Risk Management Reports

May, 2003
Volume 30, No. 5
Enterprise Risk Management: Past, Present and Future

This is a paper that I first presented to a meeting of the Institute of Internal Auditors, in September 2002. I later used it in revised versions in Stockholm in November 2002 to the NORD RM Conference and in New York in March 2003 to the Annual Conference of the National Association of Commercial Contract Managers. My readers will recognize many of the ideas, as most of them appeared in these pages over the past few years. It is a summary of my current thinking.

Introduction Publications, conferences, organizations and vendors constantly trumpet the phrase “enterprise risk management” as if it is the Second Coming or the next great thing since the Internet. Is it a passing fad or can it address some of the pervasive ills that have infected our organizations over the past decade? Do we need the adjective “enterprise” or any of its sister phrases, such as “integrated,” “business,” “holistic,” or “strategic” (which I confess to using)? Isn’t all this simply “risk management?” I believe our discipline is important but we must bring it back into perspective. One way to do that is to retrace its historical roots before considering its current posture and where it is likely to lead us. My first step is a short walk through history. Then I describe where we are now, and, finally, I offer some thoughts for the future, as we address three critical management issues.

For me, two authors frame our discussion, pointing out a remarkable paradox.

Anthony Storr, in his 1966 study of saints, sinners, madmen and gurus, Feet of Clay, wrote that doubt and uncertainty “are distressing conditions from which men and women passionately desire release . . . . As a species, we are intolerant of chaos and have a strong predilection for finding and inventing order . . . . Certainty is hugely seductive.” The human condition does not like uncertainty.

We should like it, however. The Nobel laureate physicist Richard Feynman countered that “it is in the admission of ignorance and the admission of uncertainty that there is hope for the continuous motion of human beings in some direction that doesn’t get confined, permanently blocked, as it has so many times before in various periods in the history of man.” Progress is dependent on taking risk.

Uncertainty is a human paradox: we fear it but need it! In the past century most corporate, nonprofit and governmental analyses of and responses to both uncertainty and risk were conducted on a fragmented basis. We focused primarily on specific fears and harmful events, looking only at the negative sides of risk to the exclusion of possible benefits. We responded too often to those who had something to sell, financially or politically.

In the future we will look at risks affecting the whole of an organization and its place in the community. We will address both upside and downside consequences and our view will be enterprise-wide, integrated and holistic. The result will be a more intelligent balance between potential benefits and harms. We will increase the confidence of stakeholders in our organizations and make them more resilient in a day and age of increased uncertainty. This is the real goal of risk management.

Where Have We Come From? Human history is a record of attempts to understand unexpected events. Floods, storms, lightning bolts on the one hand, and success in battle and love on the other were all attributed to either the gods or Fate. To avoid misfortune and gain success, men and women prayed to and propitiated gods, singular or plural, including the sacrifice of human beings. Overwhelming uncertainty was the primary fact of life. Later, as we began to keep oral or written histories, we found that some events occur within a pattern. Using this knowledge we built reserves to tide us over when misfortune struck. Farmers allowed their lands to lie fallow once every seven years and took advantage of spring floods. As commerce developed throughout the Mediterranean Sea, shippers wisely split their goods among several vessels to reduce the chance of total loss from weather, pirates or Sirens. Men learned to challenge uncertainty and to determine the causes, other than heavenly wrath, of various misfortunes. They began to create measurable risk from immeasurable uncertainty. This, as Feynman points out, is the essence of humanity: the quest for the new even as we try and explain the old. 

Peter Bernstein’s Against the Gods: The Remarkable Story of Risk is the best chronicle of our centuries-old progress from reliance on the gods to the transformation of some uncertainty into “risk,” through the application of experience, numbers and probability. 

He writes: “The revolutionary idea that defines the boundary between modern times and the past is the mastery of risk: the notion that the future is more than a whim of the gods and that men and women are not passive before nature. Until human beings discovered a way across that boundary, the future was a mirror of the past or a murky domain of oracles and soothsayers who held a monopoly over knowledge of anticipated events.”

Bernstein describes the efforts of well-known trailbreakers such as Pascal, Fermat, Edward Lloyd, Bernoulli, Bayes, and Bentham. He also introduces us to many lessknown names such as Pisano (Arabic numerals), Cardano (probabilities of dice), John Graunt (statistical tables), Abraham de Moivre (the “bell” curve and standard deviation), and Francis Galton (regression to the mean).

But it was the 20th century in which we made the most progress in measuring and understanding risk. Here are some of the milestones: 

Otto von Bismarck introduced social security and workers’ compensation in Germany in the late 1800s, from which these ideas spread to Europe and the United States in the early 1900s

Frank Knight’s Risk, Uncertainty & Profit (1921) celebrated the prevalence of surprise and separated risk from uncertainty. He cautioned against overreliance on extrapolating the past into the future.

John Maynard Keynes’ Treatise on Probability (1921) cited the importance of perception and introduced us to the Law of Great Numbers.

Von Neumann and Morgenstern (1926 and 1953) created the theory of games and strategy and suggested that the goal of not losing is often superior to that of winning.

Markowitz (1952) developed portfolio analysis, including new aspects of returns and variances.

We formed new associations representing students and practitioners of the discipline, including the Risk & Insurance Management Society (1975), followed by counterparts in Europe, South America, Africa and Asia, the Society for Risk Analysis (1980), London’s Institute of Risk Management (1986), the Global Association of Risk Professionals (1996), and the Professional Risk Managers International Association (2002). Older organizations, such as the Institute of Internal Auditors, and the Risk Management Association (formerly Robert Morris Associates), incorporated risk management within their mandates.

Gustav Hamilton, of Sweden’s Statsforetag, created in 1974 a “risk management circle” that first described the interaction and integration of all the elements of the process.

Daniel Kahneman and Amos Tversky published their “prospect theory” in 1979, demonstrating that human nature can be perversely irrational, especially in the face of risk, and that the fear of loss often trumps the hope of gain.

The “Precautionary Principle,” an idea that first surfaced in Sweden in 1969, was embodied in the UN World Charter for Nature in 1982.

In 1983, Bill Ruckelshaus, Director of EPA, gave his seminal speech, “Science, Risk and Public Policy” at National Academy of Sciences, bringing risk analysis to center stage in government and public policy circles.

Beginning in the mid-1980s, national commissions created new standards and guidelines on risk: the Treadway Commission in the US, that led to the COSO guidelines (1987), the Cadbury Commission (and following Hempel and Turnbull Commissions) in the UK (1992), the Australian/New Zealand Risk Management Standard – the first in the world (1995), followed by Canada (1997) and Japan (1997) and the UK (2001 and 2002).

Where Are We Now? Risk management in 2003 is recognized as an integral part of sound management. It is taught worldwide in more than 100 universities and graduate schools. Yet, because of the continuing inability or unwillingness of many of its practitioners in the separate sub-disciplines to communicate with each other, we lack a common understanding of its meaning.

The word “risk” itself is subject to several interpretations. It can mean “chance of loss,” a physical property that is insured, or “a measure of the possibility of unexpected outcomes,” the definition that I prefer. The safety, public policy and insurance communities continue to use risk in its limited, negative sense, while financial practitioners see it in its larger sense, encompassing both upside and downside consequences. The International Standards Organization now defines risk as “the combination of the probability of an event and its consequence,” noting that “consequence may be either positive or negative.” ISO adds a footnote suggesting that, “in some situations, risk is a deviation from the expected.” This is a major step forward.

John Adams, in his 1995 book Risk, sees it as a cultural construct that “illuminates a world of plural rationalities.” Risk, to him, is a “balancing act” in which the actors “balance the expected rewards of their actions against the perceived costs of failure” in a world in which expectations and perceptions are constantly changing, in large measure as a result of our multiple responses. 

However we define “risk,” “risk management” is our discipline for dealing with uncertainty. According to Peter Bernstein, “the essence of risk management lies in maximizing the areas where we have some control over the outcome, while minimizing the areas where we have absolutely no control over the outcomes and the linkage between effect and cause is hidden from us.” 

Over the years the process of risk management has been encrusted with many overlapping steps, complicating what should be simple. The process has two easily remembered steps: Risk Analysis and Risk Response. Risk Analysis includes identification of possible unexpected events, their measurement in terms of likelihood, consequences, and public perceptions, and their assessment in terms of an organization’s objectives. Risk Response encompasses the controls adopted to balance risk, measuring and monitoring performance, and communication with stakeholders. The discipline answers the questions “what could happen?” and “what should we do about it?” 

Current problems include the often conflicting and confusing “languages” of different practitioners, many of whom are intent on protecting their own traditional “turf,” such as derivatives, the environment, health and safety, security, contingency planning or insurance. This inevitably leads to a continued interest in tactical, rather than strategic, responses to risk (buying liability or property insurance; managing currency and interest hedges; reducing employee injuries; protecting environmental resources, etc.) But who is watching the entire store? Cross-turf problems such as the recent examples of outrageous executive compensation and perks, excessively compliant accounting, governance riddled with conflicts of interest, and the failure to communicate intelligently with stakeholders call for a more integrated approach to risk management.

New public accounting and stock exchange guidelines from such diverse areas as North America, the UK, Germany, India and Malaysia, plus new laws (Sarbanes-Oxley in the US) create altered responsibilities for governing boards. They must now assure themselves of the depth of risk analyses and the scope of responses. 

This in turn stimulated a new executive position in many corporations, the Chief Risk Officer. James Lam created this new responsibility, first at GE Capital in 1993 and later at Fidelity Investments. CROs are now found today in more than 150 major corporations. In addition, in the absence of any group leading enterprise risk management, the internal auditing profession moved into this vacuum, suggesting that its members help create the function. The Institute of Internal Auditors has published  several intelligent and practical monographs on the process, conducted numerous global conferences and stimulated new training such as Control Self-Assessment (CSA). It is a natural role for internal auditors, who generally report to both the CEO and the governing board. A question remains, however. Does the practice of risk management conflict with the traditional requirement for auditor independence?

Despite these current problems, I see a growing consensus on the critical steps in risk management:

Board and senior management commitment

Broad view of risk encompassing both reward and penalty

Common framework for the integrated analysis of all risks

Single independent leader or coordinator for the process

Bottom-up risk assessments, continuing periodically

Necessity for clear and timely data

Two-way communication with key stakeholders (this is the most often overlooked aspect of today’s risk management)

Goal: to build and maintain stakeholder confidence through improving stakeholder “value,” creating a healthy internal risk culture 

Where Are We Going? I believe that risk management will become a critical part of strategic planning. While the sub-disciplines of finance, safety, public policy, insurance, and security, etc. will be tactically linked, they will be coordinated so that an organization can reach its overall goal of creating and maintaining public confidence. Given that we can never anticipate all possible outcomes in an increasingly volatile world, contingency or business continuity planning will become a major responsibility of the senior risk officer. Finally, organizations will acknowledge that risk management is not the privileged province of specialists but the responsibility of all employees. Risk management will become part of the organization’s culture.

The greatest area of change will be improvement in communication with stakeholder groups, including employees, customers, suppliers, lenders, investors, regulators, communities and the public at large. It is now risk management’s weakest link. When we should communicate? How do we do it? How do we create a two-way dialogue?

In addition, risk management can help organizations solve three major current and future issues:

 Credibility: the events of 2001 and 2002, affecting governments, nonprofits and for-profit corporations alike, demand new steps to re-establish stakeholder confidence.

Resilience: today our organizations are even more vulnerable to the unexpected. How should they prepare? Can they react and survive? Is it time to re-create the idea of redundancies?

Perspective: for too many years corporations, particularly in the developed world, fostered the illusion that an emphasis on short-term results will satisfy their stakeholders. It hasn’t worked. We now need to restore the long view and alter organizational culture accordingly.

Why not re-phrase René Descartes’ cogito ergo sum - “I think, therefore I am?” to periclitor ergo sum - “ I risk, therefore I am.” Taking risk is the defining element in human existence. We should relish, not avoid it; balance, not eliminate it.

Conclusions: Risk management remains a developing discipline, even as it expands to encompass the entire enterprise. It embodies the basic caution that we can never know the future. We can only prepare for it more intelligently. As Steve Hagen concluded in Buddhism – Plain and Simple (Charles E. Tuttle, Boston 1997): “Underneath the ground of our beliefs, opinions and concepts is a boundless sea of uncertainty.” Risk management is the fragile vessel on which we sail this boundless sea. Certainty is always beyond our grasp. 

I’ve been involved with risk management since the mid-1960s, and I admit to a degree of proximity that distorts my own perspective. So I close with two haiku that suggest that my views should be treated with some degree of skepticism and caution. 

First, from the poet Basho: 

A cicada shell;
It sang itself
Utterly away

Or, as J. W. Hackett expressed it in another haiku:

Another sermon—
Wafting through words without end,
The smell of coffee!

Yes, freedom is that space in which contradiction can reign; it is a never-ending debate.

Salman Rushdie, Step Across This Line, Random House, New York 2002

Copyright 2003, by H. Felix Kloman and Seawrack Press, Inc.

Return to RMR Table of Contents
RiskINFO Home Page
Additional Topics This Month and Archives