we discuss designing and implementing an ERM framework that is appropriate for your specific organization.

Chapter 6 reviews the various ways of identifying and measuring risk. In particular, the chapter focuses not only on the easier-to-measure quantitative risks, but also on the harder-to-measure but generally more important qualitative risks.

Chapter 7 explores the various ways that an organization can choose to respond to risk. Among the responses examined is embracing risk—a response that is typically not thought of when risk management is discussed.

Chapter 8 looks at the linkages between ERM and social responsibility, while Chapter 9 continues with the same theme to explore the relationship between good governance and ERM.

The final chapter, Chapter 10, is where we speculate about the future of risk management. In our opinion, risk management, and ERM in particular, is like a young adolescent: as a field it is mature enough to have some established principles, but still not experienced enough to have all of the answers. With advances in social media, big data, the Internet of Things, and even management practices, it is safe to assume that ERM as a profession will also produce significant advances in how it is both perceived and practiced.
CHAPTER 1

What Is ERM?

Defining enterprise risk management (ERM) is like defining what constitutes great art. In large part, ERM is in the eye of the beholder. For some organizations it is an overall operating procedure that covers almost all of the operating activities undertaken by the organization. For others it is simply a mindset of how to think about issues as they arise.

In this chapter, we will go through a couple of the different definitions and ways of thinking of ERM. In a nutshell, we believe that ERM is simply a way of doing business so that the management of the company is as efficient and as effective as possible in achieving its overall goals and objectives despite the plethora of risks, uncertainties, and challenges that arise or that may potentially arise. An ERM mindset both implicitly and explicitly recognizes that the strategies and plans of an organization are rarely, if ever, executed exactly as they are first envisioned. Risks force these changes. ERM explicitly acknowledges that a risk management plan is needed in addition to the operating plan to deal with the inevitable risks that will arise. The better an organization is at dealing with risk, the better the organization will be at achieving its goals and executing its plans. As President Eisenhower once said, "in preparing for battle I have always found that plans are useless, but planning is indispensable." ERM is what is applied to ensure that the plans do not become useless and that the organization's ultimate objectives are achieved as efficiently as possible.

Defining Risk

Let us start with a very basic question: what is risk? Generally, we think of risk as being the possibility of something bad happening. Risk is something that we want to avoid, and certainly not something that we want to covet. However, a more enlightened and useful definition of risk is "risk is the possibility that bad or good things may happen."

There are three elements to our proposed definition: an element of the future, uncertainty, and the fact that risk has both upside as well as downside components to it. Risk is about the future, and as we will see, risk management is about planning for future events. Unfortunately, the forward-looking aspect of risk is too often ignored, and organizations make the common mistake of managing the past—which they cannot alter—and forgo managing the future—over which they do have some level of control and manageability.

Uncertainty is the realization that we do not know what is going to happen. Uncertainty is that quality of risk that cannot be measured. It is the unknown unknowns. Although uncertainty cannot be predicted, it can be prepared for, and some might argue this is the primary reason that many organizations practice ERM. Good risk management may not prevent uncertainty, but it should help organizations better deal with it when uncertain events inevitably do occur.

Then there is the two-sided component of risk. Risk can be both positive and negative. This is a constant theme throughout this book, so we will not overextend the discussion here beyond the case study of the Philadelphia Eagles, Super Bowl LII champions. However, it is this third component of the definition of risk which we believe is central to the successful implementation of ERM.

Case Study: Philadelphia Eagles, Super Bowl LII Champions

Throughout most of the 2017 NFL season, the Philadelphia Eagles looked like they might have a shot at going deep into the playoffs, and potentially even to the Super Bowl. Their quarterback, Carson Wentz, was widely considered by many sports commentators to be the front-runner for the league's Most Valuable Player award despite being in just his second year of professional football. However, while the team was atop the standings as the season drew near to a close, disaster struck and Carson Wentz was out for the rest of the season as well as the playoffs with an injury. Backup Nick Foles had bounced around the league as a journeyman quarterback. Although he had a very successful season with the Philadelphia Eagles in 2013, and his quarterback rating was amongst the highest in the league, which in turn had him selected for the 2014 Pro Bowl, his career was far from impressive. After his 2013 season, Foles struggled somewhat and was traded a couple of times, seeing limited action as a backup quarterback. He even considered retiring from the game, but eventually he was traded back to the Philadelphia Eagles for the 2017 season.

Replacing the injured Wentz, Foles was able to win the final two games of the season, but he obviously was not playing to the standard of Wentz, and was a long way from having the kind of success he had in his 2013 season. At this point the coaching staff of the Philadelphia Eagles could have gone into downside risk mitigation mode and developed a game plan to minimize the weaknesses of Foles as a quarterback. Instead, however, they looked at the upside risk. To do so they examined the types of plays that had made Foles so successful as a quarterback in 2013. With minimal time left in the season, they revamped the playbook of the Eagles. The payoff was almost immediate, as in the first two playoff games Foles seemed to thrive with the new set of plays.

In the Super Bowl, the Eagles were up against the heavily favored New England Patriots and their storied quarterback Tom Brady. The odds makers, as well as most sports pundits, gave the Eagles virtually no chance of winning. However, the new set of plays that the Eagles coaching staff implemented worked to perfection, and Nick Foles had one of the best games ever in the Super Bowl for a quarterback and was named the Most Valuable Player of the game.

While this can be seen as a feel-good David and Goliath type sports story, it can also be viewed as a risk management case study in which the focus on the upside of risk can be as valuable as a focus on the downside. If the coaching staff of the Eagles had gone into downside risk mitigation mode instead of focusing on the upside risk, then it is quite likely that the story would have ended quite differently for Nick Foles and the Philadelphia Eagles.
Defining Risk Management

Before getting to a definition of ERM, perhaps it is wise to take a minute and examine what we mean by risk management, and then proceed to develop a definition for the more specific ERM. If the definition of risk as the possibility that bad or good things may happen is accepted, then the definition of risk management must be "the design and implementation of tools, tactics, and strategies that increase the probability and magnitude of good risks occurring while also decreasing the probability and severity of bad risks occurring."

Risk management does not necessarily mean avoiding or eliminating risk. Risk management means choosing the level of risk desired, choosing the responses to risk, and to a certain extent choosing the risks that the firm will encounter. Good risk management means that the firm will be able to prudently take on more risk and different types of risk than it would otherwise. As all types of organizations exist to take on risks, good risk management means that they can accomplish their objectives more effectively.

Defining ERM

To begin, perhaps it is easiest to cite the definition of ERM as proposed by the Committee of Sponsoring Organizations of the Treadway Commission, often better known as COSO. The COSO framework for ERM was first developed in 2004, and then extensively revised in 2017. It has become one of the benchmark frameworks for ERM and will be discussed at length in Chapter 3. The definition of ERM as provided by COSO is:

Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.1

1 Enterprise risk management—integrated framework: executive summary, Committee of Sponsoring Organizations of the Treadway Commission, September 2014.
There is a lot to unpack in this rather precise and lengthy definition. The first element is that ERM is a process. ERM is not a one-time exercise that magically solves all problems in one swoop. ERM is a continuous, ongoing activity.

The second major element is that ERM is an element of an organization's strategy. ERM is not an organizational silo, but is an integral part of the organization's strategy. A consistent and constant theme throughout this book will be that ERM exists first and foremost as a key component for the achievement of an organization's strategy and overall objectives.

Ultimately though, what makes ERM unique is that it is both a holistic as well as an integrated strategy for managing risk across an organization. ERM is holistic in that it covers the full range of risks that an organization is reasonably likely to face in the course of its operations. ERM is integrated in that risk is not managed in silos amongst the various units, but instead is managed from the viewpoint of the entire enterprise—thus the name ERM.

In particular, ERM takes into account the fact that risks are seldom isolated in their effect. Risks tend to have ripple effects across an organization, with spin-off effects and unintended and unforeseen consequences. ERM is an approach to risk management that explicitly acknowledges both the interconnectedness of risk as well as the fact that risk emerges in unforeseen ways. It is an approach that understands that risk is a complex phenomenon. ERM is an approach to dealing with risk that attempts to overcome the inefficiencies of managing risk in a set of separate silos for each component of an organization. ERM views an organization as a portfolio of risks. When risk is examined as a portfolio, then diversification, leverage, and feedback loops are viewed more realistically and productively.

Just as an organization has an overall strategy that guides its operational processes in a coordinated and consistent manner, ERM is an overall set of risk practices and principles that likewise guide the organization in terms of how it identifies, measures, and manages its risk processes. Admittedly, in large organizations there will usually be different divisional strategic tactics utilized based on the specific operations of a given division. Likewise, there will be unique risk management tactics employed by specific operational units of an organization. However, the key point is that ultimately the risk management is consistent throughout the organization and takes a systems view of risk.
The Rise of ERM

The corporate debacles of the 1990s were a major impetus for the rise of ERM. The defaults of Worldcom, Enron, and others led to stakeholders taking a serious look at why organizations fail, particularly organizations with the scale and scope of some of the major defaults of this era. Two critical changes in ERM came out of the 1990s fall of major organizations. Those changes were the Dey Report and SOX. The Dey Report, published in 1994, was a report by Peter Dey and the Toronto Stock Exchange. The report was an attempt to improve the corporate governance of Canadian corporations. The Dey Report focused on the implementation of three key areas that they felt were crucial to a healthy corporate governance culture. The first was a stronger board of directors which

allowed them to act independently of the management team to fulfill their mandate. The second was the board's role in choosing the CEO and their role in assessing the strategic goal of the company. Thirdly, they addressed issues that directors will face in corporations with shareholders.2

All of these began the groundwork for the role that a board now plays in the company. Like ERM, it is an active, not a passive, role.

The second major impetus for ERM was the Sarbanes-Oxley Act of 2002. The Enron scandal of 2002 prompted this act, which was passed into legislation by the U.S. government to protect shareholders and the public from accounting errors and fraudulent accounting practices, and to improve the disclosures that companies make. The principles introduced in the Sarbanes-Oxley Act created a set of measures that firms need to comply with, with the goal of improving their financial and operational reporting and in turn improving the relevancy, accuracy, and transparency of the public statements made to stakeholders. Many of the principles of the Sarbanes-Oxley Act were also the same principles for good ERM—although it is critically important to highlight that simply being in compliance with Sarbanes-Oxley does not necessarily mean that the company is practicing good ERM. However, the overlaps were significant, and thus many companies decided that if they were doing all of this upgrading of their analysis and reporting for Sarbanes-Oxley, they may as well go further and develop an effective ERM implementation. The Sarbanes-Oxley Act, often called simply SOX, will be discussed at more length in Chapter 4 when we discuss risk frameworks.

2 http://goodmans.ca/files/file/docs/cs120301.PDF

ERM implementation thus, for many organizations, grew out of compliance management. Following the legislation of SOX in particular, the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which was formed in 1985 to examine issues of financial reporting fraud, expanded its scope to examine ERM issues. The COSO committee, formed of a portfolio of industry experts from a variety of professions including finance, accounting, auditing, investing, and various industries, produced in 2004 the ERM—integrated framework. The COSO ERM integrated framework, along with the International Organization for Standardization (ISO) 31000 Risk Management: Principles and Guidelines report, produced in 2009, accelerated the movement for the adoption of ERM.

Integrated Risk Management and Complexity


Integrated risk management means that risk cannot be disaggregated.
Another way of putting this, is that risk management cannot be effec-
tively, nor efficiently, practiced using reductionist thinking. It is very rare
that you can isolate a risk and deal with that risk, and that risk alone.
Risks tend to be connected and complex.
To better appreciate the need for integrated risk management, it is
useful to take a moment and consider some of the findings from system
science.3 In systems thinking, it is useful to think of systems as being

3
 A more complete introduction to systems thinking and complexity can be
found in Nason, R. 2017. It’s Not Complicated: The Art and Science of Complex-
ity in Business. University of Toronto Press. The examples give to illustrate the
difference between simple, complicated and complex systems in this section
are from this book. See also, Chapter 3, “What is Complexity?” In Nason R.
2017. Rethinking Risk Management: Critically Examining Old Ideas and New
­Concepts. Business Experts Press.
8 Essentials of Enterprise Risk Management

s­imple, complicated, or complex. Each of these three types of systems


have distinctive characteristics, and as a result there are different implica-
tions of how they must be risk managed.
A simple system is one that can be managed by rules of thumb, or by
basic recipes or checklists. The two key characteristics of a simple system
is that they more or less follow a known set of rules, but the rules are not
robust; that is you do not need to be rigid in the following of the rules in
order to achieve desired outcomes. An example is making coffee; everyone
knows how to make a pot of coffee, and more or less does it the same way,
although everyone is slightly different in how much coffee they add to the
coffee filter and how much water they add.
Something that is complicated follows an exact set of rules and will
produce the exact same outcome every time the exact same process is
followed. Complicated things tend to follow the laws of science—gravity
being a commonly used example; dropping an apple means that it always
falls to the ground and not float in the air (assuming that one is not
in gravity-less environment like outer space). The fact that complicated
systems follow a given set of laws, rules or regulations, means that com-
plicated systems are processes that can be digitized or at least conceptually
operated by a computer or a robot. Chess for instance is a complicated
game, and computer chess has been around for several decades. A business
example is accounting, tax and payroll, which is subject to relatively rigid
accounting and wage-based rules. Since complicated processes follow well
known and fixed rules, it is relatively easy to automate such processes and
have them managed by a robot or a computer. Thus, we have accounting,
tax and payroll software that is replacing much of the need for human
intervention to operate complicated functions and tasks.
Although in common usage the words complex and complicated are frequently considered to be synonyms, in systems thinking they have quite different meanings and interpretations. In complex systems there are no laws, rules, or even rules of thumb that determine how things will turn out. Although outcome patterns may be observed, things that are complex produce outcomes that appear to be completely random and unpredictable. A classic example is a murmuration of starlings, in which a flock of birds flies in wonderfully majestic emerging patterns, dipping first one way and then another in randomly changing formations. In a business context, the stock market is an example of a complex system. There appear to be patterns in how stocks move in upward or downward trends, but such trends ultimately are random and unpredictable.
Complexity arises whenever there are agents (for instance people, employees, competitors, customers, etc.) who can connect (for instance at the office water cooler, through social media or traditional media, through advertising, at industry conventions, etc.) and who can adapt (change their mind, buy a different product, choose different friends, change organizations, etc.). When complexity exists, an outcome called emergence happens. Emergence is the process of the murmuration of starlings dashing first one way and then another as a flock in the sky; emergence is the booms and busts of the stock market; emergence is how certain products become fashionable and then just as quickly fall out of fashion.
Emergence is a key element of the operations of every organization, and indeed of every industry, every economy and even the global economy. Emergence is also a key element in risk management. Emergence explains why a small risk event often turns into a much larger risk event and why some major risk events fizzle to nothing at all.
Emergence is also one of the key reasons that organizations need to consider ERM as the preferred method for dealing with their risk management issues. In a complicated world, risk management issues can be isolated and dealt with individually. It is a reductionist way of operating. In a complicated world, risk would best be managed by a computer algorithm. When complexity is present, this reductionist way of thinking is no longer valid. Complex systems by their nature need to be managed holistically. In a complex system the whole is much more than, and quite different from, the sum of its parts. Thus, risk management is not a task for a computer but instead is a task for a thinking, creative and context-aware manager who can adapt to changing environments.
Managing an organization is ultimately about managing people. It is about managing employees, managing customers, managing suppliers, managing to react to the actions of competitors, managing financial stakeholders and managing a host of other interested parties such as regulators. People are complex. Thus, managing an organization is for the most part an exercise in complexity. If an organization were a complicated entity, then just like playing chess, a computer program could and should manage the organization. Indeed, parts of some organizations are complicated in their nature, and thus we have automated banking machines, self-serve kiosks and, of course, the increasing role of robot factories and self-driving vehicles.
People, however, are complex. We also conjecture that people are the root issue for the vast majority of risks in an organization. Complicated risks can be managed relatively easily—you simply follow the rules, laws or regulations that produce the desired outcomes. Complex risks, however, require a manager to manage them. Furthermore, to repeat, they require management in a holistic and integrated manner. Hence the need for ERM. Integrated risk management is not trivial. It is tough to do. That is why a flexible framework such as ERM is needed. A rigid framework is only effective for simple or complicated types of risk issues. ERM thus requires managers to be constantly thinking, learning, and adapting. The complex nature of risk means that ERM is a dynamic and ongoing process. ERM is anything but a “set in motion and forget” mode of operating.

ERM as Integral to an Organization


For organizations that successfully adopt ERM (and adoption of ERM does not automatically mean that it will be successful) there is an accompanying change in the organization’s way of thinking about and managing its risk. ERM as a way of managing risk becomes a part of not only the risk culture of the firm, but also the operational culture of the firm. Everything that the firm does under the adopted ERM framework, and the associated risk metrics, become as important targets to achieve as the sales targets or the production targets. ERM is not a separate department with its own separate set of functions but instead is an integral part of every department and all of their separate functions and processes.
Furthermore, and critically important, ERM becomes integrated into the strategy. Remember, the ultimate goal of ERM is to help an organization achieve its objectives. Thus ERM is an integral part of objective setting and strategic competitive advantage. Both the objectives and the strategy are set with ERM in mind. Likewise, the ERM function is completely answerable to the firm’s objectives and the implementation of the strategy.
Having the ERM goals fully integrated with the organization’s goals means that ERM is part of the organization’s competitive advantage. ERM is thus not seen as a cost or as a drag on the organization but instead as a strategic partner. ERM becomes a valuable tool that provides an organization with an edge in whatever competitive landscape it may find itself in.
A successful ERM implementation becomes part of the mindset of the firm. It is a mindset that affects the human resources policies of the firm, the training policies, the operating and sales policies and indeed the entire culture of the firm. The Hydro One case study illustrates one company that made such a transition in mindset.

Case Study: Hydro One


Hydro One Inc. (Hydro One) is the largest electricity delivery company in Ontario and one of the ten largest in North America.4 It has total assets of over $11.3 billion and approximately 4,000 employees. In 1999, ERM was introduced at Hydro One as a pilot project during the demerger of the previous Ontario Hydro. The Corporate Risk Management group, led by the Chief Risk Officer John Fraser, was given six months to prove its worth. They achieved this goal and are often seen as one of the “best practices” companies to follow.
The success of this pilot was due to several key elements of the program. The Corporate Risk Management group had buy-in from senior management. This set the stage for a corporate culture that demanded that:

Risk management is everyone’s responsibility, from the Board of Directors to individual employees. Each is expected to understand the risks that fall within the limits of their accountabilities and is expected to manage these risks within the approved risk tolerances.5

4 This section is based on Aabo, T., J.R.S. Fraser, and B.J. Simkins. 2005. “The Rise and Evolution of the Chief Risk Officer: Enterprise Risk Management at Hydro One.” Journal of Applied Corporate Finance 17, no. 3, pp. 62–75.
5 Ibid.
Not only did senior management buy in, but there were also workshops of managers from within the organization who used the Delphi Method, a facilitation method discussed in Chapter 6 that is used to discuss the most impactful risks of the organization. This helped to provide a more holistic view of the risks across the organization.
The second key element was that the program was put in place to help move the corporate strategy forward and to achieve the corporate goal. The pilot program put together the risks via the Delphi Method and workshops, the controls to manage the risks via tools such as feedback loops, and finally the monitoring and reviewing mechanisms, which were put in place to monitor risks (as we know they are not static) and to make any adjustments that are needed as the risks change.
The ERM framework that Hydro One implemented was a success. Hydro One is seen as one of the first successfully implemented ERM programs that views risk in its totality rather than in silos. With such a rapidly changing global environment, many elements of the Hydro One ERM system, including the Delphi Method, risk maps, risk tolerances, risk dashboard, risk controls, risk profiles, and risk ranking, have become ever more mainstream in many organizations.

Key Concepts
Throughout this book we will continually rely on a few key concepts that underlie ERM. The first key concept is that risk is something that can be, and indeed should be, managed. This sounds obvious, and the fact that you are this far into reading a book on risk management demonstrates that you too must hold this belief, but it is one that is not often acted upon. Many organizations believe that risk is something that should be avoided or eliminated whenever possible. If it can’t be eliminated, then it is treated as some sort of drag or friction on the organization that must be tolerated as a cost of doing business.
Firms that have implemented a robust ERM process demonstrate instead that risk is something that can be managed, and furthermore can be managed for competitive advantage. Risk management is such a key component of leading firms that risk management can almost be seen as management itself. Organizations at their most fundamental core exist to take on risk. It could be the risk of the unknown or the untried, or it could be the risk of whether or not a particular product or service will be profitable or even needed. Virtually every part of a valuable organization involves risk—again, if it did not, then we would be in a world where computers and robots ran everything. It is because things are risky, unknown, and complex that we have human managers. Risk is management, and management is risk management.
A second key tenet is that risk management is everyone’s responsibility and not just a task or a concern for the people directly involved in the risk management function. This is particularly true in the context of an organization that is employing ERM. The basis of ERM is that it permeates throughout the organization, and this will obviously not be the case if risk management is not seen as part of everyone’s role.
With many types of organizational issues, there is a question of whether they should be driven from the top down or from the bottom up. With ERM, risk management must be embraced by all parts of the organization. It is not an issue of risk management being top down or bottom up. Risk management must be embraced throughout. Obviously ERM should be embraced by the Board and by senior managers. However, it must also be organically embraced throughout the organization.
Too often risk management is something that is forced on various parts of an organization. In part this may be because of regulatory issues, management by the fad of the month, or an overly zealous consulting report. Buy-in from all parts of the organization is critical. The good news is that properly implemented ERM should be welcomed by virtually all stakeholders of an organization.
A third key tenet is that ERM is a value-added function. Implementing an ERM system does indeed involve cost, time, and effort. However, the advantages, in terms of economics, of operational efficiency, of better and safer use of resources, and of aiding the organization in achieving its strategic objectives, must be present and clearly visible. If ERM is not adding value to all of these components of the organization, then it should be dropped in favor of some other method of managing risk.
The important point is that if ERM is not going to be value-added, or if it is not going to improve the efficiency with which an organization achieves its objectives, then ERM should not be implemented. ERM as a process should be used wherever and whenever it is appropriate, and likewise should not be implemented whenever it is not going to be appropriate. This is a point that will be discussed at length in the next chapter.

Concluding Thoughts
In a world where everything is in flux and the global stage is volatile, uncertain, complex and ambiguous, a flexible, holistic ERM system that is both vertically and horizontally integrated is integral to a corporation being able to meet its strategic goals.
Many organizations, most notably the United States military, are embracing the term VUCA. VUCA is an acronym for volatility, uncertainty, complexity, and ambiguity. ERM is ideally suited for an organization that believes in the VUCA concept, whether they have formally adopted it or not. VUCA seems the appropriate acronym for our times, and likewise, ERM seems like an appropriate system of thinking for our times.
Index

Action plans, managing risks, 34
Adopting ERM, 22–26
Avoided risk, 91

Barings Bank, 117–118
Barrick Gold, 92–93
Benefit Corporation, 104
BP Deep Water Horizon, 99
Burger King, 31

Case studies
  Barings Bank, 117–118
  Barrick Gold, 92–93
  BP Deep Water Horizon, 99
  Burger King, 31
  Cyber-Attacks of 2017, 31
  Hydro One Inc., 11–12, 16–17
  Johnson and Johnson (J&J), 33–34
  Long Term Capital Management (LTCM), 35–36
  Philadelphia Eagles, 2–3
  Proctor and Gamble (P&G), 46–47
  SCOR, 55–56
  TOMS, 105–106
  Transportation Security Administration (TSA), 94–95
  Wells Fargo, 112–113
Cash flow at risk (CFAR), 78
CFAR. See Cash flow at risk
Committee of Organizations of the Treadway Commission (COSO), 7, 27–29
Co-movement, 73–74
Complex risks, 10, 23
Compliance, 47–48
Complicated risks, 10, 23
Core risk, 92
COSO. See Committee of Organizations of the Treadway Commission
Culture risk, 69
Cyber-Attacks of 2017, 31

Delphi method, 80–81
Demographic risks, 66–67

EAR. See Earnings at risk
Earnings at risk (EAR), 78
Economic and market risks, 66
Emergence, 9
Empathy, 106–107
Enterprise risk management (ERM)
  adopting, 22–26
  advantages of, 15–19
  compliance and, 47–48
  deciding factors, 22–24
  definition of, 4–5
  description of, 1, ix
  disadvantages of, 19–22
  future of, 123–126
  governance and, 109–121
  as integral to organization, 10–11
  intended for, ix–x
  key concepts, 12–14
  philosophy, x–xii
  reasons for not implementing, 24–26
  rise of, 6–7
  social responsibility and, 97–107
Enterprise risk management framework
  action plans, managing risks, 34
  advantages and disadvantages, 29–30
  communicating results, 34–35
  description of, 27
  identify, measure, and prioritize risks, 34
  process to protect against risk complacency, 35–37
  setting objectives, 32, 45–46
Enterprise risk management implementation
  designing processes, 54–60
  importance of, 51–53
  internal challenges of, 51
  setting objectives, 54
  training, 59
ERM. See Enterprise risk management
External risks, 65–66, 67

Governance
  Board and, 110–117
  definition of, 109–110
  enterprise risk management and, 109–121
  middle management, 118–120
  regulators, 120–121
  senior management, 110–117

Hydro One Inc., 11–12, 16–17

Integrated risk management, 7–10
Internal financial risks, 68
Internal risks, 65, 67
International Organization for Standardization Standard 31000 (ISO 31000), 27–29
Internet of things, 124
ISO 31000. See International Organization for Standardization Standard 31000

Johnson and Johnson (J&J), 33–34

Long Term Capital Management (LTCM), 35–36

Mitigating risk, 91
Monte Carlo simulation, 76–77

Negative semi-standard deviation, 73

Operational risks, 67
Organizational culture, 69
Organizational learning, 60

People risk, 68
Philadelphia Eagles, 2–3
Political risk, 66
Positive semi-standard deviation, 73
Prediction markets, 81–82
Process risk, 67
Proctor and Gamble (P&G), 46–47

Qualitative risk measurement
  Delphi method, 80–81
  description of, 79–80
  prediction markets, 81–82
  risk survey, 80
Quantitative risk measurement
  cash flow at risk, 78
  co-movement and variables, 73–74
  earnings at risk, 78
  Monte Carlo simulation, 76–77
  regression analysis and models, 75–76
  semi-standard deviation, 72–73
  standard deviation, 70–72
  value at risk, 77–79

Regression analysis, 75–76
Regression equation, 75
Regression models, 76
Regulators, 120–121
Risk
  complex, 10, 23
  complicated, 10, 23
  core, 92
  definition of, 1–2, 39–42
  governance of choice, 93
  importance of, 42–43
  types, 65–69
Risk appetite, 88
Risk bang for the buck, 93–95
Risk dashboard, 55–56, 58
Risk homeostasis, 35
Risk management
  definition of, 4, 44–45
  integrated, 7–10
  objectives, 87
Risk maps, 82–84, 88–90
Risk measurement
  importance of, 63–65
  qualitative, 79–82
  quantitative, 70–79
Risk mitigation, 91
Risk response range, 90–91
Risk survey, 80
Risk tolerance, 88

Sarbanes-Oxley Act, 6–7, 25
SCOR, 55–56
Semi-standard deviation, 72–73
Social responsibility
  description of, 97–98, 100
  empathy, 106–107
  enterprise risk management, 97–107
  risk management strategy, 100–104
  triple bottom line, 104–106
Stakeholders, 23–24, 64
Standard deviation, 70–72
Strategic risk, 69

TBL. See Triple bottom line
Technological risk, 67
TOMS, 105–106
Training, 59
Transportation Security Administration (TSA), 94–95
Triple bottom line (TBL), 104–106

Value at risk (VAR), 77–79
VAR. See Value at risk
Variables, 73–74
Volatility, uncertainty, complexity, and ambiguity (VUCA), 14
VUCA. See Volatility, uncertainty, complexity, and ambiguity

Wells Fargo, 112–113
