Many take the title of risk manager, but few actually practice all that is implicit in risk management. It's a strange, segregated world out there! For example, how many `risk managers' can identify GARP or PRMIA, much less count themselves as members? Who knows who John Graham is and why he is arguably the foremost proponent of risk management in the US today? How many have read the risk management publications of the Institute of Internal Auditors? Which ones are members of the Society for Risk Analysis? How many work for firms that are members of the Risk and Insurance Management Society? Who can describe the Basel Accords or explain the Precautionary Principle or IBNR?

Risk management today is a composite of many complementary disciplines, too many of which fail to make the slightest effort to let their members know what the others are doing. And that means that many so-called `risk managers' do much less than they should for their organisations.

To answer the questions above, GARP is the Global Association of Risk Professionals and PRMIA is the newly-formed Professional Risk Managers' International Association. John Graham is the former director of Harvard's Center for Risk Analysis, now serving as the US government's guru on risk analysis and risk management in the Office of Management and Budget. The IIA has in print three outstanding risk management publications, all of which should be required reading. The Society for Risk Analysis has represented global public policy risk managers since 1980. The Risk and Insurance Management Society, and its fellow organisations around the world, serve those who buy insurance. The Basel Accords, now in their second iteration, are suggested guidelines for the allocation of capital, based on various types of risks, for major financial institutions. Finally, the Precautionary Principle is one guide for current and proposed governmental risk regulations.

Is any one of these organisations better than the others? RIMS is too insurance-orientated. GARP and PRMIA are havens for quants. SRA is too often a lecture hall for public policy academics. IIA remains bounded by the constraints of auditing. Others, such as AIRMIC, the UK's insurance managers' group, and the Institute of Risk Management, also based in London, are moving beyond their natural turf. The Conference Board of Canada now has a separate council for Chief Risk Officers, those who actually practice integrated and strategic risk management. And groups in Australia and New Zealand have used their new risk management standards to create broader responsibilities.

Cross-fertilisation
We need more cross-fertilisation among risk management organisations, particularly at their annual conferences. Emergency planners, public policy risk analysts and financial modelers should speak to insurance buyers and safety specialist, and vice versa. Those interested in holistic, integrated, enterprise, business or strategic risk management - whatever name is applied - should have opportunities to hear all the voices of this discipline. And perhaps some day we will have one organisation representing the combined view.

Consider two of the new workbooks on broader risk management. Both reflect the growing consensus on the meaning, framework and potential benefits of a more holistic approach to risk. Both acknowledge the necessity of addressing both the up and downsides of risk. They are concise, clear and well-written, in contrast to many of the earlier tomes that litter the landscape. Add them to your risk manager's bookshelf.

The Secretariat of the Treasury Board of Canada provides a bilingual (French and English) contribution reflecting several years of work. Integrated Risk Management Framework aims to strengthen risk management practices in the public sector in Canada but is applicable worldwide. It emphasises four management commitments: citizen focus; values; results; and responsible spending, incorporating two elements that I have supported for some time - consultation and communication. At a time when citizens around the world are questioning the validity of big government, an eager audience should respond to the possibility that risk management can make government more affordable and effective. It defines three `critical concepts' - risk itself, risk management and integrated risk management. It sees risk as the `uncertainty of outcomes', being the common element in all current definitions. It acknowledges, however, that some sub-groups still address only unwanted or adverse consequences. It defines `risk management' as a `systematic approach to setting the best course of action under uncertainty by identifying, assessing, understanding, acting anon and communicating risk issues.' This is unnecessarily wordy, but it captures the essential idea. And it considers `integrated risk management' as a `continuous, proactive and systematic process to understand, manage and communicate risk from an organisation-wide perspective.'

The second booklet is Enterprise Risk Management: Trends and Emerging Practices. Its principal authors are Jerry Miccolis, Kevin Hively and Brian Merkley, of Tillinghast-Towers Perrin, with assistance from the Conference Board of Canada. The publisher is the Institute of Internal Auditors Research Foundation. The authors surveyed 130 senior officers of global profit-making organisations, mixing these results with a thorough literature review and personal interviews to create an overview of the current state of enterprise risk management (their term for the `integrated risk management' used by the Canadians). They developed a consensus set of `success factors' and added case studies of eight major corporations, two from Canada, two from the US, and one each from Germany, Australia, the UK and Switzerland. The authors see `risk' as `dealing with uncertainty' and enterprise risk management (ERM) as a `rigorous and co-ordinated approach to assessing and responding to all risks that affect the achievement of an organisation's strategic and financial objectives.' They cite primary motivating factors for ERM as the recent governance and standard initiatives in Australia, New Zealand, Canada, the UK, Germany, the Netherlands and the US (and now Japan, as of July 2001).

The authors identify two major approaches to ERM. One is measurement-driven and the other is process/control-driven. Both have weaknesses and strengths, and this work attempts a synthesis. They also report a discernible move towards a single co-ordinating executive for the process, the Chief Risk Officer (CRO). But the most valuable insights from this study are the success factors gleaned from the most progressive ERM programs:

  • strong and visible support from senior management;

  • a dedicated group of cross-functional staff to drive implementation and continuity;

  • close linkage of ERM to key financial and strategic objectives and processes;

  • ERM as an enhancement to existing processes rather than a new, stand-alone process;

  • importation of ideas from outside the organisation; and

  • proceeding incrementally, leveraging `early wins'.

    Yet what does a risk manager do? Last year, I developed the `Parable of the River' to try and explain how risk context affects risk decisions and the importance of both positive and negative consequences.

    Once upon a time, a man came to a river. It was a quarter-mile wide, with a fast-moving current in its centre, tumbling into dangerous rapids a mile just below his spot. His guidebook warned of piranha both upstream and downstream but not at his location. He could cross the river easily by walking ten miles downstream to a bridge. Should he swim across or take the bridge?

    Here is a classic case of decision-making under uncertainty. The man must weigh the potential rewards against potential penalties. Yet both rewards and penalties are contingent on his circumstances at a particular time. Consider three scenarios. One: he is on a leisurely vacation, with more than two weeks left. Two: he's at the end of his vacation, with two hours to catch a home-bound plane at the airport just over the river. The next flight is three days later. His boss will certainly dock his pay if he returns to work late and may even dismiss him. Three: he's just escaped from a local jail, where he was tortured and condemned to life imprisonment. He can hear the pursuing hounds baying in the distance. Across the river is another country, no extradition treaty and freedom. If he takes the bridge he will almost certainly be caught. His risk decision must be based on his balance of both reward and harm related to the particular time and circumstances. In the first scenario, he'll detour to the bridge. In the second, the bridge is a probable choice. In the third, there is no question that he must swim.

    What if this man had a corporate staff to advise him? Legal counsel notes that crossing to the other country other than by the bridge will constitute illegal entry. Arrest is certain if he swims. Internal audit argues that he should wait two days until proper controls can be put in place (double-checking for piranha, etc). Human resources is concerned about the potential loss of a key man. Safety panics: an injury, or worse yet death, would ruin the lost time record and bring in inspectors and regulators. The insurance manager reports good and bad news. The good news is that he's covered by workers' compensation and group life insurance. The bad news is that any injury or death would affect the loss-premium ratio, bringing higher premiums next year. He too advises against swimming. By focusing only on the downside, none of these `risk managers' clearly appreciates the whole picture.

    Corporate scenario
    Extend this parable to a corporate example. A company can invest in a new technology in a new country, guaranteeing a return on equity exceeding 100% for at least the next four years. But the new country (entirely hypothetical!) is prone to earthquakes where the plant must be built. Power outages are common every afternoon. And extremists oppose both the siting of the plant and its potential product. The country is highly litigious. Class action lawsuits are certain at the first sign of any product fault.

    A decision must be made immediately as competitors will establish themselves in less than a year if the company fails to act.

    Again the circumstances affect the decision. Scenario one: the company has reported a comfortable return on equity (ROE) of 12% for the past three years, its stock is steady, and strategists and external analysts consider its prospects good to excellent. Scenario two: the company's ROE is poor (less than 5% for the past three years), the shareholders and stock analysts are concerned, and some key people are leaving. Scenario three: the company has reported losses the past three years, cash will run out in less than two years, and it needs a quick and public turn-around to save itself and its jobs.

    In the first case, the company weighs the pros and cons and considers the new investment as a joint venture with another organisation. In the second, it might seek a merger with a larger company with more cash and a stronger bottom line. In the third, it will probably raise as much cash as it can and go for the risky investment. After all, it's somebody else's money!

    The moral to these two parables is that any decision made under uncertainty and risk must include the likelihood of both rewards and penalties, plus factor in timing and circumstances. Any risk decision that considers only one side of the equation, be it upside or downside, is incomplete and potentially damaging. To separate the positive rewards, tangible and intangible, from the potential penalties is not risk management.

    By H Felix Kloman
    H Felix Kloman is editor of Risk Management Reports, and a former risk management consultant. Portions of this article previously appeared in Risks Management Reports, June 2001, September 2001 and October 2001, and can be viewed at www.riskreports.com .

    Copies of Integrated Risk Management Framework are available from the Treasury Board of Canada Secretariat at www.tbs-sct.gc.ca or call 613-957-9654.

    Copies of Enterprise Risk Management: Trends and Emerging Practices are available from the IIA Research Foundation at www.theiia.org or call 407-830-7600.