Each week I am inundated with announcements of risk management conferences from Kuala Lumpur to Boston, from London to Los Angeles, run by associations, investment firms, insurance brokerages, banks, consultancies and professional conference-sponsoring organizations, among others. It’s a chaotic melange of the frankly commercial to the academic and abstract. How does anyone decide which, if any, to attend? For me it’s the track record.
Last year the Conference Board of Canada presented a particularly challenging conference on “Integrated Risk Management,” in Toronto, one that I summarized in the May 1998 issue of Risk Management Reports. So I decided to return to this year’s session in Chicago in early May. I wasn’t disappointed. It was as provocative as a year ago. As with the first conference, registrants heard speakers from all of the sub-disciplines of risk management. The title this year is indicative of a refreshing attitude toward risk: “Realizing the Rewards in Risk.” This theme was echoed in many of the presentations, perhaps most succinctly by Chris Luck, Head of Risk Assessment at Diageo, in London: “Effective risk management is designed to help people achieve their business objectives, and not to stop people from doing things.” This positivist approach to risk is an over-due contribution of the financial risk arena. Murray Corlett’s keynote address was easily the high point. The Executive Vice President of Toronto’s Royal Bank Financial Group, retiring this summer, suggested seven key words for understanding an “evolving and emerging discipline” and stimulating its growth within organizations:
(1) “Questioning:” Risk managers should be perpetual skeptics, unafraid to challenge conventional thinking, even that of senior management.
(2) “Unpredictability:” They should acknowledge and emphasize that uncertainty persists, despite all the tools at our disposal.
(3) “Ambiguity:” Easy answers do not exist: every proposed solution is ambiguous.
(4) “Decisive:” After considering the options, act, don’t shilly-shally. But beware confusion about correlation and causation. They are not the same.
(5) “Strategic:” Risk management is “anchored at the highest level,” and it must first address the strategic issues of the CEO and the Board.
(6) “Boundaries” are the “enemies of risk management.” Acknowledge that turf wars occur but that, in the end, risk management is multi-disciplinary. It blends specialties.
(7) “Behavior:” Building new and more creative reward and incentive systems will help solve the people element of risk management. Too many current incentives are counter-productive, witness the annual bonus systems that encourage short-term risk-taking.
These seven words, from one of the first chief risk officers, warrant serious review.
Financial institutions clearly lead the development of integrated risk management and the creation of CROs, but other organizations are beginning to follow. The Boeing Company is one. Deborah Hopkins, its SVP and CFO, fresh from initiating such a program at General Motors, described her new efforts at Boeing. Her keys: first, sell the idea internally; second, start with Board and CEO support; third, concentrate on the positive side of risk (the theme of the entire session); and last but not least, be prepared to answer the two universal questions of employees: “What’s in it for me?” and “How do I fit in?” Hopkins’ answers to these questions were, first, develop a direct connection between risk management and the remuneration system and, second, insist on “ownership” of risk at every level. She acknowledged, however, the serious problem of multiple “languages” of risk. As a solution she suggested adopting a new technology and learning infrastructure that uses the simple, fundamental formula: "Objectives + Risk - Control = Exposure.” This is an enterprise approach that incorporates planning, operational, and process risks, with their different terminologies. Boeing also uses a risk map, relating likelihood and impact, that ranks risks from “acceptable” to “caution” and “unacceptable.” Finally, she identified a CRO as the “right goal” for Boeing but acknowledged that it will probably take several years to accomplish. In the meantime, she, as CFO, acts as the “champion” for a broad risk perspective.
Another non-financial organization promoting an integrated form of risk management is Canada’s Hydro-Québec, a 100% government-owned, C$8 billion sales electrical generation and transmission utility. I first reported on this company in RMR in November 1998, and, at this conference, André-Richard Marcil, the Director, Control and Integrated Risk Management, provided a progress report. The proposal for a truly integrated program was approved by its Board in December 1997, when Marcil became its first Director. He manages all business risks, reports to the CFO and CEO on management efforts and, through them, to the Board on risk assessments. It is an opportunistic rather than a reactive effort to support and enhance the business plan.
He is the utility’s “champion,” using a top-down policy to drive bottom-up risk assessments. Risk management is at the center of the planning process for both five year strategic and one year budget plans. The five major “categories” of Hydro-Québec’s Business Risk Model include four conventional areas (competitiveness and business development; corporate organization and structure; corporate image; external factors) plus one less common: “protection of people and heritage.” “Heritage” acknowledges two unique considerations: the position of French-speaking Québec in Canada, and the position of the Inuits, Crees and other native tribes in the province. Like many other companies, Hydro-Québec uses a risk map based on “probability” and “impact,” plus a “risk evaluation format” that incorporates deterministic and stochastic approaches. The Board sets limits on risk and return, and the entire process is communicated to the organization, on a two-way basis, using an intranet, written materials, meetings, training, a databank, and research.
Marcil reports solid progress, in the less than two years that he has been at work, on the trio of goals set by the Board: (1) protect the continuity of the utility; (2) provide optimum management of risk, and (3) empower managers to manage risks. Representatives of the financial risk arena presented current ideas. One of the founders of GARP, the Global Association of Risk Professionals, Lev Borodovsky, of Credit Suisse First Boston, in New York, described major (and expensive) risk management efforts within financial institutions, aimed primarily at first integrating credit and market risk, and later operational risks. He suggested that, in the next five years, we will see a strong move toward greater risk disclosure (note the recent FAS 133 requiring disclosure of derivative information) and a move from more reactive risk measurement to proactive and efficient allocation and pricing of capital. Borodovsky also commented on the “risk language” problem: banks call it a “derivative loss,” while others refer to the cause as “fraud.”
Ron Dembo, the CEO of Toronto-based Algorithmics Inc., a provider of financial risk management software, and the co-author of Seeing Tomorrow, encouraged the use of scenario analyses to develop a “mark-to-future” paradigm that is dynamic, not static, comprehensible to non-mathematicians, and less dependent on econometric models and quantitative gurus. After the Long-Term Capital Management debacle, he has a point! He also plotted four “bubbles” in history: the 1929 stock market crash, the gold crash of 1980, the market crash of October 1997 and the Japanese market crash of 1990. He asked, but did not answer the question, “When the Internet Bubble bursts, will it make a sharp drop and then recover or die a slow death, like other bibles of the past?”
Tactical and practical efforts were presented by Jerry Miccolis, of Tillinghast-Towers Perrin, the consultancy that co-sponsored the event, Rich Inserra of Union Carbide and William Fealey of Estée Lauder. Each proposed a more limited initial focus on “shareholder” (as compared to “stakeholder”) value, but their respective approaches seemed to work for their organizations. Miccolis described a three-dimensional integrated risk management universe: risk sources; scope of operations and risk management processes. Fealey’s firm adopted a “fix it before it becomes a problem” attitude, using a series of in-depth internal interviews to generate “manageable” and “strategic” risks that were then assigned to a “Risk Oversight Group.” For Union Carbide, the Bhopal disaster keyed a variety of responses (its reaction is “never again!”), one of which is a more imaginative use of its captive insurance company for funding a broad range of internal risks.
I saw in many of the presentations a tendency to describe relatively limited efforts as “integrated risk management,” when in fact they were simply first steps toward a holistic approach. Perhaps this is to be expected as professionals in different sub-disciplines attempt to move beyond their own intellectual limits. It does, however, pose a problem in communications. Marrying a property and casualty insurance policy with some limited foreign exchange risk is hardly “integrating” risk management. To look at credit and market risks together is only a first step. What many of these organizations must guard against is thinking they have gone the whole way, when all they have done is dip an experimental toe in the water. These steps are important, but not to be confused with the ultimate goal.
At the base of the entire effort lies solid communication. Here is where modern information technology plays a major role. Scott Lange, the recently-retired risk manager for Microsoft and now Chief Information Officer for a new insurance and technology firm, InQuis Logic, summed it up: “Web technology is the best way to communicate risk management,” emphasizing that communication requires full-time, two-way discussion of a complex concept, with radically different personal perspectives, and difficult-to-understand metrics. The interactivity capability of new technical communication tools will undoubtedly stimulate the growth of risk management in all organizations.