Risk Management Reports

November 2002
Volume 29, Number 11

The IIA Enterprise Risk Management Conference 2002

“The purpose of risk management is NOT risk avoidance but knowing what risks are worth taking.” This observation from The World Bank’s Enrique Rueda-Sabater was one of many pithy comments drawn from this year’s Enterprise Risk Management and Control Self-Assessment conference, sponsored by the Institute of Internal Auditors. More than 400 registrants and speakers joined the two-and-a-half day session in Chicago, preceded and followed by workshops. It was one of the best on this topic that I’ve attended.

The question is no longer whether enterprise risk management (ERM) is worth considering. It now is, “how do we go about implementing the process?” This conference featured ten case studies, for organizations as varied as The World Bank, Harley-Davidson, Burlington Northern Santa Fe Railway, Duke Energy, Tennessee Valley Authority, Wal-Mart Stores, Caterpillar, Zions Bancorporation, Canada Post and Steelcase. Risk management goes beyond financial and energy companies. In the famous words of Arlo Guthrie’s song, “Alice’s Restaurant,” it is now a “movement.” Canada’s Tim Leech echoed this sentiment at this conference: “ERM is becoming a dominant trend.”

The opening session featured an all-too-familiar “motivational speaker,” whose name and platitudes shall remain anonymous, other than a memorable comment about an associate who was less than mentally gifted: “His grits aren’t on the center of the plate.” That’s a new metaphor, worth remembering!

The best case study featured Jim Brostowitz, the Vice President and Treasurer of Harley- Davidson, Pat Keller, his Director of Enterprise Risk Management, and Larry Baker, of consultant Ernst & Young. Harley-Davidson, a motorcycle manufacturer in the unusual position where demand exceeds supply, turned to Keller, an engineer as well as an MBA, to implement its new ERM program in January of 2001. The company expects to complete it by the end of 2004. Using the outline of E&Y’s RiskUniverse™, Keller and his team created a new Risk Management Framework that involves structure, culture & capability, strategy, technology, processes and governance. A CEO-designated group first completed a strategic risk assessment and an Infrastructure Blueprint, presented them to the company’s Leadership & Strategy Council and named the new Director, who heads an ERM Steering Committee and Task Force. For 2003, Harley-Davidson plans to pilot ERM in at least one business unit, to begin education of all employees, to complete risk assessments, to update the company’s Risk Scorecard (the now-familiar “spiderweb” first used in Australia in the late 1990s), and to provide on-going reports to the Leadership Council, the Board, and its Audit Committee.

Keller emphasized that the goal of ERM is not “to solve problems, but to facilitate and coordinate better solutions by others.” ERM’s objectives are to “grow values for stakeholders and strengthen the brand.” I also sensed that good humor and humility are equally necessary characteristics of the successful risk manager within this company. While ERM involves Internal Audit, it remains separate from it. As Keller explained, internal audit is essentially backward looking and focused on compliance and tactical responses. ERM tries to look forward as many as 15 years. It is proactive, actionoriented and strategic in its outlook.

Burlington Northern Santa Fe Railway presented a similar description of its progress toward ERM. BNSF is an unusual organization in that it controls property (its tracks) that is 100 feet wide and 33,000 miles long. It uses the same Ernst & Young model as Harley-Davidson, creating its own customized “Risk Universe™” and developing riskrating criteria for such areas as strategy, finance and knowledge. ERM at BNSF asks three questions:

  1. Are we taking the right risks?
  2. Are we taking the right amount of risks?
  3. Do we have the right processes to manage them?

The impetus for ERM at BNSF began with the CEO and CFO and led to Ken Kempker, the Vice President - Corporate Audit, accepting responsibility for implementing the new program, with the assistance of Dave Burr, BNSF’s AVP – Risk Management.

After listening to both these presentations, I had one reservation. Both started their risk assessments with senior officers: a top-down approach instead of the generally favored bottom-up analyses. Shouldn’t up-front and continuing risk analyses by operating and business units be top priorities for new ERM programs? Both have a three-year time frame for completion. Harley-Davidson’s plan, however, employs a strategic direction, in contrast to the more tactical approach of BNSF.

Some comments from other case studies at this IIA conference:

  1. Tennessee Valley Authority: Its VP and Chief Risk Officer, Kip Fox, cited “mistrust of financial information” as the top change in the business climate that is driving ERM. Four questions that stakeholders ask are: (1) what is the corporate threshold for pain? (2) Can risk finance put a floor on the range of potential outcomes? (3) How much risk capital is needed to support these risks? and (4) what is the optimum mixture of equity, debt and contingent capital to support the desired level of return on equity? TVA segments its program into risk control, counterparty & credit risk, insurance, pricing risk and product risk.
  2. Duke Energy: Rich Osborne, Duke’s EVP and Chief Risk Officer, adopted two core principles: (1) Awareness and Integration: that risk management is everybody’s business and that it must be integrated into the business, from strategic planning to operating controls, and (2) Clear and Timely Information: requiring intensive systems, clarity and consistency. He reports directly to the CEO. ERM and the naming of a CRO started with Duke’s CFO who served on the boards of banks that had already named CROs. To Duke, “managing risk is an approach to business.”
  3. World Bank: How does an organization that manages a $300 billion portfolio approach risk? It is already the elephant in its own right! It integrates its risk management process with its overall mission, “poverty reduction,” using four focal points:
    Financial Soundness
    Stakeholder Support (member governments, clients, partners and public opinion)
    Operational Efficiency
    Strategic Effectiveness

I heard favorable responses about this conference from many of the participants. Two of them, attending as a team, Deborah Luthi, Director, Risk Management Services, and John Gregg, Director, Controls and Accountability, from the University of California, Davis, commented: “One of our top ‘takeaways’ was to leverage and build upon past successes—don’t bill ERM as a new initiative. As the introduction of ERM at our institution is a collaborative effort between Controls & Accountability and Risk Management, this perspective offers the opportunity to leverage ERM as the maturation of the successful, but siloed, management of risk into an inclusive, integrated approach.” Deborah continued, “ . . . just as diversity of a community enriches the whole, so too do the diverse ways in which different risk disciplines approach the management of risk enhance the ultimate success of the ERM effort.”

I offer two final comments on this year’s IIA ERM meeting. First, the sludge of consultants’ jargon is beginning to ooze into the ERM vocabulary. Phrases such as “deliverables,” “embedding risk management,” “leveraging talents” and “deploying skills” are ready for burial. Try using some fresh words! Second, these meetings were delightfully almost commercial-free. True, IIA did have the support of several “sponsors” who were acknowledged at the opening sessions each day, and it also had a modest, nonintrusive exhibit area. Bit it was remarkably free of those intrusive sponsored breakfasts, lunches, dinners, coffee breaks, tote bags and the other heavy-handed paraphernalia of too many conferences.

The squid seller’s call
Mingles with the voice
Of the cuckoo.

A haiku by Basho, as translated by Robert Haas, The Essential Haiku, The Ecco
Press, Hopewell, New Jersey 1994

Copyright H. Felix Kloman and Seawrack Press, Inc.

Return to RMR Table of Contents
RiskINFO Home Page
Additional Topics This Month and Archives