Risk Management Reports

May, 1998
Volume 25, No. 5

Integrated Risk Management Conference
With all the talk in recent years of integrated or strategic risk management, few seminars or conferences have come close to addressing the subject on a truly holistic basis. Many use the term but regress to the specialties or knowledge of the sponsors or key speakers. The Conference Board of Canada has changed this. It conducted a one day conference on "Integrating Risk Management" in Toronto on March 26, 1998, setting the standard for breadth of content in future events worldwide.

Every presentation was thoughtful and challenging. Speakers and audience were representative of the multiple disciplines and nations involved in risk management: engineers, finance officers, consultants, academics, insurance risk managers, and accountants, coming from Canada, US, Australia, Switzerland and Germany. The brevity of the session (one day) attracted senior corporate and governmental decision-makers and proves the old adage that "less is more." Above all, the conference was run smoothly, in keeping with the reputation of the Conference Board. My only complaint was that the registration list did not include email addresses.

My other frustration as a registrant was that I could not participate in every break-out session: there were eight and I could attend only two. I did, however, collect materials from the sessions I missed.

Charles Barrett, Vice President, Business Research, Conference Board of Canada, led off with a "conceptual framework" for an organization's integrated risk management structure, using diagrams used by Barclays Bank (see RMR April 1997), Standard Chartered Bank (see RMR September 1996), Royal Bank Financial Group (see RMR December 1996) and Microsoft. A simple visual picture of "risk management" helps everyone understand the idea. Barrett also warned managers against becoming too enamored of quantification: "don't deny subjectivity." He concluded that the larger transnational organizations face unusual challenges in dealing with diverse cultures, challenges that are inherently subjective.

The second plenary session in the morning opened with Rick Anderson, Senior Vice President - Finance, of Canada's Noranda Inc. describing its "strategic risk management" plan. He acknowledged that, for this mining company, the process "reinforces our humility about the future." The key to Noranda lies in "integrating risk analysis with the Capital Allocation Process, related to international growth."

Using scenario planning, Noranda defined its risk categories in operational, market-financial, socio-political, technology, capital project and human resource areas. Of these, the socio-political and technological were less systematically identified and managed than the others. Anderson cited the recent example of a potential gold mine, near Yellowstone Park, in the US. Plans to develop the mine have been dropped because of unanticipated public antagonism. Noranda failed to consider the interests of all stakeholders when it announced its plans. "We were politically naive," he said. Noranda is now assessing a potential venture in Zambia, one it is approaching more cautiously because of the lessons learned in the US.

At Noranda operational and market-financial risks are plotted on a "risk map" measuring potential frequency and severity, and matrices are used to describe current mitigation measures and recommended improvements. His conclusion: "don't avoid risk: manage it!"

In the second plenary session, William Fealey, Risk Manager of The Estée Lauder Companies Inc., described a recently-completed company-wide risk review and adoption of a new "enterprise" risk management program. Working under the axiom that "brand reputation" is the company's foremost asset, the CFO, as the "champion" for the review, assigned a working team, led by the risk manager, that included audit and treasury representatives.

The "process" for Estée Lauder incorporates four steps: (1) Assess Risk (identify risk factors, prioritize them and profile risk opportunities), (2) Shape Risk (quantify effects, then contain and finance them), (3) Exploit Risk (analyze opportunities, develop plans, and implement them), and, (4) Keep Ahead (monitor changes and re-enter prior steps as necessary). I like this simple, yet complete, approach, especially No. 3, the idea of exploiting and taking advantage of risk. This step is often overlooked.

The Lauder team interviewed 36 senior managers, in concert with the company's external consultants, to define its "manageable" and "strategic" risks and to develop a balanced approach between over- control that could stifle initiative and over- leniency that could encourage "gambling." Fealey's "critical success factors" are important: (1) obtain the buy-in of the whole senior management team, (2) use a focused approach, (3) start with understanding the business, (4) try to be objective, and (5) "just do it . . . it's worth it!"

The Lauder approach was echoed in the last plenary session of the day, conducted by Jerry Miccolis, Tillinghast-Towers Perrin, who served as a consultant in the Lauder project. He suggested that "performance consistency typically explains 25% of the annual change in share value" and that "the market reacts to perceptions of how well risk is handled." This supports the importance of an integrated approach to all risks facing an organization. Miccolis sees two critical questions: "Is the risk more dangerous to competitors?" and "Can we manage the risk better than competitors?" These questions force risk management out of its traditional reactive and tactical responses into therealm of strategy.

The afternoon sessions were equally challenging. After much deliberation, I picked two of eight. I skipped presentations by Murray Corlett, the Executive Vice President, Risk Management, for Royal Bank Financial Group, since I had already talked with Murray and summarized his program in RMR, December 1996, and by Scott Lange, the Risk Manager at Microsoft, as I will be hearing first-hand more about his program this June in Seattle. I also missed a session on the Canadian "Criteria of Control" (CoCo) presented by Peter Jackson, of the Canadian Institute of Chartered Accountants. I will review this new approach to risk management later this year, in conjunction with its US counterpart, "Internal Control - Integrated Framework," developed by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission. Peter's organization will also publish this summer an issues paper, entitled "Risk Identification and Assessment," which I hope to include in my review.

Last year, the Global Association of Risk Professionals (GARP) named James Lam, Chief Risk Officer, Fidelity Investments, as its "Risk Manager of the Year." After listening to him, I understand the accolade. Lam defines risk as "an event that can result in financial or reputational loss or prevent achievement of business objectives." His categories include market, credit, operational, organizational, business and integrated risks.

Citing major recent risk events that ravaged Barings, Sumitomo, Orange County, Metallgesellschaft, Daiwa and Kidder, he described the lessons learned from them: (1) know your business (this echoes the earlier Lauder comment), (2) establish checks and balances, (3) set limits and boundaries, (4) keep your eye on the cash, (5) use the right yardstick, (6) pay for the performance that you want, and, finally (7) "balance the yin and the yang." The last comment emphasizes both "hard" and "soft" sides of risk management. The hard (yin) includes committees, policies & procedures, quantitative assessments, reporting, limits, audits and systems. The soft (yang) reflects awareness, people, skills, integrity, incentives, cultures, values, trust and communication. Both sides are essential to a sound program.

Lam illustrated his points with dramatic videotapes showing Nick Leeson of Barings explaining his trading in yen and Joseph Jett of Kidder describing his strip securities transactions. Both tapes are used in awareness training at Fidelity. He also uses a simplified "R.I.S.K." diagram : "R is for Return, I is for Immunization, S is for Systems, and K is for Knowledge." All four interact in Fidelity's system. Fidelity produces a "Monthly Risk Report" that shows Core Risk Measures, such as market-to-market P&L, VAR analysis, and trading errors, and Key Risk Trends, such as unreconciled items and other trouble indicators.

Lam described the new "continuous" approach of Fidelity that replaces the old disaggregated and accounting-based risk program:

o Integrated firm-wide risk management

o Market-based performance and risk measurement

o Risk-adjusted measurement

o Well-defined boundaries and limits

o Risk management as an integral business process

o Integrated systems and databases

o Incentives driven by risk/return performance

Two of Fidelity's Guiding Principles bear repeating:

o "We need to balance our business and control requirements because risk management is a necessary but insufficient requirement for success and survival," and,

o "Given that we must manage risk on an integrated basis -- across different risks, processes, business units and countries -- risk management is everyone's job."

Judi DeRosie, Senior Specialist, Risk Management, for NOVA Chemicals Ltd. described her company's "Integrated Risk Assessment Process" (see RMR, April 1998). NOVA started with its SHER risks, those treated by safety, health, environment, and risk management disciplines, creating a holistic view of them through a team approach incorporating corporate risk management (team leader), process safety, occupational safety & health, environment and industrial hygiene. As with many other companies, the process is scenario based. NOVA defines "acceptable risk" as a threshold for developing "ranked lists of risks." For example, a fatality once every 100,000 employee-working years is considered an "acceptable" risk. Once every 10,000 working-years requires "sensitivity analysis," while once every 1000 working years is "unacceptable." Detailed probabilistic risk assessments result in an overall comprehensive risk score calculated for each scenario, based on likelihood and potential severity across a broad range of consequences. The "overall risk score" is measured in "risk points per year."

NOVA has spent almost three years developing its IRAP and will expand it to include commodity, interest rate and currency risks in the near future. Here is an example of beginning with a company's core risk management strength to create an overall integrated program, just as financial institutions often begin with their more familiar credit and financial risks.

DeRosie noted that most "participants in the process are uncomfortable dealing with uncertainty." The keys to increasing that comfort level are based on changing corporate culture, enlisting senior management support, having an executive level "champion", and providing operating units and stakeholders early and continuous demonstrations of tangible results and benefits.

I collected papers and talked with the presenters of two sessions that I could not attend. Brian Kelly, Senior Risk Associate, Syncrude Canada Ltd., addressed the critical issue of building an internal culture in which risk management is "entrenched." It begins with an "emotional commitment" at the top, followed by a strategy of relating risk to business success, linking risk categories, introducing basic concepts, establishing acceptance criteria and introducing practical assessment tools. Risks and controls are then built into key plans and decisions and supported by audits and reviews. As with so many of the other speakers, Kelly re-emphasized the importance of looking at risk as a combination of problems and opportunities.

Michael Oswald, of Context Risk Management Australasia, should be well-known to readers of Risk Management Reports. I've often quoted him and commented on his innovative approaches. His presentation on strategic risk and value mapping underscored the importance of simplified graphics. He defines risk as "a measure of the possible volatility to outcomes defined by a perception of value." (I still prefer my briefer "deviation from expected" definition!) Oswald's key point is that "risk does not exist in a vacuum." He continues his personal search for a method of defining success for this elusive discipline. This has led him to use of a "spider web" form of risk-map on which four to eight "risks" can be measured in terms of aggregate consequence and degree of response. While inherently subjective, it does have the value of displaying both risk and response at a glance.

(see illustration: "CRMA™ Copyright All Rights Reserved")

Oswald concluded with three "payoffs" of effective risk management:

(1) Reduced abnormals and organizational surprises.

(2) Strategic plans road tested for risk and value issues.

(3) Corporate governance and management reporting becomes transparent and accountable.

Jerry Miccolis perhaps summarized the conference best: "risk management is a journey, not a destination." This one day in Toronto significantly expanded the on-going dialogue on our discipline.

A final observation: it was a session with no hospitality suites, no sponsored breakfasts, coffee breaks, or lunches, and no workbooks or other handouts supplied courtesy of one vendor or another. In short there was no puffery. We came to listen and learn, and we did.


Crisis, though painful, has much to commend it. High among its virtues is that it makes inertia all but impossible to sustain.

"A few more bangs, please," The Economist, April 4, 1998

New Perspective
That risk management can and should be refreshed by new perspectives goes without saying. I came across a challenging new definition on my Internet discussion group, RiskWeb, in late March. David Block, a practicing neurologist and physician in Milledgeville, Georgia, sees risk management as "an organic and integrated approach to an uncertain future, based on the experience of the past, modeled on the theories (including guesses, prayers, and lamentations) of the present." What does David do? He responded, "My practice is in peripheral neurology - musculoskeletal injury and peripheral nerve entrapment. I have always been more interested in how people adapt to injury and how they can be helped to adapt or see injury as an opportunity to look at things in a different way. . . . The concept of risk is so robust that I think it could provide a central metaphor for our society. I know this must sound farfetched and academic, but I think that, under the proper circumstances, one could approach the nature of risk in an historical time as an expression of societal assets, which in fact risk management is. . . . I do some work with local companies, but I have found -- understandably -- that, unless I can discuss the net present value of an investment in an ergonomic improvement along with ways of controlling and financing the risks everyone here faces, nobody will listen."

I agree with David's two points. Risk is indeed a metaphor for society. The response to uncertainty, individual and collective, has been a sustaining as well as a corrupting force in society since its inception. Peter Bernstein's Against the Gods, (RMR, January 1997) confirms this thesis. And we are indeed too concerned with the immediate financial implications of any action, disregarding the longer-term and more intangible repercussions. The bean-counters are in their ascendancy, but, I trust, not for long.

In the meantime, David Block is studying risk management and planning to work in this field along with a professor of operations research and an economist. Welcome to the fray! We need your perspectives!

(John Stuart Mill) demands that we accept uncertainty. He wants us to live . . .with the assumption that life is neither stationary nor easily understood. No single idea -- religious, economic, political -- will organize everything, interpret everything, unify everything. We're condemned to change and complexity, and only reason and debate will produce knowledge and even progress. How sexless, how unexciting. But what else is there?

David Denby, Great Books, Touchstone, New York 1996

Good Reading
Three recent articles are worth reading:

"A Conceptual Framework for Integrated Risk Management" was written by Lucy Nottingham, then with The Conference Board of Canada, now with Price Waterhouse, and published by the Conference Board in September 1997. It is a concise, four-page summary of current developments in a more integrated approach to the discipline. Nottingham sees it as an "emerging concept," one that starts with an organization-wide "risk framework, top-down support and a risk management champion." She echoes Lee Puschaver and Robert Eccles (see RMR January 1998) in emphasizing not only minimizing uncertainty but also maximizing opportunity. "Properly implemented," Nottingham writes, "integrated risk management is comprehensive and holistic, highlighting interrelationships between different business functions and operations. It is an anticipatory, proactive process that becomes a key part of the strategy and planning process." This brief and well-written paper (Members' Briefing No. 212-97) is worth distributing to senior management and the Board. Email the Conference Board at pubsales@conferenceboard.ca for copies.

"New Job Title: Chief Risk Officer," written by Russ Arensman, appeared in the March 1998 issue of Global Finance. In it he tracks the emergence of new, senior "corporate risk officers", in such organizations as GE Capital, Fidelity Investments (see the comments of Jim Lam, above), Lehman Brothers, Royal Bank Financial Group, American Electric Power, Textron, Microsoft and Siemens.

While the idea of a CRO, reporting directly to the CEO, remains in its infancy and subject to question by some observers, it seems to work in financial institutions, utilities and major transnationals. This piece echoes the earlier article entitled "In Pursuit of the Upside: The New Opportunity in Risk Management" by Lee Puschaver and Robert Eccles, in PW Review, Price Waterhouse, December 1996, as reported in RMR in January 1998.

"Enterprise Risk Management" was written by Robert Schneier and Jerry Miccolis, of Tillinghast-Towers Perrin and published in Strategy & Leadership, Vol. 26, No. 2, March-April 1998. It too addresses risk from a holistic view, with a strong focus on shareholder value. The authors define risk as "the possibility that something will go wrong to prevent the achievement of specific business objectives." While they acknowledge the opportunity and reward inherent in risk and risk decisions, their focus still appears to be more on the negative side. They separate risk into "manageable," those addressed in the normal course of business, and "strategic," those that require capital investment or changes in direction, plus quantification and modeling. The steps of "Enterprise Risk Management" (also outlined in the Estée Lauder presentation, above) fall under two major headings: Risk Scanning and Risk Shaping. The first includes infrastructure review, qualitative risk threshold assessment, preliminary risk definition, preliminary quantification, risk prioritization and strategy outline. Risk Shaping include modeling, risk quantification, organization change and risk financing.

The overall emphasis in each of these articles is the advent of a new approach to dealing with uncertainty.


A man's tongue is a glib and twisty thing . . .
plenty of words there are, all kinds at its command --
With all the room in the world for talk to range and stray.
And the sort you use is just the sort you'll hear.

Homer, The Iliad, translation by Robert Fagles, Penguin Books, New York 1990

Copyright 1998, by H. Felix Kloman and Seawrack Press, Inc.