
FUNDAMENTALS OF NTERPRISE



FUNDAMENTALS OF

ENTERPRISE RISK MANAGEMENT

Second Edition

American Management Association • www.amanet.org


FUNDAMENTALS OF

ENTERPRISE RISK MANAGEMENT

How Top Companies Assess Risk, Manage Exposure, and Seize Opportunity

Second Edition

John J. Hampton

American Management Association
New York • Atlanta • Brussels • Chicago • Mexico City • San Francisco • Shanghai • Tokyo • Toronto • Washington, D.C.


This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the services of a competent professional person should be sought.

Library of Congress Cataloging-in-Publication Data
Hampton, John J.
Fundamentals of enterprise risk management: how top companies assess risk, manage exposure, and seize opportunity / John J. Hampton.—Second edition.
pages cm
Includes bibliographical references and index.
ISBN-13: 978-0-8144-4903-5 (alk. paper)
ISBN-10: 0-8144-4903-4 (alk. paper)
ISBN-13: 978-0-8144-4904-2 (ebook)
ISBN-10: 0-8144-4904-2 (ebook)
1. Corporations—Finance. 2. Risk assessment. 3. Risk management. I. Title.
HG4026.H274 2015
658.15’5—dc23 2014009521

© 2015 John J. Hampton. All rights reserved. Printed in the United States of America.

This publication may not be reproduced, stored in a retrieval system, or transmitted in whole or in part, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of AMACOM, a division of American Management Association, 1601 Broadway, New York, NY 10019.

The scanning, uploading, or distribution of this book via the Internet or any other means without the express permission of the publisher is illegal and punishable by law. Please purchase only authorized electronic editions of this work and do not participate in or encourage piracy of copyrighted materials, electronically or otherwise. Your support of the author’s rights is appreciated.

About AMA
American Management Association (www.amanet.org) is a world leader in talent development, advancing the skills of individuals to drive business success. Our mission is to support the goals of individuals and organizations through a complete range of products and services, including classroom and virtual seminars, webcasts, webinars, podcasts, conferences, corporate and government solutions, business books and research. AMA’s approach to improving performance combines experiential learning—learning through doing—with opportunities for ongoing professional growth at every step of one’s career journey.

Printing number

10 9 8 7 6 5 4 3 2 1


To Doreen, a steady source of support through seven versions of this book and an editor of the final three versions.

To Alex Tango, of Freehold, New Jersey, a rising young risk manager.

To Mary Sullivan, of Saint Peter’s University, an amazing person who understands risk firsthand and who deals with it every time.

To Professor Elaine Ognibene, who changed my writing style just in time for this book.


CONTENTS

Introduction

PART ONE. Essentials of Enterprise Risk Management

1. Hazard and Enterprise Risk Management
Hurricane Andrew. Definitions of Risk. Hazard Risk. Insurable Risk. Traditional Risk Management. Severity and Frequency. Enterprise Risk. Operational Risk. Strategic Risk. Financial Risk. Conclusion.

Appendix 1. Russian Frozen Chicken

2. Enterprise Risk Management
ERM Defined. The Need for ERM. Conclusion.

Appendix 2. GM, Ford, and the Chrysler Bailout

3. Contributions of ERM
Contribution 1: Recognize the Upside of Risk. Contribution 2: Assign Risk Owners. Contribution 3: Align Risk Accountability. Contribution 4: Create a Central Risk Function. Contribution 5: Install a High-Tech Electronic Platform (HTEP). AIG’s View of Risk. Contribution 6: Involve the Board of Directors. Contribution 7: Employ a Standard Risk Evaluation Process. Conclusion.

Appendix 3. Home Depot

4. Challenge of the Black Swan
2014 Atlanta Ice Storm. What Is a Black Swan? Blockbuster. Risk Experts. The Failure of Experts. The Perceived Level of Risk. Silent Evidence. Conclusion.

5. The 2008 Financial Crisis
Speculative Frenzies. History of the Crisis. Scanning for Exposures. Visible Signs of Danger. Aftermath. Parallel with the Great Depression. Dodd–Frank Act. Conclusion.

6. Implementing ERM
COSO Framework. COSO Structure. COSO Components. COSO Definitions. Approaches to ERM. Risk Management Areas. Strategies and Situations in Risk Management. Expanding the Scope of ERM. Benefits of ERM. Making ERM More Effective. Leadership Risk. ERM Premises. How Do We Start? High-Tech Electronic Platform (HTEP). Conclusion.

Appendix 6. ISO 31000 Framework

PART TWO. Risk Management Technology

7. Risk Clusters
Cluster Risk Structure. Sophisticated Risk Mapping. Clusters Versus Spreadsheets. Hierarchy of Subrisks. Interactions. Conclusion.

8. Risk Technology in 2008
Rejection of Spreadsheets. High-Tech Electronic Platform (HTEP). Riskonnect HTEP. User Features. Design Features. Relationships. Risk Dashboards. Heat Map. CP&L ERM Implementation. Next Steps. Conclusion.

9. New Technology in 2014
New York University HTEP. Mobile Devices. HTEP Links. Earthquake Notification. Southwest Airlines HTEP. Collaboration with Chatter. Real-Time Links to the World. Word Translation and Currency Translation. Data Resources. Managing a Disability Claim. Conclusion.

10. HTEP Applications
Airbus A380 Jumbo Jet. HTEP Opportunity with Bananas. Tropical Storm Disruption. BP Oil Explosion. Ford Supply Chain. Dell Supply Chain. Chilean Mine Rescue. Conclusion.

11. Product Launch Application
Market Risk. Product Risk. Capital Risk. Intellectual Property Risk. Risk Profile. Expanding the View. Conclusion.

PART THREE. Risks Without Risk Owners

12. Strategic Risk
FedEx. Strategic Risk Management. Strategic Risk and Knowledge. Pursuit of Knowledge. Historical Perspective of Strategic Risk. Strategic Risk and Synergy. Strategic Risk and Tools of Knowledge. Strategic Risk and Opportunity Since 1980. Scanning Post-2014. Energy All by Itself. Boeing Versus Airbus. The Fax Machine and Strategic Risk. Conclusion.

13. Subculture Risk
Ford-Toyota Rowing Contest. Subculture Risk. Bureaucracy as a Structure. Understanding Subculture Risk. Charles Handy on Culture. Bureaucracy Culture. Spider’s Web Culture. Team Culture. Individual Culture. Cultural Control and Effectiveness. Recognizing the Subculture. Conclusion.

Appendix 13a. Characteristics to Identify Subcultures

Appendix 13b. Subculture Risk in High School

14. Leadership Risk
Behavioral Risk. Strategic and Situational Leadership. Situational Leadership Styles. Competence and Commitment. How Leaders Decide. IKEA Best Practices. High-Performance Leadership.

15. Life Cycle Risk
Organizational Life Cycle. Sharing Life Cycle Information. Life Cycle Goals. Life Cycle Tactical Focus. Planning Horizons. Growth as a Risk Factor. Risks with Change. GM and Toyota Life Cycle Risk. ERM Implementation and Life Cycles. Funding for ERM. Priority for ERM. Politics of ERM. Conclusion.

16. IBM, Microsoft, and Apple
IBM at Its Peak. IBM in Decline. IBM Resurgence. Microsoft Growth. Microsoft Peak. Microsoft Decline. Apple Rise. Apple Decline. Apple Rebound. Conclusion.

PART FOUR. Special Topics

17. Cyber Risk Management
Cyber Risk. Malicious Software. Loss Assessment. Managing Cyber Risks. Buying Cyber Risk Insurance. Incident Response Plan. Mafiaboy Attack. Sony PlayStation Attack. Hacker Language. WikiLeaks 2010 Leak. Authorized User Exposure. Hackers and Cyber Risk. Anonymous. Arab Spring. Bay Area Rapid Transit (BART). Megaupload. Responding to Anonymous Threats. Conclusion.

18. Collaboration for Effective Risk Management
Collaboration. Grocery Acquisition. Wikipedia Accuracy. Swarm Theory. GoldCorp Collaboration.

19. Cerberus, JPMorgan, and Lehman
Cerberus and Chrysler. JPMorgan Chase and Derivatives. Lehman Toxic Assets.

20. Rise of Modern Risk Management
Risk Management Supersedes Insurance. Formation of Captives to Retain Risks. Risk Management Addresses Liability. Decline of Historical Data. Performance Risk Augments Hazard Risk. ERM and Cyber Risk. War Risk. Outlaw Environments. Environmental Risks. Conclusion.

21. Evolving ERM
Four Problems for ERM. Black Swan. Long-Term Capital Management. Speeding Up the Implementation of ERM. The Future of ERM. Conclusion.

22. Modern Risk Managers
Risk Manager Roles. Risk Manager Levels. Profiles of Risk Managers. Areas of Attention. Chief Risk Officer. Chief Strategy Officer (CSO). CRO and CSO Areas of Focus. Paul Buckley, Tyco Risk Manager. Chris Mandel, USAA Risk Manager. Lance Ewing, Harrah’s Risk Manager. George Niwa, Panasonic Risk Manager. Susan Meltzer, Aviva Risk Manager. Central Risk Management Committee.

Denouement

Index


INTRODUCTION

RISK QUOTE: Keep your friends close, and your enemies closer.

—SUN-TZU, CHINESE GENERAL AND MILITARY STRATEGIST, AROUND 400 B.C.E.

RISK QUOTE: This was my father’s study. He taught me a lot of things in this room. He taught me to keep my friends close and my enemies closer.

—MICHAEL CORLEONE IN THE GODFATHER (1976)

Welcome to the world of enterprise risk management (ERM), one of the most popular and misunderstood of today’s important business topics. It is not very complex. It is not very expensive. It does add value. We just have to get it right. Until recently, businesses have been getting it wrong.

The first edition of this book carried us into the heart of risk management. It was mostly about how to do a better job of risk identification. If we define the problem correctly, we reduce surprises—not eliminate them, mind you, but get many of them under control.

This book continues our journey with massive updates. Risk management has changed dramatically since the 2008 financial crisis. Recent developments in technology and communications demand new approaches to manage risk and seize opportunity. They still build on the basic structure of ERM.

Upside of Risk. Most people discuss risk as the possibility of loss. This is totally insufficient because risk has an upside. A lost opportunity is just as much a financial loss as is damage to people and property. This is a key insight. Ask Sun-Tzu or Michael Corleone.

Alignment with the Business Model. Within a framework for achieving goals, a single manager can supervise directly only a limited span of subordinates. Similarly, one person can oversee a limited number of risks. ERM encourages us to create a hierarchy of risk categories aligned with the business model.

Risk Owners. A single person should be responsible for every category of risk. When questions arise, we go directly to the risk owner. We will see an exception to this guideline in Part Three, where we address risks with no single risk owner.

Central Risk Function. Although risks cannot be managed centrally, a central risk function acknowledges that some risks cross units and responsibilities. The function influences risk decisions by scanning for changing conditions from a central vantage point and sharing findings. This book argues that a central risk function should not, itself, have responsibility for management decisions. Risk goes with the risk owners.


High-Tech Electronic Platform (HTEP). ERM encourages the use of new technologies. This book describes a cutting-edge technology and a revolutionary way to use it. The results are amazing.

The book is organized in four parts:

1. Part One. Essentials of Enterprise Risk Management. What is ERM? What is not ERM? What are its key components? Why do we need a central risk function, risk identification, a high-tech platform? We address risk management successes and failures and cover lessons learned since the original publication of this book.

2. Part Two. Risk Management Technology. This is big. In the first edition, we examined visualized risk relationships and backed up the view with supporting detail. You will not believe the developments since 2008. Building on the success of Riskonnect, we describe the High-Tech Electronic Platform (HTEP) that serves so many companies today. If we thought technology was big six years ago—and it was—it is amazing today.

3. Part Three. Risks Without Risk Owners. Some risks depend on collaboration, crossing, as they do, the silos of organizations. With a central risk function and modern technology, we update strategic risk, subculture risk, leadership risk, and life cycle risk. We examine how weak management practices endanger success and how the absence of a clear and achievable vision can be destructive. Included are incisive stories about IBM, Microsoft, and Apple and their rise, decline, and efforts to rebound.

4. Part Four. Special Topics. Here we fill in the picture of risk management. Cyber risk management deserves a chapter of its own. The importance of collaboration is demonstrated with examples. The struggles of Cerberus, JPMorgan, and Lehman are documented. Three chapters build our understanding of modern risk managers.

Our journey covers a mixture of concepts, tools, and stories that add richness and depth to managing enterprise risk. Modern risk management is both popular and misunderstood, but, as we will see, it is not overly complex. Nor is it expensive. It does add value. We just have to get it right. Is risk management a science? An art? A mystery? Or is it plain old common sense? In the following pages, we update answers to these questions.

Contributors

In the first edition, we acknowledged many people who contributed to this book. Chris Mandel and Lance Ewing, former presidents of the Risk and Insurance Management Society (RIMS), continue to encourage me to understand risk from a holistic viewpoint. Valery Vyatkin, my Russian partner, contributed ideas from a Russian perspective. Finally, thanks to Bob Nirkind from AMACOM books. His insight and wisdom kept this project on course.

Let’s also remember my administrative assistant, Mary Sullivan of Saint Peter’s University, who was once again invaluable in creating the final product. My bride, Doreen, a book author in her own right, tells me regularly, “Jack, don’t talk about risk management. Nobody cares.” She is also the person who gives me the most support for projects such as this book.

Updating this list is a single acknowledgment. Thanks to the people at Riskonnect, particularly Bob Morrell, Kelly Barton, Elizabeth Morrell, and Russell McGuire. They started the journey and built the HTEP described in this book. An amazing job. Just ask any of their clients.

J. Hampton
Litchfield, Connecticut
March 2014


PART ONE

ESSENTIALS OF ENTERPRISE RISK MANAGEMENT

HERE WE TELL THE STORY of why organizations should create modern risk management programs. Risks are related. One risk affects others as they cross the often-artificial walls of day-to-day operations. People can be too close to risk or just too busy to recognize impending critical problems.

We start with the features of modern risk management, a discipline that morphed from a narrow insurance-buying role. Stories and examples help us grasp hazard risk management as a foundation for ERM. What is modern risk management? What does it mean for an organization? What are the contributions it makes to our understanding of risk?

Then we take a detour. Two challenges arose in 2007 and 2008 that seemed to undermine ERM. We examine Nassim Taleb’s concept of the black swan and what it means for risk management. We follow up the 2008 financial crisis with the lessons we should have learned. We finish with the implementation of an ERM program. How can it be done? How should it be done? What resistance can we expect?


CHAPTER 1

HAZARD AND ENTERPRISE RISK MANAGEMENT

RISK QUOTE: More than at any other time in history, mankind faces a crossroads. One path leads to despair and utter hopelessness. The other to total extinction. Let us pray that we have the wisdom to choose correctly.

—WOODY ALLEN, MOVIE PRODUCER

RISK QUOTE: Better to remain silent and be thought a fool than to speak out and remove all doubt.

—ABRAHAM LINCOLN, U.S. PRESIDENT

Hurricane Andrew

In 1992, Hurricane Andrew caused significant losses to Allstate, State Farm, and other insurance companies because Florida insurance law did not handle flood and wind damage properly. If wind took off the roof before a storm surge destroyed a house, how much would separate wind and water policies pay to reimburse the damage? After cleaning up the mess, insurance companies worked with the Florida State Insurance Department to apportion loss from a combination of water and wind. In 2004 and 2005, hurricanes Frances, Charley, Ivan, Katrina, and Rita damaged property in Florida. As a result of the new laws, insurers saved money, and homeowners received prompt and efficient claims processing.

The change made after Hurricane Andrew is effective risk management. Still, it had a flaw. The insurance companies operated in isolated units that did not share risk information. They did not seek changes in the laws in Georgia, Mississippi, Louisiana, or Texas. The results were unnecessary complications resolving losses in 2005, when hurricanes damaged property in those states.

A second Hurricane Andrew story reveals another flaw in sharing data. It involves the role of an actuary, a mathematician who determines the rate charged for insurance coverage. Actuaries work with historical data to make estimates of the frequency and severity of loss.

In 1992, the data for Florida hurricanes was taken from the Okeechobee hurricane in 1928. It killed 2,500 people in South Florida when a storm surge breached the dike surrounding Lake Okeechobee. It also did serious wind damage to houses.

In the 1920s, houses had been built with masonry walls and clay tile roofs. Both withstood wind damage very well. Still, 5 percent of roofs were lifted from their connections to homes. This was the damage level used in actuarial projections of property damage in the 1980s.

The problem was that houses built in Florida in the 1980s had shingled roofs connected to the walls with nails or staples. A person visiting Miami in the months after the storm could drive on an overpass and see subdivisions where all the homes were covered with blue tarpaulins. Every single roof had been removed by the storm. The actuarial data failed to provide sufficient funds to pay the claims. It is not a surprise that 11 insurance companies were forced into bankruptcy.

Definitions of Risk

When someone tells us to take a risk or not to take a risk, what is the message? In most cases, “risk” has one of three meanings:

1. Possibility of Loss or Injury. This is the most common. We have something to lose, and we might lose it through an accident or misfortune.

2. Potential for a Negative Impact. This is generic. Something could go wrong. What could go wrong? We might face a decline in the value of a brand, or competitors might penetrate our markets. The negative impact may be vague and unknown.

3. Likelihood of an Undesirable Event. This moves us into the world of quantitative analysis. We see a risk on the horizon. What is the likelihood that it will materialize? What will be the impact if it occurs? Can we quantify the damage? What will be our best case if it occurs? Our worst case?

Hazard Risk

This includes exposures that cause loss without the possibility of gain. A company may suffer physical damage to assets, as when fire destroys a building. Physical injury may occur when accidents, injuries, or disease strike employees or customers. Lawsuits can be the outcome of contractual or liability claims.

Hazard risk can be broader than the direct damage it causes. An explosion at a refinery requires repair and renovation directly. Indirectly, the waiting period until the refinery is repaired causes an immediate loss of sales and may cause future business and financial losses.

Insurable Risk

An insurable risk is a form of hazard risk that meets specific criteria.

Definite Loss. We can identify the cause, time, place, and extent of damage.

Monetary Decline. If an exposure has no financial impact, it is not an insurable risk.

Contingent Loss. The exposure must be fortuitous, covering only losses not certain to happen.

HARTFORD STEAM BOILER

The development of new tools to manage hazard losses was accelerated by a single innovative company. It was The Hartford Steam Boiler Inspection and Insurance Company (HSB), founded in 1866 in Connecticut. Prior to the 1850s, small companies conducted most manufacturing in the United States using small plants in rural areas. Waterpower was the source of power. The number of factories with steam boilers and engines grew, and so did industrial hazards. Disastrous boiler explosions caused the loss of life and property.

Hartford Steam Boiler became an inspection company first and an insurance company second. It specified rigorous requirements for shutting down boilers to allow preventative maintenance and repair. If a manufacturer failed to comply with the inspection timetable and recommended repairs, the insurance would be voided. The result was a massive decline in boiler explosions and a new awareness of the importance of loss control. Risk management trumped insurance.

Traditional Risk Management

Traditional risk management covers hazards and programs to avoid, mitigate, or transfer them.

The major developments:

1940s to the 1960s. Risk management began as a formal process in North America after World War II and then expanded around the world. Before the 1940s, organizations had buyers of insurance who focused almost exclusively on risk transfer.

1970s to the Present. Risk management expanded into loss control, safety, and other strategies to avoid, reduce, or transfer risk. In addition to buying insurance, risk managers were expected to reduce losses. Insurance became a subset of risk management.

Traditional risk management focused on four areas:

1. Insurable risk. Risk managers identified exposures, assessed them, chose strategies to cover their impacts, and implemented a risk management program. This process set up both preventive and crisis risk management.

2. Internal control. Companies have processes to provide reasonable assurance that policies are being followed. Elaborate systems became common, particularly in industries highly regulated by government agencies.

3. Internal audit. Internal auditors pursue assurance that internal controls are working. They focus on operating activities, the consistency of procedures, and compliance with directives.

4. Regulatory compliance. This seeks to ensure conformity with official requirements imposed by statutes, public agencies, or the courts. Examples involve plant safety, environment standards, reliable financial reporting, and compliance with social and economic mandates.

Traditional risk management identified four sources of hazard risk.

1. Physical Risk. Situations where the real world creates a danger. Fire, earthquake, driving vehicles on crowded streets, and flying in hot air balloons are examples.

2. Moral Hazard. Arises from a lack of honesty or integrity. Examples are fraud, theft, tax evasion, and the sale of defective products.

3. Behavioral Hazard. Derives from carelessness, as when people do not exercise a proper degree of caution driving a car, using a forklift in a factory, or cleaning a boiler.

4. Legal Hazard. Anybody can be sued and thus frivolous and numerous lawsuits are, by themselves, sources of hazard risk.

GLOBAL PETROLEUM

A Global Petroleum Company refined-products tanker was rounding the coast of Scotland at the height of the summer vacation season. It ran aground in a storm on rocks close to a small resort town with 300 year-round residents and one 40-room hotel. Within 24 hours, a crisis team arrived to contain the oil spill, which was growing by the hour. The team consisted of a team leader, a systems specialist, a finance specialist, a petroleum engineer, a logistics specialist, and a public relations manager. Within 12 to 36 hours after the spill, tugs from London arrived with oil containment equipment. They were joined by 150 workers who would work 12 hours on and 12 hours off for three to four weeks to clean up the spill.

The crisis team leader saw an immediate problem. Few local residents were willing to provide sleeping accommodations for workers. The hotel was booked solid with summer vacationers that the owner would not displace. The nearest town with hotels was 120 kilometers (75 miles) from the spill.

Searching for a solution, the team leader considered alternatives to solve the housing problem. He could negotiate with the hotel or homeowners, bring in tents or a small cruise ship, or bus workers to and from hotels in the distant town. What should he do?

In the sense of modern risk management, the company gave full authority to the team leader to mitigate risks without seeking permission. He bought the hotel and displaced the guests. Weeks later, he sold it back to the original owner at a loss that was much less than the likely cost of indecision or inaction.

Lesson Learned: What is the real lesson? Think about it. Do you have the authority to offer £5 million for a hotel? Is your organization set up with a risk management program that can transfer money on a moment’s notice to a Scottish bank? This is modern risk management. Prepare for a loss. React to it with an effective mitigation strategy.

Severity and Frequency

Hazard risk is commonly measured on two scales.

1. Severity. Refers to the intensity or magnitude of a loss or damage. A medium-high- or high-severity loss causes serious business disruption or damage to people, financial position, assets, or reputation. A medium-low- or low-severity loss causes less damage.

2. Frequency. Refers to the likelihood of occurrence of a loss, damage, or missed opportunity. Some losses, like vehicle accidents, are frequent and predictable. Some potential losses are so remote that we cannot imagine how they could happen.

Figure 1-1 shows a graph of frequency and severity. As we move up and to the right on the graph, we increase the danger to the enterprise. Low-frequency and low-severity exposures are not of much concern. High-frequency and high-severity exposures can produce disastrous consequences.

WORLD TRADE CENTER

Larry Silverstein acquired the lease to operate the New York City World Trade Center (WTC) two months before a terrorist attack destroyed the complex on September 11, 2001. Although the WTC had been damaged by a car bomb in its underground parking space in 1993, Mr. Silverstein did not foresee a high-severity exposure to the WTC. Thus, he insured the twin towers for $3.6 billion, half of the replacement cost if both towers were lost in a single occurrence.

Years of litigation followed the 2001 loss. Mr. Silverstein claimed that the two hijacked airliners were separate “occurrences” for insurance purposes, entitling him to collect twice on the policies.

The problem was compounded by an insurance policy that had been discussed but not issued as of the date of the attack. Two policy forms were under consideration. One defined occurrence. Commonly, such a policy would cover any loss within a specified time period. The other policy form did not define occurrence at all. The result was that some insurers paid for one occurrence, some for two. Mr. Silverstein received $4.6 billion rather than the $7.2 billion full replacement cost for the property.

Lesson Learned: Frequency is not really an issue when dealing with the potential for catastrophic loss. To be protected, risk transfer should indemnify a total loss even if the possibility of its occurring is remote.

FIGURE 1-1. GRAPHING RISK.

Enterprise Risk

A broader definition than hazard risk became the norm for businesses, nonprofit organizations, and government agencies in the 1990s. Enterprise risk is the likelihood that actual results will not match expected results. Enterprise risk includes hazard risk as one of its major components. It adds operating, strategic, and financial risk to the focus. In this perspective, risk has two characteristics:

1. Variability. Expected results from operations or decisions may not match our sometimes elaborate forecasts. Why did we miss our forecast? What went wrong? The answer is probably nothing. The world is variable.

2. Upside of Risk. When an enterprise engages in its activities, it accepts risk. Results may be better or worse than expected. Enterprise risk explicitly considers both possibilities.

LEVELS OF ENTERPRISE RISK

From these concepts, we recognize some risks are serious and some are not.

Minor. This is a situation where a loss would hurt an operating unit but not be noticeable on financial statements.

Significant Loss. This can cause a reduction of current year revenues or earnings that has a substantial impact on operations.

Critical or Major Loss. This seriously hampers a firm’s ability to do business. An example is the collapse of a major operating unit or product line, followed by a substantial financial setback that could lead to bankruptcy.

Catastrophic Loss. This involves the destruction of a majority of assets, an unbearable financial loss, and an inability to continue operation. It produces a near-term, if not immediate, bankruptcy and dissolution of the enterprise.

ENTERPRISE RISK ACCOUNTABILITY

To deal with differing impact of risks, we use a progression of events, as shown in Figure 1-2:

Incident. An occurrence of seemingly minor importance that can lead to serious consequences. ERM monitors such events that normally arise in operational areas.

Emergency. A serious situation when an unexpected incident demands immediate action to avoid more damage.

Crisis. A time of intense difficulty or danger when an important decision must be made. The quality and speed of the decision determines the turning point for an improved or worse outcome.

Disaster. A point when the risk can threaten the survival of the organization.

Catastrophe. The final stage of organizational failure to deal with a risk. The organization is destroyed because rarely can risk management efforts be effective at this level.

FIGURE 1-2. PROGRESSION OF RISK EVENTS.

Enterprise risk incorporates hazard risk but also adds operational, strategic, and financial risk to its perspective.

Operational Risk

This is a failure in the management of internal processes, people, and systems. It reflects the possibility that an organization will not compete successfully. Exposures vary with the line of business, the nature of the entity, political and economic issues, and other factors. Exposures can erupt suddenly or develop over time. The company may fail to update a product or service. Technology may make current activities obsolete. Customer preferences may change.

Strategic Risk

A strategy may be seen as a high-level plan to achieve one or more goals under conditions of uncertainty. Strategies involve patterns of decisions to undertake activities, allocate resources, pursue behaviors, and achieve outcomes. Strategic risk arises from possible losses as a result of pursuing an unsuccessful business plan and making poor business decisions. It reflects the substandard execution of decisions, inadequate resource allocation, or a failure to respond to changes in the business environment.

DAIMLER AND CHRYSLER

Daimler A.G. is an example of a company that suffered a business risk loss. In 1998, Daimler exchanged stock worth $38 billion to merge with Chrysler Corporation. After investing billions of dollars in Chrysler over a 10-year period, Daimler sold the bulk of the firm to Cerberus for less than $8 billion. It is likely that Daimler used a thorough acquisition analysis that considered the possibility of such a debacle. Would it succeed because of the synergies and shared technology of the two companies? Would the differences in corporate cultures prove deadly? Would external changes in consumer preferences, the price of oil, or other factors make the merger untenable? As it turned out, the synergies did not materialize, and the clash of cultures proved to be disastrous. Daimler failed to merge the distinct German corporate culture with the proud but troubled executives and workers in Detroit. Is the failure of this merger a case of operational or strategic risk?

Answer

Whatever the answer, operational and strategic failures can destroy the upside of risk.

Financial Risk

The last component of enterprise risk is financial risk, the possibility of a shortage of funds for operations. The problem can be caused by an inadequate initial capitalization, or it can result from cash flow problems in operations. Customers can fail to pay their bills, or creditors can tighten lending requirements. High-interest costs or restrictions on borrowing may constrain expansion. The use of short-term debt to finance long-term assets may produce liquidity problems or leave insufficient cash to pay dividends.

AMAZON AND WEBVAN

In the 1990s, two companies entered the online arena for consumer products. Amazon.com started operations in 1995, selling books via the Internet, and then diversified to sell other products. Webvan was an online food business that accepted Internet orders and delivered grocery products to customers. Amazon succeeded in its venture, becoming the largest online retailer in the world. Webvan ran out of money and filed for bankruptcy in 2001.

What accounts for the difference between Amazon and Webvan? Both looked like promising investments in the new marketplace of the Internet. A risk analysis would have shown key differences:

Operational Risk. It should have been apparent that Webvan had serious problems in distribution. Amazon simply accepted orders and fulfilled them using an existing UPS distribution system. Webvan had to build its own system.

Strategic Risk. Another factor was that Webvan was not aligned with its markets. It offered daytime delivery within a 30-minute window to customers who used the service because they were too busy to shop. They were not home in the daytime, so the food would spoil. Amazon could deliver its nonperishable products anytime and leave them on the doorstep.

Financial Risk. Both companies needed considerable capital, but the financial risk was much greater for Webvan. One part of the exposure was of its own making. Webvan signed a billion-dollar contract with Bechtel to build warehouses, purchased a fleet of delivery trucks, and spent a large sum of money on equipment. A second part was the difference in markets for Amazon and Webvan. The expensive delivery structure squeezed the profits from the grocery business. Webvan was doomed by a combination of a tight cash flow accompanied by capital inadequacy.

Lesson Learned: Risk management recognizes the difference among operational, strategic, and financial risks while recognizing that they can merge to produce either good or bad results.


Conclusion

Traditional risk management has not fully morphed into a broader perspective. We continue the journey building on the solid foundation just described.


APPENDIX 1

RUSSIAN FROZEN CHICKEN

We can gain a more in-depth understanding of risk management by illustrating it for an international project.

Expropriation Risk

A company had a project to export frozen chicken by oceangoing vessels from Virginia and North Carolina to St. Petersburg, Russia. The company planned to load 60- to 80-pound boxes on pallets for the ocean voyage. A problem arose because the Port of St. Petersburg had no shoreside refrigeration to allow the quick unloading of an expensive reefer vessel. The company would incur significant demurrage charges (extra costs resulting from a vessel delay) if the ship wasted time in port while it waited for containers or railroad cars. One option was to build a warehouse, but the risk manager identified an expropriation risk. She spotted an action involving the Hotel Europa in St. Petersburg, which was partly owned by European investors. In the mid-1990s, the hotel opened a foreign bank account to handle dollar transactions. Russian banking laws prohibited such accounts. When the government learned of the account, a government agency levied a heavy fine on the hotel, causing the foreigners to lose their entire investment. Effectively, the government confiscated the hotel.

The risk manager knew she could obtain insurance from an agency of the U.S. government to reimburse the company for expropriation. At the same time, was it really an expropriation? Insurance did not seem to be the answer. Thus, the company considered buying an old (and relatively inexpensive) reefer vessel and using it for storage. It could build a refrigeration facility on a barge that could be moved if the situation became sticky. Alternatively, it could find a strong Russian partner with high-level government connections and allow the partner to accept the expropriation and storage exposure. The company found such a Russian partner.

Lesson Learned: Investigate all options for risk mitigation. Do not assume that the traditional insurance approach is the answer.

Credit Risk

So good news. The company exporting frozen chicken to Russia had a partner. This was also the bad news because it created a credit risk. How would the U.S. company ensure payment from the Russian partner? It was not realistic to demand payment in advance or to obtain a letter of credit to guarantee a future payment. The Russian partner was not able to pay for a cargo for 30 or so days after receiving it. To deal with the credit exposure, the parties agreed that the Russian partner would have to pay for one cargo before it could receive a subsequent cargo.

How did this mitigate the exposure? The stream of profits from a series of cargos was significantly larger than the funds from a default on payment for a single cargo. If the Russian partner did not deposit funds in a Western bank account by day 45 after receipt of a cargo, the ship carrying the next cargo would be diverted from Russia to a northern European port.

Lesson Learned: Give other parties, in this case the Russian partner, incentives to help your organization mitigate risk.

Physical Security Risk

Once the Russian partner accepted the chicken in St. Petersburg, it shipped the chicken by railroad to Moscow, Yekaterinburg, and beyond. The cargo was placed in refrigerated containers that were locked and then loaded on flat railcars. On the fifth journey, one of the containers was empty when it arrived in Moscow after the three-day trip from St. Petersburg. At this point, the partner was facing a risk management problem. Two strategies were discussed. The first was to purchase insurance, an idea that was quickly eliminated. Who would insure a cargo with a high chance of loss? If a Russian insurance company agreed to provide coverage, the premiums would be prohibitively high. The second was door-to-door container placement. The railroad company would place the containers on the flatbed railcars so the doors could not be opened if the locks were broken. This was the chosen strategy.

The story continues. Sometimes a risk mitigation solution does not actually solve the problem. Several journeys later, another container arrived empty. The partner realized that someone had a crane on a siding when the train stopped in the middle of the night. What else should be tried?

The problem was finally solved by placing a boxcar on the back of the train. The car was fitted with heaters and cots. It carried guards with Kalashnikov weapons. Whenever the train stopped, guards stepped out to protect the containers. It was a simple but effective risk management strategy.

Lesson Learned: Stay with it until a risk management strategy works. Sometimes it takes a few tries to get it right.


Upside of Risk

The story of guards on the train can be used to illustrate the upside of risk. The railroad security situation in Russia has improved significantly since the 1990s, when the story unfolded. Prior to the improvement, a business opportunity arose. Once the cargo was being protected by armed guards, the Russian partner could offer insurance services to third parties to protect their cargoes as well as the chicken. The partner would incur small costs for the guards but could be confident that the train would experience no losses. We do not know whether this opportunity was ever pursued.


CHAPTER 2

ENTERPRISE RISK MANAGEMENT

RISK QUOTE: When you arrive at a fork in the road, take it.

—YOGI BERRA, BASEBALL PLAYER

RISK QUOTE: The greatest glory in living lies not in never falling but in rising every time we fall.

—NELSON MANDELA, SOUTH AFRICAN STATESMAN

Enterprise risk management (ERM) emerged in the early 1990s as an extension of hazard risk management. It argues that an organization should manage enterprise risks in a single, comprehensive program.

RISK VERSUS UNCERTAINTY

Risk. Something that we attach to a probability. In many cases, we can also calculate or estimate the financial cost or benefit.

Uncertainty. Something that can go wrong without an understanding of the consequences, likelihood, or cost or benefit.

ERM raises issues about risk tolerance. How much risk are we willing to take? Which risks are we managing? Which risks are unbearable? Which are important? Which are unimportant? ERM became an organizational priority to identify and manage new exposures. ERM became a buzzword on the lips of CEOs, CFOs, members of boards of directors, and shareholders. Everybody understood that ERM was important. The question confronting organizations was how to get it right.

By 2005, ERM had bogged down. Still, many risk observers pushed a strong ERM agenda. They recognized the logic of coordinating the management of risk. So why did ERM implementation stall? The answer starts with several definitions of ERM.

ERM Defined

Enterprise risk management is a broad and complex concept that reaches into every major area of an organization. As such, it is not surprising that many definitions of ERM have been offered. These definitions fall into three categories. A strategic definition focuses on results, as ERM is expressed in terms of organizational objectives. A functional definition describes ERM in terms of activities that reduce risk. A process definition focuses on actions undertaken by managers to manage risk. A consensus definition might look something like this:

GENERAL MOTORS INVENTORY

As organizations reach maturity, they can no longer depend on a rapidly growing market for goods and the continuation of the business that made them successful. They must seek new approaches to operations to increase their success in managing life cycle risk. The following discussion involves Bo Andersson and his experience at General Motors Corporation. It provides a good story about modern risk management.

In 2001, Bo Andersson became the top purchasing manager at GM. When he arrived, he realized that GM was spending $85 billion on car parts each year, purchased from 3,200 suppliers. He also learned that GM had separate engineering for almost every type of vehicle it produced. Vehicles did not share common parts. Seat frames were an example of a particularly interesting subculture feature. They were expensive, partly because GM had 26 different seat frames. Toyota had only two.

A similar situation existed with V6 engines. Once again, GM had high costs because it had 12 V6 engines, whereas Toyota and Honda had two each. What about fuel pumps? GM had 12. Toyota and Nissan had two.

Moving on, Bo Andersson addressed the rather simple topic of door hinges. He learned that they could be made out of three pieces instead of five. Making the change would save $100 million annually. He had a subculture response. Engineers and designers debated the change for more than three months. Then they reluctantly began a lengthy process of design and testing for the new door hinges.

After studying the situation to be sure he understood it, Bo Andersson identified the design and purchasing problems and brought them to the attention of the engineers who worked in manufacturing. His arguments were carefully framed, but they were not well received. The different units did not support changes, arguing that a change in one component would have ripple effects throughout the entire line of automobiles. In the end, change came slowly over the period from 2001 to 2006 (BusinessWeek, July 31, 2006).

Lessons Learned: GM lacked a modern risk management approach to internal manufacturing. Production efficiency lagged badly while GM failed to make desperately needed changes to be competitive. GM needed ERM. One additional note: The GM situation is also a failure of leadership risk. This is covered in Chapter 14.

Enterprise risk management is the process of identifying major risks that confront an organization, forecasting the significance of those risks in business processes, addressing the risks in a systematic and coordinated plan, implementing the plan, and holding key individuals responsible for managing critical risks within the scope of their responsibilities.

The Need for ERM

Why do we need to manage risk and pursue opportunity in a single coordinated program?

A few quick answers:

Survival. We want a better chance to identify, mitigate, avoid, and treat risks that could close us down.

Stability. We want reliable and predictable behaviors when creating, distributing, financing, and selling products and services.

Fiduciary Responsibility. ERM helps the board and CEO meet their shareholder, employee, community, social, and ethical responsibilities.

Ethics. ERM helps build good relationships with other parties who expect us to observe legal and ethical behaviors in the conduct of our operations. This affects customers, employees, suppliers, creditors, and regulators.

As we move past the definitions and need for ERM, some heavy hitters have joined the discussion.

TOWERS PERRIN ON ERM

Towers, a professional services consulting firm, was an early advocate, believing that ERM is essential to achieve operating stability, build organizational resilience, and increase economic value. As shown in Figure 2-1, Towers Perrin developed a six-stage ERM Road Map to create a customized ERM program.

MOODY’S ON ERM

Moody’s was also an early advocate of ERM, using the tool to assess banks. In 2004, the company deployed Risk Management Assessments (RMA) to help it understand exposures facing nonfinancial companies. An RMA is built on four pillars, as shown in Figure 2-2.

STANDARD & POOR’S AND ERM

S&P uses ERM in rating financial securities for nonfinancial companies. It acknowledges management’s overall capabilities, quality of strategies, and adaptability to changing conditions. It believes companies with superior ERM should have great stability of earnings and a high likelihood of repaying debt obligations.

FIGURE 2-1. TOWERS PERRIN’S ERM ROAD MAP.

Stage 1. Establish the current state of ERM capability.

Stage 2. Contrast the current state to ERM best practices and produce a gap analysis highlighting areas that need improvement.

Stage 3. Define a target goal for ERM based on organizational strategy and risk profile.

Stage 4. Prepare a formal action plan for implementation. Seek quick wins as well as longer-term ERM objectives.

Stage 5. Implement the ERM vision using timelines, milestones, and assigned responsibilities.

Stage 6. Establish a formal monitoring process with continuous evaluation and reporting and follow-up initiatives.

FIGURE 2-2. MOODY’S PILLARS OF RISK MANAGEMENT ASSESSMENT.

Risk Governance. Are board members engaged in defining and reviewing the company’s risk philosophy and appetite? Does the reporting structure, including budgeting and capital allocation, contain risk considerations?

Risk Management. Does the company have risk control processes with unit- and operating-level reporting lines and risk discipline? Does the company understand its risk appetite and have controls to set limits in portfolio diversification and business decision-making processes? Does the company use risk mitigation, risk control, and risk financing processes and technologies?

Risk Analysis and Quantification. Does the business quantify the level of risk that is acceptable? Does it have effective risk monitoring and reporting?

Risk Infrastructure and Intelligence. Does the company have a risk infrastructure and supporting systems? Is risk intelligence developed with valid risk models and accurate and timely data?


JETBLUE AIRWAYS

Standard & Poor’s proposed a unique approach to ERM in 2008. Instead of a specific formula or checklist, S&P believes managing enterprise risk depends largely on the quality of management. Still, even a high-quality management team can stumble if it does not use ERM.

An example came on February 14, 2007, when New York City’s Kennedy Airport was hit by a nasty ice storm. JetBlue Airways, the largest airline at Kennedy, used the airport as the hub of its entire network but was not prepared. Thousands of passengers were trapped in planes on runways for up to eight hours. Aircraft ran out of food. Toilets overflowed. The airline canceled more than 1,000 flights and required six days to get the backlog cleared.

Now suppose JetBlue had had an ERM program that had identified the possibility of such an occurrence. Let us follow this through:

Source of the Risk. The risk stems from disruption of operations at peak flying time. Examples include ice storms, police action, and acts of terrorism. The upside would be a display of JetBlue’s high level of customer service and enhanced reputation. The downside would be a negative public reaction and financial loss.

Risk Owner(s). This scenario is assigned to the senior vice president of operations, who further assigns it to the Kennedy Airport Operations Center.

Frequency. Ice storms hit New York City once every three winters. The likelihood is one chance in three that it will hit at a busy time. A peak-travel disruption is thus likely to happen once every nine years.

Severity. The disruption could be a public relations boon if handled smoothly and a customer relations nightmare if passengers were stranded on planes for long periods of time. It could be financially beneficial if good news attracts new customers or costly if the airline has to reimburse passengers for losses or time spent.

Evaluation. A disruption is a major risk opportunity.

Options. First, JetBlue could arrange to have buses available for an emergency. It could unload passengers stuck in planes sitting on the tarmac when all gates are full. Second, it could provide additional personnel to solve problems, handle luggage, and mitigate discomfort. The company headquarters was a short distance from the airport. The company could train office staff on tasks needed during a crisis. Third, the company could institute rapid-response capabilities for weather or other crises.

Cost-Benefit Analysis. Any approach you use would be good risk management compared to leaving passengers stuck on planes.


Epilogue: Before the incident, a BusinessWeek magazine survey ranked JetBlue Airways fourth in the United States in customer satisfaction. After the incident, the magazine pulled the ranking from its March 5, 2007, edition and reported the failure in considerable detail. Prior to this single event, JetBlue had earned many honors for customer service. It was the top choice in a national airline quality rating four years in a row. It won a readers’ choice award five years in a row from Conde Nast Traveler. It always ranked high in J. D. Power’s quality ratings. Then it stumbled.

Lesson Learned: An ERM program with constant scanning and sharing of risks might have avoided losses that exceeded $30 million. As former JetBlue customers purchase future tickets on other airlines, we will never know the true extent of the loss to JetBlue.

Conclusion

The scope of ERM is broad. Therefore, it is important to simplify risk and to get it right in a complex world. We will continue to tell stories of how to do it right and wrong.


APPENDIX 2

GM, FORD, AND THE CHRYSLER BAILOUT

In late 2008, General Motors, Ford, and Chrysler asked the federal government to help them survive a liquidity crisis resulting from the global financial meltdown. The following is a modern risk management analysis of the situation.

The Problems

The Big Three were struggling with a number of issues.

Lagging Sales. GM, Ford, and Chrysler, combined, had less than half the market. Although GM remained number one with 20 percent, Toyota Motor Corp. was a close number two in U.S. market share.

High Costs. The companies had bloated salaried staff, probably 25 percent more than needed. Hourly labor costs were not competitive.

Legacy Costs. The companies provided prohibitively costly retirement and health care benefits, ignored demographic trends on life expectancy, and failed to fund deficiencies in promised benefits.

Dealerships. All three companies had too many dealers. General Motors was in the most trouble. With approximately the same level of U.S. sales as Toyota, GM had 7,000 dealers. Toyota had 1,500.

Contractual Commitments. Agreements with the United Auto Workers were highly punitive to the companies. One example was a program where 90 percent of wages and benefits were paid to laid-off employees. Another financial drain occurred when cities and towns financed facilities by issuing revenue bonds. If a company needed to close an underutilized facility, it could not do so without paying heavy penalties.

Auto Company Management. The companies never seemed to have the ability or the courage to make desperately needed changes. Senior oligarchs were set in their ways, resisted suggestions for change, and stifled dissenting views and innovation.


The Solutions

The companies examined the strategies to fix the problems.

Lagging Sales. The companies needed to become smaller. Too many competitors served the U.S. market. Some brands, such as Chevrolet, Buick, Cadillac, Ford, Chrysler, and Jeep, had considerable loyalty. Even the quality was acceptable. The companies could focus on these brands, update features, and reduce the number of U.S. manufacturing plants. Sales could come into balance with desired vehicles.

High Costs. No genius was needed here. Costs had to be cut. Companies could streamline salaried positions, cut back on hourly workers, and reduce other manufacturing and sales costs.

Legacy Costs. No one wants to fail to deliver on prior promises. At the same time, contractual costs were not affordable. The companies had to modify or break contracts.

Dealerships. Many of the dealerships had to close. This would be horrible for local communities and loyal dealers who had become members of a family. No matter how we now look at this issue, closures were inevitable.

Contractual Commitments. If negotiations to change agreements failed to obtain needed results, the company had to break contracts. Sorry about that. These were tough times.

Management. Personnel changes were needed, starting at the very top. Ford CEO Alan Mulally and Chrysler CEO Robert Nardelli were crisis managers who could be successful if they grabbed the bull by the horns. GM CEO Rick Wagoner was more problematic. He did not show signs of being the right person to change a rigid culture.

Risk Assessment

Now the discussion gets really interesting. The companies apparently had two options to make changes. Negotiations with other parties for concessions could do the job. Alternatively, the companies could reorganize under the U.S. bankruptcy code. Such a filing allows a court to enforce changes that allow a company either to resume viable operations or close down.

Lagging Sales. The strategy is to reduce production, eliminate brands, and close plants. Whoops. The United Auto Workers and municipal contracts would not agree to these steps. Score one for bankruptcy reorganization.

High Costs. We need to reduce the number of salaried and hourly employees—not likely by negotiation. A UAW hourly worker was quoted, “I think we’ve given enough.” The statement clearly reflected the union mood and position. Score two for the legal remedy.

Legacy Costs. The companies needed to reduce the unbearable level of benefits. They were contractual with no sign that workers would give them up easily. Score three for bankruptcy.

Dealerships. State laws made it prohibitively costly to close dealerships. As a political reality, no mayors or other officials could ever agree to provide relief for a car company at the price of a loss of local jobs. Score four for reorganization.

Contractual Commitments. We can only muse about, “Who signed these things?” Never mind. Courts enforce contracts, and lawyers fight to keep them in place. Under U.S. law, only bankruptcy can break the agreements. Score five.

Management. We did not need a “car czar,” a position proposed by the House of Representatives to oversee the U.S. auto industry. It is hard to imagine the government in the business of straightening out carmakers. The industry needed functioning boards of directors and executive leadership operating in a system that works. Fix the management culture. Score six.

Verifying the Choice

Any good risk analysis looks for opposing views. These are opinions expressed at the time of the crisis.

Bankruptcy as an Option. GM’s Mr. Wagoner was quoted as saying, “Bankruptcy is not an option.” As it turned out, he was right. The word “option” implies other choices. If there were none, bankruptcy was not an option. It was an eventuality.

Protecting Dealers. Michael Jackson was the CEO of AutoNation, the largest U.S. retailer of cars. He argued that automakers had improved quality, reduced labor costs, and rationalized production. Does this mean the companies needed all the local dealers included in AutoNation? His point, although correct, was not relevant. The companies had too many dealers.

Labor Costs. What was the UAW view? The quote, “I think we’ve given enough,” captures the hard-line view of the labor force and its leaders. We have no help here.

Likelihood of Change. Mr. Wagoner said he would not resign. That would be taken care of soon enough. The board, perhaps with prodding from the government, would force him out.

Effects of Bankruptcy. A marketing research firm reported that 80 percent of car buyers would not purchase a car from a bankrupt company. Another survey said 51 percent would not buy a car from GM in any case. Bankruptcy may produce a condition where some buyers would take a new look at American products. As it turns out, they did.

Decision Time

Our work is almost done. Are we ready to choose? Bankruptcy reorganization would have negative effects, offset by the possibility of fixing high costs, reducing legacy costs and excessive dealerships, and breaking burdensome contractual commitments. It would be a way to fix the system. Here is what happened.

General Motors. In June 2009, GM filed bankruptcy. On that filing, the U.S. government provided $33 billion in financing. A new General Motors was formed around the four major brands of Chevrolet, Cadillac, GMC, and Buick. The company kept 3,600 of 7,000 U.S. dealerships, shut down 14 of its U.S. plants, and eliminated 20,000 of its 80,000 employees. In 2012, the company earned $4.9 billion in profits and had repaid the government most of the money it borrowed.

Ford. The company was in a stronger financial position than GM or Chrysler in 2008. Starting two years earlier, Alan Mulally had taken aggressive steps to restructure the company. He shed divisions, cut costs, and mortgaged Ford assets to raise $24 billion to modernize the company. He turned Ford around without a government bailout. After losing $30 billion in the period 2006–2008, Ford earned almost all of it back between 2009 and 2012.

Chrysler. The company filed for bankruptcy in 2009, after failing to reach agreement with creditors on a different plan. A court approved the creation of a new entity with 20 percent of the ownership in the hands of FIAT. The U.S. government took 10 percent of the shares and provided financing of $6.6 billion. The new Chrysler dropped contracts with 25 percent of its dealers. The UAW retiree medical fund held two-thirds of the common shares and was the major shareholder of the firm. Free of many obligations, the company reported $1.7 billion in profits in 2012.


CHAPTER 3

CONTRIBUTIONS OF ERM

RISK QUOTE: Not only do I not know what’s going on, I wouldn’t know what to do about it if I did.

—GEORGE CARLIN, COMEDIAN

RISK QUOTE: Cheers to a new year and another chance for us to get it right.

—OPRAH WINFREY, BUSINESSWOMAN AND TV PERSONALITY

Now we move into new territory, identifying the seven contributions of ERM. More than that, we develop a paradigm for enterprise risk management. We get close to the operational level where risk comes alive and managers deal with it on a day-to-day basis.

Contribution 1: Recognize the Upside of Risk

As already explained, the first contribution of ERM occurs when “risk opportunity” is incorporated into the definition of “risk.” This acknowledges the interaction among risks because an exposure does not occur in isolation.

HENRY FORD’S UPSIDE OF RISK

Henry Ford was manufacturing Model T automobiles in Detroit. Employees worked 10 hours a day for six days a week to earn $18 per week. Such a schedule did not leave time to drive automobiles or do much else. In 1914, Ford changed the nature of work in the United States when he paid workers $5 a day for five days’ work per week. He also shortened the workday to eight hours.

Other companies followed. People had time for activities other than paid work. A leisure society started. It became a fully developed consumer economy after World War II. By his action, Ford played two roles in the world of risk management:

Added Hazard Risk. Trucks and automobiles were a massive new exposure. People drove farther and faster, resulting in accidents and the need for insurance. They also needed safe driving lessons, better roads, and safer cars. A whole new risk management area arose.

Upside of Risk. People had more leisure time to conduct activities that did not involve the automobile. The reduction in working hours, accompanied by a rise in income, increased demand for his vehicles. It also allowed Americans to conduct new risky activities. This byproduct of Mr. Ford’s decision gave new impetus to risk management.

Contribution 2: Assign Risk Owners

The second contribution of ERM is to assign a risk owner for every category of risk. In an ERM structure, the “owner” has the knowledge, experience, and ability to manage the exposure and thus be accountable for it. As we will see in Part Three, some risks cannot be addressed with a single risk owner.

U.S. AIRWAYS RISK OWNERSHIP

U.S. Airways flight 1549 landed with no loss of life on the Hudson River in 2009. The landing, by pilot Chesley “Sully” Sullivan, was called the “Miracle on the Hudson.” Prior to 2009, U.S. Airways had a history of finishing at the bottom of customer service rankings. Maybe it learned something from the JetBlue incident. Maybe not. Whatever the case, U.S. Airways was ready to seize opportunity in a situation of risk. The airline had a program of conducting dry runs for incidents three times a year at every airport it served. A Care Team of gate agents, reservation clerks, and other employees could be dispatched on a moment’s notice to the scene of an incident. It created an 800 number that accepted toll-free calls so that families and friends could call for information.

When the incident occurred, everybody moved. Some 150 employees from the company headquarters in Arizona rushed to the airport and boarded a plane for New York. They had advance authorization to use their personal credit cards. Some individuals had suitcases filled with prepaid cell phones, sweat suits, and dry clothes. Someone brought a bag of cash.

Once on site, everyone went to work. Staff members escorted passengers to hotels set up with 24-hour buffets. Employees purchased medicines, toiletries, and other needed items. They arranged train tickets and rental cars for individuals who did not want to get back on a plane. They reached out to high-level executives at Hertz and Amtrak so that passengers would receive no hassle getting the tickets. They retained locksmiths to help passengers who had lost keys for their cars or homes.

Activities continued in the weeks after the incident. One follow-up action involved sending letters updating passengers after they arrived home. Another was to refund the airplane ticket and give each passenger $5,000 to replace lost possessions. Additional monies were promised to passengers where $5,000 did not cover losses.

Upside: U.S. Airways received millions of dollars of free publicity after the incident. Its reputation soared.

Contribution 3: Align Risk Accountability

A third contribution of ERM recognizes the importance of matching responsibility and accountability for risk management with the business model of the enterprise. This produces the least disruption of current successful practices while adding a new perspective on and capacity to understand business risk. Alignment occurs when risks are grouped together so that they can be managed by a single owner.

A business model includes several items. The first is a value to be created for customers or clients. Second is the architecture of the organization, which creates a hierarchy, partnerships, and other structures to deliver the value. Next is the network of employees, partnerships, and other relationships that create and deliver value. Finally, resources aligned with the structure provide the capital, assets, and people needed to generate sustainable profits and cash flows.

ERM can be fitted to the various units and levels of the business model. ERM is enhanced when key risks have risk owners while internal controls take care of “all” risks. Then we can use a structure of lower-level risks to drill down risk ownership into the entity.

Who are the risk owners in a business model? Functional staff members in production, marketing, and finance support the business model. Business units, including relatively autonomous regions and operations, are obvious risk owners. Finally, and not to be omitted, are key initiatives. These major activities reflect highly visible goals, cross unit lines, provide entrepreneurial opportunities, and solve major problems.

The final step is to match risk categories with risk owners. This enhances the chance that the risk alignment will work smoothly. Each risk owner is focused on his or her important risks. This limited list of perhaps five to eight exposures should be created at each hierarchical level. Risks handled by day-to-day organizational practices and internal controls are not part of the structure and are included only as exceptions if an internal control process breaks down.

FORD MOTOR COMPANY RISK ACCOUNTABILITY

Another Ford Motor Company story occurred in the late 1990s. The company recognized an exposure to price fluctuations in the rare metal palladium, an important component in catalytic converters. To reduce the risk, the purchasing department hedged the exposure by signing long-term contracts to purchase palladium at stable but high prices. Did the strategy work?

Answer

No. Ford’s Research and Development department recognized the same risk and redesigned catalytic converters requiring minimal palladium. In 2001, the price per ounce of palladium dropped from $1,500 to $400, causing Ford to suffer a loss of $1 billion.

Contribution 4: Create a Central Risk Function

A fourth contribution of ERM is to create a central risk function. This is an individual or unit responsible for the coordination of risk discussions across the entity. It should occupy a high position in the hierarchy and have access to senior executives. Its goal should be to facilitate efforts by risk owners to manage risk.

A central risk function can identify risks that might otherwise be missed by senior executives at the top of an organization (chief marketing officer, and so on, and business unit or key initiative executives). By facilitating the sharing of risks and strategies, it can manage and vet information. By influencing risk discussions, it can reduce the tendency for silos to refuse to share information and hide negative conditions.

In some formulations of ERM, a central risk function takes on the perceived role of managing risk. It may even be responsible for insurance buying or loss control. This is not a good model because risk identification and risk sharing are fundamentally different from risk transfer or mitigation. Somebody other than the central risk function should buy insurance and ensure workplace safety. Organizations need a central activity that seeks out factors that are changing the business landscape. What is happening with markets, regulators, politics, competitors, and other sources of risk? What is happening inside the organization itself with cultural, management, leadership, human resources, and unit life cycle exposures? These are important issues. They deserve full attention.

WARREN BUFFETT’S CENTRAL RISK FUNCTION

The role of a central risk function is often played by the CEO or one of the senior executives of a company. Warren Buffett comes to mind. In 2003, he foresaw the signs of the 2008 financial crisis and sounded an alarm: “Charlie Munger [Buffett’s partner at Berkshire Hathaway] and I are of one mind in how we feel about derivatives and the trading activities that go with them. … We try to be alert to any sort of mega-catastrophe risk, and that posture may make us unduly apprehensive about the burgeoning quantities of long-term derivatives contracts and the massive amount of uncollateralized receivables that are growing alongside. … In our view, however, derivatives are financial weapons of mass destruction, carrying dangers that, while now latent, are potentially lethal.”

Contribution 5: Install a High-Tech Electronic Platform (HTEP)

A fifth contribution of ERM is the recommendation to create a risk management decision support system specifically designed to help understand risk. It is a tool to share identified risks and recognize the scope of each exposure. It provides a repository to show how a risk owner is evaluating each risk and allows sharing alternatives and recommendations. In Part Two, we will recommend features of such a high-tech platform, including these:

RiskClusters.Riskcategories shouldbebuilt so that risk relationships canbeunderstoodquickly and without clutter. A risk cluster is a grouping of related risks showing theinteraction of exposures.As an example, a fire causes loss of property but also has animpactonfuturebusiness,earnings,andcashflows.

Risk Mitigation Details and Activities. The individual exposures should be linked toinherent risks andmanaged risks. All authorized risk owners can see the activities andmitigationstrategiesandmakesuggestionsforimprovementsorcooperation.

AIG’sViewofRiskEarly in2008,MartinSullivan, theCEOofAIG,becameconcerned thathiscompanyhadahigh degree of exposure to agreementswherebyAIG guaranteed payment for losses.At thetime,AIGhadnoabilitytovisualizetheexposureusingmoderntechnology.HeneededasystemsuchasthatshowninFigure3-1.Hewouldhavebeenabletolookrightdownthehierarchy,seetheUnitedKingdomunitofferingtheguarantees,andviewtheexposureandmitigationefforts.Withoutthetechnology,hehadtorelyonthewordofhissubordinates.Basedonwhattheysaid,heassuredinvestorsandothersthatAIGhadnoexposureinadecliningmarketforhomemortgages.Ifhehadhadtheviewin2005, theworldmighthaveavoidedtheseveredifficultiesitfacedasaresultofthe2008financialcrisis.

Contribution6:InvolvetheBoardofDirectors

A sixth contribution of ERM involves the fiduciary role of the board. Its members understand the importance of complying with Sarbanes–Oxley. They usually require periodic reports from internal audit. How can a board not also have independent reporting on enterprise risk?

The board has numerous options to obtain risk progress reports. Figure 3-2 shows a structure where the central risk function is reporting directly to the chief executive officer but also has a communications line directly to a committee of board members who oversee risk identification for other board members.

FIGURE 3-1. VIEW OF RISK NEEDED BY AIG.

Figure 3-3 presents a different structure. The board has charged a single board member with responsibility to report on risk identification. This board member has a direct communications link with the central risk function.

FIGURE 3-2. ERM AND THE BOARD 1.

FIGURE 3-3. ERM AND THE BOARD 2.

Contribution 7: Employ a Standard Risk Evaluation Process

The seventh contribution of ERM encourages the use of a viable evaluation process to assess risk. It is essentially a problem-solving process that is used widely in planning and budgeting and that is modified to systematically approach decisions to retain, transfer, reduce, or avoid exposures. This is one version:

Identify the Risk. External risks are largely uncontrollable because they arise from the competitive environment, economic factors, acts of regulatory bodies, and other outside sources. Internal risks reflect the culture, value structure, management and leadership styles, subcultures, and relationships among employees, suppliers, customers, and others. Exposures exist from faulty business processes, internal controls, and weaknesses among workers and departments.

Assign an Owner or Owners. Establish clear accountability by matching every important risk with a functional area, business unit, or key initiative. Delegate accountability down a chain of command to co-owners in a direct reporting line with the risk owner.

Assess the Impact. What is the expected frequency of each risk? Is the chance of loss remote or likely? What are the levels of damage severity under different assumptions? Support assessments with both quantitative analysis and qualitative considerations.

Evaluate Mitigation Options. What choices are available? Can the risk be retained, avoided, reduced, or transferred? Recognize the trade-off between the cost of mitigating the risk and the benefits gained by accepting it.

Implement, Monitor, and Revise. Pick an option and implement it. Monitor the results so that adjustments can be made as needed. Ensure flexibility if conditions change or new information becomes available.

Figure 3-4 displays the seven contributions that point the way to designing an effective ERM program.

FIGURE 3-4. SEVEN ERM CONTRIBUTIONS.

Conclusion

You don’t need to be a rocket scientist to understand the importance of enterprise risk management. You just have to get it right. In future chapters, we examine situations so the richness of ERM comes alive. This begins with the Home Depot case study that follows in Appendix 3.

APPENDIX 3

HOME DEPOT

Home Depot was founded in 1978 and grew to $40 billion in revenue in 20 years. By 1999, however, growth and profits had stalled. In 2000, the board of directors brought in Bob Nardelli as chief executive officer. Bob had had a successful career, rising to the top echelon of General Electric. When he failed to win the position of CEO when Jack Welch retired, he left GE.

Consider the Upside of Risk

At Home Depot, Mr. Nardelli changed the culture. He implemented a military-style management model. Thirteen percent of the company’s employees had military experience, compared to 4 percent at Wal-Mart. More than 500 of the 1,100 employees hired into management between 2002 and 2006 had previously been junior military officers. By 2006, more than 100 of these were store managers. Bob knew how to respond to risk. A person who has faced a shooting enemy will be calm when dealing with a tough customer.

The military-style management was consistent with Mr. Nardelli’s philosophy. Home Depot was following George Stalk’s principles described in Hardball: Are You Playing to Play or Playing to Win? Examples of the philosophy include (1) maneuvering competitors into positions and markets where they are forced to invest heavily to stay competitive and (2) engaging weaker rivals in a war of attrition, eventually forcing them out of business.

Lesson Learned: Mr. Nardelli aggressively pursued the upside of risk. This could be good.

Assign Risk Owners

As a result of the change in leadership, the culture at Home Depot changed dramatically. Prior to 2000, store managers had enormous authority. They were the risk owners on the front line of the business. They used their knowledge of local conditions and, in many cases, their instincts, rather than data and analytics, to run their operations. Beginning in 2000, most major decisions came from the top. Headquarters measured performance, made decisions, and set goals, using analytics such as margins of profit on products and the number of customers greeted at the door.

The new system was producing results. Between 2000 and 2005, sales at Home Depot rose 75 percent, and profits doubled. By 2006, the company was the world’s third largest retailer, and its success was attracting attention. In March 2006, Fortune magazine identified Home Depot as the most admired specialty retailer for that year and named it the 15th most admired global corporation.

Lesson Learned: Risk ownership shifted from store managers to central staff who made major decisions and to corporate committees with no direct accountability for results. Home Depot moved away from identifying risk owners with accountability for risks. This might not be good.

Align Risk with the Business Model

At exactly the same time (March and April 2006) that the public press was taking favorable notice of Home Depot, Saint Peter’s University ran its first ever course on enterprise risk management. The class noticed a failure at Home Depot to align risk responsibility with the business model. Committees and central staff were making decisions that were not vetted by store management, including the new military-trained managers. Four teams of MBA candidates undertook an ERM analysis of Home Depot. Would it confirm the positive picture?

The first symptom of a problem was the performance of the company’s stock. It dropped 7 percent between 2001 and 2006. In contrast, Lowe’s, a major competitor half the size of Home Depot, saw its stock rise 210 percent over the same period.

The students looked inside the company itself. Inventory was sluggish at Home Depot. Headquarters focused store managers on a single metric—inventory turnover. To increase the ratio, a store could either sell more goods or reduce its inventory. In a number of cases, store managers stopped ordering inventory, and shelves were often empty of goods to sell. Here was a complete failure to align risk management with the business model. Store owners should be responsible for achieving goals, not managing ratios dictated by headquarters staff personnel.

A second failure to align risk with the business model involved directives to cut staffing costs. The CEO ordered a reduction in the ratio of full time to part time from 70 percent to 50 percent of total staffing. A savings would result by holding back on employees’ health care benefits and retirement contributions. This was a disaster for morale, a hard-to-quantify but real variable in risk management.

Lesson Learned: Aligning risk categories with the business model provides accountability not available when directives come from staff officers or committees. Who would be accountable, other than the CEO, if Home Depot were to stumble?

Establish a Central Risk Function

The Saint Peter’s MBA teams were effectively acting as a central risk function for Home Depot. They found deteriorating conditions in the military-style atmosphere, accompanied by pressure to perform and a failure of the company to make a real commitment to the workforce. All four teams identified a culture of fear. It was accompanied by a whole new language that became part of employee discussions, including these terms:

Aprons. Store workers themselves, described by their orange aprons. An apron is useful but does not have to think.

Bob’s Army. A reference to individuals in the store leadership program, where half of new hires were former military personnel. What happened to individuals who were not former military personnel? Not good for morale.

Bobaganda. A term describing company programming on televisions in employee break rooms. The TVs continuously displayed tips to help staff sell more merchandise, gave warnings on proper and improper behavior, and shared messages from senior managers and executives. The MBA teams imagined a rather stressful time when employees tried to relax for a little while.

Home Despot. The ultimate sign of cultural problems. For disgruntled employees, this became the undercover name of the company itself.

The teams scanned outside the company for data. As a final nail in the coffin, the class discovered a University of Michigan Annual Customer Satisfaction Survey. In the 2001 survey, Home Depot and Lowe’s each scored a 75. In the 2006 survey, Home Depot dropped to 67, while Lowe’s rose to 78. In spite of accolades in the media, Home Depot was not a hit with customers. Its score put it in last place in the department store and discount store category.

Lesson Learned: Without a central risk function or other scanning mechanism, signs of future danger can easily be missed.

Create a High-Tech Electronic Platform

Home Depot did not have a central risk function using a modern risk management platform. From all indications, the organization did not understand the relationships among customer dissatisfaction, employee low morale, and a centralized system of decision making that separated risk owners from business decisions and strategies.

Lesson Learned: In a situation like this, things can go wrong.

Involve the Board

By all indications, the board of Home Depot was highly concerned with corporate responsibility and a high degree of fiduciary responsibility. In April 2006, the Harvard Business Review ran a lengthy article describing Home Depot as a model of corporate governance. The article claimed that the company was committed to living values and recognized an ethical obligation to shareholders, employees, customers, suppliers, and the communities where it operates. The company claimed to follow strong corporate governance practices, compliance procedures, and transparent financial reporting practices. It had a disclosure committee that pursued accurate and complete financial reporting, it had a corporate compliance council that regularly monitored internal controls, and it allowed only independent directors to serve on key board committees.

Lesson Learned: A board can have the best of intentions, but it can still miss important exposures if it does not have an effective program of risk identification and sharing.

Standard Evaluation Process

Four teams of Saint Peter’s MBA candidates performed an ERM evaluation of Home Depot in April 2006. Every single team was negative about the future of Home Depot under the leadership of Mr. Nardelli. It turned out that the ERM analysis was right on target. Within months, the Wall Street Journal and other publications picked up the story. On January 2, 2007, only 10 months after a Fortune magazine most-admired article, Home Depot and Robert Nardelli mutually agreed on Nardelli’s resignation as CEO after a six-year tenure. Nardelli resigned amid complaints over his heavy-handed management style.

Lesson Learned: Even when all seems to be going well, a strong central risk scanning activity, accompanied by a standard evaluation process, can help organizations identify problems.

Aftermath

The story of Mr. Nardelli did not end when he left Home Depot. He rebounded in August 2007 when Cerberus appointed him as the CEO of Chrysler Corporation. That story is told in Chapter 19.

CHAPTER 4

CHALLENGE OF THE BLACK SWAN

RISK QUOTE: The world is getting to be such a dangerous place, a man is lucky to get out of it alive.

—W. C. FIELDS, COMEDIAN AND MOVIE STAR

RISK QUOTE: A lie can run around the world six times while the truth is still trying to put on its pants.

—MARK TWAIN, HUMORIST AND WRITER

2014 Atlanta Ice Storm

In 2011, Atlanta was devastated by a storm when six inches of snow and 1 inch of ice closed down highways, schools, and malls. It took several days to resume normal life. The same thing happened again in 2014 with 1 inch of snow. Nathan Deal, Georgia’s governor, said he was caught off guard because of a failure by the National Weather Service to warn his administration of the impending storm.

The Service has three types of storm alerts.

1. Winter Storm Watch. Potential for 2 inches of snow or a quarter inch of freezing rain in 12 hours.

2. Winter Storm Warning. Danger of strong impact from a combination of snow, sleet, or freezing rain.

3. Winter Weather Advisory. Likelihood of some impact from snow, sleet, or freezing rain.

Snow and freezing rain began at noon on January 28. Visitors to the National Weather Service website could see the following for the Atlanta area:

January 27, 4:55 A.M. Winter storm watch in effect from Tuesday morning through Wednesday afternoon.

January 28, 3:39 A.M. Winter storm warning with expectations of 1–2 inches of snow.

January 27–28. Continuous reporting on the radio, TV, and Internet.

Here are representative news headlines on the radio, TV, and Internet:

“It’s a jam-packed forecast for North and Central Georgia as a winter storm is brewing for Tuesday into Wednesday.”

“Overnight tonight, an arctic cold front will barrel its way through Georgia.”

“High temperatures should only reach to near freezing on Tuesday and will begin to fall when precipitation starts.”

“Winter Storm Watches and Winter Storm Warnings are in effect from 10:00 AM EST on January 28th until 1:00 PM EST on January 29th.”

Yet government officials were caught off guard. To them, the storm seemed to be a black swan.

What Is a Black Swan?

Nassim Taleb, in his book The Black Swan (Random House, 2007), identifies a black swan as an event that meets three conditions.

Outlier Risk. A potential loss found outside the realm of normal expectations based on people’s understanding of the world.

Extreme Impact. Presenting the possibility of great danger or change in its consequences to individuals, organizations, or societies.

Not Predictable in Advance. Explainable and then understood only after it occurs. It is a surprise that can be a disaster.

Nassim Taleb’s term “black swan” is based on the early and unassailable belief among Europeans and others that all swans were white. For millennia, that belief prevailed. What changed people’s view? The discovery of Australia by James Cook in 1770 or perhaps an earlier discovery going back to 1606: That continent has black swans.

In earlier chapters, we set up the rationale for enterprise risk management. Now we will deal with Mr. Taleb’s creative and quite accurate position on risk. He does not believe anyone can predict the largest disasters that will befall us. He also sees fallacies in how we view risk.

Examples of black swans can be seen throughout the course of history. Fairly recent ones include the rise of Hitler, World War II, the demise of the Soviet bloc, the rise of the Internet, the 9/11 terrorist attack, and the financial crisis of 2008. In 1918, no one foresaw the rise of Nazi Germany, the role of Hitler, and the launching of another world war. By 1935, Nazism was no longer a black swan.

The financial crisis of 2008 was a financial “bubble.” In 2001, it was a black swan. By 2003, some people saw it coming. Why did this happen? Maybe we can understand it from Robert J. Shiller’s description of a bubble in Irrational Exuberance (Crown, 2006):

Irrational exuberance is the psychological basis of a speculative bubble. I define a speculative bubble as a situation in which news of price increases spurs investor enthusiasm, which spreads by psychological contagion from person to person, in the process amplifying stories that might justify the price increases and bringing in a larger and larger class of investors, who, despite doubts about the real value of an investment, are drawn to it partly through envy of others’ successes and partly through a gambler’s excitement.

Question

Which of the following are examples of black swans?

The development of nuclear weapons
The Vietnam War
The Enron collapse
Terrorist attacks after 9/11
Hurricane Katrina
Global warming
AIDS pandemic
An earthquake in San Francisco in the twenty-first century

Answer

Taleb claims none were black swans. Scientists thought they could split the atom. Colonial wars were common. Companies collapse. For years, we waited for a hurricane to hit New Orleans and did nothing to prevent it. Sometime in the future, San Francisco will experience a devastating earthquake, and California is likely to be unprepared.

A TRUE BLACK SWAN

There is controversy over exactly what should be labeled a black swan and when the description no longer fits. We will not resolve the issue. We can, however, point out an event that everyone agrees is a black swan. It occurs in the United States on the last Thursday in November. For a turkey, which has been pampered and fed generously for all its life, Thanksgiving is a black swan.

MEDIOCRISTAN AND EXTREMISTAN

One of the keys to understanding black swans is to recognize that we live in two different worlds. In the words of Nassim Taleb, they are:

Mediocristan. A world with few extreme successes or failures, where six standard deviations in a bell curve define all possibilities. Figure 4-1 shows a “normal” world where 95 percent of the outcomes allow us to forecast likely, best, and worst outcomes.

Extremistan. A world with rare occurrences with widespread impacts. Figure 4-2 shows the “non-normal” 5 percent world wherein lie the black swans.

EXAMPLE OF MEDIOCRISTAN

A health care agency weighed 1,000 people and determined that the average weight loss with a diet plan was 34 pounds. In an effort to show greater success, they added five individuals whose weight loss averaged 100 pounds. They produced their report. There was no extreme result.

FIGURE 4-1. MEDIOCRISTAN AS A 95 PERCENT WORLD.

FIGURE 4-2. EXTREMISTAN WITH ITS BLACK SWANS.

Original. 34,000 pounds were lost.
Revised. 34,500 pounds were lost.

Original. Average loss was 34.0 pounds (34,000/1,000).
Revised. Average loss was 34.3 pounds (34,500/1,005).

EXAMPLE OF EXTREMISTAN

A labor agency survey of 1,000 people determined that the average annual income was $34,000. In an effort to show a higher standard of living, they added an individual who earned a bonus of $100 million. They produced their report showing an extreme result.

Original. $34 million was total income.
Revised. $134 million was total income.
Original. Average income was $34,000 (34,000,000/1,000).
Revised. Average income was $134,000 (134,000,000/1,001).

Lessons Learned: Two lessons were learned from the weight loss and annual income comparisons:

Mediocristan. When accepting risk in the 95 percent zone, an exception to the expectation has little impact.

Extremistan. When accepting risk in the 2.5 percent zones, an exception to the expectation has large impact. It is positive at one extreme and negative at the other.

The role of ERM in dealing with black swans is to try to identify exposures whenever possible and to include them as Mediocristan or Extremistan possibilities in risk management discussions. This is a critical rationale for a central risk function.

Blockbuster

Blockbuster was an American-based provider of home movie and video game rental services. Founded in 1985, it expanded rapidly. By 2005, it had 9,000 stores with 60,000 employees. If management had asked three questions, it might have saved itself from considerable grief that, for the company at least, represented a black swan.

1. What are we doing? Our business is renting DVDs to customers who stop in our stores.

2. What will we be doing? We may be doing less business. Competition is coming from Netflix, a provider of DVDs by mail. We are not in that market.

3. What should we be doing? It would be a good idea to hedge our bets and offer DVDs by mail.

Apparently, Blockbuster did not ask these three questions. In 2005, revenues were $6 billion and profits were $600 million. By getting a late start on DVDs by mail, it suffered a massive decline in business. In 2009, revenues of $4 billion were accompanied by a loss of $550 million.

Sometimes an organization helps to create a black swan. The decline of Blockbuster was accelerated by its policies on late fees. If you rented a $4.99 movie and failed to return it on time, you paid $1 a day in late fees. Then the policy was changed. If you were five days late, you bought the DVD at full retail price. Even though you could reverse the transaction in person at the store, people were annoyed. Did Blockbuster foresee the risk? Apparently not. Reed Hastings, the Netflix cofounder, was quoted in Forbes magazine.

The genesis of Netflix came in 1997 when I got this late fee, about $40, for Apollo 13 [from Blockbuster]. I remember the fee because I was embarrassed about it. … It got me thinking that there’s a big market out there.

Although the truth behind the statement is controversial, it is pretty clear that Blockbuster was making bad strategic and situational decisions about risk.

Epilogue: Due to its failure to spot the risk, Blockbuster filed for bankruptcy in 2010. Dish Network, a satellite television provider, purchased the company and its remaining 1,700 stores. Dish closed 200 stores in 2011, 500 more in 2012, 300 in 2013, and the remaining stores in 2014 when Dish also closed the DVD-by-mail rental.

Risk Experts

Taleb spends considerable time on the risk management activities of people who believe they are experts. He argues that only some areas are suitable for so-called experts.

Science. An organized body of knowledge. “Truth” can be replicated.
Art. An applied skill. Something must be done in specific circumstances.

Is risk management an art or a science? Taleb says it is an art. It varies with each challenge, situation, and time period.

Experts do not exist when behavior is an art. People who think they are experts on risk are people who suffer from a delusion. They do not know what they do not know. When experts are right, they believe it is the result of depth of understanding. When they are wrong, they blame the events, claiming they are random or outside our control.

EXPERTS IN RISK MANAGEMENT?

Who of the following are experts on risk management?

Political leaders?
Professors?
Scientists?
Cab drivers?

Answer

None, according to Taleb:

Political leaders have agendas that discourage prevention and outside forces that encourage expediency and dishonesty.

Professors have not faced true decision making under uncertainty and do not realize what is important.

Scientists are not informed until results are in from an event that already has happened. They can help only when the risk is identical to a replicable activity.

Cab drivers think they know everything and are happy to give advice. That, too, is an impediment.

Taleb accepts some risk managers as being experts because replication is possible. This includes astronomers, test pilots, chess masters, physicists, mathematicians, accountants, and grain inspectors. He rejects as experts stockbrokers, psychiatrists, college admissions officers, psychologists, judges, counselors, and personnel selectors.

TWO MISSED RISKS: NEVILLE CHAMBERLAIN AND AIG

A classic moment occurred in 1938, when Adolf Hitler was widely recognized as a threat to humanity. British prime minister Neville Chamberlain stood outside 10 Downing Street and said, “My good friends … there has come back from Germany to Downing Street peace with honor. I believe it is peace for our time.” We already saw a more recent example of missing a major risk in 2008 with Martin Sullivan at AIG. He rejected an auditor’s requirement that the company show a $19.3 billion financial loss, saying, “Excluding these external market issues, the underlying fundamentals of our core businesses remain solid.” The real loss was much higher. In April 2008, AIG stock traded above $40 a share. On September 16, 2008, it sold for $1.25 a share.

Lesson Learned: Can we see black swans?

The Failure of Experts

Taleb identifies three problems with experts when dealing with risk:

Illusion of Understanding. All people believe they know what is happening in a complex and random risk environment. People create order out of chaos when no order exists.

Distortion. People can assess risk accurately only after it has materialized. People look in a rearview mirror and think they see the road ahead.

Overvaluation of Factual Information. If we have data, we must use it. It must have the answer. If we have access to the views of experts, they are likely to be right. Experts are particularly valued if they have advanced degrees and untested theories.

The Perceived Level of Risk

To overcome these shortcomings, we need to recognize how people respond to risk.

Ideas. They are not very potent. They come and go. Some are fanciful. Some are just wrong.

Stories. They are potent. They stay. People can relate to them. They can change minds. They can cause mistakes in judgment about risk.

Truth. What is it? Maybe fiction reveals truth, and nonfiction is used to hide the liar.

Imagination. This is not much help. We lack imagination and suppress it in others.

Abstract statistical information does not cause fear.

Possibility. The more we can imagine something, the greater the risk. The perception of risk rises when we learn of a single murder in the park or an accident on a motorcycle.

Personal Linkage. Stories skew our estimates of danger if they contain frightening details. Tell a story to activate someone to manage risk. Use statistics to put the person to sleep.

Silent Evidence

Taleb observes that people tend to impute evidence to situations, affecting their perception of risk.

Unknown Silent Evidence. The evening news showed 10 survivors of a plane crash in which 70 people lost their lives. As the plane was dropping, they joined in prayer. Did the prayer save their lives? Taleb asks the obvious question: Did any of the dead also pray?

Known Silent Evidence. A drug saves 10,000 people a year, but side effects kill 10 others. Will a doctor prescribe the drug? Drugs are banned all the time when risks are statistically insignificant.

Wrong Silent Evidence. Sometimes we just do not get it right. See the next sidebar for an example.

SILENT EVIDENCE

A man was on trial for murdering his wife. The prosecution introduced evidence that the man was an inveterate wife abuser. The defendant’s lawyer introduced statistics that 4 million women are battered every year by their male partners, yet only one in 2,500 is ultimately murdered by her partner. Does this evidence statistically support the likelihood that the man did not commit the murder?

Answer

The answer is no. The statistic was introduced at the O. J. Simpson trial. However, Nicole Brown Simpson was already dead. The relevant question was what percentage of all battered women who are murdered are killed by their abusers. The answer was 90 percent, but it did not come up in the trial.

Leonard Mlodinow, The Drunkard’s Walk: How Randomness Rules Our Lives (Pantheon Books, 2008).

Conclusion

Clearly, black swans exist, and they play a major role in risk management. ERM can only catch them early and encourage steps to minimize the damage. Today we need to watch developing countries—China and India individually and second-world countries as well. What will happen with advances in technology, financially interlocking risks, changing markets, fossil fuel infrastructures, global warming, shortages of clean water, and a degrading environment? We may be seeing the early stages of a black swan.

CHAPTER 5

THE 2008 FINANCIAL CRISIS

The greatest lesson in life is to know that even fools are right sometimes.

—WINSTON CHURCHILL, BRITISH STATESMAN

RISK QUOTE: Never pick a fight with an ugly person, they’ve got nothing to lose.

—ROBIN WILLIAMS, COMEDIAN

Speculative Frenzies

In 1991, Stephen Case founded America Online (AOL) and led it to rapid growth. In 2000, AOL and Time Warner merged, with AOL shareholders receiving 55 percent of the stock of the new AOL Time Warner. Thus, AOL was valued more highly than Time Warner. Following the merger, AOL suffered a major decline in profitability and cash flow. As a result, AOL Time Warner reported a loss of $99 billion in 2002, the largest corporate loss ever reported up to that time. Less than 15 months after the merger, the stock price had dropped more than 50 percent. In 2003, Time Warner dropped AOL from its name and replaced Case as executive chairman. In 2005, Case resigned from the Time Warner board.

Lesson Learned: Speculative bubbles can affect companies as well as people.

If the prospect of black swans brings a challenge to ERM, so did the 2008 global financial crisis. It can be traced back to the dot-com frenzy of the late 1990s. The Internet, as well as the doors it opened, created opportunities to launch businesses that took advantage of new technologies. Changes were envisioned in consumer behavior, marketing, advertising, and communications. Investors encouraged new companies to endure a negative cash flow in a frantic effort to ensure the future dominance of a technology or market. Record-setting rises in stock valuations became the name of the game as many early investors became extremely wealthy.

Then the bubble burst. We can see the outcome in the Nasdaq composite index, where most high-tech companies traded.

Year    Index
1995    800
1999    1,800
2000    5,100
2002    1,100

History of the Crisis

After the crash of the Nasdaq, investors sought new places to put their money. The search soon found rising real estate values. Investors who speculated in the California, Florida, Northeast, and Southwest housing booms were making a great deal of money by 2002. They believed that prices would rise indefinitely. They were partly right. From 2002 to 2005, prices continued to rise even though construction costs were relatively level.

NEW MORTGAGES

In the middle of the frenzy, banks and investors developed new forms of mortgages: “We can do you a favor. We can approve a mortgage you cannot afford.” Banks offered adjustable interest rate mortgages (ARMs) with low rates for the first few years. Homeowners could worry about the higher payments later. If the family could not pay the mortgage when rates rose, the owner could sell the house at a profit. The owner could use the proceeds from the sale to buy another house, possibly a smaller house that the owner could actually afford.

LEVITT ON SELF-INTEREST: A FACTOR IN THE CRISIS

As we try to understand the financial crisis, many actors come to the stage. Was it greed and thievery, foolish politicians, incredibly stupid and unethical executives, dozing regulators, home buyers who demanded something for nothing, or executive decision makers who lacked the courage to shift the tide? Steven Levitt has observations on the source of risk when it appeared that no risk existed at all. He describes Paul Feldman, who delivered 8,000 bagels a week to 140 corporate offices. An honor system allowed employees to pay for the bagels as they took them. On the average, 95 percent of individuals paid for the bagels. In one company, the executives were on one floor, and the sales, service, and administrative employees were on other floors. There was more cheating on the executive floor than on the floors with lower-paid employees.

Lesson Learned: Maybe senior executives have a sense of entitlement, or maybe people who tend to cheat are more likely to become executives. Make sure we do not make the wrong assumptions in the absence of investigation. Gather as much information as possible when evaluating risk. It is not easy to understand the source of an exposure.

What would happen to buyers who could not afford the adjustable-rate mortgages? This, too, had a unique solution. Banks offered interest-only mortgages that had lower payments than ARMs. Like ARMs, these mortgages would adjust in a few years and require higher payments that reflected both the higher interest rate and repayment of the principal.

NEWLENDINGCAPITAL

Part of the ensuing problems resulted from the availability of capital from banks. Did thebankingregulators limit the lending?No. It is true thatabankmusthaveadequatecapital tosupportlending.Anditistruethatregulatorscloselymonitortherelationshipsamongmortgageassets, deposits, and bank capital. To increase the funds they had available to lend and toreceive thefees thatgowith theoriginationofamortgage,bankssoldoff themortgagesandthusfreedupcapitaltomakenewloans.Investmentbanks,anunregulatedcomponentofglobalfinancial markets, bought the mortgages and packaged them into new securities called“collateralized debt obligations (CDOs).” Investment bankers sold these securities to eagerinvestorswho sought above-market rates of return at the perceived level of risk.Mortgagebankers facilitated the process of collectingmortgages and transferring them from banks toinvestmentbanks.

Themortgagemarketchangedcompletely.Bankshadafinancialincentivetomakeasmanymortgages as possible. At the same time, they faced no risk of default because the banksimmediatelytransferredthemortgagestoinvestmentbanks.Becausetheyfacednorisk,manybanks dropped their credit standards and began offering so-called subprime mortgages—mortgages given to those who could not qualify for traditional fixed-ratemortgages. Banksofferedstatedincomeloansthatrequirednoverificationofthesourceofthefundswithwhichthe borrower would pay interest and repay principal. When potential borrowers lackedadequate income, some banks encouraged them to inflate their stated income. Othersoverlookedcreditcardandotherdebt.

LEVITT ON ECONOMIC AND SOCIAL RISK: THE BLOOD BANK

It sounded like a good idea when the government encouraged banks to lend money to people who could not otherwise afford to own their own homes, but an economic and social risk combined to cause a crisis. Steven Levitt discusses the economic incentives that face a different kind of bank. He describes a blood bank that sought to increase donations of blood and offered a newly minted $10 bill to anyone who donated blood. The impact was a decrease in the level of donations. What was the cause-and-effect relationship? A second question is what would happen if the economic incentive were $1,000 instead of $10? Here are Levitt’s answers:

$10 Incentive. A person received a small amount of money instead of being praised for a good act. Donations went down.

$1,000 Incentive. Donations might rise because the economic incentive is much greater. Risk arises also because of the potential for misbehavior such as theft of blood, counterfeit blood (from pigs?), and fake identification cards used by dishonest or ineligible donors.

In the context of economic incentives, Levitt quotes W.C. Fields: “A thing worth having is worth cheating for.”

Lesson Learned: Conventional wisdom is often wrong. We reduce risk when we reconsider and maybe even challenge basic assumptions. People achieve their goals with behaviors that seem to be inconsistent. This can happen in blood banks as well as in an entire financial system.

One of the worst developments was the creation of down payment assistance (DPA) mortgages. The seller would donate money to a charitable organization so that it could provide a down payment for a buyer. The buyer would purchase the seller’s house at a price above the market, and the charity would make the down payment. Effectively, the buyer made no down payment. Banks made 650,000 such loans between 2000 and 2006. In 2006, the IRS barred tax exemptions for the practice.

Scanning for Exposures

A simple scanning of the horizon showed improper lending practices with serious exposures for homeowners and investors. As an example, consider a 30-year, $500,000 mortgage that starts at an interest rate of 4 percent and adjusts to 7 percent in three years. There were two formats:

Adjustable Rate Mortgage. The monthly payment will change from $2,400 to $3,300.
Interest-Only Mortgage. The monthly payment will rise from $1,700 to $3,400.

As the volume of these mortgages increased, the danger became substantial. One measure of exposure can be seen in San Diego, California, where, in 2004, almost half the mortgages were interest-only, and another 30 percent were ARMs. An ERM scan of the landscape would have posed big questions.

Interest Rates. They were dropping. Between 2000 and 2003, fixed-rate mortgages went from 8 percent to 5.5 percent. ARMs went from 7 percent to between 2 and 4 percent.


Mortgage Applications. In 1998, banks declined 29 percent of requests for mortgages. In 2003, they declined only 14 percent.

Housing Construction. In 1995, 600,000 new single-family homes were built in the United States. In 2005, the number more than doubled to 1.3 million.

Recreational Borrowing. Homeowners who did not need funds to buy a house took out mortgages anyway. They used the easily obtained loans against their homes to buy personal products, take vacations, and make home improvements.

Rising Personal Debt. Between 1996 and 2005, home equity loans rose from $100 billion to $750 billion.

These factors created a disaster. Many homeowners could not make the payments, and their homes went into foreclosure. The prices of homes plummeted because of the flood of homes on the market and the decreasing pool of available buyers. This left many homeowners owing more on their homes than the houses were worth.

Visible Signs of Danger

Other signs showed the exposure. In 2004, dramatic radio commercials told people that they should not be paying market rates for mortgages. How could financial services companies, regulators, and others miss such a signal? Something was wrong.

Another sign was housing prices in a steep climb for nine years. It was likely that many people could not afford the homes they sought. Buyers watched their neighbors get rich purchasing and flipping second homes and condos. Las Vegas and Florida were particularly hot, and mortgages were huge. It did not take an economist to figure out that a downturn in housing prices would be bad news for many people.

Enterprise risk management can help us understand the failure. Banks were the originators of loans but did not hold them. They took no risk churning their mortgage portfolios. Security markets searched for higher yields, and investment banks helped. They sold off packages of housing loans and earned a high return on their invested capital. For a time, everybody gained on mortgages that carried interest rates of 0.5 percent annually and then jumped dramatically after a few years. The temptation to relax credit standards or to eliminate them entirely was real. It led to disaster when the bubble broke.

AIG, Merrill Lynch, and other financial companies have bright leaders and managers. Did they see the exposure? One answer is that they had internal auditors, compliance officers, and quantitative models to manage risk. The training of these professionals and the tools they use focus entities inward and lull them into believing that they can limit the impact of exposures. This may be true for risks subject to internal audit. It is not the point of ERM. We gain little value from the central management of hundreds or thousands of business risks. Such a program can be nothing more than a description of internal controls. We needed something different.


Aftermath

After spotting the exposure and all the wrongdoing, politicians and others sought to place the blame on regulators, auditors, rating agencies, and even homeowners. The issue of bailouts dominated the media.

Government. Should governments around the world intervene to stop a liquidity run that would destroy the global financial system? In the United States, the government had encouraged banks to make loans to poor families, and many of these loans were later sold to Fannie Mae and Freddie Mac, former government-supported agencies.

Banks. Should we blame commercial and community banks for the crisis, even though the banks did not hold the loans? Was the crisis the fault of the investment banks that sold the worst mortgages to others?

Rating Agencies. Did they fail us by giving prime ratings to investment banks that were issuing securities nobody really understood?

AIG. Did it insure too many securities without backing them up with risk analyses and reserves?

Whatever the answers, governments around the world quickly realized that drastic steps were needed immediately. They sought to stop the erosion in home values, which meant stopping the foreclosures. They provided liquidity to the credit markets and to businesses operating in a global economy. U.S. regulators knew that a $2-trillion new guarantee or other commitment of the U.S. government was a $12,000 obligation to each U.S. taxpayer. They also knew that U.S. investors make up 20 percent of global equity holders. If global markets suffered a 20 percent drop in stock values, the loss would be $33,000 for every U.S. citizen. The actions restored much of investor confidence in the value of equity securities.

Non-U.S. governments and regulatory agencies also recognized the magnitude of the problem. They concluded that the short-term issue was not whether governments should bail out poor decision makers and crooks. It was not about severance packages for mediocre or worse U.S. CEOs. They defined the problem correctly. The solution was to take steps to stabilize the financial system and the economy of the world.

Parallel with the Great Depression

The Great Depression started with the U.S. stock market crash in October 1929 and became a worldwide economic downturn. It had a devastating economic impact on trade, economic activity, agriculture, and the morale of the people of the world. It did not end until the start of World War II.

The stock market collapse in 1929 was not the whole story. The market actually rebounded to early-1929 levels in 1930. The problem was fear. Consumers who experienced stock losses conserved their remaining capital. When bank lending became readily available in 1930, people did not take advantage of it. As spending dropped, job losses increased, and a downward spiral ensued. Government protectionist policies that weakened trade made the situation worse. The economic decline continued until 1933, when a new administration in Washington, D.C., began programs to create jobs. In some ways, it was too little too late.

Lesson Learned: Governments seemed to know that times of economic and financial crisis are not the time to be timid. This is a risk management lesson all by itself.

Dodd–Frank Act

A major effort to promote financial stability in the United States involved the Dodd–Frank Wall Street Reform and Consumer Protection Act. Driven by the 2008 global financial crisis, it seeks to reform the regulation of financial institutions. It was signed into law in the United States in 2010.

The goals of Dodd–Frank are to:

Streamline the regulatory process.
Promote financial stability.
Improve accountability and transparency in the financial system.
End “too big to fail.”
End bailouts.
Stop abusive financial services practices.

Question

The Dodd–Frank Act is an effort to streamline the federal regulatory process. Does it do that?

Answer

Maybe not. To streamline the federal regulatory process, Dodd–Frank increased the number of agencies that regulate the banking system. It created 243 rules to be followed by financial institutions and required regulators to conduct 67 studies and issue 22 periodic reports.

Question

Dodd–Frank is an effort to promote financial stability. Does it do that?


Answer

Maybe. The act created a Financial Stability Oversight Council charged with identifying threats to financial stability, promoting market discipline, and responding to emerging risks.

Question

Dodd–Frank is an effort to improve accountability and transparency. Does it do that?

Answer

Maybe. Dodd–Frank gives the Financial Stability Oversight Council broad powers to monitor, investigate, and assess any risks. The power is accompanied by access to the resources of other governmental agencies and the authority to require information on risk from large banks and other financial institutions.

Question

Dodd–Frank is an effort to end situations in which a financial institution is too big to let it be liquidated. Does it do that?

Answer

Maybe. Dodd–Frank grants Orderly Liquidation Authority to government agencies, including the Federal Reserve, Federal Deposit Insurance Corporation, Securities Exchange Commission, and Federal Insurance Office. At the same time, in 2014, the total assets of the three largest U.S. banks were JPMorgan Chase at $2.4 trillion, Bank of America at $2.2 trillion, and Citibank at $1.8 trillion. Would the government allow the failure of banks of this size? Only time will tell.

Question

Dodd–Frank is an effort to end situations in which the United States must rescue a failing financial institution. Does it do that?

Answer

Maybe. The cumulative effort of all the new regulation is designed to increase risk management practices in financial institutions. Will it work? Can it avert a crisis? If a crisis arises, will the government allow a collapse? How large a collapse? Once again, time will tell.

Question

Dodd–Frank is an effort to protect consumers from situations where financial institutions extend too much credit, levy excessive fees, charge high interest rates, and otherwise engage in practices that harm consumers. Does it do that?

Answer

We will see whether it stops abusive financial services practices. The regulators must answer some questions: What is too much credit? What are excessive fees? What is a high interest rate? What practices help consumers? What practices harm them?

Question

Who is accountable for government oversight of the financial system under Dodd–Frank?

Answer

In a failure to comply with the guideline of risk ownership in the ERM structure, no one party is accountable. The voting members of the Financial Stability Oversight Council are the secretary of the Treasury (chair of the Council), Federal Reserve chair, comptroller of the currency, Securities and Exchange chair, Federal Deposit Insurance chair, and experts on consumer protection, insurance, commodities, housing, and lending. To further dilute accountability, nonvoting members are the director of the (newly established) Office of Financial Research, director of the (newly established) Federal Insurance Office, a state insurance commissioner, a state banking supervisor, and a state securities commissioner.

Conclusion

Prior to the financial crisis, only two industry sectors had embraced ERM in any meaningful way: energy companies and financial service institutions. After the collapse of Bear Stearns and Lehman Brothers and the near collapse of Merrill Lynch and AIG, we could draw the conclusion that ERM had failed the shareholders and employees of financial firms. We could recognize a failure to understand ERM.

The reaction of the government to bringing many parties into discussions on how to avoid or handle future crises is perhaps laudable but may be flawed. With respect to financial markets, we may still lack effective regulation and risk management standards.


CHAPTER 6

IMPLEMENTING ERM

RISK QUOTE: The secret of life is honesty and fair dealing. If you can fake that, you’ve got it made.

—GROUCHO MARX, COMEDIAN AND MOVIE STAR

RISK QUOTE: I wake up every morning at nine and grab for the morning paper. Then I look at the obituary page. If my name is not on it, I get up.

—BENJAMIN FRANKLIN, SCIENTIST, PUBLISHER, AND DIPLOMAT

RISK QUOTE: It seems to be a law of nature, inflexible and inexorable, that those who will not risk cannot win.

—JOHN PAUL JONES, REVOLUTIONARY WAR NAVAL CAPTAIN

COSO Framework

The Committee of Sponsoring Organizations (www.coso.org) developed the framework most commonly associated with enterprise risk management. Titled COSO Enterprise Risk Management—Integrated Framework, the 230-page comprehensive description of ERM was published in 2004 and has been widely supported by professional associations of accountants and auditors. ISO 31000 was issued in 2009 as a major expansion of the COSO model. The Risk and Insurance Management Society (RIMS) formed an ERM online discussion group, established an ERM Center of Excellence, and offered a risk maturity tool for evaluating ERM programs.

In spite of the COSO and ISO guidelines, we have no agreement on a single program, either as a prerequisite for or as adequate evidence of effective risk management. Organizations build ERM structures to reflect their goals, industries, and corporate cultures.

COSO Structure


All ERM formulations follow the COSO imperative that organizational structure must be aligned with organizational objectives in four categories:

1. Strategic: High-level goals to achieve a stated mission.
2. Operations: Effective and efficient use of its resources.
3. Reporting: Reliability of reporting of operating and financial results.
4. Compliance: Efforts to comply with applicable laws and regulations.

COSO Components

Compliance with COSO standards should be measured in eight areas:

1. Internal Environment. How does the entity perceive and address risk?
2. Objective Setting. Does the entity have an effective process to set objectives that support business goals?
3. Event Identification. How does the organization seek to understand risks and opportunities?
4. Risk Assessment. How does the entity evaluate the likelihood and impact of exposures and opportunities?
5. Risk Response. Is management effective in avoiding, accepting, reducing, or sharing risk?
6. Control Activities. Has the entity established effective policies and procedures for effective risk management?
7. Information and Communication. Is relevant risk information identified and shared on a timely basis to allow effective risk management?
8. Monitoring. Does the entity evaluate risk management efforts and make modifications and improvements as needed?

COSO Definitions

The COSO framework for ERM was characterized by a focus on definitions. Everybody used different language, including:

Tillinghast (www.towers.com in 2002). A rigorous approach to addressing risks from all sources that threaten strategic objectives or opportunities to exploit competitive advantage.

Erisk.com (www.erisk.com in 2002). A holistic approach that fully integrates risk management into how a company conducts its business and communicates with stakeholders.


KPMG (www.kpmg.com in 2002). A disciplined approach aligning strategy, processes, people, technology, and knowledge to manage uncertainties as the enterprise creates value.

Marsh and McLennan (www.mmc.com in 2002). The effort to find an integrated, optimal way of managing risk by balancing financing techniques with organizational practices and processes.

Aon (www.aon.ars.com in 2002). The assessment of collective risks that affect value and the implementation of a company-wide strategy to maximize that value.

Approaches to ERM

Whatever the definition, everyone recognized ERM as a broad and complex concept that reaches into every major area of an organization. As such, it is not surprising that many approaches have been advanced to install ERM. They fall into three categories:

1. Strategy. This definition focuses on results, inasmuch as ERM is expressed in terms of organizational objectives.
2. Function. This definition describes ERM in terms of activities that reduce risk.
3. Process. This focuses on actions undertaken by managers to manage risk.

A SMALL FIRE

Lightning struck a Phillips N.V. semiconductor fabrication plant in New Mexico in March 2000, starting a small fire that was quickly extinguished. Nobody was hurt, and damage was minor. The plant was the only independent source of microscopic circuits for cell phones. Forty percent of production went to Nokia and I.M. Ericsson. In addition to the trays of wafers that were destroyed, production was interrupted.

After the fire, Phillips alerted 30 customers that a fire had taken place and that production was stopped. Phillips reported an estimated one-week delay. The actual delay turned out to be much greater. In response to the news, Nokia demanded to know all the details and then put the search for microchips into a critical risk category. The result was almost no disruption of deliveries to customers.

Ericsson was a different story. Lower-level employees did not tell the head of production about the delay for several weeks. When Ericsson finally requested help from Phillips and other suppliers, it learned that Nokia had locked up all spare capacity.

Yossi Sheffi, The Resilient Enterprise (MIT Press, 2005).


Question

What was the outcome of the small fire?

Answer

It varied:

Phillips. Losses were in the range of $1–3 million after $40 million in lost sales were offset by business interruption insurance.

Nokia. Some additional costs were offset by a rise in market share because it replaced Ericsson in some markets.

Ericsson. It was the big loser, suffering a $2.3-billion loss in its mobile phone division in 2000, accompanied by a withdrawal from the market in April 2001.

Lesson Learned: No loss is small when an organization does not understand the relationships among risks and how an incident can rise to the level of a disaster.

Risk Management Areas

Many organizations use a three-part structure to ERM:

1. Operational Risk Management. Covers the activities of current operations.
2. Strategic Risk Management. Deals with the strategies that are in place or that are being developed to prepare for a changing future.
3. Financial Risk Management. Covers the tools we use to explain the economic impact of operational and strategic risks and provides tools to manage them.

OPERATIONAL RISK MANAGEMENT

Four distinct functions can be identified:

1. Hazard Risk Management. Risk managers follow a five-step process to assess hazard risks. They identify exposures, assess frequency and severity, examine alternative courses of action, choose an option, and implement it. Afterward, they monitor the implementation and make adjustments as needed.
2. Internal Control. These processes seek to improve effectiveness and efficiency, increase the reliability of financial reporting, and ensure conformity with laws and regulations. Elaborate systems of internal control are common in organizations, particularly in industries that are highly regulated by government agencies.
3. Internal Audit. Internal auditors pursue assurance that internal controls are working. The activity focuses on the cost, efficiency, and effectiveness of processes, including risk management. The internal audit team examines operating activities, the consistency of procedures, and compliance with directives. The internal auditor prepares a report for management that identifies weaknesses and failures to follow policies.
4. Regulatory Compliance. These efforts seek to ensure conformity with requirements imposed by statutes, public agencies, or the courts. Examples are rules governing plant safety, the environment, reliable financial reporting, and compliance with social and economic mandates.

STRATEGIC RISK MANAGEMENT

This encompasses all activities to identify risks, solve problems, and execute plans, for example:

Risk Identification. The upside is opportunity. The downside is loss.
Problem Solving. Defining a problem correctly allows the pursuit of an effective strategy. Failing to recognize the real problem can do significant damage.
Execution. The achievement of a goal helps an organization. The failure to perform hurts it.

Strategic risk management includes:

Goals and Strategies. Does the entity have realistic goals and suitable strategies to achieve them?
Resources. Are we identifying and allocating adequate assets, people, and other resources to achieve the goals?
Organizational Structure. Do we have the right staff and units for the tasks at hand?
Capabilities of People. Do we understand the abilities of our personnel and employ them effectively to succeed?
Systems. Are our communication channels, operating systems, and delivery networks designed to support efficient operations?
Risk Identification. Do we have effective means for scanning for the impacts from economic, competitive, technological, legal, regulatory, and other changing circumstances?

FINANCIAL RISK MANAGEMENT

This covers the financial components of hazard, operational, and strategic risk plus risks that are unique to the financing of the assets of an organization. It is a rather sizable task to achieve these goals when we consider all the risks that organizations face. The topic is covered separately and extensively in the author’s companion AMA Handbook of Financial Risk Management. Here is a partial and unstructured list:

Investment Risk. The firm makes an investment. The investment has risks associated with it. We may fail to earn a return or lose the invested capital.
Currency Risk. The investment was made in a different country from the home country and involves a different currency. We have an exchange rate exposure.
Liquidity Risk. We own securities or other assets that have value. Unfortunately, no one wants to buy them when we are ready to sell.
Cash Flow Risk. Our activity did not create a sufficient cash flow to pay our obligations, and now we have to abandon it.
Debt Risk. We borrowed money, and now we cannot pay interest and repay the loan balance.
Mortgage Risk. We put up an asset as collateral for a loan, and now we might lose it.
Credit Risk. We lent someone money who cannot repay it.
More Credit Risk. We sold goods to another party and have not yet received any cash payment for it.
Insurable Risk. We took out insurance, but the insurance company became insolvent before it paid for the loss of our assets.
Interest Rate Risk. We gambled that interest rates were going to rise, but they dropped.
Valuation Risk. We bought a piece of property at the top of the market, and now it is worth much less.
Information Technology Risk. We failed to keep up with new developments in computers and telecommunications, and now competitors are taking over our markets.
Hedging Risk. We thought the price we paid for raw materials was going to drop, but it skyrocketed.

Strategies and Situations in Risk Management

We need to distinguish how risk management allows flexibility in implementing various strategies. The two considerations are:

1. Strategic Decisions. Risk managers display strategic skills when they identify risk or opportunity and make correct decisions to respond.
2. Situational Adjustments. Behaviors need to change when conditions demand changes to the risk strategy. As new realities occur, the risk management process must respond. This is often essential so that emergencies do not rise to higher levels of exposure.


Expanding the Scope of ERM

The COSO ERM structure encourages us to understand and manage risk and make it a fundamental characteristic of organizational management. We conclude the discussion with two points that expand its scope.

1. Framework. The COSO formulation was significantly expanded in 2009 by the issuance of ISO 31000. This is explained in detail in Appendix 6.
2. Weakness. COSO and ISO 31000 discuss opportunity but do not vigorously encourage innovation. They reward risk management as risk control. Organizations are encouraged to comply with regulations, accept risks that are not too risky, and follow standard procedures. They need to be augmented by a new scope of ERM.

Benefits of ERM

These consist of the following behaviors:

Concentration on the Big Picture. Some risks are critical, and some are relatively unimportant. ERM encourages us to take the big view.
Pursuit of the Upside of Risk. Many possible losses are accompanied by possible gains. ERM reminds us of both possibilities.
Recognition of the Interaction Among Risks. One risk affects others. Do not ignore risk relationships.
Collaboration for Better Risk Decisions. A variety of individuals can make contributions to risk identification and assessment. Include them in the discussions.
Employment of Nonlegacy Technology. New and powerful systems can facilitate an understanding of our exposures. ERM builds modern structures for identifying and sharing information.

Making ERM More Effective

Organizations have to assess their position, including products, markets, and factors that influence their success, and pursue behaviors in a comprehensive framework of risk and opportunity. Some considerations are to:

Recognize the Existence of Excess Confidence. Sometimes our beliefs betray us. Be careful to focus on evidence that supports conclusions and decisions.
Differentiate Between Wartime and Peacetime Environments. What works in one culture may fail in another. If the environment is fast moving, respond quickly to it. If time is available for reflection, take it.
Watch for Subtle Signs. Pay attention to the context of risk, weak signals, and irrational behavior. Many times, useful information is not readily apparent.
Prepare for Business Disruption and Black Swans. Forewarned is forearmed.

Leadership Risk

These behaviors are:

Managing Performance and Leadership Risk. People are a large part of the key to enterprise risk management. Take time to be sure the right people are doing the right jobs.
Recognizing the Organizational Life Cycle. What goes up must come down, sometimes. Do not assume the current trend is the likely long-term direction for the enterprise.
Determine When We Have Sufficient Risk Information. A good decision today may be better than a perfect decision tomorrow. A precipitous decision when more information is easily obtained is also dangerous.

ERM Premises

When implementing ERM, we often encounter a Catch-22. Organizations must implement ERM to prove its value, but management often expects the value to be proven prior to implementation. This is a generic problem with any effort to prepare for the future or to prevent a loss before it happens. Organizations are often reactive. They see more value in prevention after a loss has occurred. If a program is implemented, particularly if it is costly or time-consuming and nothing happens, criticism will be immediate. Why did we waste that money? This cultural norm could be a major deterrent to ERM implementation.

How can we overcome skepticism and create incentives? One proposal is to recognize ERM premises, that is, assumptions or beliefs that shape people’s view of risk. Figure 6-1 contains a checklist of questions to see whether key players agree on ERM or have mixed views on key issues. Resolving conflicting viewpoints early in the process greatly increases the chance for a successful implementation.


FIGURE 6-1. CHECKLIST OF ERM PREMISES.

Premise 1. The chance for a successful enterprise risk management (ERM) implementation rises if we align our risk categories with our business model. If we disagree, how should we view risk categories?

Premise 2. Coordinating risk in an ERM framework means creating a central risk function that shares information across the entity. If we disagree, do we have a need to share? If we agree, what mechanisms do we currently use, or which ones should be used in the future?

Premise 3. An effective ERM program requires an HTEP. If we disagree, do we need to share the status of identified risks and risk mitigation? If we agree, how do we share our views today? How should it be done in the future?

Premise 4. Subcategories of risk should be created in a hierarchical structure and shared in the risk management system or through another mechanism. If we disagree, do we have other ideas for creating a structure of risk categories? Do we need such a structure?

Premise 5. A central risk committee should occasionally share its thoughts on risk. Do we need such a committee? If not, do we need any other sharing mechanism?

Premise 6. The central risk function should have a defined relationship with the board of directors. Do we need a central risk function? If not, what should the board know, how does it currently obtain that knowledge, and how should it do so in the future?

Premise 7. Different management levels play different roles in risk management. Do we have an accountability structure at present? If not, what structure would work? Is such a structure even needed?

Premise 8. All risk events should be evaluated using the same process. All risk managers should be trained in the process. If we disagree, are current processes adequate for addressing those disagreements? Do we need training on how to assess risk?

How Do We Start?

Once we have the scope of the implementation, we need a starting point. First, we assign an individual to head up the effort. The person acts as a central risk function to begin the ERM process. Then others are brought into the discussion to create risk categories and to discuss logical owners. The plan integrates hazard, compliance, internal controls, and other players into the effort. The organization decides how to set up scanning functions. Figure 6-2 shows one way to start the process.


FIGURE 6-2. BUILDING THE FOUNDATIONS FOR ERM.

High-Tech Electronic Platform (HTEP)

A second step, or perhaps one that occurs concurrently with building a foundation, is to build a structure manually that can be moved to the HTEP. Figure 6-3 shows the main elements of the process. Note that it overlaps the first step.

FIGURE 6-3. IMPLEMENTING ERM.

Conclusion

A clear need exists for ERM. Let’s not argue it any longer. We have reached a general consensus on the issues raised by many parties and formalized by the Committee of Sponsoring Organizations and ISO 31000. Now we need to go further. We can recognize a variety of failures to manage risk and seize opportunity. Many could have been avoided by a well-structured ERM program. We will move forward and examine benefits from the right program and the issues that can make it work. We will particularly focus on technology.


APPENDIX 6

ISO 31000 FRAMEWORK

The International Organization for Standardization published ISO 31000 in 2009 as a risk management standard. Soon thereafter, it replaced most other national and regional standards for enterprise risk management. ISO 31000 provides generic guidelines for the design and implementation of risk management practices throughout an organization. It brings together strategic and operational processes into a single framework aligned with the goals and objectives of the entity.

Process of Risk Acceptance

We have already distinguished the premise of ERM, where risk is something we attach to a probability and uncertainty occurs when we do not have a clear understanding of the consequences, likelihood, or cost or benefit of an occurrence. ISO 31000 shares this philosophy by spelling out an order of preference for how organizations should manage risk:

Avoid It. Why accept a risk if it is not necessary?
Accept It. To pursue an opportunity or avoid a worse exposure.
Eliminate the Source of It. Disconnect the organization from the danger it presents.
Reduce the Severity. Step one in risk mitigation.
Reduce the Frequency. Step two.
Share It. Step three.
Retain It. After making a full assessment of risk and return.

Eleven Principles

ISO 31000 postulates specific principles of risk management.

1. Risk management creates and protects value.
2. Risk management is an integral part of the organizational procedure.
3. Risk management is part of decision making.
4. Risk management explicitly addresses uncertainty.
5. Risk management is systematic, structured, and timely.
6. Risk management is based on the best available information.
7. Risk management is tailored.
8. Risk management takes human and cultural factors into account.
9. Risk management is transparent and inclusive.
10. Risk management is dynamic, iterative, and responsive to change.
11. Risk management facilitates the continual improvement and enhancement of the organization.

Seven Rs and Four Ts

ISO 31000 encourages a structure to implement the principles of risk management. It employs seven behaviors and four responses to risk.

1. Recognition of risks
2. Ranking of risks
3. Responding to risks
   Tolerate
   Treat
   Transfer
   Terminate
4. Resourcing controls
5. Reaction planning
6. Reporting on risk
7. Reviewing and monitoring

SignificanceofISO31000TheframeworkofISO31000promotestheformationofamodernprogramfororganizationalriskmanagement.Wenowseemtohaveagreementthatwecanidentifythefollowingfeaturesofenhancedriskmanagement.

Continual Improvement. We sometimes use the expression, “It ain’t over till it’s over.” For risk management, we are never finished.

Full Accountability. Risk management is not only everyone’s business. We must have specific designees who coordinate the efforts across the enterprise.

Risk Management in Decision Making. All key decisions should include a risk management component in addition to the discussion of upside opportunity.

Continual Communications. Collaboration and sharing are critical components of an effective risk management program.

Full Integration. Every area of an organization’s governance structure, from the board to first-level supervisor, has a role in risk management.

Cultural Consistency. ERM should be incorporated into the risk culture of the organization.

Early proponents argued that we should squeeze into their view of risk management. ISO 31000 recognizes that every organization has a unique risk profile, and we must be able to uniquely configure the tools to support that profile. The requirement even goes a bit further. It encourages designing a system to deal with the hassles common when upgrades occur.

PART TWO

RISK MANAGEMENT TECHNOLOGY

IN APRIL 2007, Bob Morrell of Riskonnect came up to the author at a reception during the annual conference of the Risk and Insurance Management Society (RIMS). Bob had been reading the “Emerging Risk Strategies” column in Business Insurance magazine and was interested in the paradigm for ERM that was unfolding. He wanted to collaborate in bringing the concept of HTEP to actuality.

For the next year, we worked together. Bob and his people had incredible computer and Internet skills, accompanied by a keen understanding of risk. My role was to represent the risk manager, that is, the user of the system who wants to understand risk and document mitigation strategies. Forming a company called Riskonnect, Bob brought the concept of an HTEP to life. For the first time, we could see and manipulate risk relationships. We could also see the backup information that showed previous and current risk mitigation attempts and plans for dealing with interrelated risks in the future. The tool was a significant advance on spreadsheets and on earlier approaches to understanding risk and risk relationships.

In Part Two, we present the Riskonnect High-Tech Electronic Platform, a comprehensive approach to modern risk management. We start with the concept of risk clusters, which is a tool to organize risk. Then, using Riskonnect with permission, we structure a variety of risk categories, showing risk owners, risk relationships, and how an HTEP helps us understand complex exposures. Chapter 7 shows the value of risk clusters, using an energy company as an example. Chapter 8 explains the original model, and Chapter 9 presents the updated version, Riskonnect 2014. Chapter 10 broadens the use of technology, using applications with new technologies. Chapter 11 completes the technology illustrations, switching the focus to the launch of a new product. The HTEP and risk cluster technology are cutting-edge and innovative technologies. This part should present an interesting journey for the reader.

CHAPTER 7

RISK CLUSTERS

RISK QUOTE: The most incomprehensible thing about the world is that it is comprehensible.

—ALBERT EINSTEIN, PHYSICIST

RISK QUOTE: My one regret in life is that I am not someone else.

—WOODY ALLEN, MOVIE PRODUCER

A cluster is a number of similar things that occur together. An integral part of our approach to ERM is to encourage risk clustering. We align risks with the business model, bring them together into clusters at each level of a hierarchy, assign risk owners, and limit the number of categories assigned to each owner. We support the effort with technology, which we describe starting in Chapter 8.

Cluster Risk Structure

A number of benefits accrue from a carefully designed risk cluster structure. For one thing, we sharpen the risk vision at each level.

Clarity. An owner can focus on critical risks and break them up into subrisks for lower-level owners.

Accountability. Because the structure is linked to risk owners, the organization knows who is responsible for managing each risk.

Documentation. Risk owners can monitor the status of risk mitigation because risks are backed up by detailed strategies, assessments, activities, and risk history.

Sophisticated Risk Mapping

A sophisticated risk-mapping program can now be a component of ERM. It can have the following features:

Top-Level Goals. What is the organization seeking to achieve in terms of pursuing opportunity and managing accompanying risks? This can be the starting point for the risk management structure.

Top-Level Risk Categories. We cannot manage unstructured risks, such as simply by listing them in an electronic spreadsheet. We need categories that match the levels in the organization. The CEO needs to watch risks and opportunities that have the most effect on goals and strategies. Executives work within these categories. As an example, the chief financial officer is responsible for financial risks, even as he or she may participate in helping others manage marketing risks.

Intermediate Risk Categories. These fall below the top level but are structured according to the identified categories.

All the Way Down. The process can continue down to first-line managers, single projects, and key initiatives.

The technology allows clustered relationships to be supported by quantitative and qualitative documentation.

Supporting Data. Including mathematical data, narrative descriptions, qualitative assessments, likely impact, and alternative strategies.

History. Prior risk mitigation, information on similar risks, and comments by risk owners and others.

Visual Indicators. Dashboards with colors, charts, or other displays of the mitigation status showing significant or minor improvement, risks that are fully under control, and risks that are under review and that have not yet been evaluated.

We can start risk clustering at any level in an organization. One starting point is the highest level of exposure. After identifying a limited number of risks, we align them with the business model and assign risk owners. Risks and risk relationships can be visualized at different levels. Figure 7-1 shows the generic format for a risk cluster. Each risk is color coded. Red, for example, can equal an exposure that needs attention. Green can be a mitigated risk.

Clusters Versus Spreadsheets

ERM programs were originally built in an electronic spreadsheet format. The weaknesses of a listing of risks are immediately recognizable:

Impact. What risks are important?

Relationships. How do risks interact?

Accountability. Who is responsible for mitigation and documentation?

Shared Value. Where are the details, so that managers at different levels and with varying responsibilities can contribute to risk strategies?

FIGURE 7.1. CLUSTER TOOL.

To overcome the weakness of a list of isolated risks, we build risk clusters. As an example, suppose senior executives are interested in critical risks in Asian and European operations, production, marketing, finance, and key initiatives. Figure 7-2 shows a risk cluster for this category.

Hierarchy of Subrisks

The CFO, the risk owner for the financial cluster, has identified subcategories:

Financial Cluster. Figure 7-3 shows risk categories assigned to the CFO.

Revenue Target. Figure 7-4 shows missed revenue, a failure to achieve budgeted goals. The corporate controller is the risk owner for the revenue target. The actual model would add color to identify the impact of each risk.

Supply Chain Disruption. Figure 7-5 identifies the various areas where raw materials could not be available, causing a disruption in production schedules.

Supply Chain Concentration. Figure 7-6 shows that a limited number of suppliers provide a large percentage of a key component. The purchasing manager learns that many components are produced in China. Even though no single component is critical, a shutdown of supplies from China would be a serious business disruption.

Controller Boards. Figure 7-7 focuses on a single component. Investigating the situation with controller boards, the purchasing manager discovers that Samsung, Lenovo, and Cisco are the main suppliers. Is this an excessive concentration?

The purchasing manager keeps digging and learns that 40 percent of the controller boards are provided by Cisco. This raises a red flag that will carry all the way up to supply chain disruption. As the risk owner, the purchasing manager alerts the organization of the exposure and works with others to develop and implement a mitigation strategy.

FIGURE 7.2. LEVEL-1 RISK CATEGORIES.

FIGURE 7.3. FINANCIAL RISK CLUSTER.

FIGURE 7.4. MISSED REVENUE RISK CLUSTER.

FIGURE 7.5. SUPPLY CHAIN DISRUPTION RISK CLUSTER.

FIGURE 7.6. SUPPLIER CONCENTRATION RISK CLUSTER.

FIGURE 7.7. CONTROLLER BOARD DISRUPTION RISK CLUSTER.
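The controller board escalation described above can be sketched in code. This is an added example, not taken from the book and not Riskonnect's software: a risk cluster tree in which a supplier-concentration check turns the leaf red and the worst status rolls up through every cluster above it. The 40 percent limit, the unit counts, the yellow level, the "Enterprise"/CEO root, rolling the flag all the way to the top, and all function names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Severity order for roll-up. The chapter names red (needs attention) and
# green (mitigated); the yellow middle level is an assumption.
SEVERITY = {"green": 0, "yellow": 1, "red": 2}

# Assumed policy limit: one supplier at or above this share of a component
# counts as an excessive concentration.
CONCENTRATION_LIMIT = 0.40


@dataclass
class RiskNode:
    name: str
    owner: str
    status: str = "green"          # this node's own assessment
    note: str = ""                 # backup detail shown behind the color
    children: List["RiskNode"] = field(default_factory=list)

    def add(self, child: "RiskNode") -> "RiskNode":
        self.children.append(child)
        return child

    def rolled_up_status(self) -> str:
        """Worst status found in this node or anywhere below it."""
        statuses = [self.status] + [c.rolled_up_status() for c in self.children]
        return max(statuses, key=SEVERITY.__getitem__)


def supplier_shares(units: Dict[str, int]) -> Dict[str, float]:
    """Convert per-supplier unit counts into shares of total supply."""
    total = sum(units.values())
    if total <= 0:
        raise ValueError("no supply volume recorded")
    return {name: qty / total for name, qty in units.items()}


def assess_concentration(node: RiskNode, units: Dict[str, int],
                         limit: float = CONCENTRATION_LIMIT) -> Dict[str, float]:
    """Set the node red when any supplier meets the limit; return offenders."""
    over = {s: share for s, share in supplier_shares(units).items() if share >= limit}
    node.status = "red" if over else "green"
    node.note = "; ".join(f"{s} supplies {share:.0%}" for s, share in sorted(over.items()))
    return over


def escalation_path(root: RiskNode, target: str) -> Optional[List[RiskNode]]:
    """Chain of nodes (and therefore owners) from the top down to `target`."""
    if root.name == target:
        return [root]
    for child in root.children:
        tail = escalation_path(child, target)
        if tail:
            return [root] + tail
    return None


def build_chapter_cluster() -> RiskNode:
    """Hierarchy named in the chapter; the root and unnamed owners are assumed."""
    root = RiskNode("Enterprise", "CEO")
    root.add(RiskNode("Marketing", "(owner not stated)"))
    finance = root.add(RiskNode("Financial cluster", "CFO"))
    revenue = finance.add(RiskNode("Revenue target", "corporate controller"))
    disruption = revenue.add(RiskNode("Supply chain disruption", "(owner not stated)"))
    concentration = disruption.add(RiskNode("Supplier concentration", "(owner not stated)"))
    concentration.add(RiskNode("Controller boards", "purchasing manager"))
    return root


def render(node: RiskNode, depth: int = 0) -> List[str]:
    """Text stand-in for the color-coded cluster view."""
    line = f"{'  ' * depth}[{node.rolled_up_status():<6}] {node.name} ({node.owner})"
    if node.note:
        line += f" <- {node.note}"
    lines = [line]
    for child in node.children:
        lines.extend(render(child, depth + 1))
    return lines


if __name__ == "__main__":
    cluster = build_chapter_cluster()
    boards = escalation_path(cluster, "Controller boards")[-1]
    # Constructed unit counts chosen so that Cisco supplies 40 percent.
    assess_concentration(boards, {"Cisco": 400, "Samsung": 350, "Lenovo": 250})
    print("\n".join(render(cluster)))
    print("Escalate via:", " -> ".join(
        n.owner for n in reversed(escalation_path(cluster, "Controller boards"))))
```

Unlike a flat spreadsheet row, the leaf's red status is visible at every level above it while the sibling marketing cluster stays green, and the path gives the chain of owners to alert.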

Interactions

After arranging the hierarchy, we can develop composite views that show other linkages or reveal multiple impacts on a single exposure and use other risk-mapping techniques to understand exposures. Figure 7-8 shows a tagging of risks that enables an analyst to see details of supply chain disruption. It also reveals how that exposure affects other risks of failing to achieve a revenue target. Figure 7-9 shows a second example of tagging, focusing on the concentration of suppliers and, more specifically, on the controller board concentration.

Conclusion

Comparing the list of exposures at the start of this discussion with the risk cluster tool, we recognize that a graphic presentation of risk in a hierarchical structure significantly enhances our understanding of enterprise risks and their relationships.

FIGURE 7.8. TAGGING MISSED REVENUE RISKS.

FIGURE 7.9. SUPPLIER CONCENTRATION AND CONTROLLER BOARD RISK CLUSTERS.

CHAPTER 8

RISK TECHNOLOGY IN 2008

RISK QUOTE: A life spent making mistakes is not only more honorable but more useful than a life spent in doing nothing.

—GEORGE BERNARD SHAW, IRISH PLAYWRIGHT

RISK QUOTE: In the end, you’re measured not by how much you undertake but by what you finally accomplish.

—DONALD TRUMP, BUSINESSMAN

It is one thing to recognize risk clusters. It is another thing to build a system that uses them appropriately. This was the challenge facing Riskonnect in 2008. Let’s look at what was done.

Rejection of Spreadsheets

A first step in modern risk management was to examine existing approaches. It was quite apparent that organizations had problems when they used electronic spreadsheets to manage risk.

Information Deficiency. In spite of the excellent capabilities of spreadsheets to perform calculations, they are deficient in showing risk information. When words must accompany numbers, the technology lacks value and clarity.

Flexibility. The user cannot manipulate data quickly and easily in a pursuit of new ways to understand risk.

Visual Acuity. The creation of graphics is tedious at best and marginal in terms of timeliness and impact.

Accountability. The data is not linked in a structure of risk ownership, so we can assess responsible parties for achieving goals.

Auditability. A spreadsheet can be cumbersome when an entity seeks to know whether policies are being followed.

Security. The spreadsheet can be compromised more easily than a cloud-based system on a platform with substantial security protection.

Version Control. When spreadsheets are used by multiple people and then modified and stored, we can lose track of the current status of risk mitigation. Updated spreadsheets may not be inserted into a central depository. Are we using data that has been superseded or that is not found in other spreadsheets?

Consistency and Accuracy. Spreadsheets are highly susceptible to modifications, including links to additional documents and changes in formulas, that insert errors and destroy the integrity of the tool.

EFFICIENCY OF USAGE

A second problem occurred because spreadsheets are inefficient compared to a dedicated tool.

Allocation of Time. An HTEP eliminates the expenditures of energy to build models and reduces time to enter data. When the system provides the capability to quickly format and link data, any analysis can be quickly customized as opposed to creating a new model. Excessive time is not spent entering information and developing formats to understand it.

Training. Spreadsheets contain a help button, but the basic navigation and functionality are often assumed. Dedicated tools are much more intuitive and user friendly, can be immediately updated, and require little, if any, training.

Convertibility. Risk management has become much more global. This applies to languages and currencies. An HTEP can open automatically in the language and currency of the user, enabling its quicker adoption and use.

Alerts. The system can be built with triggers for certain actions. Reminders can automatically be disseminated for target dates and deadlines. This reduces time to set up such advance notices as well as avoids errors of forgetting to perform tasks.

Documentation of Business Processes. Considerable efficiency results when the alerts are built around the tasks required to do a job. Everybody knows what has to be done and can concentrate on meeting expectations.

Focus. An HTEP enables different users to have limited or expanded access to the data. Users can open a report or view data consistent with their needs. They do not have to sort through information that is the responsibility of others.

High-Tech Electronic Platform (HTEP)

The solution to these problems was the development of an HTEP to help organizations understand hazard risk. Riskonnect knew about an early effort to improve risk management, namely the risk management information system (RMIS). Its capabilities:

Assets. Assists in consolidating property and equipment values, insurance policies and claims, and exposure information in forms that allow the purchase of insurance.

Liability. Tracks lawsuits and potential claims from third parties.

Reporting. Allows analysts to prepare reports on retention, transfer, loss control, and the overall cost of risk.

After the year 2001, we realized that RMIS systems were inadequate if they did not cover all enterprise risks. Insurance brokers and software companies knew this was the case but could not quite figure out what to do. By 2005, more than 60 stand-alone companies had been formed to tackle ERM support. Very few were successful. One problem was that the technology needed to support a better structure did not yet exist.

Riskonnect HTEP

The company was formed in 2007 with a goal to build the replacement system for an RMIS, something I call a High-Tech Electronic Platform. It shows how to implement ERM as well as how to build a business. Let’s tell that story.

RISK IDENTIFICATION

The new company had only a few people and limited capital, so focus was important. The founders knew that many other companies claimed to be developing ERM software, but successes were few and far between. The risks were:

Communications. What did ERM mean? What could it do? How could it do it?

Technology. What was available? What was affordable? Where was technology going?

Tools. What do organizations need? What tools would meet those needs?

PRELIMINARY DECISIONS

The company made several key decisions.

Simplicity. The HTEP would be quick to learn and easy to use. Clients would not have to hire highly skilled information technology support teams or engage in extensive training.

Visual Value. Users would be able to see risk graphically. This was the component of risk clusters, dashboards, and other graphic tools.

Backup Data. The supporting data, including documents, events, calendars, and timetables, would link to the visual presentation. A single click on a risk factor would produce the backup data, interactions, and interpretation of the exposure or opportunity.

Quantitative Models. The company knew users wanted models for determining risk levels. They could be incorporated into the system by the user but would not be provided by the HTEP itself. This was a recognition that everyone perceives risk differently and that ERM could not be enforced in a single model.

The result of these decisions was an easy-to-use platform where users could identify risks, link them, see relationships using bubble technology, and click on bubbles to examine backup data. The HTEP allows us to see that enterprise risk is an integrated and comprehensive area of management. It covers accounting, customer relationship management, management information systems, strategic planning, and human resource management. These are not isolated areas. When they share information on a single platform, we make better decisions. We are also more efficient. Our efforts are timely, and we reduce cost.

PLATFORM DECISION

To achieve these benefits, the company needed to create a single software platform that could be provided and maintained by Riskonnect and be available to many clients. The strategy:

System Software. The HTEP would be built on a foundation where a specialty company manages and integrates computer capabilities but does not directly perform tasks that benefit the user.

Cloud Based. Servers and storage would be on the cloud, where thousands of computers were connected through a real-time communication network, most commonly the Internet. The cloud allows users to run a program or application on many connected computers at the same time. It also allows centralized storage of data to be accessed by all authorized users. The storage can be expanded or contracted as needed with no additional programming or user interaction.

Software as a Service (SaaS). Salesforce.com was chosen as a partner for this component of the system. The Riskonnect software would be built on an underlying foundation of processing software that was being updated and secured by a company whose only business is providing the foundation software to users.

Security Against Unauthorized Access. Any system that processes or stores data must be secured from collapse or intrusion by unauthorized persons, a serious problem with the development of the Internet. An organization that provides SaaS must be fully committed to maintaining the security and stability of the system. Salesforce and Riskonnect jointly undertook this responsibility.

Communication Links. Computers and users need to talk to each other. No problem here. The Internet was developing rapidly, and capabilities would soon be accessible by fixed computers and mobile devices.

Internal Data. Companies could enter their own backup documentation.

External Data. Links would be built to weather forecasters, disaster response operations, economic databases, and others.

Security of Data. This would be the responsibility of Salesforce and Riskonnect jointly, as well as of the many organizations that work full time to protect the Internet.

User Features

The goal was to allow users to do their own risk management. The HTEP was only a tool. It would not tell people how to implement ERM. Its features:

Expandability. It could be expanded without limitation quickly and easily. This would allow an organization to start with a small program, perhaps in a single division, and grow to meet future needs. The system and cloud offered unlimited capacity.

Transparency. Risk clusters, dashboards, maps, and other visual tools would be incorporated as quickly as they could be conceived and developed.

Links. The system would be designed to link the world, not just to the various departments in an organization.

Timeliness. Everything would be in real time. When an event occurred, the HTEP would have the capability to electronically post and share it instantaneously. All information would be as up-to-date as possible by providers or users of information.

Customization. It was not long ago that managers had to ask the information systems department to modify computer information systems. Technical skills in writing codes and knowing specific programming techniques were required to adjust formats for information or structures of reports. The HTEP ends all that. Reports can be easily modified by the user with virtually no knowledge of how the software processes data.

Design Features

Integrated with the platform decision were capabilities that could constantly be upgraded as new technology was created. Some early features.

Risk Data, Internal. Some data and information on risk and opportunity is contained with the files and minds of the organization itself. An HTEP needs to contain business plans, events, strategies, and data from entity files as well as from the thoughts and actions of executives and managers.

Risk Data, External. Other data and information are found on the Web, in government and private organizations, and from media and third-party sources. These, too, must be part of the system linked by the Internet.

Risk Changes, Real-Time. The platform must be accessible to the providers and users of information on a real-time basis. Outdated data or events can get everyone in trouble.

Visual Risk Technology. The HTEP is aided by visual presentation of information. In a world of excessive data, tools to help create useful information and knowledge are critical to understanding risk and opportunity.

Risk Dashboards. This provides at-a-glance views of exposures or opportunities that are being monitored.

Relationships

A key advantage to an HTEP, compared to other risk management approaches, is the ability to incorporate relationships. In the detail section of a risk event, a user can click on buttons that display whatever links they need to see. Examples include:

Governance. What are the oversight bodies? Is the risk governed by Sarbanes–Oxley, the Environmental Protection Agency, or the Federal Reserve System?

Committees. What departments have committees set up to monitor or influence the risk?

Controls. What efforts have been made or are needed to mitigate the exposure?

Incidents. What problems arose in the past that can help us understand the risk?

Physical Locations. Where can an incident occur within the organization or with other parties?

Projects. What efforts are underway to improve the situation? What is their progress?

Stakeholders. Who is affected by the exposure? What are we doing to manage their interest in its management?

Correlations. How does the exposure link to other risks? Are we managing risks that can occur together or the secondary effects of an exposure?

Risk Dashboards

A business dashboard provides at-a-glance views of key performance indicators relevant to a business process, such as marketing, production, finance, or human resources. It is a critical component of a modern HTEP. Key elements:

Simplicity. A lack of complexity so that it easily communicates its message.

Focus. Directs the user to the specific information needed with a minimum of distractions or possible confusion.

Utility. Supports business goals and strategies with useful data and information to understand what is happening.

Visual Clarity. Takes advantage of the strengths of human visual perception to understand situations and point to the need for decision making.

TOP RISKS BY RISK SCORE

A useful dashboard displays listings of risks in an entity or department to focus on areas needing the most attention. A Riskonnect dashboard displays how risk is ranked downward in order from highest impact.

Inherent Risk. How serious is an exposure if it is ignored?

Current Status. Where are we in the process of managing the risk today?

Target Score. What is our goal after we take all desired mitigation steps?

In a separate view, it also displays the current and target risk picture.

OBJECTIVES DASHBOARD

Another dashboard connects objectives with the risks that affect them. It shows how an organizational goal might be impacted by various exposures and the status of efforts to ensure that those exposures do not materialize.

Open the dashboard to see the exposures that affect an objective.
Click on an exposure to see the status of mitigation.
Click on the status to see the efforts being made to mitigate risk.
Click on an effort to see the backup detail.

RISK OWNER DASHBOARD

This dashboard starts with a visual representation of all the risk owners and the risk structure of the entire entity.

Open the dashboard to see the proportion of risks managed by each owner.
Click on one owner to see the risks managed by the person.
Click on one of the risks to see the mitigation status.
Click on the detail of the status to see the backup data.

Heat Map

This is another visual tool of the HTEP. A heat map is a two-dimensional representation of data whose values are represented by colors. It provides an immediate visual summary of information. For risk management, it can be built with impact on one scale and likelihood on the other. Green represents lower levels of severity and frequency. Yellow and red reflect higher levels.

An HTEP can be built with a combination of visual risk and supporting detail. Figure 8-1 shows a heat map in the Riskonnect formulation. A user can click on it to find backup data that explains how a risk has been evaluated and why it has a certain color.

FIGURE 8.1. HEAT MAP WITH THREE LEVELS OF IMPACT AND LIKELIHOOD.

CP&L ERM Implementation

An early application of the Riskonnect HTEP was to an unregulated independent electricity producer. The system was tested and developed with a company we will call Central Power and Light (CP&L), an energy company that had an extensive ERM program. CP&L wanted to be sure it scanned externally for changing conditions and risk factors that might affect future production, sales, and technology. It wanted to examine internal cultural and life cycle risks and structural weaknesses. It decided to implement an ERM program to identify risks that impede sustainable competitive advantage.

CP&L provided certain directives for the initial ERM implementation. The program should have a focus far broader than internal controls and compliance, and it should not involve elaborate quantitative models or require the interviewing of a large number of employees, customers, or suppliers. It should identify broad risk categories, align them with the existing business model, assign risk owners, create subrisks, and bring the picture together visually, using the Riskonnect risk cluster and other tools.

CP&L BUSINESS MODEL

CP&L had three main subsidiaries:

1. Central Fossil provided fuel-generated electricity for a wide range of commercial and residential customers, operating natural gas, coal, and oil-fired electricity-generating units.

2. Central Nuclear also created electricity, but the source of power is two nuclear generating stations.

3. Central Energy Trading was a fast-moving and fast-response unit that bought and sold oil, coal, gas, and other commodities and traded in environmental credits. The unit connected electronically to the world, traded 24 hours a day, and sought a reliable supply of oil, gas, and other commodities at market prices and in compliance with environmental regulations.

Although the structure had three operating units, CP&L did not see the organizational hierarchy as its business model. Essentially, the company conducted business by focusing on reliable, affordable, and uninterruptible electricity generation. These goals were affected by broad risks that made up the company’s level 2 risk categories. These risks were concentrated in these areas:

Electricity Generation. Risks from a mixture of oil, gas, coal, and nuclear capabilities. Prices and availability of commodities and fluctuating levels of production and consumption must be carefully managed.

Nuclear Future. The company believed the United States would need greater nuclear capability in the future. CP&L wanted close scrutiny of risks that would block it from adding new nuclear generating facilities or extending the life of current nuclear power plants.

Regulatory. Public utilities were regulated, and the level of regulation was increasing. An apparently minor piece of legislation or a directive from a government agency could cause serious problems for the conduct of business.

Financial. The company was capital intensive. It had to concern itself with the long-term adequacy of capitalization of facilities and operations. It needed to monitor cash flow, both from the viewpoint of its obligations to its suppliers and with respect to collections from its customers.

Technology. The rapid march of technology was changing everything from electricity generation and alternative energy sources to modifications in telecommunications, data mining, analytical tools, and the Internet. Technology was a standalone category that presented exposures and opportunities in electricity generation, marketing, and commodity trading.

Business Disruption. Many things could disrupt the supply of electricity, including local storms that affect facilities, distant events that disrupt suppliers or partners, and unexpected developments in various areas of the world. The company wanted to pay full attention to the adequacy of backup systems, desired redundancy, and contingency planning.

ERM PROJECT

CP&L brought in a consulting firm to undertake a pilot ERM project.

The firm interviewed the C-suite officers and made a list of their concerns (30 days).
It scanned for external risk factors that might affect production, marketing, finance, and technology (60 days).
It identified cultural, product life cycle, structural, and other internal concerns (60 days).

Working with the consulting firm, management identified the critical risks shown in Figure 8-2. CP&L corporate is level 1, and level 2 has the risks aligned with the business model. The risk categories are color coded from red (most in need of mitigation) to green (relatively under control).

CP&L then took the next step to identify subrisks at level 3. Figure 8-3 shows business disruption, technology, financial, regulatory, electricity generation, and the future of nuclear power.

FIGURE 8.2. CP&L LEVELS 1 AND 2 RISK CATEGORIES.

BROADENING THE RISK PICTURE

The HTEP allowed restrictive views or expansive views of risk relationships. Figure 8-4 shows levels 1, 2, and 3 risks in a single view.

BACKUP INFORMATION

The HTEP recognizes the importance of backing up visual risks with details, mitigation strategies, and expected outcomes. The backup support can be manual, real-time, or any combination of information that shows details about a risk. The Riskonnect tool is automated and integrated so that risks are linked to the documentation of their status and are supported by notes, attachments, open activities, and history.

Next Steps

After an ERM system is installed and supported by a high-tech platform, an organization can spread the program across the entity. Features that can be incorporated into a growing and maturing system include:

Expansion. This is the migration of risk categories to units and initiatives not included in the original implementation. The organization adds subrisks of sister entities or lower units.

Filtering and Tagging. The system can add the capability to restrict visual representations of related risks and the number of risk linkages on the screen in a single view.

Supporting Documentation. The organization can attach documents, integrated systems, and other data to provide details and clarity of risk mitigation activities.

Report Writers. The central risk function can work with units to create standard and customized risk management reports.

Collaboration. The system can create periodic communications that share risk strategies and the status of mitigation efforts.

Presentations. The central risk function can create PowerPoint and other visual graphics for risk management presentations to senior management, the board of directors, rating agencies, investors, and others.

FIGURE 8.3. LEVELS 2 AND 3 SUBRISK CATEGORIES.

FIGURE 8.4. LEVELS 1, 2, AND 3 RISK CATEGORIES.

Conclusion

As the organization grows in maturity with its ERM program and the technology to support it, it can provide information not previously available to key managers. This is the essence of successful ERM because it provides both consistency and flexibility in the acceptance of enterprise risk and the pursuit of opportunity.

CHAPTER 9

NEW TECHNOLOGY IN 2014

RISK QUOTE: The kinds of errors that cause plane crashes are invariably errors of teamwork and communication.

—MALCOLM GLADWELL, JOURNALIST AND AUTHOR

RISK QUOTE: If Berkshire ever gets into trouble, it will be my fault. It will not be because of misjudgments made by a risk committee or chief risk officer.

—WARREN BUFFETT, AMERICAN BUSINESSMAN

New York University HTEP

NYU has more than 50,000 students in North America, Africa, Asia, the Middle East, Australia, Europe, and South America. Michael Liebowitz was its Director of Risk Management and Insurance in 2014. He reported how NYU used the Riskonnect HTEP in a comprehensive program of risk management.

Break Down Organizational Silos. Risk management previously had been conducted without coordination. The central risk function developed educational tools to explain modern risk management and show the benefits of cooperation when identifying risk and opportunity and sharing knowledge and tools.

Avoid Technical Details When Seeking Support. The team knew that excessive details turned off risk owners. They clearly lose interest when outside parties are advising them on risk specifics. The buy-in had to occur on a conceptual level for the good of the entire university, as well as to help departments with their own risk management needs.

ERM as a Business Process. The key educational element was to discuss risk management as a business process. Its key promise to managers was that the university would keep its risk management process “as simple as possible.” This was big.

ERM as Decision-Making Support. As a simple business process, ERM was aimed to help make timely and accurate decisions that avoid escalating problems or missing opportunities. This meant a minimal use of spreadsheets and excessive detail and a maximum use of visual and graphical presentations of information. In the words of Mr. Leibowitz, “a picture is worth a thousand words.”

Executive Risk Owners. A key factor was clear and persistent support from the senior leaders of the university. They distributed separate and reinforcing messages that ERM was a priority.

Risk Owners. The structure would be built with a hierarchy so that ownership of risk started at the top and worked down to the levels that most effectively could manage risk.

Promotion of Risk Management as Management. The effort was deemed to be “risk management,” not ERM. The philosophy was, “All management is risk management.”

According to Mr. Liebowitz, the biggest challenge was “getting time in front of the rightpeople.” A related difficulty was encouraging them to share the information we needed toimplementaprocessofsharingandcollaboration.Theproblemwasthatdifferentlevelsoftheuniversitywantedtoexamineinformationfromavarietyofperspectives.Theboardoftrusteesonlywanted to see“high-level risks.”Thedeansanddirectorsofdepartmentswantedmorerestrictiveviewsdealingonlywith theirownareas.Belowthem,managerswantedspecific,detailed information.Thekeywas to use anHTEP that built downward from the universitygoalsatthetoplevelandbuiltupwardwithdetailtoshowsuccessorfailureatdifferentlevelsinachievingthosegoals.

During implementation, Mr. Leibowitz found that heat maps were highly successful inwinningoverconverts tousing theHTEPfor riskmanagementactivities.Riskownerscouldvisualize the effect of risk across their spans of influence. More importantly, a heat mapfocuseseverybodyonthemostseriousrisks.Nobodywants toallow“red”risks tocontinuewithout attention. Additionally, the heat map brings together the technical risk managementpeoplewithseniormanagerswhowantahigher-levelview.Everybodyisonthesamepage,whethervisuallyorworkinginthebackupdetail.

Mr.Leibowitzconcludes,“Itisaslowevolutionaryprocess.”Afterfiveyearsofeffort,hefelt strongly that people were understanding risk management and using it to bring clearbenefits to theuniversity.At thesame time,hewarned thatseniorofficersshouldnotexpectimmediatebenefits.Heestimateditmighttakemorethansevenyearstobringriskmanagementfrominfancytofullmaturity.Healsopointedouttheneedtorememberthattheprocessisoneofcontinualchangeandupdatingbecausetheorganizationitselfisinastateofconstantchange.

Mobile Devices

An unexpected and somewhat astounding update to risk management efforts lies in the exponential development of the capabilities of mobile devices, combined with an HTEP and the cloud. The use of an iPad or similar device is, as Liebowitz calls it, “an absolute necessity.” The iPad replaces “a big stack of Excel spreadsheets” or a USB drive from an earlier generation, perhaps pre-2009. Those efforts were not user friendly and often lacked real-time information. Modern mobile devices changed all that. Now, risk managers and owners can sit around a table and immediately share information, devise strategies, and agree on risk management efforts while accessing reliable and current data.

Another benefit of mobile devices is that they facilitate collaboration. A company may have operations in many countries. All parties can access the same system, share information, and pursue strategies that can be monitored centrally as well as locally to ensure coordinated efforts. People can work on joint efforts even when they are out of the office. Users can connect to an HTEP anywhere in the world.

Still another advantage of a modern system occurs in the conversation among risk owners and managers. When six people in different parts of the world are discussing a risk and accessing its details on mobile devices, the picture can be changed immediately. An agreement to do something can be posted, updates to information can be added, and new strategies can be shared instantaneously. Risk management occurs as it is being discussed.

The value of mobile devices does not depend on being a large or complex organization. All the benefits of mobility, portability, and timeliness occur if all participants are in the same room, even as they all access data on the cloud.

HTEP Links

An HTEP works because it allows risk managers to move from link to link. A user can look at a screen and gather information. With a simple click on a link, the user moves to more detail, less detail, related detail, or other detail. The picture expands, contracts, modifies, changes in other ways, or goes on a journey to other destinations. In seconds, we can gauge the entire risk picture with precision and clarity.

The technology tools available for risk management in 2014 are indeed extensive. They involve cooperation by many parties, including the federal government, international agencies, private vendors, and information technology companies. We will use the Riskonnect platform as an example of applying these new technologies in different areas.

Earthquake Notification

Many people believe risk management with seismic tremors is a matter of luck. Either you avoid an earthquake, or you suffer its consequences. This is not necessarily correct. Two examples show how technology can be applied to make this point.

LLOYD’S EARTHQUAKE INSURANCE

Lloyd’s of London is not an insurance company. It is a marketplace for insurance carriers. It does not underwrite insurance business. It acts as an administrator of the placement of insurance. It sets rules for the underwriters who make their own decisions on accepting risk and issuing policies.

Lloyd’s offers coverage for loss from seismic activity. A company requested insurance for seven factories in Mexico. It asked a Lloyd’s broker to find it. What happened?

Answer

The broker took the request to a syndicate at Lloyd’s. The underwriter looked at a computer screen with a map of Mexico. One overlay showed the fault lines of underground plates where earthquakes occur. A second overlay showed the exact physical locations of the seven facilities. Based on nearness to the faults, the syndicate quoted a premium for insurance coverage. The broker accepted it on behalf of the company.

COMPUTER SERVERS SHUTDOWN

A cloud computing company operates 250 servers at a location near San Francisco. The servers are connected to a vast grid, and they store and process data from around the world. In the event of abrupt disruption at or near the facility, the servers are connected to an emergency shutdown system that takes the facility offline and preserves electrical capability. How can such a high-tech system provide risk management support?

Answer

The facility is connected to an earthquake early warning system that sends a signal triggering a shutdown of electricity to protected facilities. This avoids a surge that could damage the servers.

Southwest Airlines HTEP

Southwest Airlines is a client of Riskonnect. Southwest’s interest in the system began in the risk management department. The goal was to automate the following areas:

Claims Administration. The airline has an internal team to receive and organize claims of property damage or liability before working with external parties such as legal counsel to resolve a claim.

Emergency Response Teams. These are organized to be ready to deal with an emergency or disruptive event.

Prevention and Loss Control. These activities involve operations, maintenance, employees, facilities, and training.

Insurance Placement. The airline has insurance policies for aviation liability, property damage, business interruption, workers’ compensation, and aircraft hull damage.

The reality was much greater than what was conceived as the system became a full-time enterprise risk management solution.

SYSTEMS INSTALLED

The airline acquired three new technologies:

1. Salesforce. A cloud computing platform that allows clients to build their own applications without the need to deal with the security of the system, changing of hardware technology, storage of data, or upgrading of system capabilities.

2. Riskonnect. The high-tech electronic platform (HTEP) built on the Salesforce platform that allows users to create and modify their own software solutions for business applications without dealing with underlying information system issues.

3. Salesforce.com/chatter. A social network that allows synchronized collaboration among all users of Riskonnect and Salesforce. A user can create customized communications actions and deploy them securely and immediately with integrated applications to computers and mobile devices.

FLEXIBILITY

By integrating Salesforce and Riskonnect as underlying systems for risk management, the airline achieved the flexibility to concentrate on building its own management structure for risk and opportunity. The task of automating routine or unexpected exchanges of information, access to data, and interactive communications could be completed by managers rather than by information system specialists. Workflows could be streamlined, departments could be integrated, and outside parties could be tied into communication systems. Everybody could work together to schedule activities, set up workflows, purchase or lease equipment, resolve disputes, collect data, prepare reports, and perform a myriad of other integrated work or communications activities.

AIRCRAFT DATABASE

All equipment information could be maintained on the platform, currently updated, and immediately available to all authorized parties. For a single aircraft, the file might include:

Identity no.        7234
Tail no.            7234SW
Type                Boeing 737
Description         Primary passenger, 124 seats
Status              Owned
Age                 12 years
Cost                $65 million
Market value ($)    34 million
Insured hull        $31 million
Maintenance         Click here
Other               Click here

INCIDENT RESPONSE SYSTEM

The airline developed a system to share information on rapidly changing situations. It built a module for sharing communications. Three categories of identification are:

1. Event. The kind of activity determines interested parties. Examples are injury to employees, passengers, or third parties; damage to owned or leased aircraft, equipment, facility, or airport; contract signing or enforcement; acquisition; partnership; and unspecified operations.

2. Interested Parties. Access can be granted to users based on categories of need. Events could be identified as injury to people, property damage, disruption, media exposure, and other.

3. Impact. This determines the importance of notifying individuals based on the exposure or opportunity. The airline could use incident, emergency, crisis, or other levels.

AIRPORT REPORTABLE EVENT

An intoxicated ticket holder, complaining about a three-hour maintenance delay, raced through the gate, boarded the aircraft with a hammer, and smashed equipment before being restrained by passengers and airport security. The incident resulted in serious injury to a flight attendant and minor injury to two passengers. When the incident was reported, the system automatically shared information with interested parties. The structure connects them with the risk owner in Chatter something like this:

Incident Alert            Risk Owner
Injury to employee        Human resources
Injury to passenger       General counsel
Damage to aircraft        Maintenance
Schedule disruption       Operations
Likely insurance claim    Risk management
Media interest            Public relations
Crisis team response      As needed

INCIDENT DETAILS

All parties receive a description of what happened, including changes as they are known or occur: the dates, times, and locations; and other information as initially reported and with updates. Also shared are documents, including hospital and police reports, actions taken to notify other parties, and assigned responsibilities.

INCIDENT DETAILS TAILORED

The level of detail sent to each party is tailored, even as authorized users may go to the platform for additional details. The initial information can include the involvement of government agencies, police reports, photos and clarifying documents, identity of witnesses or other persons, and subsequent events. If a user seeks information not disseminated directly, it can be accessed as needed.

SPEED AND ACCURACY

Because the system is built without targeting a limited goal, all sorts of information are available or can be quickly identified and formatted. The serial number of an aircraft can be linked to a file that yields other data; employee names or numbers can be accessed, as can information about the airport, routes, and schedules. As medical reports are created for injured parties or insurance reports are exchanged for damaged property, this information becomes available. Any directives from management on completing the investigation, handling the incident, or implementing new procedures can be quickly shared.

Speed and accuracy are enhanced by the most modern technology. Using the cloud and Web portals, all authorized users are in continuous contact. They can access updates on mobile devices, using device cameras to take photos of people, documents, or physical sites, and they can view, edit, or update any shared information from any place with an Internet connection.

Question

An airline had to cancel 450 flights to 16 destinations as a result of a disturbance that closed its hub airport. The CEO has asked for an estimate of the cost of the event, specifically:

Additional personnel expenses.
Additional configuration costs for the fleet.
Number of passengers lost to other carriers.
Agreements allowing the firm to augment the fleet with planes from other carriers.

How much information can the CEO have in a 24-hour period with respect to these issues?

Answer

By now we should know that all of it can be available in less than 24 hours.

FOLLOW-UP EVENTS

All interested parties can follow up the incident as risk owners are assigned to take action, make adjustments, or institute corrections. As an example, assume five liability claims are filed against the airline. The system can share the information and send each of the following to the proper parties for action:

Claim 1    Injured passengers
Claim 2    Passenger trauma, no injury
Claim 3    Workers’ compensation
Claim 4    Insured equipment damage
Claim 5    Minor airport damage

BENEFITS

The benefits of the system, as compared to paperwork, word processing documents, spreadsheets, or other systems, are legion. The system offers lower administrative costs compared to filing papers or handling data in individual unlinked files, as well as reduced reporting, auditing, and controlling costs. It reduces errors; speeds up processing of cloud-based information; facilitates editing, revisions, and updates of information; and lowers costs for insurance and claims management.

Collaboration with Chatter

These benefits are enhanced by the ease of using Chatter. It is as though everyone is in the same room with the same paper documents. Chatter allows:

Tracking of all communications throughout a problem-solving process and incident reporting events.
Negotiating lending and leasing arrangements.
Allowing outsiders to enter data without having access to the full system.
Participation by all authorized users in attaching files and commenting on them.
Distributing immediate responses and updates when refreshing the screen.
Using a Like button to say “thank you” or acknowledge receipt of information.

Real-Time Links to the World

An HTEP can be backed up with a worldwide system of data centers with real-time access to information as it becomes available. Salesforce is connected in a secured and redundant network with millions of users who access or share data. The airline spends hundreds of millions of dollars annually to maintain a modern and reliable system.

Word Translation and Currency Translation

A feature of the robust Riskonnect HTEP is the degree to which it serves multinational firms and a global business community. Two examples:

Multilanguage. Information can be stored, accessed, and shared in any of the more than 50 languages supported by the system. All users can toggle screen text, messages, and online help in their own language.

Multicurrency. Monetary and financial data can be entered in one major currency and translated into other major currencies based on specified criteria. Corporate financial analyses and reports can be created in summary or in detailed formats so that each international business unit can enter, manage, and report information in local currencies. The system, with customizing from headquarters, then produces company-wide reporting in one or more desired currencies.

Data Resources

Thus far we have largely concentrated on data available within the organization. The truly powerful HTEP also accesses external sources of information. The entire world is connected for economic, financial, weather, political, social, breaking news, and other data, events, and communications. The HTEP allows users to automate much of the research and pursuit of information to achieve specific goals:

Search. Find data and information needed for business decisions, reports, operations, or other needs and convert it into formats that can be used for decision making.

Compare. Query data from multiple sources, convert it into a single format, integrate economic and other indicators, analyze numbers and interpretations, and compare the value of knowledge provided by the different sources.

Visualize. View and present data, reports, and analyses accompanied by charts, photos, and compelling graphics for use in presentations.

Share. Post updated and interactive content on websites and dashboards or in reports.

Decide. Use the entire system to make faster and better decisions than available in the absence of the capabilities of the HTEP.

Managing a Disability Claim

A worker is harmed in an accident on the job. An arbitrator has requested the following:

Medical File. Reports from the doctors, tests, and prognosis on the injured individual.

Insurance. Disability coverage agreements and state mandates for employer responsibilities.

Historical Records. Previous accidents on company sites in the past three years.

Government Regulations. Schedules, findings, or other data on injury recommendations from state agencies.

Personal Data. Salary and other employment history for the employee.

Question

How much of this information would be in the HTEP?

Answer

All of it. Links can access government information, insurance and human resource documents can be stored online, and links to medical providers can be previously authorized for electronic access.

Conclusion

We have made amazing progress with risk management technology since the 1980s, particularly after 2009 when the power of the Internet was augmented by mobile devices. An HTEP is, in many ways, a dramatic advance in our capabilities to deal with the uncertainties of doing business in a changing world.

CHAPTER 10

HTEP APPLICATIONS

RISK QUOTE: Don’t worry about your heart, it will last you as long as you live.

—W. C. FIELDS, COMEDIAN AND MOVIE STAR

RISK QUOTE: They that are on their guard and appear ready to receive their adversaries, are in much less danger of being attacked than the supine, secure and negligent.

—BENJAMIN FRANKLIN, SCIENTIST, PUBLISHER, AND DIPLOMAT

The value of a high-tech electronic platform can be told with a number of stories. Let’s tell a few more of them.

Airbus A380 Jumbo Jet

The year was 2006. The risk from developing the world’s largest commercial airplane was being studied by MBA students at Saint Peter’s University. This is the story using the original HTEP from Riskonnect.

EADS LEVELS 1 AND 2

In 2006, Airbus was concerned about completing development and launching the A380 jumbo jet. The company implemented a key risk management initiative, known as the Power8 program. Figure 10-1 shows EADS, the parent company of Airbus, as level 1, along with four other operating units that managed their own risks.

AIRBUS VIEW, LEVELS 2 AND 3

The A380 alone was a major exposure to Airbus in terms of development, marketing, and operations. Figure 10-2 shows four Airbus subrisk categories aligned with the Airbus business model. It also shows the A380 key initiative, which structurally could report to Airbus Aircraft but which, because of its importance, was moved up in the business model.

A380 VIEW: LEVELS 3, 4, AND 5

Figure 10-3 shows subrisks identified in the Power8 structure. Aircraft structure covers the risks of setting up efficient aircraft production, integrating the complex supply chain, and improving and streamlining assembly once mass production begins. Financial operations involve handling cash and managing cash flow, shortening the development time to full production, and solving problems in manufacturing and operations.

FIGURE 10.1. EADS TOP VIEW OF RISK CATEGORIES.

FIGURE 10.2. AIRBUS RISK CATEGORIES.

The figure shows something else, namely the intervention of ERM by the MBA candidates. They observed that Power8 omitted a risk category that should have been visible at the level of A380 subrisks. In formal presentations in class, they made the argument that a key success factor in the sale of the jumbo jet would be the existence of a large number of airports capable of efficiently handling the plane. Thus, Power8 should add an airport risk category to the first level of visibility, as has been done in the figure.

AIRPORT RISK: LEVELS 4 AND 5

The Saint Peter’s teams went further, developing their own view of the newly created airport category. They identified a number of subrisks, shown in Figure 10-4.

FIGURE 10.3. A380 POWER8 RISK CATEGORIES, REVISED.

Emergencies. An obvious risk. Airlines and airports that accept the A380 would need new procedures to deal with unexpected or dangerous situations because of the large number and concentration of passengers in the terminal or loaded on a single plane.

Baggage and Passenger Handling. Two other exposures. Most airports lacked the capability to move a large volume of baggage efficiently between the terminal and a single passenger plane. Because the A380 has double-decker doors, airports might have to modify physical facilities to load and unload passengers efficiently.

Airport Network. A final problem. In 2006, only eight airports in the world proclaimed themselves ready to handle the large aircraft. The absence of alternative sites to take off and land would reduce the flexibility of aircraft operations and limit the ability of the plane to fly alternative routes. This situation could encourage airlines to delay orders for the plane until more airports created the capability to handle it.

FIGURE 10.4. AIRPORT RISKS.

AVAILABLE AIRPORTS: LEVELS 5 AND 6

One team extended the analysis to two subrisks under the number of available airports. Two risk owners were needed.

1. Airport Negotiations. One owner to negotiate with airports to encourage investments in infrastructure and upgraded systems to handle jumbo planes.

2. Airline Negotiations. Another owner to work with airlines on efforts to convince carriers to upgrade baggage and passenger handling capabilities.

Figure 10-5 completes the hierarchical structure.

FIGURE 10.5. AVAILABLE AIRPORTS SUBRISK CATEGORIES.

LEVELS 1 TO 6 WITHOUT TAGGING

We are now all the way down the risk management structure. Figure 10-6 shows all the risk relationships and allows us to see the entire picture through six levels. The good news is that we see everything. The bad news is clutter. There is too much detail.

LEVELS 1 TO 6 WITH TAGGING

Figure 10-7 corrects the clutter problem by showing a tagged view. We can still see the linkage from EADS through Airbus, the A380, and airport risk. We can focus on airport and airline negotiations, far down the list but critically important to success.

SUPPORTING VISUAL RISKS

As in our previous Riskonnect illustrations, we can combine clusters with backup documentation. We learned that, even with the high complexity of risks in the A380 project, we can use an HTEP to visualize risk relationships and support decision making with documentation.

FIGURE 10.6. CLUTTERED VIEW OF SIX LEVELS OF RISK.

FIGURE 10.7. TAGGED VIEW OF SIX HIERARCHICAL LEVELS.

HTEP Opportunity with Bananas

A company ships bananas from Ecuador to Northern Europe. When a vessel passes Miami or Le Havre, the company wants to know in real time whether it should divert that vessel to take advantage of a spike in the price of bananas.

Question

How can the company use a high-tech platform to make the diversion decision?

Answer

The company has the following information in its system:

Real-Time Banana Pricing. This consists of real-time price quotes in major markets, as they fluctuate throughout the day, from various wire services accessed by the system.

Port Data. This covers the ports where diversion is a possibility, including their lengths, dimensions, and capabilities to handle vessels. Also available are current schedules of berths and current and future occupancy. Availability of cranes is also shown.

Vessel Data. This is composed of the speed, fuel consumption, port charges, and other data specific to each vessel.

Ship Manifests. The kinds and amounts of bananas loaded in various areas of the vessel on pallets or in containers are contained in this file, along with the buyers of products.

Customer Orders and Needs. This includes information from the marketing and delivery departments, matching customers with requirements and orders.

Accounting Data. This consists of other information to assess the costs and revenues of bananas, vessels, and voyages.

When a vessel is nearing ports in Florida, Spain, or France on the way to Antwerp, the company monitors banana prices. When it notices changes in prices, the system computes the change in revenues from the sale of bananas based on diverting the vessel to unload a portion of its cargo. If a diversion is economically justified, the ship is directed to speed up, discharge in a designated port, and continue on to meet its original unloading timetable.

Tropical Storm Disruption

A tropical storm damaged many of the refrigeration manufacturing companies in Taiwan. These companies provide refrigeration units and repair parts and components for an industrial distributor. Management wanted to know the status of the damage and asked the following questions:

What will the impact be on operations if damage occurred to companies supplying us with original equipment?

What will be the impact on operations from missing repair parts and components?

Which companies provide OEM, components, or parts to competitors?

Question

How many of these questions could the company answer from its risk management system? How long would it take to get the information?

Answer

Once again, most such questions could be answered quickly with a modern HTEP system.

BP Oil Explosion

In 2010, BP Oil experienced a major disaster when an explosion sank the Deepwater Horizon drilling platform. The bad news continued during efforts to stop the leaking oil. The company successfully capped the leak 86 days after the explosion and the release of 5 million barrels of oil into the water.

One explanation for the genesis of the crisis deals with whether BP executives had the big picture. The answer appears to be no. The company had evidence of unsafe practices, but the information was not contained in a high-tech platform. Examples:

Refinery Accident. In 2005, a BP refinery in Texas experienced an explosion that killed 15 people and injured almost 200 others. A risk management database would have displayed more than 400 safety violations in the preceding three years.

Safety Violation. Three months prior to the disaster, the U.S. Occupational Safety and Health Administration reported that BP had more than 800 willful safety violations in a four-year period.

Worker Concerns. Workers on the Deepwater Horizon were surveyed prior to the explosion. They said they had unreliable equipment in an atmosphere of, “Run it, break it, fix it.” The reports came out in Congressional hearings after the incident. They were not available to senior executives prior to the incident.

Equipment Assessment Report. The company commissioned a study that described deteriorating conditions and practices on the Deepwater Horizon. The rig was overdue for dry dock, and components such as fail-safe valves had failed inspections. When equipment was tested, more than 25 systems were identified as being in “poor” condition.

Question

Did BP have any other major item of information that might have been useful to senior executives?

Answer

With a high-tech HTEP system, someone may have spotted the resignation of Kevin Lacey. BP brought him on board in 2006 to improve safety on platforms in the Gulf. He installed a safety program at Chevron recognized for its best practices. He struggled to make improvements at BP and resigned in 2009. This was not a good sign for what would happen three months later.

Ford Supply Chain

The fourth quarter of 2001 produced a disruption at Ford Motor Company. Production declined below forecasts. Was the company prepared for the situation?

Answer

Not really. The company did not have an HTEP system to quickly assess disruptions. After the 9/11 attack on the World Trade Center in New York City, the U.S. government stopped trucks carrying automobile and truck components at the Mexican and Canadian borders. Ford did not have a backup plan and was forced to curtail production.

Dell Supply Chain

A similar disruption occurred at Dell in 2010. Floods in Thailand disrupted Dell’s supply of components for computers, servers, and other products. Dell and other manufacturers could not meet customer needs on a timely basis. Deliveries were delayed, causing serious problems for customers who needed new computing equipment or who wanted to repair installed Dell systems.

Question

What should have happened?

Answer

Someone in a high position with access to senior executives should have searched for production disruption from Mexican suppliers and Thailand floods. This is nonlinear thinking about the interactions among risk. An efficient supply chain without a backup in case of emergency endangers an organization. One risk affects other risks.

Chilean Mine Rescue

On August 5, 2010, a cave-in at the San Jose mine trapped 33 miners 2,300 feet (700 meters) below the surface of the ground. The men had descended down a lengthy spiral passageway in a mine known for the instability of the earth. Rescuers did not know whether they survived the collapse.

Andre Sougarret, head of another mine, was sent to take charge of efforts to rescue the miners. He discovered a complete lack of information:

Maps of the Mine. They were out of date.

Communications. The mine had no internal communications below ground level.

Safe Room. The mine had an area below the collapse designated as a place for miners to wait for rescue in the event of trouble. It was scheduled to be stocked with sufficient food and water to last 48 hours with a full-size working crew. No records were kept on whether this had actually been done.

Repair Shop. Another area below the collapse was reserved for the storage of tools and equipment. The condition of the shop was not known to rescuers.

Air Vent. A rescue shaft had been drilled down to the likely level of the miners. It could provide air from the surface and included a ladder so individuals could climb to the surface in the event of an emergency. A surface report showed a prior inspection found the ladder was broken and needed repair before the mine could be operating. The recommendation had been implemented.

Sougarret launched drilling shafts toward the repair shop and safe room. Seventeen days later, the rescue team heard banging on the drill head and retrieved a note that said the miners were alive. Seventy days later, they were rescued.

Question

How could technology have helped with the rescue of the miners?

Answer

A single source of information monitored by a central risk function would have highlighted the failure to fix the escape ladder that would have allowed an early rescue. As it was, a second shift of earth a few days after the major collapse closed the ventilation shaft. A central system was also more likely to maintain the current mapping of the mine to facilitate the start of rescue operations. As it was, four days of confusion reigned at the site until Sougarret arrived. Finally, central monitoring would help ensure that the food stock and water were actually in the safe room. Luckily for the miners, it was. Risk management should not rely on just luck.

Conclusion

The versatility of a modern risk management system allows it to be used in many applications. In this chapter, we covered some of them.

CHAPTER 11

PRODUCT LAUNCH APPLICATION

RISK QUOTE: You got to be careful if you don’t know where you’re going, because you might not get there.

—YOGI BERRA, AMERICAN BASEBALL PLAYER

RISK QUOTE: I could tell that my parents hated me. My bath toys were a toaster and a radio.

—RODNEY DANGERFIELD, COMEDIAN

An HTEP, when built with the features described, can find a variety of other applications. This is demonstrated by means of a product launch evaluation. Our story builds on a December 2007 Harvard Business Review article titled “Managing Risk and Reward in an Innovation Portfolio.”

The launch of a new product or service can be a high-risk venture. Four exposures are (1) development of the product; (2) identification or creation of a market; (3) finding the capital needed to support the product until cash flow turns positive; and (4) protecting against the theft of intellectual property. Figure 11-1 shows these risks visually.

Market Risk

Figure 11-2 identifies six factors that affect market risk.

FIGURE 11.1. PRODUCT LAUNCH RISKS.

FIGURE 11.2. MARKET SUBRISK IN A PRODUCT LAUNCH.

1. Customer Behavior. Will customers behave like, something like, or differently from existing customers?

2. Brand Recognition. Will the product be a major asset, be a minor asset, or have no value at all?

3. Sales Ability. Should selling activities be largely identical to, similar to, or different from current efforts?

4. New Competitors. Do we understand, understand to some degree, or have no knowledge of likely competitor behavior and intentions?

5. Knowledge of the Market. Do we know it well, or are we entering a new arena?

6. Current Customer Relationships. Are our existing strengths with customers important, helpful, or of no value in the new market?

Product Risk

Figure 11-3 shows the subrisks for product risk.

1. Product Development. Is the product largely the same as, similar to, or completely different from our current products? Do our current development capabilities fully apply, require significant new learning, or apply not at all?

2. Technical Competency. Are our technological skills fully, partly, or not at all applicable to developing the product?

3. Delivery Capability. Is our current distribution system suitable, partly suitable, or inappropriate for handling the product?

4. Support System. Do we have a system currently or partly in place? If not, do we need a totally new system to support the product?

5. Quality Standards. Is the level of product quality identical to, related to, or completely different from the level of quality of our current products?

FIGURE 11.3. PRODUCT SUBRISKS IN A PRODUCT LAUNCH.

CapitalRiskInourproductlaunchanalysis,weidentifiedtwomajorcapitalfinancingexposures,asshowninFigure11-4.

1.BurnRate.Thespeedatwhichcapitalisexpendedinastartupventureorproductlaunchcompany.Itreferstotheperiodwhenthecompanymustfinancelaunchandoverheadcostspriortothegenerationofpositivecashflow.InanERMperspective,weareaskingwhetherwecancontrolmoneyspentondevelopmentandmarketinginadvanceofbreak-even.

2.SecondRoundofFinancing.Will an angel investor, awealthy individualwho providescapital for new business ventures, step up to provide additional funding without totallydilutingownershipoftheproductorventure?


FIGURE 11.4. CAPITAL FINANCING RISK IN A PRODUCT LAUNCH.

Intellectual Property Risk

Figure 11-5 shows the fourth risk category, which is the danger of a loss of intellectual property. It also has two subrisks.

1. Approved Patents. Will patents be granted by various governments to provide legal protection in jurisdictions where they can be enforced?

2. Theft of Intellectual Property. Will manufacturers in countries that do not protect inventors steal the technology, produce the goods or deliver the services, and be able to hide from enforcement of legal rights?

Risk Profile

As with the model in earlier chapters, we can display the four top-level risks on two axes, from green (lowest) in the lower left area to red (highest) in the upper right. The axes can represent frequency and severity, control and impact, or other variables. Figure 11-6 displays such a profile.

Expanding the View

As we have seen, we can expand the view. Figure 11-7 displays an enlarged cluster that incorporates three levels of risk relationships. The view is cluttered, but we know we can tag risks and filter them to customize our view.


FIGURE 11.5. INTELLECTUAL PROPERTY RISK IN A PRODUCT LAUNCH.

FIGURE 11.6. RISK PROFILE ON TWO AXES.

FIGURE 11.7. PRODUCT LAUNCH WITH SUBRISKS AND SUB-SUBRISKS.

Conclusion

Once we employ risk clusters in an ERM framework, we can find stand-alone applications that allow us to see risk relationships and supporting documentation.


PART THREE

RISKS WITHOUT RISK OWNERS

RISK MANAGEMENT will fail if we do not consider things that are close to us, that endanger us, and that are hard to see or assign to a single person in an organization.

Strategies. Are we managing strategies after we formulate them? Do we understand the weaknesses in our proposed courses of action?

Culture. Do we consider how factors in the organizational culture can destroy our goals?

Leadership. What kind of leadership do we need? What kind do we have?

Life Cycle. What stages occur in different lines of business or operating units? What problems arise from life cycle risks?

Now we examine risks that are fundamentally different from the risk structure built in earlier chapters. No single risk owner can manage them, but the failure to manage them can destroy the organization. In a proactive ERM program, they can be identified by the central risk function and can be addressed by executives and managers.


CHAPTER 12

STRATEGIC RISK

RISK QUOTE: There is no reason anyone would want a computer in their home. —KEN OLSEN, PRESIDENT, CHAIRMAN, AND FOUNDER OF DIGITAL EQUIPMENT CORPORATION, 1977

RISK QUOTE: 100 percent of the shots you don’t take don’t go in. —WAYNE GRETZKY, PROFESSIONAL HOCKEY PLAYER

FedEx

FedEx shipped more than three million packages a day in 2013. It served 200 countries with 640 airplanes, 1,200 stations, and 50,000 vehicles, and it employed 160,000 people. Rob Carter was the chief information officer of FedEx. He was asked the question, “What business are you in?” How do you think he answered?

Answer

Not the shipping business. Not the package delivery industry. He said, “FedEx engineers time.” As the world shrinks and changes, FedEx offers solutions that allow customers to make things happen on time schedules that would otherwise be impossible. FedEx spent more than $1 billion in 2005 to build its own technology platform. Customers could track any individual FedEx shipment using the Internet. It did not matter whether the customer knew the tracking number. FedEx gave customers the ability to see every inbound package.

Question

Suppose a laboratory wants to know what bone marrow shipments it will receive today. Why would it need to know that information?

Answer

To prepare for testing the samples. Because a sample has a useful life span of only 24 hours, tracking every inbound shipment early in the day allows the laboratory to have enough technicians available to test all the samples that will arrive each day.

The philosophy of the U.S. Marine Corps is to “move, communicate, and shoot.” It is also the strategy of FedEx: Start the package toward its destination (move); make its position known to the addressee (communicate); deliver it (shoot). Intuitive decision making tells Marines whether they are winning the battlefield and tells FedEx whether it is staying ahead of the less innovative but highly competitive UPS.

Lesson Learned: When FedEx started in business, the U.S. Post Office thought it just had another competitor. Instead, it had an organization that knew how to manage strategic risk.

Strategic Risk Management

Strategic risk is the positive or negative impact of risk in the following conditions:

Risk Identification. The upside is opportunity to achieve a goal. The downside is the possibility of loss.

Problem Solving. Defining a problem correctly allows the pursuit of an effective strategy. Failure to recognize the real problem can do significant damage.

Changing Conditions. Successful adaptation to trends, emerging opportunities, or exposures can produce successful business operations. Failure to adjust or respond can cause damage.

Execution. The achievement of a goal helps an organization. The failure to perform effectively hurts it.

Strategic risk management encompasses all activities to identify risks, solve problems, adapt to change, and successfully execute plans. It includes these components:

Goals and Strategies. Does the entity have realistic goals and suitable strategies to achieve them?

Resources. Is it identifying and allocating adequate assets, people, and other resources to solve problems or pursue opportunities?

Organizational Structure. Does it have the right staff and line units for the tasks at hand?

Capabilities of People. Does it understand the abilities and skills of its personnel and employ them to pursue goals where they can succeed?

Systems. Are the entity’s communication channels, operating systems, and delivery networks designed to support efficient operations?

Risk Identification. Does the organization have an effective means for scanning for the impacts from external economic, competitive, technological, legal, regulatory, and other changing circumstances?

Strategic Risk and Knowledge

A knowledge economy is a local, national, regional, or global system that uses knowledge to produce economic benefits. The phrase was popularized by Peter Drucker in The Age of Discontinuity (Harper & Row, 1968). As barriers to trade dropped and developing countries used technology and education to raise worker skill levels and increase interactions beyond their borders, the world morphed into a true global knowledge economy. Strategic risk management addresses the dangers and opportunities that accompany this transformation.

Corporate strategists recognize that government economic data does not reflect the factors that make a modern economy strong. A nation’s economic level is not understood solely in terms of its physical assets, raw materials, and labor. Rather, an additional shadow economy exists as a result of investment in intangibles. Some expenditures consume resources, as with the burning of oil. Others strengthen an economy, as with education and research and development. The existence of a shadow economy means that strategists must recognize the existence of two distinct systems:

1. Physical Economy. Production and consumption activities that reflect the use of physical assets, consumption of raw materials, employment of labor and the workforce, and consumer and business spending on goods and services.

2. Shadow Economy. A separate economic machine that reflects individual and organizational investments in intangibles that strengthen the economy rather than consume its resources.

Pursuit of Knowledge

Organizations pursue knowledge when it yields new product innovations and adds to the knowledge base of industry and the marketplace as a whole. The pursuit of knowledge is a precursor to risk management efforts that solve problems and allow adaptation to changing conditions. Three types of knowledge pursuit have been identified:

1. Pure Research. This category covers efforts to discover basic truths in science, technology, health care, environment, and other areas where empirical data can be observed. It has no specific end goal, although its findings are often subsequently incorporated into practical applications. It is performed largely by universities, pharmaceutical and chemical companies, biologists, and scientists and is supported by government or nonprofit foundation funding.

2. Applied Research. Applied researchers are seeking solutions for specific problems. Funding is provided by industry, the military, and nonprofit groups seeking a particular outcome that solves a social or other problem.

3. Development. These efforts create a new or revised product or application by bringing technology, materials, or processes to improve existing products, services, or activities.

SAMSUNG STRATEGIC RISK

In 1993, chairman Lee Kun Hee visited Los Angeles. He observed that Sony products stood out, whereas Samsung’s were lost in the crowd. When he returned to Korea, he put less focus on cost saving and a high emphasis on developing unique products. Between 2000 and 2005, Samsung earned 100 citations at top design contests in the United States, Europe, and Asia. Samsung’s revenues jumped 25 percent in 2005, and its profits doubled. By 2007, Samsung’s great design catapulted it to the top ranks of global brands.

To be successful with its strategy, Samsung had to overcome the traditional respect for elders and workers’ reluctance to speak out of turn. Samsung created a separate design center near the company headquarters but not in it. It had its own unique culture. There was no dress code. Some younger staffers dyed their hair green or pink. All employees were encouraged to speak up and challenge their superiors. Designers worked as equals in three- to five-person teams.

Lesson Learned: Strategic risk is the failure to respond to conditions that are harmful to success. When new strategies are needed, boldness can produce impressive results.

Historical Perspective of Strategic Risk

A number of developments led up to the present practice of strategic risk management. Sudden change destroyed entities that did not adapt to it. If we take a historical view, we can think about how many risks we would have seen coming if we had been alive at the time they occurred. We start by observing that risk management has changed as the world has moved from the Agricultural Age to the Industrial Age. Think about the eighteenth century. We had horsepower, wind power, and water power. Horses could be connected to harness the power of multiple animals pulling in the same direction. Windmills could do some things, and sailing vessels moved people and cargo. Water power was limited to the speed and volume of rivers flowing over waterwheels. The use of levers, inclined planes, and other tools multiplied the amount of power that could be created.

As we entered the nineteenth and twentieth centuries, Newcomen and Watt’s steam engine created massive power to produce textiles, machinery, and other goods. Rotary motion allowed the steam engine to drive locomotives. Factories distributed goods widely. Steel, electricity, and the elevator allowed the construction of taller buildings and a greater concentration of population in cities. Air conditioning made subtropical areas new centers of major business.

What is the link between strategic risk and these developments?

Rising Risk Level. Accidents, injuries, wars, and competitors are far more prevalent in an Industrial Age environment.

Virtually Unlimited Opportunities. To earn a living, we had more options than shoeing horses or butchering animals. Instead, the world became a stage, and, with the right strategy and a little innovation and energy, we could play on it.

Question

What is the common thread that links productivity developments?

Answer

The answer is the emergence of new risks and a need for new techniques of risk management. These developments occurred without an explicit recognition that people were dealing with risk. In the age of ERM, we deal directly with risk and opportunity.

FROM THE AGRICULTURAL AGE TO THE INDUSTRIAL AGE

Year    Event
1712    Steam engine. Newcomen’s invention made the Industrial Age possible. Previously, we were limited to power created by linking horses, oxen, or even elephants or derived from the force of water rushing down a slope.
1769    Condenser. Watt’s invention did even more. It made the steam engine a practical tool to generate reliable power. It took 57 years, but now we really had something big.
1782    Rotary motion. Watt also figured out how steam could turn a wheel. This had applications in factories, and it also opened a door for something that could move goods to distant places.
1829    Locomotive. Stephenson joined the practical steam engine with rotary motion, enabling railroads to change the quantity of goods and the number of people who could move long distances in relative comfort.
1852    Elevator. Steel may be strong, but people could climb only so high on a regular basis. Tall buildings were feasible only after Otis developed elevators. Skyscrapers would come next.
1856    Steel. Bessemer discovered something better than iron for railroad tracks and buildings. This would be big.
1871    Dynamo. This device, which converts steam to electricity, was Ben Franklin’s dream a hundred years earlier. All sorts of new risks and opportunities were now on the horizon.
1911    Air conditioning. It took 40 years or so, but comfortable homes and skyscrapers in summer were on the horizon. People could live and work year-round in comfort in southern climates.

Strategic Risk and Synergy

The movement from the Agricultural to the Industrial Age was driven by new inventions. This energy operated independently and then came together in wonderful synergy. As an example, consider improvements in communications. People in agricultural societies knew little of the world outside a narrow territory. A typical villager in the seventeenth century knew as much information about the world as would be contained today in a single issue of a newspaper. What newspaper? The New York Times. Not the Sunday issue, mind you. A weekday issue.

The expansion of commerce was accompanied by faster ways to move information and people. Over a century or so, the world went from the highly important and innovative dot-dash-dot of the telegraph to the blindingly swift and often annoying advent of the Internet. Transportation was equally innovative. The steamboat was a major advance over water transport that relied on sailing and wind power. The railroad represented a giant advance over the horse and carriage. The freedom and speed of automobiles and airplanes could hardly have been imagined 100 years earlier.

What does this mean for strategic risk? History tells us clearly that we should not ignore the synergies outside our immediate span of vision. For organizations, this is the responsibility of a central risk function.

COMMUNICATIONS DEVELOPMENTS

Year    Event
1837    Telegraph. Morse developed a means of long-distance communication that allowed information to move faster than people and their animals. The combination of trains and telegraph would allow Russia to take over distant empires and enable companies to react quickly to changing market conditions.
1876    Telephone. Bell gave us better long-distance communication. No longer did information move one letter at a time, with dots and dashes. Nor did we have to wait for feedback. Oral responses could be obtained immediately.
1920    Radio. Radio meant that a single message could be disseminated to many people simultaneously. It led to major developments in advertising, entertainment, propaganda, and emergency warning systems.
1923    Television. TV was better than radio because a visual component was added to audio messages. It took about 25 years for television to become commercially viable.
1995    Internet. The ultimate tool for sharing information, disseminating urgent messages, and receiving communications that we want to share and sometimes want to block.

TRANSPORTATION DEVELOPMENTS

Year    Event
1807    Steamboat. Steamboats were faster than sailing vessels and soon would be larger.
1830s   Railroads. This development provided transportation that was faster than covered wagons and the pony express, which would both be obsolete in 40 years.
1889    Automobile. Cars offered more flexible land transportation than the railroads. They allowed people to spread out and made leisure travel an option.
1903    Airplane. Faster and more flexible than the automobile, airplanes were also likely to change the nature of war.
1939    Jet plane. These were really fast. People could be in India in the morning and in England in the afternoon.

Strategic Risk and Tools of Knowledge

What is the common link among the steam engine, telephone, jet plane, and other change agents? The answer is technology, arguably the most important single factor in strategic risk management. People needed a rising level of knowledge and skills to understand and use new technology. They got it from new tools in two phases.

Phase One. This was slow and took a long time. It includes early changes in our ability to manipulate numbers and words. It took a long time to arrive at the adding machine and the calculating machine. Similarly, Gutenberg’s movable type replaced handwritten documents and allowed for the creation of significant books. Centuries later, the typewriter followed, itself shoved aside by punch card machines that sorted and prioritized information needed to understand isolated transactions.

Phase Two. This was a seismic leap in our ability to handle numbers, words, and data. Starting with large machines used by governments and large companies, it morphed with miniaturization into the personal computer. Now, individuals can handle numbers, words, and data, augmented with new capabilities in graphics and communications. The Internet and mobile devices are the culmination of phase two.

KNOWLEDGE DEVELOPMENTS, PHASE ONE

Year      Event
300 B.C.  Abacus. This is the earliest known technology for counting and performing math functions.
1450      Movable type. Gutenberg made it much easier and much less expensive to print books. Learning and amusement spread widely.
1820      Adding machine. A Western tool to crank numbers soon had multiple applications in commerce and accounting.
1833      Calculating machine. This added multiplication and division to the easy handling of numbers.
1867      Typewriter. The typewriter made it much easier to put words on paper. The number of communications skyrocketed.
1889      Punch card machine. IBM gave us a tool that counted inventory and did a lot more.

KNOWLEDGE DEVELOPMENTS, PHASE TWO

Year    Event
1946    Electronic digital computer. The computer gave us a single device, however large in its first version, that could handle words, numbers, and data.
1947    Transistor. Replacing vacuum tubes, these made the computer faster, smaller, and more reliable.
1958    Integrated circuit. This new development made the computer even faster, smaller, and more reliable, replacing the transistor.
1976    Personal computer. This was a really big step forward.
1979    Electronic spreadsheet. If word processing were not enough, this guarantees the business need for personal computers.

Strategic Risk and Opportunity Since 1980

As we closed the twentieth century, there was an acceleration in the rate of change in products and markets. Developments such as the following increased both danger and opportunity:

1980–1995. Personal computers provided new tools for handling words, numbers, data, graphics, and communications.

1991–2005. We created and expanded communications networks, using the Internet to link people and organizations.

1995–2006. We saw the amazing rise of industry in China, accompanied by growing economic strength in other developing countries.

2002–2009. Pocket computing supplemented and replaced personal computers, day planners, telephones, and televisions. Cell phones became ubiquitous. People were free to take their offices and homes with them anywhere they went.

2008–2014. Mobile devices and apps completed the story. If you can do it on a computer, you do it on the move.

Scanning Post-2014

From this historical perspective, we know where we are—or where we think we are. What comes next? What sources of strategic risk are on the horizon? Here are some nominees:

Emerging Nations. China and India, with 36 percent of the global population and growing economies, need constant surveillance. We should not overlook emerging countries and regions as well, particularly Pakistan, Indonesia, and the Middle East. In 2002, everybody was investing in China. When intellectual property problems surfaced in 2004, the focus switched to India and opportunities in Mumbai, Chennai, and Bangalore.

Developed Nations. The financial crisis that began in 2008 caused the landscape to shift again with crises in home mortgages in the United States and a later Euro currency crisis.

Turbulent Nations. The Arab Spring in 2010 and demonstrations in Egypt, Ukraine, Thailand, and elsewhere created chaos that destroyed many prior strategies for economics and politics.

Technology and Knowledge. Everything a business needs with respect to information and strategies can be carried in small portable devices. All of our plans and proprietary secrets can be leaked via the Internet or misbehavior. Today’s innovative new product is tomorrow’s obsolete relic. Strategic risk tells us to check constantly the validity of a budget prepared just a few months ago, a strategy that took much time to create, and an assumption that seemed quite reasonable just yesterday.

Logistics. A company’s raw materials are likely to come from 20 suppliers in 15 countries, and its components are probably fabricated in six different countries. Czechs who update massive databases and Mexican engineers who upgrade computer and telecommunications systems all support the supply chain. Products designated for customers in North America are shipped at the last minute through the congested and vulnerable port of Shanghai. We must carefully manage redundancy and stability in the supply chain.

Cyber Risk. This is a massive exposure. Chapter 17 examines it in detail.

Energy All by Itself

Maybe the biggest strategic risk involves our reliance on fossil fuels. In 2013, the daily world oil consumption was 91 million barrels a day. Globally, we had the long-term capacity to refine somewhere between 89 and 90 million barrels a day, depending on the number of refineries that are offline. With minor exceptions, oil companies and others were not making an effort to expand refining capacity.

Who consumed oil in 2013? The United States consumed 19 million barrels a day, or 21 percent of the total. The larger European Union consumed 15 million. China increased its consumption from a few million barrels daily a short time ago to 11 million barrels a day in 2013.

Finally, let us scan internally. Who provides the oil products that fuel 90 percent of the world’s transportation? The answer is oil companies, OPEC, and countries outside the Middle East that have oil reserves. Governments were asking the providers to increase production and invest in refining capacity. This would, however, tie up providers’ capital, lower gas prices, and reduce their profits. With the exception of the United States with shale oil and Russia with economic needs, why would anyone agree to do that?

A central risk function cannot predict the future, but it can alert management and boards of directors to strategic risks. It is likely that the world will need more oil in the near future with refining capacity that may not keep up with needs. To any board, CEO, chief risk officer, or person on the street, an economic structure based on fossil fuels poses a strategic risk.

Boeing Versus Airbus

The competition between the airplane manufacturers Boeing and Airbus is instructive for what it reveals about the importance of ERM as companies make strategic decisions. Strategic risk reaches its pinnacle on really big alternatives when a company can go one way or another and a great deal rides on the outcome. This was the situation between Boeing and Airbus after 1998 when they were locked in a duel to sell wide-body jets to the major Asia-Pacific carriers. The manufacturers took different roads in that battle:

Boeing’s Strategy. Boeing put its development money into the 787, a plane with a seating capacity of from 200 to 300 passengers. The 787 is attractive to airlines that fly smaller passenger loads. It is also fuel-efficient because it has only two engines.

Airbus’s Strategy. Airbus pursued a strategy based on the belief that airlines would want larger planes to operate from crowded airport hubs. It developed the A380, a jumbo jet already described. It is capable of carrying from 500 to 800 passengers, has four engines, and is 25 percent less fuel efficient per passenger seat than the 787.

The Boeing and Airbus strategies recognized inherent risks. Development costs were extensive because new technologies were required. The success or failure of each company’s strategy was dependent on decisions by airlines and governments, which were outside their control.

Lesson Learned: Two organizations can view the same risk opportunity and draw markedly different conclusions as to the strategic risk it poses.

CUSTOMER STRATEGIES

In making their original decisions, Boeing and Airbus had to assess the likely strategies of the airlines on route structures. Two models were being considered:

Hub and Spoke. This structure exists when an airline uses one main airport as a transfer point to get passengers to their intended destination. Travelers move between airports not served by direct flights by flying to the hub and changing planes en route to their destinations. Hubs are used for both passenger and cargo flights.

Point to Point. The second structure occurs when an airline flies passengers and cargo directly between two destinations without passing through a central hub. Nonstop flights can be popular among fliers because they require less travel time.

Airlines that use hubs would be more likely to buy the A380. Airlines flying point to point would prefer the 787. The airlines might not decide until both planes were ready for delivery.

Boeing and Airbus also had to incorporate fuel prices into their predictions about buyers’ likely strategies. If airlines expected a future rise in fuel prices, the fuel-efficient 787 would be preferable. If they expected only minor price increases, the larger, four-engine plane could be advantageous.

Another customer issue involved the development period for the planes. Both companies had target dates, but problems always arise. The delivery of new aircraft is often delayed. If the planes were not ready to fly by the planned starting dates for deliveries, what would be the reaction of customers? Would they abandon the contracts or refuse to purchase additional aircraft?

Lesson Learned: A component of strategic risk involves assessing the strategies of related parties. A misjudgment can lead to serious future problems.


TECHNOLOGY RISKS

When a strategy requires new inventions or untested systems, the risk level rises. Both the Boeing 787 and the Airbus A380 required aircraft technology that did not exist when the decision to build each plane was made. This magnified the risk.

The A380 would be larger than any prior aircraft. Its wingspan is huge, at 262 feet (80 meters). The physical size poses all sorts of problems. Can Airbus build such an aircraft within development costs that can eventually be recaptured? Would known technology about electrical, computer, and other systems on the plane translate smoothly into the machinery needed on a jumbo jet?

Boeing had different technology issues. The 787 has a one-piece carbon composite fuselage. This new technology had never been previously used in commercial aircraft. It allows manufacturers to build a plane that is 15 percent lighter than a plane made of aluminum sheets and rivets. Boeing’s advances in carbon-fiber layering demonstrated its commitment to research and development, but that is not the point. What happens if carbon-fiber layering does not work?

Lesson Learned: Strategic risk can be big. As it turned out, both companies had technology problems that slowed the development and delivery of the planes.

MARKET RISKS

The overall size of a market is a critical variable in strategic risk management. If adequate demand does not materialize, a project can fail even if all other issues are resolved. The delivery date for the Boeing and the Airbus planes was forecast to be 2005. The companies had many possible sales from 2006 to 2025 when the demand for new commercial jet aircraft might be 25,000 units. The growth rates were forecast at 5 percent annually for passenger traffic and 6 percent for cargo.

The size of the market depends on two factors, both of which must be addressed in sizing up a market.

Load. The percentage of passengers or cargo per available space on an aircraft. In 1980, load rates were 63 percent of capacity. By 2005, airlines were doing better, at a 75 percent load. An aircraft fleet can never reach 100 percent, but airlines typically seek a goal of 80 percent.

Utilization. The percentage of time an aircraft is in the air carrying passengers or cargo.

Lesson Learned: In some cases, strategic risk is managed by intuition. In other situations, we need quantitative data. An ERM analysis would encourage a wide sweeping scan of economic and political developments around the world prior to forecasting the size of a market for these aircraft.


ADJUSTMENTS TO STRATEGIES

Both companies ran into problems that required adjustments to their initial strategy. Boeing’s early sales success with the 787 encouraged Airbus to counter with the A350, a new plane designed to compete with the 787. In 2004, Airbus announced that the A350 would be close in size to the 787 and that the first planes would be delivered in 2010.

Boeing, for its part, countered the A380. Prior to the A380, the Boeing 747 was the largest plane in the sky. In 2005, Boeing announced that it would produce a new version of the 747 with a capacity of 450 passengers. It would use the same engine and cockpit as the 787 and have parts interchangeable with those for the earlier 747 models. Although smaller than the A380, this plane would be in direct competition with it.

Lesson Learned: ERM argues that organizations must scan for changes in conditions, monitor strategies for continuing relevance, and make adjustments as situations change.

INTERRELATED RISKS AT BOEING

As Boeing developed the 787, the situation was clouded by unrelated developments. The board had to deal with a series of scandals, including the following:

Employee Misconduct. In 1997, Kenneth Branch left Lockheed Martin, taking 25,000 pages of Lockheed’s proprietary intellectual capital. He joined the Boeing subsidiary McDonnell Douglas, which used the documents to compete with Lockheed Martin. In 1999, a Boeing employee blew the whistle. The result was that Boeing lost $1 billion in government business, and Lockheed Martin sued for damages.

Conflict of Interest. In 2003, Darleen Druyun was the top procurement officer for the U.S. Air Force. She provided Boeing with preferential treatment, awarding it a large contract. Shortly thereafter, Boeing’s CFO gave Darleen a high-level job at Boeing. Both parties went to jail in 2004 after being found guilty of conflict of interest.

Personal Scandal. Boeing hired Harry Stonecipher in 2004 to clean up the company after the Air Force procurement scandal. The Boeing board of directors fired him in early 2005 after learning that he previously had a personal relationship with a female Boeing vice president. At the same time, Boeing claimed attorney–client privilege to avoid releasing information showing that male employees at Boeing earned more than females.

Lesson Learned: Strategies can often be derailed by interrelated risk. In this situation, Boeing was fortunate. The scandals caused other problems and financial losses but did not seriously hurt the sales of the 787.

AFTERMATH

Unrelated to the original risks, the Boeing plane finally entered service in 2011 and developed what can only be considered to be a black swan when it experienced electrical system problems with its lithium-ion batteries. The incidents included two electrical fires that led the U.S. Federal Aviation Administration to stop all flights and undertake a safety investigation. After four months, flights were resumed. Minor continuing electrical problems were occasionally reported through early 2014.

STRATEGIC RISK OUTCOME

After dealing with scandals, Boeing hired James McNerney as CEO in 2005. His extensive experience was in brand marketing at Procter & Gamble, consulting at McKinsey, and aircraft management at General Electric. His objectives for Boeing were to improve productivity, undertake global sourcing by purchasing components from around the world, and increase funding so that Boeing would be a global leader in research and development.

McNerney got Boeing back on track, but development problems delayed delivery. He established a new schedule, with production to start in 2009. As of the end of 2008, Boeing had 900 orders for the 787, with delivery dates ranging out to 2017. As Boeing and Airbus vied with the 787 and A380, other planes were selling well. Historically, the best year for sales of large commercial airliners was 1989, when 1,600 units were sold. In 2005, sales surpassed that number, with Airbus selling 1,055 aircraft and Boeing selling 1,002.

An update in 2014 shows strong results for both Boeing and Airbus with the 787 and A380 strategic decisions. In 2013, Boeing delivered 65 787s. As of early 2014, Airbus had total deliveries of 128 A380s.

Lesson Learned: The experiences of Boeing and Airbus are amazing when viewed in an ERM framework. Both companies were close to a bet-the-company strategy with the development of totally new airplanes. As of 2008, we did not know the outcome—who will win and who will survive. It is not clear that either company undertook an ERM evaluation prior to making high-risk decisions with the 787 and A380. From the facts, we can see a need for a thoughtful ERM analysis when a company seeks to seize a massive risk opportunity.

The Fax Machine and Strategic Risk

One story of the change from industrial organizations to knowledge organizations shows the impact of small and seemingly unrelated events and developments. At the heart of the story are the United States Shoe Corporation in Cincinnati, Ohio, and the invention of the fax machine.

INDUSTRIAL AGE ORGANIZATION

A central risk function in the 1970s would have observed large organizations with formal hierarchical structures and an Industrial Age model of efficiency and, in fairness, inefficiency. Individuals had formal titles and responsibilities. U.S. Shoe had been such a structure since its founding as the Stern-Auer Shoe Company in 1879, when it opened a small factory in the heart of Cincinnati.

Mr. Wang, a composite figure in our story, was a businessman in Taiwan in the 1980s who wanted to seize a risk opportunity. Could he take advantage of the availability of a new communications device, the fax machine? Even today, many people do not understand its significance in global commerce.

The fax machine changed long-distance communication from oral, on the telephone, or tedious, on the Telex machine. Lengthy, complex written communication could move instantaneously around the world. Labor costs were low in Taiwan, and the Taiwanese government was supporting industrialization. The world had a growing consumer demand for sneakers. Mr. Wang was ready. Mr. Wang accepted faxed orders to manufacture sneakers. When Sears in Chicago ordered one million pairs of sneakers, the purchasing agent sent to Taiwan a 50-page fax with sizes, design, colors, and other specifications. Mr. Wang broke up the fax and sent 5 to 10 pages to his neighbors or partners around the island. When the recipients received orders for sneakers along with detailed specifications, they started production.

Assume that Mr. Wang’s associates were producing three million pairs of sneakers in 1987 and that his revenues were $35 million. Can we estimate the total number of full-time positions in his company and the U.S. dollar value of his capital assets? Amazingly, the operation was smaller than a single staff department at U.S. Shoe. He might have had 10 people, family members and friends. In terms of capital assets, he operated out of a small office with a telephone, a fax machine, and minor equipment. He did not manufacture sneakers, so he ran a lean and low-cost operation.

Figure 12-1 shows Mr. Wang’s business structure. We have inserted random Chinese names into the exhibit to represent Mr. Wang’s business associates who ran their own manufacturing operations. In this transition organization, independent entrepreneurs were grouped around a center or “headquarters.” The center performed a few administrative functions, mostly to match high-quality products with Western buyers.

FIGURE 12.1. MR. WANG’S CIRCULAR ORGANIZATION.

We can observe the absence of vice presidents, assistant vice presidents, supervisors, and managers, not to mention an elaborate human resources function handling time sheets, vacation days, and annual performance reviews.

In industrial organizations, a vice president represents the highest position in middle management. A defining characteristic is that such a person has a secretary. The vice president’s job is to relay policies from senior executives to lower-level employees, establish goals, appraise subordinates, prepare reports, and attend meetings.

Below the vice president, middle managers do basically the same things; that is, they perform redundant functions. Below middle managers, secretaries greet visitors, answer the telephone, type letters, file documents, and schedule appointments and meetings. Nobody performs most of these duties for Mr. Wang because he does not need them.

Strategically, Mr. Wang had a competitive advantage over U.S. Shoe. As the low-cost provider, he could expect higher profits and long-term value. Moreover, lower costs lead to lower prices. When Mr. Wang’s prices drop below the costs of competing Industrial Age manufacturers, their business becomes unprofitable and eventually must be abandoned.

The real impact of Mr. Wang touched many entities beyond shoe manufacturers. He and others like him were about to change the Industrial Age organization. The fax machine allowed information to cross borders by electronic means without interference. Products and services were likely to follow, causing borders to decline in importance and even disappear. The fax machine also threatened the existence of myriad languages, inasmuch as English was likely to become the global tongue. If Mr. Wang or family members knew English, they could communicate with the world’s dominant economic power. All other countries would line up to understand the most important language in the world. In addition, the fax machine changed productivity. Sears was no longer paying higher wages by the hour—essentially paying for time. Now Sears and Mr. Wang paid for sneakers. The fax machine was increasing efficiency and changing employment practices.

These developments had a major impact on the Industrial Age hierarchy and culture. Pressure built to eliminate redundant middle management and other positions. Individuals recognized they could not spend an entire career climbing a corporate hierarchy. New organizational forms and relationships were created. Partnerships replaced business units, production might not be a line-and-staff function, and companies would sell products produced by partners like Mr. Wang.

AFTERMATH

The fax machine provides abundant evidence of managing strategic risk by identifying changing conditions and developing new strategies. So what happened to the United States Shoe Company? The company recognized that changes were occurring and altered its strategy. In 1985, it reduced its dependence on shoes. In 2008, the company had 49,000 employees and almost $3 billion in annual revenues. You may not know its name, but perhaps you know some of its brands, which include Lens Crafters, Casual Corner, Petite Sophisticate, and August Max.

Conclusion

Strategic risk is a serious component of enterprise risk and opportunity that crosses operations, finance, and other units. It is not likely to have a single risk owner. To ensure attention to and vetting of strategies, ERM suggests that a central risk function be assigned the responsibility to scan for risks and opportunities and to share them with key players.

CHAPTER 13

SUBCULTURE RISK

RISK QUOTE: Our loyalties must transcend our race, our tribe, our class, and our nation; and this means we must develop a world perspective.

—MARTIN LUTHER KING JR., CIVIL RIGHTS LEADER

RISK QUOTE: Why do they call it rush hour when nothing moves?

—ROBIN WILLIAMS, COMEDIAN

Ford-Toyota Rowing Contest

Ford and Toyota decided to have a canoe race. Both teams practiced long and hard. On the big day, the Japanese won by a mile. The Americans, very discouraged and depressed, decided to investigate. A senior management team learned that Toyota had eight people rowing and one person steering. Ford had eight people steering and one person rowing. Ford hired a consultant who confirmed the findings.

Ford acted. It reorganized to four steering supervisors, three area steering superintendents, one steering manager, and one rower. The company implemented a Rowing Team Quality First Program to give the rowing person greater incentive to work harder. It included meetings, dinners, free pens, and a certificate of appreciation.

The teams met again the next year. The Japanese won by two miles. Again Ford responded. It laid off the rower for poor performance, halted development of a new canoe, and sold the paddles. It distributed the money saved and the proceeds from the sale of paddles to senior executives.

EPILOGUE

The Ford and Toyota story was told in the first edition of this book. It was written before the reforms introduced by Alan Mulally. He joined Ford in 2006 and took over a restructuring plan designed to turn around its massive losses and declining market share. Mulally not only used automation to improve Ford’s operations. He changed the culture. The story of the Ford and Toyota rowing contest is obsolete in 2014 but serves as a reminder on the importance of culture.

Subculture Risk

Just as strategic risk is not the responsibility of a single risk owner, cultural exposures are the culmination of multiple units and activities. In spite of the success of Mr. Mulally at Ford, subculture risk, sometimes called hierarchy risk, is inherent in a large entity. The concept dates back to the mid-1800s, when growing organizations developed a structure to manage relationships, tasks, and behavior. Elaborate sets of rules accompanied the growth, so each entity took on a life and behavior of its own—or, more accurately, the lives and behaviors of different units.

First, we need to define two terms.

Organizational culture consists of the shared values, attitudes, behaviors, and beliefs of individuals who work together for a common goal. A subculture has its own individual culture that may or may not be aligned with the overall values and behaviors of the entity.

Subculture risk refers to problems that occur because unit cultures vary in terms of their ability to operate effectively within a larger structure.

Next, we need to consider two issues in managing subculture risk. The first deals with cultural values—assumptions, convictions, and beliefs about how people should behave. Alternatively, values are principles or standards that are considered worthwhile or desirable. Values determine how individuals and groups react to the world around them. Subculture risk arises from differences in values.

CHARACTERISTICS OF VALUES

Formed Early. People develop values early in life, and they are quite resistant to change. They develop from our experiences with individuals who are important to us. They arise not from what people say but rather from how others behave toward us.

Inherently Right or Wrong. Values define what is right and what is wrong. A person does not need external standards or direction to tell right or wrong. Knowing what is right is intrinsic. A person knows what is “right” and resists or rejects what is “wrong.”

Subjective in Nature. A value itself cannot be proved correct or incorrect. It is neither valid nor invalid, neither absolutely right nor wrong. If we can prove that a statement is true or false, it cannot be a value. Values tell people how to behave whether or not any evidence exists to support the behavior.

Bureaucracy as a Structure

The bureaucracy is the dominant structure of large organizations. It has specific values independent of the values of the individuals and units that are part of the structure. Problem areas include:

Integrity. The organization has a standard for doing business and ethical behavior. Some individuals agree with these standards and comply with them. Others disagree. Do they resist the entity’s guidance, policies, and expectations?

Use of Knowledge. One person relies on facts. Another person relies on emotion. Are individuals and units complying with internal control procedures and the use of data and feedback when making decisions?

Interpersonal Relations. One person makes others feel comfortable. Another upsets them. How do individuals and units resolve conflicts among employees, suppliers, customers, and others?

Sharing. One person shares information. Another guards it. Can the organization protect its intellectual capital while providing information that individuals and units need to achieve their goals?

DEALING WITH VARYING VALUES IN A BUREAUCRACY

Standard Procedures. The organization has detailed policies that are supposed to be followed by everyone. When a problem arises, a manager checks written policies for a course of action to solve the problem. We all must follow the same rules.

Formal Division of Responsibilities. The entity has identified positions and tasks. Responsibilities are assigned to positions, and individuals in those positions are directed to perform tasks. Employees are limited to narrow jobs, and managers check to see that they follow policies.

Chain of Command. Every individual has a position in a formal hierarchy. Each person reports to a boss who reports to another boss. Many individuals have subordinates who may also have individuals reporting to them. Bosses enforce the rules.

Impersonal Relationships. The entity is focused on tasks and individuals to perform them. If a person leaves, another “qualified” person is assigned the tasks. The organization pursues new managers and other workers on the basis of their objective qualifications. Relationships are not personal. Managers do not do favors for “friends.” They follow the rules.

Understanding Subculture Risk

Although bureaucracy is the dominant structure, subcultures are shaped by many factors. To identify subculture risks, a central risk function must first understand what is happening in a unit.

One starting place is the mission, a brief statement of the role assigned to the unit. Is it routine? Is it challenging? Does it require creativity?

Another factor is the boss. What is the relationship between the personal characteristics of the unit manager and those of the entity and of the individuals doing the work? If a new boss seeks behaviors that are inconsistent with the values of the entity or of his or her subordinates, problems will quickly arise.

A third factor is the behaviors of the lower-level workers. These employees have both visible and hidden values that determine whether tasks will be successfully accomplished.

One approach to understanding subculture risk addresses decision making and problem solving. An ERM system is more likely to be successful if it helps key managers, line and staff personnel, and workers interact and share information. Do general behavior patterns within the unit support or harm successful performance? How does the subculture deal with routine situations, unexpected developments, and conflicts? How does the unit learn and internalize new knowledge, skills, and behaviors? If we understand how a troublesome unit learns, we can help it to change its behavior to be more in line with the environment and the value system of the larger entity. Conversely, individuals who fail to learn the right lessons or who learn the wrong lessons can cause damage to the entity.

ERM encourages the reduction of subculture risk. The central risk function seeks to understand different subcultures. Executives encourage units and individuals to use sound and stable approaches to problem solving consistent with the business model. Effective decision making is covered in more detail in Chapter 14.

Charles Handy on Culture

ERM can use many models to observe subculture risk. Perhaps the most powerful model was developed by Charles Handy, a British management thinker. He identified four dominant subcultures in large organizations, which he described in detail in two books, Gods of Management and The Age of Unreason.

Handy recognized that the Industrial Age had shaped the world as we know it. As organizations grew larger, they needed a structure. A hierarchical organization called a bureaucracy became the norm. Handy observed that units in the bureaucracy contained four distinct categories of subculture, each with its own risks.

HANDY’S FOUR SUBCULTURES

1. Bureaucratic Culture. It values standard procedures, divisions of responsibility, and impersonal relationships.

2. Spider’s Web Culture. In this environment, all parties focus on the leader.

3. Team Culture. Teams consist of collections of individuals working together on a common goal.

4. Individual Culture. In this culture, each person has his or her own specialties, knowledge, and goals and has only a limited orientation to the organization itself.

Bureaucracy Culture

The first organizational model is the most familiar. It is the culture of the bureaucracy itself. Its characteristics are as follows:

Leaders. A bureaucratic culture has many leaders, with power diffused throughout the structure. The chief executive officer is all-powerful, but power is shared with individuals at every level. Each person has a position in the structure, and generally people stay within the leadership roles authorized for the position.

Results. A bureaucratic culture achieves its greatest efficiencies when many people must work together to provide products or services. Large organizations tend to be bureaucracies.

Primary Loyalty. Employees feel that their primary loyalty is to the organization. When someone asks what an employee does, the response is likely to identify the entity.

Governance. Bureaucratic cultures are governed by rules. To learn the rules, people are told to read written policies. The mechanism to create change is simple: Management distributes new written rules and regulations.

Individual Goal. The goal is to provide products and services consistently over a long period of time. The culture seeks order and predictability. Individuals are in danger if they have separate goals. Free thinking and entrepreneurial individuals are usually not welcome or tolerated.

Management Style. The management mechanisms extend through the entire structure. People who violate company policies or procedures are punished. People who comply with the rules are rewarded.

Skills. Bureaucrats improve skills by attending formal training programs. Management identifies new skills that are needed. The human resources department arranges formal training to teach them.

Spider’s Web Culture

The spider’s web represents a distinctly different organizational model, one that reflects a powerful leader. Although it may have the hierarchy of a bureaucracy, all authority, power, and responsibility depend on the person in charge. These are its defining characteristics:

Leader. This person can be characterized by a number of terms. Because he or she can survive alone, the person is a jungle fighter. Because the person demands undying allegiance, he or she is the tribal leader. However, perhaps the best descriptive term is the spider. In a spider’s web, the structure is not important. A person’s location in the web is secondary. The key is the location of the individual relative to the head of the unit. If the head of the unit is offended, it can quickly move to any individual or location in the web and attack.

Results. A spider’s web produces its best results in a crisis. If a company has a tight timetable to develop a software product, decisive leadership may be the key to success or failure. If costs are rising quickly and bankruptcy is threatened, a spider may be able to save the organization.

Primary Loyalty. The individual who is part of this culture develops an identity with the leader. Employees who are asked about their jobs usually identify the boss.

Governance. This organization has a simple answer to instituting new policies and procedures. It fires the existing people who do not fit the new model and brings in new people who have the needed skills or abilities.

Individual Goal. The spider’s web organization places a high value on statements made by credible persons. Who is credible? Anyone who is close to the head of the unit.

Management Style. How does the spider’s web manage the activities of the organization? It gives responsibility and power to those individuals who are loyal to the head of the unit. If a decision needs to be made, the first question is, “What would the leader do?” Then the decision is made.

Skills. How do people in this culture improve their knowledge and skills? The answer is by trial and error. The organization tries something. If it works, it repeats the behavior; if it does not work, it tries something else.

Team Culture

The third type of subculture focuses on individuals who work together. It is also called the task or problem-solving culture. Its characteristics are these:

Leader. The manager is a working member of the team, behaving like the coach of an athletic event. The leader works closely with the group on the playing field.

Results. The team culture excels in situations where individuals must solve problems together. A problem may require the skills of a financial analyst, marketing specialist, or data processing technician. The coach encourages each individual to participate in the group problem-solving process.

Primary Loyalty. Even though clearly visible, a coach does not provide the primary identity for an individual. The identity of a soccer player is as a “goalie” or “striker.” Similarly, in the team culture, individuals identify with a task or functional area.

Governance. To manage, the team culture seeks to persuade other members of the team and obtain agreement on goals or methods. People look to each other rather than to a leader (spider) or to the rules (bureaucratic culture).

Individual Goal. Team cultures have individuals who do not want to provide the same product or service year after year: “This year we solve one problem; give us a new problem for next year.”

Management Style. Managers focus on past data or performance. The goalie who is allowing too many opposing goals and is hurting the team will be replaced. Similarly, in this context, if the individual performs well, relatively little management will be imposed. Following the rules and demonstrating loyalty to the coach are less important.

Skills. The subculture develops new skills and abilities anywhere where individuals can improve their skills. People learn during strategy sessions. They learn when they are playing the game. They learn after the game is over and being discussed.

Individual Culture

The fourth subculture is concerned with enabling individuals to do their own thing. Its characteristics are as follows:

Leader. Effective individuals in this group are not easy to find. The organization is composed of a group of craftspersons. In many cases, they are loners pursuing their own unique missions. For example, faculty members in a university work in the classroom, but their real goal is to pursue a research agenda. When accepting a position as a chairperson or dean, they tend to be lost. Management and the achievement of organizational goals is not their thing.

Results. An individual culture is at its best when a single individual can serve clients by using his or her skills. It works in a law firm where each partner has a specialized skill. Similarly, a medical doctor can build a reputation for successfully performing a particular form of complex surgery.

Primary Loyalty. Individuals are loyal to their individual skill or knowledge area. It might be a discipline or a profession such as accountancy, computer programming, or law.

Governance. To manage an individual culture, the head of the unit must gain the respect of the individuals in the unit. The managing partner in a law firm must convince the key partners of the need for change. Similarly, the dean must convince the faculty in a university that change is necessary.

Individual Goal. The most important thing for individuals is the ability to achieve the goals they set for themselves. They want support from the organization but not interference. They do not want to help with other goals or to have to deal with their fellow workers.

Management Style. Individual cultures allow professionals to concentrate on their main areas of interest. Organizational administrative tasks are performed by persons hired to do them. For example, hospitals, law firms, and colleges hire administrators who try not to interfere with the physicians, lawyers, and professors.

Skills. In most cases, individuals in such groups do not develop new skills at the same time. Skill is built on an individual basis by total immersion in a new area. Thus, an accountant studies the new tax law; a doctor develops new surgical skills.

Cultural Control and Effectiveness

To reduce risk, ERM should pay attention to both control and effectiveness in various cultures. Control is the effort to ensure that a specific outcome is achieved. It may be direct, as when an individual manages a task and all critical activities and decision points. Alternatively, it may be indirect, as when a manager establishes devices and techniques to monitor progress toward goals and reviews critical activities and decision points. We have already seen that direct and indirect forms of control have applications in enterprise risk management. The chief risk officer or other leader of a central risk function is not likely to have direct management control over risks. Rather, the chief risk officer exerts control through the indirect process of influencing risk owners.

Similarly, risk is reduced when subcultures are working in alignment with the business model. Which culture is the most effective culture for achieving short-term goals? Which culture values speed? Which one values accuracy? Which one works only if the unit coordinates effectively with other units? Which one works only when technicians work on their own projects? Which one must develop linkages with other entities to produce results?

FELONS IN OUR MIDST?

A felony—aggravated assault, arson, embezzlement, robbery, murder, or kidnapping—is a serious crime. A felon is a person who commits a felony. Organizations do not intentionally hire many such people. Or do they? ERM encourages scanning subcultures as it expands the search for enterprise risk. Consider the lessons from “The Real Enron Risk,” an article by Nancy Parsons in the August 2002 issue of Risk Management. Ms. Parsons contrasts the energy trader who assumes risk to earn profits with an incarcerated felon who has assumed risk outside the legal system. She finds several similarities between energy traders and incarcerated felons: As a start, an energy trader seeks to outpace competition by quickly capturing lucrative deals within the complex hedge markets for petroleum, gas, coal, and other energy commodities. An incarcerated felon, prior to confinement, assumes risk outside the boundaries of the legal system while dealing with the need to outpace the authorities. She identifies the following common traits:

Philosophy. Both behave as though they deserve more than others. They believe they are entitled to take property away from others and keep it for themselves.

Goal. They want to win and see nothing wrong doing so at the expense of others.

Organized Chaos. Life is an adventure lived on the edge of society.

Breaking of Rules. They do not identify with cultural norms. The rules simply do not apply to them.

Relationships. They are seen as being deceitful and reckless. This limits meaningful or affectionate interactions with others.

Interactions. They are seen as insensitive and impulsive and tend not to deal effectively with others.

Energy traders and incarcerated felons also have common differences, including the following:

Charm. Traders tend to exude charm and even appear to be gracious. Felons are occasionally charming but are more likely to be harsh and even abrupt.

Manipulating Skills. Traders seem to have a natural-born ability to convince others to trust them. Felons do not.

Success. A high percentage of traders have historically been successful. Few are punished by the system. The reverse is true for felons.

Intelligence. Traders tend to be bright, sharp, and quick. Felons are often clever but not particularly noteworthy for their skills at assessing the relationship between risk and return.

Lesson Learned: ERM suggests that cultural risk is a product both of the existing culture and key personnel who are added to it or removed from it. As an example, assume a company is experiencing problems as a result of aging products and declining financial results. The board of directors is considering hiring a new CEO who fits the profile of an energy trader. Should the company hire such an individual? The answer should trade off the need for a turnaround with the impact of an energy trader profile.

Recognizing the Subculture

To align a culture with a business model, we need to understand what makes it tick. The two appendices to this chapter provide additional detail to help with this effort.

Conclusion

The risk identifiers in each of the four subcultures described by Charles Handy help frame subculture risk. Signals can be quite visible as to whether a company has a bureaucratic, team, spider’s web, or individual culture.

Enterprise risk management leaves us with a final thought. After reading about subculture risk, we might be inclined to ask two questions. First, which culture is the most common? Second, which is preferred by most individuals? The answers are widely accepted: Most cultures are bureaucratic, but a majority of people prefer a team culture.

APPENDIX 13A

CHARACTERISTICS TO IDENTIFY SUBCULTURES

This appendix contains tips on how to identify the dominant culture in a company.

Leadership. Leadership patterns vary by culture as follows:

Bureaucracy: Many leaders; diffused power
Spider’s web: One leader, who is given undying allegiance
Team: Manager as coach
Individual: Leader hard to find

Personal Identification. People identify themselves as follows:

Bureaucracy: “I work at ACI Incorporated.”
Team: “I work in the marketing area.”
Spider’s web: “I work for Mr. Jones.”
Individual: “I am an accountant.”

Creating Change. The company creates change as follows:

Bureaucracy: Change the rules
Team: Persuade
Spider’s web: Change the people
Individual: Gain respect

What Is Valued. Individuals place a high value on the following:

Bureaucracy: Order and predictability
Team: Variety of tasks
Spider’s web: Closeness to the spider
Individual: Personal freedom

Exercising Control. Managers exercise control as follows:

Bureaucracy: Enforcing the rules
Team: Comparisons with past performance
Spider’s web: Giving power to loyal individuals
Individual: Hiring professional administrators

Learning. Gaining new knowledge in each culture occurs by:

Bureaucracy: Attending formal training programs
Team: Developing new skills anywhere
Spider’s web: Trial and error
Individual: Total immersion

Effectiveness. Cultures achieve goals as follows:

Bureaucracy: Succeeds only if it develops linkages with other entities to produce results
Team: Probably the most effective culture for the modern organization
Spider’s web: Effective only if the unit coordinates with other units
Individual: Works if individuals meet the needs of other parties

Decisions. The decisions made in each culture are usually as follows:

Bureaucracy: Worst decisions
Team: Best decisions
Spider’s web: Fastest decisions
Individual: Slowest decisions

APPENDIX 13B

SUBCULTURE RISK IN HIGH SCHOOL

The following analysis borrows from an op-ed column written for The New York Times (April 30, 2006) by David Brooks, who compares organizational culture, and hence cultural risk, with a stereotypical high school. The language, some of it controversial, belongs to Mr. Brooks.

Scanning the organization for internal risks requires a broad perspective. A knowledge of psychology and sociology is likely to be more useful than training and experience in risk mitigation. To illustrate this belief, we will use the American high school class structure. According to Brooks, individuals assimilate the rules of the culture in which they live starting at birth, but it is during the high school years that they form most of their values. In the typical high school, we see individuals who fit and give rise to certain stereotypes. We cover each in turn.

Jocks

This is a classic stereotype of a male aged 14 to 18 and carrying on further until he is 25 or so, who engages in active team sports. In high school, this individual develops selfish and aggressive behavior that comes from physical strength. The stereotype portrays a jock with characteristics later seen in organizations:

Intelligence. Are not too bright, but neither are they dumb. To be a successful athlete, must be smart enough to master playing the game.

Education. Although the individual stays in school, often through four years of college, the goal is not to become enlightened by new concepts. The knowledge base is fully formed by the age of 13. No new learning takes place.

Appearance. Have high self-esteem from exercise and fitness activities. Even if not handsome, consider themselves to be good-looking and have all the confidence that goes with such looks.

Interpersonal Relationships. Are socially successful and admired by others, but the success is shallow. They are not respected for integrity, compassion, or depth of feeling. If they stop playing sports, either on the field or in their careers, they become invisible.

Attitude. In spite of social success, jocks have an attitude. They do not have compassion for others or empathy for “losers.” In many cases, their behavior turns to outright bullying.

Athletes

We should not confuse jocks with athletes. According to Brooks, an athlete in high school and college is an individual who engages in sports as part of a broad success pattern. Typical characteristics are:

Intelligence. Bright enough to do more than play the game. Realizes the social benefits that come from not behaving like a jock.

Education. May or may not be a good student but continues to learn.

Appearance. Physically fit and confident.

Interpersonal Relationships. Excellent on all levels except when dealing with individuals who are jealous, cynical, or unhappy.

Attitude. Has a positive outlook that goes beyond sports.

Nerds and Techies

“Nerd” is a derogatory term for someone who pursues an intellectual or obscure activity with a single-minded focus. In high school, most nerds are the techies who display an obsessive interest in computers and other technologies. Characteristics of nerds are:

Intelligence. Tend to be bright in the narrow area of their passion. They think they are bright overall.

Education. Learn by total immersion. They spend most of their learning and social time improving specific knowledge and skills.

Appearance. Tend not to care what they wear or how they are perceived. They do not care if others like them.

Interpersonal Relationships. Have few friends or other relationships. If they have friends, the relationship tends to be limited to the specific area of mutual, intense interest.

Attitude. Often excluded from social activities and are not accepted as friends; can have attitude problems when dealing with others. In some cases, they just want to be left alone. In other cases, a negative attitude can show itself in many ways, from social ineptness to outright anger.

Popular People

A popular person is on the highest rung on the high school social ladder. Given most adolescents’ need for acceptance, popularity becomes almost a drug on which to get high. Typical characteristics of popular people are:

Intelligence. May be smart or not. If smart, the individual will play down his or her intelligence. If not smart, the individual will display social skills that create the appearance of intelligence.

Education. May or may not be learning new concepts but is constantly working on improving skills with people.

Appearance. A popular person is a good-looking person. If a female, she is pretty; if a male, he is handsome.

Interpersonal Relationships. Relationships are the passion of the popular person, just as sports is the passion of the jock and technology is the passion of the nerd. A popular person works on popularity as a full-time job.

Attitude. Has a great attitude and is well liked and admired. Why not?

Thugs

Just as the popular person is at the top of the social scale, the thug is at the bottom. Brooks says this individual takes advantage of others through intimidation and force, either verbal or physical. Girls can fit the mold by excluding individuals from a social circle. Boys pick fights and otherwise bully weaker students. Characteristics of this group are:

Intelligence. If bright, does not use it visibly and fails to understand the long-term consequences of dysfunctional behavior.

Education. May mature over time or through a life-changing experience. If the negative response to his or her behavior is sufficiently strong, may change behavior. If not, some thugs become dishonest and petty in their adult lives. Some go to jail.

Interpersonal Relations. Some bring bad behavior into the workplace. It is fairly obvious that these individuals would not get along with others in a structured environment.

Appearance. Conveys a tough image in all dealings with fellow students, teachers, and authority figures. This can continue into adulthood with colleagues and bosses.

Attitude. Has a bad attitude. Most people avoid thugs if possible in high school. After high school, people avoid them when possible at work.


A Morality Play?

Brooks would argue that cultural risk deals with organizational conflicts that start in adolescence, a period when people are trapped with jocks, athletes, nerds, popular persons, and thugs. We can add richness to the story by recognizing that high school teaches us that our lives are shaped by two main characters:

One’s Adolescent Self. Whatever stereotype fits one most closely in high school, every individual wants to be the hero of a morality play. We want what we need, whether it is love, admiration, or power. Each person seeks to meet his or her unmet needs or to continue to experience the joy of the need that was met in high school.

One’s Adolescent Opposite. This is the enemy of the hero. For a popular person, the opposite may be a thug. For a jock, it may be the nerd.

Understanding High School Values

Cultural risk in organizations continues the morality play begun in high school. If we identify the risk owner’s adolescent self and adolescent opposite, we can predict the attitudes and behaviors that help and impede the achievement of goals. Maybe we can improve a subculture if we recognize the jocks, athletes, nerds, techies, and popular people when they are mixed together. As examples of problems that can arise, Brooks identifies the natural conflict between high school students, who work hard at class assignments and homework, and jocks, athletes, and popular persons, who do not. All the prestige goes to the second group, not to the hardest workers. Cool people do not acknowledge nerds and techies. Students with high grades may be mocked or isolated.

These pressures are at the root of many aspects of subculture risk as adolescent behavior continues into organizations. We see it all the time. The accounting department does not like the marketing group. Nobody likes the accounting department. Former nerds and techies experience pleasure-inducing dopamine surges in their brains as they savor scandals and misfortunes that harm their formerly popular and currently successful adolescent enemies. Many people experienced satisfaction at the jailing of former Enron executives. Others were joyful at the widely perceived failure of the administration of George W. Bush, seen as a former “frat boy” from Yale.

In adulthood and in organizations, the once-upon-a-time prom kings and queens bring their own agendas to the table. According to Brooks, they tend to have coldly gracious spouses and effortlessly slender children. Still, it is not enough. Former popular students dislike successful nerds and techies.

Brooks suggests that cultural risk can be managed by meeting the needs of all former high school students—matching jocks with geeks. Jocks know that geeks should never manage anything. Geeks learn they must speak slowly so that the jocks will understand them. Matching geeks with popular kids will get things done. One gets the job done; the other has the interpersonal skills to gain support from others.

Lesson Learned: The Brooks model seems useful but should be used with care. Not everyone will agree with Brooks when the theory is applied to reality. For every U.S. president since 1976, Brooks might argue for the following descriptions. Some seem controversial. Do you agree with them? If yes, does it tell who you were in high school? If no, does it also tell who you were in high school?

Bill Clinton: A popular geek, well-balanced, interesting, and neurotic
Jimmy Carter: Interesting, maybe neurotic
Ronald Reagan: Well-balanced and dull
George H. W. Bush: Well-balanced, a little interesting
George W. Bush: Well-balanced and dull
Barack Obama: Cool, calm, collected, and inspiring


CHAPTER 14

LEADERSHIP RISK

RISK QUOTE: I’ve missed over 9,000 shots in my career. I’ve lost almost 300 games. Twenty-six times I’ve been trusted to take the game-winning shot … and missed. I’ve failed over and over and over again in my life. And that is why I succeed.

—MICHAEL JORDAN, STAR BASKETBALL PLAYER

RISK QUOTE: I feel that luck is preparation meeting opportunity.

—OPRAH WINFREY, BUSINESSWOMAN AND TV PERSONALITY

A critical risk involves the leadership of the entity and leaders of key units and initiatives. Rarely discussed in conversations about enterprise risk management, the failure of leadership can be linked directly to unexpected losses and missed opportunities. In this chapter, we examine leadership as a component in an ERM program.

Behavioral Risk

Behavior refers to the actions or reactions of an organism, usually in relation to its environment. Behavior can be conscious or unconscious. A person can know that a behavior is happening or can react automatically to a stimulus without conscious thought. The behavior can also be visible or hidden; it can be observable, or it can be shielded from view. Behavior can be voluntary or involuntary; a person can control the behavior, or it can be driven by uncontrollable emotions or events. Finally, it can be appropriate or inappropriate, meeting norms of the culture or violating those norms.

Behavioral risk arises in a setting with specific characteristics. Bad behavior can take place anywhere, but it is not behavioral risk if it does not occur in an organized system with goals. To present leadership risk, individuals must display inappropriate behavior that violates the norms of the entity. The misbehavior must have a negative impact, causing either a loss or a missed opportunity.

ERM recognizes that management is not the same as leadership.

Management. Comes from the Italian for “handle a horse,” which derives from the Latin word for hand (manus). It is a process for getting things done through people. It directs the deployment and manipulation of resources, whether human, financial, material, intellectual, or intangible.

Leadership. Doing the right thing at the right time to get people to perform in a timely fashion.

An exposure arises when an organization has weaknesses in the roles played by those who are expected to manage and those who are expected to lead. ERM addresses exposures that arise from those weaknesses.

In an ERM framework, organizations have specific expectations. A manager stabilizes an organization using power from his or her position in the organizational hierarchy. A leader, on the other hand, is expected to energize an organization. Deriving power from his or her ability to influence others, a leader has the potential to exert broad influence.

Although organizations often think that management and leadership involve the same risks, ERM recognizes some key differences:

Goal Orientation. Leaders have a more expansive view of the world than managers. They look beyond short-term goals or requirements. Managers tend to focus on the tasks at hand.

Vision. A leader’s vision is much larger than the vision of a manager. The leader grasps the relationship between the organization and the larger world in terms of opportunities and changing circumstances.

Values. Leaders and managers have different value systems. Managers respect people, relationships, structure, and policies. Leaders respect intangibles and understand the emotional and unconscious elements in the interaction between themselves and others.

ERM scans internally to ensure that managers are located in areas where stability is needed and leaders are situated in areas where change is needed. Some issues related to the deployment of managers and leaders can arise:

Multiple Constituencies. Will a good manager or a good leader be more effective in dealing with multiple constituencies? It depends on the culture. In a traditional hierarchy, a good manager can use the authority of his or her position to keep organizational units focused. In a team culture, a good leader is more likely to be effective dealing with conflicting requirements of others.

Speed and Complexity. Will an effective manager or an effective leader be more able to handle complex and rapidly changing situations? Evidence indicates that effective leadership works better than effective management in complex and rapidly changing situations.

Communication Skills. Is a good manager or a good leader better at sharing ideas and strategies? Evidence shows that verbal communication is the key to distinguishing good leaders. Leaders talk more than managers, measured simply by the number of words spoken. Can a manager be effective without a high level of verbal interaction? Many studies support the belief that leadership is not appreciated in a management role in the absence of verbal communication.

Strategic and Situational Leadership

Two concepts are particularly important when assessing leadership weaknesses and strengths:

1. Strategic Leadership. An effort to properly manage people, resources, and behavior in order to solve problems and make correct decisions. The process starts with goal identification. What does the organization need to do to sustain competitive advantage? It includes strategy. How will the organization pursue the goal? It evaluates skills. Does the organization have the leadership skills to choose the right strategy and implement it?

2. Situational Leadership. As formulated by Blanchard and Hersey in the 1960s, leaders should match actions to the situation. Different behaviors are needed in different situations to achieve strategic goals. Situational leadership does not refer to a process. Rather, it deals with a specific action. First, there must be a need for action. We are dealing with an individual in relation to a situation at a moment in time. Second, the entity must be seeking an adjustment to existing practice, looking for the individual to consider behavioral choices in light of new realities. Finally, the individual must take an action. Success is judged in terms of the goal of doing the right thing at the right time.

Situational Leadership Styles

ERM is concerned with strengths and weaknesses in different subcultures and the impact of behavior resulting from four situational leadership styles. They are:

1. Directing. The leader defines the roles and tasks of followers and supervises them closely. The leader makes the final decisions.

2. Coaching. The leader defines roles and tasks but seeks inputs from followers. The leader makes the final decision after consultation with the team.

3. Supporting. The leader shares goals and delegates many decisions on the approach to achieving the goals. Followers exercise the most control over the situation in consultation with the leader.

4. Delegating. The leader is concerned only with outcomes and the achieving of objectives. Followers make decisions on strategies and courses of action that lead to the achievement of goals.


BILL GATES, INTERNET LEADERSHIP

In the early 1990s, Microsoft was developing a technology to compete with the Internet. One day, Bill Gates reversed the effort, brought the Microsoft leaders and software developers into a room, and directed that they stop the project and start working on projects to build the Internet. Is this an example of strategic or situational leadership?

Answer

It is both.

Strategic Leadership. Bill Gates launched a project to build Microsoft Network to compete with the Internet. When he realized that the project was not making the progress he expected, he sought a new strategy. The success of Internet Explorer is an example of strategic leadership.

Situational Leadership. Once he knew that Microsoft had to change direction, he wasted no time switching to a winning long-term strategy. The speed and decisive behavior he exhibited are an example of situational leadership.

Competence and Commitment

Development level refers to the competence and commitment of individuals who follow a leader. Risk is reduced when the leadership behavior recognizes the level of competence and commitment of others. If a person is not competent to perform a task that requires certain skills, the task should not be assigned to that person. If an individual is not committed to success, this is a red flag that endangers the achievement of a goal. In the framework of competence and commitment, leadership must adjust to be effective.

We can identify multiple situational development levels for units and individuals. Some examples are as follows:

Low Competence, High Commitment. Lacks specific skills required to achieve a goal but is eager to learn and take direction.

Some Competence, Low Commitment. Cannot do the job without help and is uncomfortable with the situation.

High Competence, Variable Commitment. Fully capable but lacks confidence or motivation to do the task.

High Competence, High Commitment. Comfortable with the task and has the ability to do it well.


JÜRGEN SCHREMPP, COMPETENCE AND COMMITMENT

Jürgen Schrempp was the CEO of Daimler Benz when the company merged with Chrysler to become DaimlerChrysler. He serves as an example of strategic and situational leadership. He also shows us the danger of low competence and low commitment.

Schrempp headed the aerospace division of Daimler-Benz prior to becoming the firm’s CEO in 1995. He led the acquisition of Fokker, a Dutch aircraft manufacturer, in 1993, at a time when Fokker was having serious problems. He was not able to fix Fokker. After receiving subsidies of billions of Deutschemarks, Fokker filed for bankruptcy. In 1998, Schrempp led Daimler Benz to acquire Chrysler for $38 billion. In 2007, Daimler sold 80 percent of Chrysler to Cerberus, a private equity firm, for $8 billion. Both Fokker and Chrysler appear to be failures of strategic leadership.

At the time of the merger with Chrysler, Schrempp described the union as “a merger of equals, a merger of growth, and a merger of unprecedented strength.” In the ensuing years, situational leadership was desperately needed. Daimler and Chrysler had markedly different compensation structures, management styles, and values. In the major Chrysler market segments, manufacturers had chronic overcapacity, buyers had many choices, and people were concerned about the environmental damage done by the internal combustion engine. Moreover, Chrysler was an inefficient manufacturer compared to Toyota and others.

In late 2000, Jürgen Schrempp was quoted in a German newspaper with a statement that he always intended Chrysler to be a subsidiary of DaimlerChrysler. Part of his statement read, “The Merger of Equals statement was necessary in order to earn the support of Chrysler’s workers and the American public, but it was never reality.”

The “merger” with Chrysler, with its low competence and even lower commitment, was a failure of strategic leadership. The 2001 statement that he lied in 1998, at the time of the merger, was Mr. Schrempp’s failure of situational leadership.

How Leaders Decide

A final ERM view of leadership involves the nature of decision making. To fully understand subculture and leadership risk, we need to recognize how people solve problems and make decisions. Approaches to decision making can be based on one of five factors:

1. Facts. This is the use of empirical data, observable phenomena, or other supporting information to verify a decision with logic and evidence.

2. Beliefs. This involves a combination of a search for facts and subjective interpretations by problem solvers or decision makers.

3. Feelings. Even if people start with facts or beliefs, they have feelings that intensify or diminish the value and accuracy of those facts and beliefs.

4. Opinions. In many cases, an individual’s value system overtakes facts and beliefs. The person makes a judgment, perhaps accompanied by intense feelings, and brings it to the decision-making process. It is common for individuals to attempt to mask opinions as facts and beliefs.

5. Assumptions. Assumptions are beliefs held without reflection. People take things for granted, even when no observable or intuitive factors support a belief. Sometimes, assumptions are correct and reasonable. Other times, they are not.

We know that leadership risk is reduced if leaders get the correct mix of facts, beliefs, feelings, opinions, and assumptions. They can use these guidelines:

Beliefs. Leaders, like everyone else, make risk mitigation decisions and solve problems on the basis of what they believe. It is that simple.

Facts. Leaders use facts to shape beliefs. Contrary to many views, facts are not true in themselves. Nor are they something that can be “proved.” Rather, they are supported by evidence. For strategic leadership, we need to gather evidence to support a decision or mitigate a risk. For situational leadership, we use evidence from earlier experience to shape our belief in a valid direction in the current situation.

Feelings. Leaders know that feelings intensify discussions on risk. They should be conscious of their own feelings that might lead them in the wrong direction. They should also consider the feelings of others that might take a risk mitigation strategy in the wrong direction.

Opinions. Leaders know that opinions, based on unknown sources and possibly biased, do not count for much when mitigating risk or pursuing risk opportunities.

Assumptions. Everybody assumes things, but the source of the assumption may be unknown to the individual. Leaders should continually assess their own assumptions.

TOYOTA: STRATEGIC AND SITUATIONAL LEADERSHIP

Sayaka Kobayashi studied in the United States and then joined Toyota Motor North America in 1997. In 2003, she was transferred to the corporate planning department in New York. In the spring of 2005, Hideaki Otaka, the CEO of Toyota N.A., transferred the 41-year-old woman to his office as his personal assistant.

In May 2006, Sayaka filed a lawsuit alleging sexual harassment and identified the following incidents:

September 2005. On a business trip, Hideaki summons Sayaka to his hotel room at night and gropes her.

October 2005. Hideaki sends her a greeting card and necklace.

November 2005. Hideaki takes her to lunch, to a museum, and for a walk in Central Park and attempts another groping. Sayaka reports the incidents to human resources. Nothing happens.

December 2005. A Toyota executive advises Sayaka to meet alone with Hideaki to discuss the situation. She agrees. During the meeting, Hideaki says that both he and she have behavioral problems. He criticizes her for not thanking him for the roses he sent on her birthday. Ten days after the meeting, Hideaki promotes Sayaka. She remains part of the CEO office.

January 2005. Toyota’s general counsel advises Sayaka to consider her options, including resigning. Hideaki learns that Sayaka was married on December 30. He tells her that he would not have bothered her if he had known she was getting married.

Lesson Learned: The behavior alleged is inappropriate in both Japanese and U.S. cultures. That is not the real risk issue. As cultural expectations change, failure to have policies that meet legal requirements is a failure of strategic leadership risk. Toyota’s failure to respond to the complaint was a failure of situational leadership.

Question

ERM can identify many dimensions of leadership risk and their impact on risk strategies. In an ERM framework, leadership trumps management. Here is a quick example. Figure 14-1 shows an organization chart with the position of Unit A filled and Unit B vacant. Where do the manager and leader go to fill the Unit B vacancy?

Answer

Different places.

Manager. Almost always, the first place to look is to the heads of subunits 6 through 9. Managers climb a hierarchy. They look below them to fill positions.

FIGURE 14.1. LEADERSHIP AND AN ORGANIZATION CHART.

Leader. The leader defines the qualities needed in the head of Unit B and then goes wherever necessary to find someone with those qualities. The vacancy could be filled with someone from subunits 6 through 9, subunits 1 through 5, or elsewhere.

In this situation, leadership can help an organization match its appetite for risk with the level of risk it accepts. Good management is beneficial in many ways. Good leadership is critical for dealing with enterprise risk.

IKEA Best Practices

IKEA is a privately held Dutch company of Swedish origin that sells home furnishing products around the world. In 2013, it had gross revenues in excess of $25 billion from 338 stores in 40 countries. The firm is widely recognized for innovative products and efficient operations.

Leadership at IKEA is not an action, a decision-making process, or an alignment of strategies with goals. Effectively, it is a state of mind. Many companies assess the quality of leadership in terms of financial success, such as increasing shareholder value. They pursue excellent management for that specific purpose. IKEA pursues something else. Leadership at the company means contemporary design, low prices, wacky promotion, and customer enthusiasm. Fail to have these in your store, and you are not a leader. Conversely, if you have them, they quickly lead to financial success. Even in the 2008 global economic crisis, people still shopped at IKEA stores.

The management of leadership risk at IKEA was directly linked to recognition of how leaders achieve high performance. In the case of a retail furniture company, leadership is all about the external world responding to the entity and, more specifically, to the experience. IKEA’s state of mind is an image of lifestyle for customers around the world. Walk into an IKEA store, and your brain tells you things about IKEA, such as:

“We have arrived.”
“We recognize the importance of affordable contemporary design.”
“We have good taste.”
“We seek a strong value-to-price relationship in our purchases.”

Perhaps the most interesting aspect of the state of mind deals with the word “we.” Who is “we”? If you answer quickly, you will say IKEA. If you reflect on it for a moment, “we” is the customer, and perhaps his or her friends, family, and peers. Once “we” is the customer, it becomes, by extension, IKEA itself.

High-Performance Leadership

Managing leadership risk at IKEA is blended into a high-performance strategy as an employer, and it has several components:

Autonomy. It starts right here. Employees make the decisions and have authority. Performance expectations mean customer service.

Hierarchy. IKEA does not have much going on here. The rigid bureaucracy found in so many companies when they reach a certain size does not impede the autonomy to create a state of mind.

Culture. IKEA strives to be family friendly. Parents and siblings may fight but not at IKEA. Everybody can find things that are fun.

Value. Finally, IKEA recognizes that an important belief of shoppers is that they are getting value for their money. OK, yes, the store has low prices, but that was only half of the value picture. The state of mind combined frugality and style. The merchandise was not “cheap.” It was practical, stylish, and also reasonably priced.

Leadership at IKEA takes advantage of the beliefs, facts, emotions, and assumptions not of the leaders themselves, but rather of the customers. People believe in a good experience and have evidence of good shopping. They assume the shopping will be fun, and this creates a positive state of mind. An example occurred when IKEA opened a new store in 2005. The company offered $4,000 in gift certificates to the first person in line and a hundred smaller prizes to the next 99 people in line at the opening of its Atlanta store. Roger Penguino, a 24-year-old employee of Apple Computer, arrived seven days before the opening and pitched a tent. Two thousand people were in line when the doors finally opened.

The state of mind got better in the same year with a new IKEA store opening in London. The store in Atlanta had opened at nine in the morning, but the one in London opened at midnight. Atlanta’s 2,000 people in the line were dwarfed by 6,000 at the door in London. No one was injured in the crush in Atlanta, whereas London had 26 injuries, including six that required hospitalization. The Atlanta store stayed open for 12 hours, but the London store ran out of goods and closed in 30 minutes.

IKEA operates around the world and clearly shows that it has its enterprise risk management efforts in place. It pursues the upside of risk and aligns risk owners with the business model. Moreover, it scans the horizon for changes in circumstances and new opportunities. Its courtship with India in 2007–2009 is a good illustration. It decided that the Indian market would be attractive, and it pursued entry. A thorough scan of the market slowed down the effort. IKEA recognized that India lacked basic infrastructure, had an unstable and corrupt supply chain, did not create modern regulations for foreign direct investments, and had not reformed troublesome tax and import duty structures. The company noted soaring land prices and had questions about whether the right state of mind could be created for customers and employees. In early 2009, IKEA decided to postpone its plans to enter the market in India. In 2014, it started to reconsider the decision.

Lesson Learned: The IKEA focus on creating a customer state of mind produces strong financial results. The private company did not file an annual report to the public but probably had $36 billion in sales in 2013 and $4.5 billion in profit as it continued growth by opening new stores. With its ups and downs—more of the former than of the latter—IKEA is a corporate model for the upside of managing leadership risk.


CHAPTER 15

LIFE CYCLE RISK

RISK QUOTE: It’s gonna be a long hard drag, but we’ll make it.

—JANIS JOPLIN, SINGER AND SONGWRITER.

RISK QUOTE: The superior man makes the difficulty to be overcome his first interest; success only comes later.

—CONFUCIUS, CHINESE PHILOSOPHER

Organizational Life Cycle

A reality is that lines of business start up, grow to maturity, and, in many cases, enter a period of stagnation or decline. The challenge for a central risk function is to understand life cycle risk and identify the stage of the life cycle for different units. The stages are:

Start-Up. The birth of a unit. It occurs when a company invests money in a new operation, assigns managers and workers to build the unit, and designs a product or service to bring it to market. The unit focuses on a business model.

Growth. The period of rapid expansion when the unit has brought products or services to market and now seeks strong growth of revenues and expansion of the workforce.

Peak. After a period of growth, the unit reaches maturity. If successful, the unit sells its products or services at prices and volumes that produce strong profits. It experiences slower growth.

Decline. At some point, the business model may no longer match the market. This can lead to declines in profits and market share. If the unit fails to implement a renewal strategy, the organization may shut down the unit.

Life cycle risk refers to a failure to manage exposures or to seize opportunities during any of the stages. Examples include:

Start-Up Unit. The possibility that the product will never be ready or that the market cannot be accessed or developed.

Growth Unit. The exposure if growth stalls before the unit reaches a stable level of sales.

Peak Unit. The possibility that the entity is producing and selling mature products but will not be able to sustain its success.

Declining Unit. This unit is losing money or soon will be losing money. Managers have ideas for changing course but may not be successful reversing the trend.

Sharing Life Cycle Information

A central risk function adds value when it identifies the life cycle stage of units and shares that information with risk owners. In any large corporation, the entity has its goal, but so does each unit. Are unit goals aligned with the business model?

ERM recognizes that risks may be difficult to identify in different stages of the life cycle. Start-ups normally do not want to reveal development problems. Growth units tend to be optimistic about success even as they encounter obstacles. Peak units focus on the upside, not on exposures or missed opportunities. Declining units may deliberately hide bad news.

Life Cycle Goals

The central risk function can share the reality that different stages have different goals, no matter what the entity goal:

Declining Unit. The goal is survival. The unit is trying to hang on and to find new products and markets to avoid closure.

Peak Unit. The unit aims to increase revenues, make more profit, and maximize success.

Growth Unit. The goal is to increase unit sales. The unit needs more unit sales to be stable to speed up the recovery of development costs and to start earning a profit.

Start-Up. The aim is to enter the market and prepare for a bright future.

Life Cycle Tactical Focus

Organizations have a tactical focus that varies by life cycle stage. It covers such issues as these: What is the entity’s primary goal? What does everyone discuss at planning meetings? What dominates the budget discussions? The central risk function can identify the life cycle stage of a unit and explain the focus to a risk owner. This can often help move a unit closer to the organizational goals.

Declining Unit. Focus is lower costs. The unit is losing money. Sales are declining. New products are not successful.

Peak Unit. Focus is on maximizing profits. The unit knows its customers and meets their needs. The motto is, “Milk the markets.”

Growth Unit. Focus is on sales volume. Units need volume.

Start-Up. Focus is on product design. The company needs a finished product.

Planning Horizons

A planning horizon is the length of time that management believes will be required for a successful operation. Planning horizons vary at different life cycle stages:

Short Term. Normally a few months to a year, this planning horizon focuses on near-term profits. Planning is often driven by bonus plans for corporate executives.

Medium Term. Generally a period from one to three or five years. The emphasis is on reliable products, services, and markets. Planners want to ensure the consistency of operations beyond the current year.

Long Term. A period in excess of three years to seven years or beyond. Planners evaluate capital investments, changing technology, and other factors to help achieve long-term stability and permanency of operations.

A central risk function can help risk owners understand that they must coordinate risk mitigation with the planning horizon of a unit. If immediate action is needed for a unit looking far into the future, a risk strategy is in danger. Here is the horizon at different stages:

Declining Unit. Short term: Survive another year.

Peak Unit. Medium term: Keep success going for a while.

Growth Unit. Medium to long term: Build markets.

Start-Up. Long term: Complete products and find markets.

Growth as a Risk Factor

Growth may be defined as an increase in revenues, profits, cash flow, or assets. The most common goal of a corporation is to grow revenues or profits. Growth of assets can reflect inefficiency, as when an organization adds equipment and then does not need it when sales lag.

Organizational growth is a risk factor. Growing units tend to have greater opportunities accompanied by higher risk levels. ERM should recognize the risks associated with growth goals.

As organizations pursue growth, a central risk function can help risk owners understand that life cycle stages affect the kind of growth that is sought. This information may be helpful in moving units to growth strategies aligned with the business model.

LIFE CYCLE STAGES AND DEFINITIONS OF GROWTH

Declining Unit. Reduction in losses or expenses.

Peak Unit. Increase in dollar sales (profits and cash flow follow).

Growth Unit. Increase in unit sales (pursuing break-even).

Start-Up. Increase in project deadlines completed.

Risks with Change

Managing change refers to the way an entity makes an essential difference in a goal, process, activity, or venture that amounts to a loss of original identity or a substitution of a new strategy for an existing behavior or course of action. ERM programs recognize that change poses risks for organizational units and individuals. The central risk function can identify the likely resistance to change and help risk owners deal with units in different life cycle stages.

LIFE CYCLE STAGES AND RESISTANCE TO CHANGE

Declining Unit. May show risks that result in decision to close unit.

Peak Unit. May divert unit from profit goals.

Growth Unit. May show that product will not reach viable sales level.

Start-Up. May show development cost overruns or missed deadlines.

GM and Toyota Life Cycle Risk

Note: This story is based on an article that appeared in The Wall Street Journal on May 24, 2006.

Toyota and General Motors offer a view of life cycle risk in their manufacturing plants in San Antonio and Arlington, Texas. In 2006, GM had a 50-year-plus, aging plant in Arlington, Texas. Toyota opened a new plant in San Antonio. A comparison of the two plants shows the following:

                                    GM         Toyota
Annual vehicles                     200,000    200,000
Work space (million square feet)    3.75       2.2
Property, acres                     249        2,000
Workers                             2,800      1,600
Hourly wages                        $28        $22
Hourly total labor                  $35        $28
Labor cost per vehicle              $1,800     $800

Toyota was in an earlier life cycle stage, opening as it did a new facility. This gave Toyota’s operation considerable advantages. Smaller and lighter machinery took up less space than similar but older equipment in the GM plant. Toyota had less complex machinery that was easier to install, operate, and repair and was less likely to break down. Toyota’s new automated machinery required fewer laborers to operate, maintain, and repair.

Lesson Learned: Prior to 2006, General Motors failed to update and modernize its operations. Thus it trapped itself in an uncompetitive life cycle position because the disadvantages it faced in Texas were repeated at other GM plants. General Motors protected declining operations rather than creating new business processes to meet changing conditions in automobile markets. These behaviors, which were found at Ford and Chrysler as well, were visible in 2006 and earlier. They came to a head in late 2008 when the three automakers were forced to ask Congress for a bailout. By then, it may have been too late for ERM.

ERM Implementation and Life Cycles

Different challenges arise as entities implement ERM in each stage of the life cycle. They include these:

Priorities. Managers will seek to fit ERM into a priority list of projects that are under way. ERM will take time away from other activities. How important is the program in comparison to day-to-day activities?

Goals. Managers have goals handed down from senior managers. They are expected to achieve them. Do managers perceive that an ERM program increases the likelihood that they will reach the goals?

Workloads. Managers are busy. Often, they face a day-to-day frenzy in a pursuit of greater productivity. With heavier workloads and expectations for efficiency, do managers have the time to devote to the project?

Money. The costs of an ERM program are often chargeable to different budgets. They might involve expenses without yielding visible revenues to offset them. Do people want to finance ERM?


A major difficulty with implementing an ERM program is to deal with problems such as the following:

Coordination. Units may be unprepared for coordinating risks with other units. The whole idea may not be consistent with the processes and procedures that have been in place for a considerable period of time.

Planning and Linkages. Units lack strategies and mechanisms for managing risks in a framework beyond their boundaries. Interaction with many units may be infrequent. In some cases, a unit may be competing with another unit for favor, resources, or attention. In other cases, hostility between units may exist.

View of ERM. A unit may see ERM as a threat to organizational stability and individual goals. Everyone knows the current relationships and expectations but worries about what the new system will mean.

Funding for ERM

An organization finances its ongoing activities from cash provided by operations. As they move through the stages of the life cycle, units have different cash flow pictures:

Start-Up and Growth Stage. Cash flows are negative for units in the start-up and growth stages. Start-ups need funding to bring a product to market. Growth units need funds to finance expansions to reach break-even.

Declining Stage. Cash flows are either negative or soon to be negative. Declining units need money, or think they need money, to cover losses and to finance efforts to turn around the unit.

Peak Unit. Cash flows are positive, often quite positive.

Given this situation, where do the units get the money to finance the future? It must come from the peak unit, where the overage is the only source of internal funding. Assume now that the future project is ERM. If an organization has many declining, growth, and start-up units, funding for ERM may have a low priority in budget discussions.

Priority for ERM

The next issue involves the priority given to the implementation of ERM. How important is ERM to units in each stage of the life cycle? The answer is that ERM is not important. Instead, it threatens each unit:

Start-Up and Growth Units. ERM is seen as a distraction. Managers have a job to do and wish to get on with it.

Peak Unit. ERM is not perceived as being needed. Managers believe all is going well and question what ERM can do for them.

Declining Unit. Managers perceive ERM as a threat. It may uncover the hopelessness of the situation. They do not need that.

DEAD HORSE BEHAVIOR

One of the most difficult subculture decisions involves declining units. At what point do you pull the plug? Dakota tribal wisdom says that when you discover you are riding a dead horse, the best strategy is to dismount. Modern corporations have not always been as wise as their Native American brothers. We can identify other strategies for handling life cycle risk:

Buy a stronger whip (increase negative incentives).

Change riders (fire people).

Say things like “This is the way we always have ridden this horse” (“Everything is okay”).

Arrange to visit other sites to see how they ride dead horses (seek external support).

Create a committee to study dead horses in today’s business environment (slow down the process).

Change the specifications for what constitutes dead (lower expectations).

Hire contractors to ride the dead horse and charge double (see if someone else can do the job).

Harness several dead horses together for increased speed (bury the unit in other units).

Provide additional funding to increase the horse’s performance (seek a financial rescue).

Award the rider a huge bonus for reducing the horse’s operating costs (change criteria for evaluation).

Politics of ERM

The politics of an organization can be a major factor in an ERM implementation. The declining unit can be a particular problem, even though it may need ERM the most. The unit may be past its peak, but it still has a number of senior and powerful executives. The number of vice presidencies in a unit tends to rise with time and may be slow to drop when the unit matures and then declines. As the declining unit is the most likely to resist ERM, it also has considerable senior executive clout. Resistance may be fierce.

Another political issue arises with cultural risk. Facts, beliefs, feelings, opinions, or assumptions will become factors in efforts to slow down an ERM implementation. The start-up and growth units often believe they are the future of the organization and will use beliefs. The peak unit may point to the evidence showing their current success and thus use facts. The declining unit may use beliefs intensified by feelings. The message: “We were once great [feelings],” or, “We can be great again [beliefs].”

To counter resistance to the implementation of an ERM system, the organization needs to overcome negative feelings, opinions, and assumptions with different messages. To the start-up and growth units, the message can be that ERM offers benefits that increase the chance of success in the future. To the peak unit, the message can be that ERM can keep the unit on top. To the declining unit, it can help to point out that ERM might solve some of its problems.

Conclusion

Life cycle exposures pose a variety of risks to an organization. Any ERM effort should recognize the stage of the life cycle of each operating unit and include a strategy for dealing with varying goals, needs, and concerns. An independent central risk function can bring considerable light to the darkness of behavior often found in situations where real intentions are hidden.


CHAPTER 16

IBM, MICROSOFT, AND APPLE

RISK QUOTE: We made too many wrong mistakes.

—YOGI BERRA, BASEBALL PLAYER

RISK QUOTE: Not to have control over the senses is like sailing in a rudderless ship, bound to break to pieces on coming in contact with the very first rock.

—MAHATMA GANDHI, INDIAN POLITICAL AND SPIRITUAL LEADER

In the prior chapter, we examined the organizational life cycle and the challenges it presents to enterprise risk management. In this chapter, we have the stories of companies that confronted life cycle in different ways. Although they were not necessarily aware of enterprise risk management when they dealt with life cycle risk, we can share the stories of IBM, Microsoft, and Apple from an ERM perspective.

IBM at Its Peak

Thomas Watson Sr. led IBM for more than 40 years (1914–1956) and was responsible for its distinctive business model. During his tenure, a powerful culture emerged.

Personal Grooming. Men wore ties and dark suits.

High Energy. Employees promoted company pride and loyalty.

Customer Service. The buyer came first. Every effort had to satisfy the users of IBM machines.

Employee Rewards. The company paid salaries that were above market and often well above market.

Thomas Watson Jr. took over in 1952 and served until 1971. The succession was good news for the company. Watson Sr. had resisted electronic computers, claiming they were costly and unreliable. He missed completely the oncoming business disruption from computers.


Question

Mr. Watson Jr. disagreed with his father and IBM executives about the future of computers. What did he do?

Answer

He started up a new business. He hired hundreds of electrical engineers to design and manufacture mainframe computers. The tactic was extraordinarily successful. The IBM 360 computer set the stage for the so-called mainframe computer. It was a disruptive innovation.

Question

IBM decided to lease the 360 short term to its customers. After a certain number of months, the user could return the machine with no penalty. Or it could be renewed on an evergreen lease. With 90 days’ notice, return it at any time. Was this a disruptive innovation?

Answer

Yes, for three reasons:

Cost. The IBM 360 was expensive. Leasing lowered the up-front costs.

Flexibility. The customer did not have to pay a penalty to switch.

Continuity. IBM kept upgrading the machine. By staying with IBM, the company minimized disruption from computer processing failures.

Question

Did the customers really have the flexibility to change?

Answer

This was the genius of the structure.

Switching to Another Vendor. It was prohibitive. All the systems and software would not work on a competing computer.

Creating New Software. A switch meant existing software would be worthless. A company would incur the cost of rewriting its existing programs.

Obsolescence. A switch might be a move to a manufacturer who lagged IBM’s huge research and development. The company that switched could have an obsolete system in a few years.

The IBM strategy produced a widely quoted saying. In spite of the high cost, “Nobody ever got fired by choosing IBM.”

Question

How did IBM respond to customer fears of wasting money?

Answer

Upgradable Machinery. The 360 was designed to be upgraded. An attractive message was, “Start small and grow with IBM.”

Computer Center Operation. IBM would operate the computer and its ancillary equipment. All expenses were covered in the lease payments.

As the 1970s came to a close, IBM had good reason for its senior staff to be arrogant in the face of competition. IBM owned the world of mainframe computers. Life was good.

IBM in Decline

The personal computer became a threat to IBM in the 1980s. The mainframe was the name of the game, and it had to be protected at all costs. The company put its name on a personal computer but opposed challenges to the dominance of the mainframe. IBM and mainframe advocates fought the good fight. Eventually, as we know, they lost.

The struggle against personal computers was a classic example of failing to respond to a disruptive innovation. IBM believed it knew what was best for its customers. Its executives were stunned when their decisions produced a near disaster. By the late 1980s, IBM was in financial trouble. In 1992, IBM suffered a $5-billion loss, the largest single-year corporate loss at that time in U.S. history.

IBM Resurgence

The IBM board brought in Lou Gerstner in 1992. The former head of Nabisco found a management structure with disturbing characteristics. Executives focused on their own departments to the detriment of customers. Managers focused on products they had, not on those users demanded. Performance elements such as rewards, flexibility, and teamwork were missing.

Question

What did Gerstner realize about the real problem at IBM?

Answer

The context was wrong. The firm did not have the big picture. Neither was it innovating in reaction to disruption. Gerstner’s tenure at Nabisco told him corporations still needed large-scale systems. Where could he go with PCs? Eventually he sold the PC division to Lenovo.

Gerstner challenged employees to innovate by delivering complete information systems that solved customer problems. Figure 16-1 describes an example. The strategy was successful in reversing the company’s decline.

Microsoft Growth

Paul Allen and Bill Gates formed Microsoft in 1975. Their big break came in 1980 when IBM signed Microsoft to provide the operating system for the IBM PC. Allen and Gates had never actually developed such a system, so they purchased one and customized it for IBM.

Bill Gates searched for the next business disruption involving computers. To figure it out, he had to overlook public quotes:

Watson Misquote. A number of people predicted the need for only a few computers in the entire world. Uses would be weather forecasting, military operations, and managing electricity grids. Thomas Watson Sr., IBM CEO from 1914 to 1956, was incorrectly quoted, “I think there is a world market for maybe five computers.” Although Watson did not say it, many people agreed with the viewpoint.

Olsen Quote. Ken Olsen, founder of Digital Equipment Corporation, was quoted in 1977, and earlier in this book, “There is no reason anyone would want a computer in his or her home.”


FIGURE 16-1. IBM SOLUTION FOR AIR FLIGHT SCHEDULING.

Situation. The scheduling of flights was an enormous burden for airlines.

Aircraft. The company seeks optimal placement of planes to start their routes each day. End-of-day locations should match needs for early morning flights.

Flight Crews. Pilots and flight attendants live all over the world. What is the optimum scheduling so that they can be home rather than putting them up in hotels?

Ticket Pricing. How can the airline price tickets to maximize revenues?

Seating Loads. What kind of pricing and other incentives can fill aircraft?

IBM Solution. The company built a new business.

Design of Software. A team of engineers, business analysts, mathematicians, and others designed algorithms for scheduling all aspects of airline operations.

Programming. Information specialists, systems programmers, and computer integration personnel developed turnkey software to implement the algorithms.

Service. The company leased and managed the software so that airlines could increase their efficiency, lower the cost of operations, and optimize ticket sales and aircraft loads.

Outcome. The service proved to be invaluable to airlines. They became loyal customers for profitable new services. IBM had reinvented itself.

Microsoft Peak

The dominance of its operating system carried Microsoft even higher. Bill Gates realized that people needed personal computers in four areas. The company introduced Microsoft Office, an integrated software that ran seamlessly in its Windows operating system.

1. Words. In the 1960s, IBM introduced word processing to run on its mainframe computers. By the 1980s, WordPerfect, WordStar, and MultiMate were big on PCs. MS Word deposed them all.

2. Numbers. The electronic spreadsheet, pioneered by VisiCalc, became the number processor for the PC. It was never improved and was replaced by Lotus 123 until Microsoft Excel overshadowed it.

3. Graphics. Microsoft PowerPoint allowed the exchange of words, numbers, and images with MS Word and Excel and became the primary presentation software on personal computers.

4. Database Management. Microsoft Access cornered this market partially by interacting with the other products in Microsoft Office.


Microsoft Decline

By the mid-1990s, Bill Gates was not finding new innovations and seemed to have lost interest at Microsoft. He turned his energy to philanthropy with the Bill and Melinda Gates Foundation. It worked with partner organizations around the world to tackle critical problems involving hunger, poverty, health care, and education. The nonprofit organization pursued collaborating on disruptive innovations that improve the lives of people and quality of life for the planet.

Apple Rise

Everybody knows Apple designs, manufactures, and sells personal computers, cell phones, and other electronic products and services. It started with high-quality graphics and was a powerful force in computer design, desktop publishing, and educational markets. It created 300 millionaires among its early founders, investors, and employees.

In the early 1980s, the board of directors became concerned about Steve Jobs as CEO. It sought John Sculley, a seasoned Pepsi marketing veteran, to join Apple as CEO. Jobs apparently agreed with the decision. According to Apple lore, Jobs said to Sculley, “Do you want to sell sugared water for the rest of your life? Or do you want to come with me and change the world?”

Sculley joined Apple in 1983.

Apple Decline

In 1985, Steve Jobs and John Sculley got into a power struggle. The board supported Sculley, and Jobs resigned from Apple and started up another company. During the Sculley years, Apple introduced many products, but the company began to struggle in the 1990s.

Apple Rebound

In 1997, Steve Jobs returned to Apple and immediately made significant changes. After many years of avoiding its competitor, Apple partnered with Microsoft on Apple versions of MS Windows and MS Office. Jobs took Apple into advanced video editing, digital applications, music, and photography. Apple partnered with Intel for microchips and Microsoft. These steps eliminated Apple’s isolation from the mainstream of computer processing.

Question

Did the partnerships with Intel and Microsoft create a disruptive innovation for Apple?

Answer

Not really. Those actions did not even signal what was about to happen. The company stopped making computers its main focus. In 2007, Apple launched the iPhone, iPod Touch, and iPad, completely disrupting the markets for mobile phones, portable music players, and personal computers.

Question

What was the role of Apple Stores in the rebound?

Answer

It became a disruptive innovator in electronics retailing. The firm opened more than 400 stores in 13 countries by 2010. Apple products and performance became the envy of the world. Its cash position at one point was said to be as large as that of the U.S. government.

EPILOGUE

The year 2011 ended on a sad note when Steve Jobs died. He had led the start-up and growth of Apple. He returned when it was faltering badly and resurrected it to new heights. His decision-making style is an example of how the right CEO can guide an entity through the organizational life cycle.

Conclusion

Thus, with IBM, Microsoft, and Apple, we have insights into the organizational life cycle. In some cases, the CEOs responded to business disruption, and in other cases they caused it. The experiences show the dynamic nature of decision making when organizations face change and the possibility of decline or new opportunities. A related lesson is that the right CEO can make a big difference in times of new technologies and other changes.


PART FOUR

SPECIAL TOPICS

AT THIS POINT, the structure and complexities of enterprise risk management are largely built. What enhancements can we offer?

Cyber Risk. The Internet and new technologies bring a variety of risk and opportunities. We cover some of the most dangerous aspects of communications and new technologies.

Collaboration. Risk management is improved when we work together.

Organizational Risk Efforts. Let’s take a look at a few stories.

Modern Risk Management. What is the background? Where is it today?

Evolving Risk Management. What are some techniques that we need to know?

Risk Managers. Who are they? What do they do? How do they think?


CHAPTER 17

CYBER RISK MANAGEMENT

RISK QUOTE: In a world that is changing really quickly, the only strategy that is guaranteed to fail is not taking risks.

—MARK ZUCKERBERG, FOUNDER OF FACEBOOK

RISK QUOTE: I have come to worry about few things as much as the gathering cyber threat.

—PREET BHARARA, U.S. ATTORNEY, SOUTHERN DISTRICT OF NEW YORK

The merging of computers, communications, networks, data storage systems, the media, and current events has created an extraordinary risk landscape that will challenge risk managers, brokers, and insurance companies well into the future. We will take a look at some of the issues that will shape cyber risk management.

Cyber Risk

This is a tangible or intangible, insurable and noninsurable exposure that arises from technology. It focuses on equipment and systems that support business operations, including the delivery of business products or services and the management of the entity’s records, reports, and communications. Figure 17-1 shows examples of cyber risks.

FIGURE 17-1. EXAMPLES OF CYBER RISK.

Information Loss. Stolen Social Security numbers, health care records, or user passwords.

Physical Assets. Cyber attacks from remote locations can damage or destroy machinery and equipment.

Financial Loss. This includes stolen bank account or credit card numbers.

Operational Loss. Examples are external attacks that shut down, alter, or destroy operations or that damage business support systems.


The area of insurable cyber risk has grown dramatically, along with the advances in computing and communications technology. Figure 17-2 shows data on attacks on computerized and linked information systems in 2013.

FIGURE 17-2. 2013 U.S. CYBER ATTACKS IN PERSPECTIVE.

Data for Organizations in the United States:

900+ successful data breach incidents.
200+ million records stolen.
75+ percent of attacks by hacking.
70+ percent used special software (malware).
90+ percent would have easily been stopped with simple controls.

Estimates of Risk Management Issues in Cyber Attacks:

90+ percent of attacks involved servers.
90+ percent were discovered by third parties.
85+ percent took weeks or more to discover.
80+ percent were targets of opportunity, not prior targets identified for attack.

U.S. Government Activity:

The FBI:

Identified tens of millions of stolen credit cards.
Avoided economic losses of $300–$500 million.
Notified hundreds of companies, government entities, and educational institutions of unauthorized entry into systems.

Malicious Software

Many serious forms of cyber risk involve software that uses the Internet to attack information systems. A new vocabulary has been created. Here are some key terms:

Malware. Hostile, intrusive, or annoying software that disrupts computer operation, gathers sensitive information, and gains unauthorized access to a computer system.

Virus. A common form of malware that can replicate itself and spread to other computers. It is spread easily via the Internet, disrupts computer operation, gathers sensitive information, or causes the systems to malfunction.

Rogueware. Software that introduces malware to a computer. It may pop up anywhere on the Internet. A typical application occurs when the user receives a message that the computer is infected. A “vendor” offers or sells a download that claims to erase the virus. Instead, the rogueware installs malware.

Drive-by Download. Software is installed on a computer without the user’s knowledge. It may occur when a user is visiting a website and clicking on a link. It can occur when a person is viewing an e-mail message or clicking on a pop-up window.

Trojan Horse. Stand-alone malware that resides on a computer without injecting itself into files. It masquerades as a legitimate file or program. It can steal information or harm the host computer.

Some malicious software has earned a widespread reputation in the world of risk management.

Stuxnet. Attacks the software and equipment of industrial systems. In 2010, it targeted the Siemens system-regulating hardware and software in the Iranian nuclear program. The malware destroyed or damaged many centrifuge systems used to enrich uranium to bomb quality.

Flame/Skywiper. Attacks computers running Microsoft Windows. It was identified as the most sophisticated and complex malware in the world in 2012. It stole information from computers in Middle Eastern countries, including one notable attack against Iran’s Ministry of Oil. Flame/Skywiper is quite powerful. It can capture images of computer screens, copy e-mails and instant-message chats, turn on remote microphones, monitor keystrokes and network traffic, and use Bluetooth technology to spread to devices that are not connected to the Internet.

Loss Assessment

Cyber risk covers the waterfront of risk management and insurance, creating losses in four areas:

1. Physical Damage. A variety of perils to hardware, facilities, transmission towers and lines, satellites, and related tangible property.

2. Intangible Damage. Financial damage restoring or replacing software, lost data, failed communications, hacked operating systems, and other vulnerable components of systems.

3. Business Interruption. The loss of hardware or intangible components of systems that affects the ability to conduct operations.

4. Liability Exposure. This may be the largest risk of all. With interconnected networks and nearly total reliance on technology for the conduct of operations, organizations face massive lawsuits.

Physical damage to tangible property includes:


General Property Damage. Computers and communications facilities and equipment can be damaged by fire, floods, hurricanes, and other perils.

Physical Disturbance. With high levels of complexity, sophistication, and miniaturization, technological equipment is exposed to a variety of dangers from accidental or intentional misuse or breakage. One component can take down an entire network or system and cause widespread destruction.

Power Surges. Everything requires power. In some cases a system needs a surprisingly large source of electricity. The risk is a double-edged sword. Too little energy can collapse a system, shut it down, or cause it to malfunction. Power surges can burn out sensitive components and even destroy total systems.

Human Errors, Bad Design, or Malicious Behavior. We build technology with fail-safe mechanisms, but we can never be sure that all contingencies are covered. People make mistakes. Systems designers fail to consider all possible risks. Hackers are a constant worry.

In addition to property damage, intangible damage includes:

User Error. As with physical damage, people make mistakes. Through accident or carelessness, people can cause data to be lost, stolen, or damaged.

Malware. We already described malicious software that gains access to private computer systems and damages them.

Sources of cyber liability risk are found in two categories:

1. Assets of Others. This involves the failure of a computer or communications system to protect the assets of a customer or other party. A virus from our system can physically destroy equipment owned by others.

2. Intangible Financial Damage. We can barely imagine the amount of damage that can be done as the result of a loss of data, the compromise of intellectual property, or business disruption. If a financial services company suffers the compromise of millions of sensitive financial, personal, health, or other records, the liability exposure could be enormous.

Figure 17-3 describes cyber losses.


FIGURE 17-3. INTERNET CYBER LOSSES.

Credit Cards. In 2012, parties used computers and the Internet to steal 50,000 credit cards and personal data from banks and hotels. Police arrested 24 people in the United States, the United Kingdom, Bosnia, Bulgaria, Norway, and Germany.

Operation High Roller. In 2012, parties in the Netherlands attacked 60 banks and stole $74 million from the accounts of commercial firms and private individuals. The money, which ranged from 500 to 100,000 euros per transaction, was transferred to anonymous accounts in other parts of the world.

“Apple Call-in” Scheme. Parties used the Internet to steal credit card information and then fraudulently used them to obtain products from Apple. It appears that they subsequently sold the products using postings on the Internet.

Target Data Loss. In 2013, Target revealed a major data breach where 110 million consumer credit and debit cards were compromised. Hackers gained access to customer names, card numbers, expiration dates, and security codes. Target encouraged customers who shopped at its U.S. stores to monitor their credit and debit cards for irregular activity. Time magazine tentatively identified a 17-year-old Russian teen as the hacker.

Cyber risk liability lawsuits are most likely to allege negligence. Like all lawsuits, a plaintiff proves negligence by showing:

Unreasonable Behavior. The defendant had access to another party’s confidential information and did not protect it.

Duty and Failure to Act. The defendant had an obligation to install better security systems, implement effective safeguards, or take other steps to protect the plaintiff.

Occurrence of Loss. Plaintiffs were financially harmed by the release of data, the breakdown of a computer system, the loss of communications or other capabilities, or some other cause of distress.

Proximate Cause. The harm was caused by parties who broke into the defendant’s system, damaged or destroyed physical assets or data, or undertook other damaging action.

Question

A class action lawsuit was filed in Seattle in 2010 against Sallie Mae, a government-supported agency that makes student loans. It claimed the agency authorized actions that violated the Telephone Consumer Protection Act (TCPA). It made a number of nonemergency autodialed calls and automated text messages to the borrowers’ cellular telephones in an effort to collect on outstanding student loan debt. Did Sallie Mae have to pay damages?

Answer

Sallie Mae settled the lawsuit by paying $24 million to the borrowers and their lawyers.

Question

A computer hacker accessed the computer system of Designer Shoe Warehouse (DSW) and downloaded credit card and checking account information from 1.4 million DSW customers. Following the data breach, DSW incurred losses, legal fees, and expenses of $5 million. DSW sought coverage for the losses under a commercial crime policy. The company argued that coverage existed under a policy endorsement providing coverage for “loss from the theft of any Insured property by Computer Fraud.” The insurer denied the claim. DSW filed suit in Ohio federal court seeking coverage for the damages. Is it likely that it will win the lawsuit?

Answer

DSW did win. The U.S. Court of Appeals ruled that losses resulting from the theft of customers’ banking information from a retailer’s computer system are covered under a commercial crime policy.

Managing Cyber Risks

Cyber risk management is uncharted territory for many companies. Risk managers are asking specific questions:

Do we understand the exposure? What are we dealing with in each operating area?

Can we quantify the exposure? Do any of our historical models apply? Are consultants or other parties developing tools to evaluate frequency and severity?

Can we reduce exposure? What actions are taking place in areas such as network security, authorization to access data, and safeguards to shut down compromised systems?

Can we incorporate more sophisticated risk management techniques? What are the best practices for security? What new risks are appearing in the technology environment?

What are our real exposures? What would be the impact of a privacy breach? How strong is our network security?

What should be our response to “off-the-shelf” coverages available from insurers?

Do we have special needs that never existed previously? What are the new conditions for data restoration or indemnification to others for loss of their data? Do we have new media threats? Can outside parties steal data and demand ransom or threaten extortion for its return?

Are the products being offered by insurance companies the products we need? How do we know?

Buying Cyber Risk Insurance

Risk managers ask different questions with respect to the purchase of insurance to cover cyber risks:

We cannot buy everything. Are we interested in first-party, third-party, or both insurance coverages? Do we need to protect our own equipment or the damage our systems can do to the systems of others?

What is covered? If we decide to purchase a policy, does it really do the job we need? What is the significance of the exclusions? Do we need endorsements for additional coverage?

Question

A hospital collects and stores information from patients and doctors. It has a cyber risk liability policy that covers damages and defense costs for a security breach. The policy excludes coverage for a breach of contract. A security breach occurs that creates lawsuits from patients and doctors. Does the policy cover losses?

Answer

It may not cover lawsuits filed by doctors because it excludes coverage for a breach of contract. This would be the case if the doctors have confidentiality agreements included in their employment or services contracts. In that case, losses would be a contractual failure to maintain confidentiality of records.

Cyber policies frequently are issued in conditions where time is of the essence. A damaged data or communications system often needs to be repaired or restored to avoid large negative consequent and related indirect losses. A point of contention may arise during the processing of claims as insurers weigh the cost of emergency actions versus the less costly, slower resumption of services. Care must be taken by all parties to understand and accept restrictions for actions after claims are filed. Emergency repairs paid by the insured may be denied if they are outside the preapproved conditions.

Question

An insured had a data security policy with a preapproved consent list. It had a data breach from an unknown party in South Africa. It received a ransom note to return the data. It hired a local lawyer who paid a ransom and took back the data. It filed for reimbursement of legal fees and damages. Is the reimbursement covered under the policy?

Answer

It depends on a number of factors. Did the insured have contractual permission to hire someone off the list under certain circumstances? What is the wording of the consent provision? Desirable wording for all policies is consent “not unreasonably withheld.” This is especially important in cyber risk coverage.

Manycyberpoliciesinvolverisksbywhichotherpartiescaneffectivelycausetheinsuredtosufferaloss.Theycansufferalossthemselves.Theriskmanagerandinsurermaywanttoinclude second parties under a policy. An example would be officers of a company ornonprofit organization. Vendors and suppliers with access to the data or communicationssystemcouldbecometargetsoflawsuits.Evencustomersmayhaveexposurebecausetheyareintegratedwithpurchasingorotheractivities.

The taskofdecidingwhether toaddacyber riskpolicy toanexisting insuranceprogramusuallyinvolvesajointdiscussionbetweenariskmanagerandtheorganization’sbroker.Theyseektodeterminetherisksthatarecoveredbyvariousliabilitypolicies.Thentheyassesshowanunacceptableriskmightbecoveredunderaspecialtycyberriskpolicy.

However the decisions are made, cyber risk policies should be coordinated with otherproperty and liability properties. These include property coverages, including boiler andmachineryandgeneralandprofessionalliabilitypolicies.

Question

The laptop computer of a senior vice president at a consumer credit corporation was stolen. Someone used the computer to download customer records. The result was that the company had to pay damages and legal fees of $600,000. What kind of liability policy covers this loss?

Answer

It may be covered by a cyber policy, a general liability policy, or a director and officers policy. The risk manager needs to examine the coverages and exclusions to answer the question.

Question

ABC Computer Services has a long-term contract to manage the information systems activities of an exporter. As part of the agreement, ABC signed a hold-harmless agreement if the exporter is sued for data security or other information technology lawsuits. A data breach resulted in a $750,000 judgment against the exporter. Does ABC have to reimburse the exporter?

Answer

ABC may have to reimburse the exporter for the loss. The answer depends on the details of the agreement, including limitations of liability and the responsibilities of the exporter. The answer also depends on the details of the data breach with regard to factors such as negligence and user error.

Incident Response Plan

No area of operations for most companies needs a detailed crisis response plan more than information services. The plan should include the names of people assigned to respond to systems failures and the outside parties who can assist in mitigating damage. It should also include timely notification procedures to affected and interested parties to avoid the damage and lawsuits arising from the direct system failure.

Many organizations have identified a group of individuals to design and implement an incident response plan. This organizational committee identifies safeguards to protect people, processes, assets, and technology and makes recommendations to reduce cyber risk. Its work is an integral component of the entity’s cyber risk management.

Question

Which of the following risks identified for the 2016 Olympics are insurable cyber risks?

• Physical attacks on computers or telecommunications.
• Destruction of the communications systems used by security officials.
• Electricity power blackouts.
• Malware attacks on computer systems.

Answer

All of them could be covered by insurance. The Olympics Committee would be required to retain a large portion of each exposure and would take extensive risk management actions to avoid loss. These exposures would be covered in considerable detail in an incident response plan.


Mafiaboy Attack

Cyber attacks began a long time ago, at least in terms of Internet years. Michael Calce, at the time a 15-year-old boy, took down Yahoo in 2000. The attack resulted in insurable damage of $1.2 billion. The teenager was punished with a $250 fine, restricted use of the Internet for a period of time, and eight months of time spent in a juvenile detention center.

Sony PlayStation Attack

In 2011, Sony’s PlayStation network was attacked by a so-called external intrusion. PlayStation users were blocked from playing online. The outage lasted 24 days. Personal details from 77 million accounts were stolen. Subsequently, lawyers filed 58 class action lawsuits. The loss amounted to an insurable cost of $2 billion. Sony had significant insurance coverage:

• Property Damage. This was provided by a Zurich commercial general liability (CGL) policy for tangible losses to property and equipment.

• Cyber Endorsements. The company had multiple general liability property insurance policy endorsements for “damage or disruption to electronic data.”

Hacker Language

Hackers have their own language. An entire vocabulary is used to describe cyber activities. It changes every day. Some terms are:

• Zero Day. This is a tool developed by elite hackers. When launched, it is an unknown malware that is shared with close friends. The hacker realizes that antivirus software relies on “signatures” to identify malware. Although the protective software can be effective, it cannot defend against malware until samples have been obtained and defenses have been developed and distributed to users.

• Honeypot. This is a trap set to detect, deflect, or counteract a zero day attack. Computer security specialists create a site that appears to be part of a network but has no information of value to attackers. Although it seems to contain information of value to attackers, it is actually isolated. When attacked, the security personnel learn the signature of the malware and develop software to block it.

• Watering Hole. This happens when an attacker targets a particular organization in a three-stage process. It guesses or knows websites accessed by employees. It infects these websites with malware and waits until a member of the targeted group accesses the site and gets infected. The malware is brought back into the target organization.
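The zero day and honeypot entries above describe a timing gap: signature-based protection helps only after a sample has been captured and the resulting signature has been distributed. The following is an added illustration, not material from the book. It replays a constructed event log and reports which endpoint scans fell inside that gap. The event names, host names, and the use of a whole-file SHA-256 hash as the "signature" are assumptions made for the example; commercial signatures are richer than a single hash.

```python
import hashlib


def digest(payload: bytes) -> str:
    """Stand-in 'signature': SHA-256 of the whole payload (assumed simplification)."""
    return hashlib.sha256(payload).hexdigest()


# Constructed, inert sample data: harmless byte strings standing in for files.
UNKNOWN_SAMPLE = b"constructed-placeholder-for-unknown-malware"
BENIGN_FILE = b"constructed-quarterly-report"

# Constructed event log: (time, kind, who, payload). All names are hypothetical.
EVENTS = [
    (1, "endpoint_scan", "hr-laptop", UNKNOWN_SAMPLE),    # before any sample exists
    (2, "endpoint_scan", "hr-laptop", BENIGN_FILE),
    (3, "honeypot_hit", "203.0.113.7", UNKNOWN_SAMPLE),   # decoy captures the sample
    (4, "endpoint_scan", "finance-pc", UNKNOWN_SAMPLE),   # captured, not yet distributed
    (5, "signature_push", None, None),                    # defenses reach the users
    (6, "endpoint_scan", "sales-pc", UNKNOWN_SAMPLE),     # now recognized
    (7, "endpoint_scan", "sales-pc", BENIGN_FILE),
]


def replay(events):
    """Replay the log and return (missed, blocked) as lists of (time, host).

    blocked: scans that matched a signature the endpoints already held.
    missed:  scans that passed at the time but whose payload the honeypot
             captured at some point, found by looking back once the
             signature exists (the exposure window).
    """
    honeypot_samples = {}   # digest -> source address seen by the isolated decoy
    distributed = set()     # signatures the endpoints currently hold
    scans = []              # (time, host, digest, matched_at_scan_time)

    for t, kind, who, payload in events:
        if kind == "honeypot_hit":
            # The decoy holds nothing of value, so anything delivered to it is suspect.
            honeypot_samples[digest(payload)] = who
        elif kind == "signature_push":
            # Signatures derived from captured samples are sent to every endpoint.
            distributed |= set(honeypot_samples)
        elif kind == "endpoint_scan":
            d = digest(payload)
            scans.append((t, who, d, d in distributed))

    blocked = [(t, host) for t, host, d, hit in scans if hit]
    missed = [(t, host) for t, host, d, hit in scans
              if not hit and d in honeypot_samples]
    return missed, blocked


if __name__ == "__main__":
    missed, blocked = replay(EVENTS)
    print("Scans inside the exposure window:", missed)
    print("Scans blocked after distribution:", blocked)
```

The two missed scans are the hosts an incident response plan would need to revisit once the signature becomes available.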

Question

Is the recovery from a cyber attack on a computer system expensive for a company?

Answer

Some estimates of the cost of cyber attacks in 2012 are:

• $1.2 billion. This is the annual payments for cyber insurance premiums.
• $8 million. This is the average cost of data breach.
• $200. This is the cost per compromised data record. It is not clear how this number was reached. A 2014 estimate for the attack on Target estimated a cost of $5 per record.
• Bankruptcy. This is the outcome for many companies that suffered a loss of their intellectual property.

Question

What coverages can be included in a comprehensive cyber policy?

Answer

A cyber insurance policy could cover lawsuits, extra costs and expenses, intellectual property theft, privacy violation lawsuits, lost business, public relations fees, civil fines, and extortion demands.

WikiLeaks 2010 Leak

WikiLeaks, an international, online, nonprofit organization, publishes secret information, news leaks, and classified media. It collects the information from anonymous sources. The group has released a number of significant documents that have become front-page news items. In 2010, WikiLeaks released 250,000 cables sent between 2006 and 2010 from the U.S. State Department and U.S. embassies and consulates. It was the largest set of confidential documents ever released into public domain. The cables showed the U.S. spying on allies and the United Nations. They also showed the government lobbying for U.S. corporations and secret deals with various countries. Perhaps most damaging were documents showing confidential government actions ignoring corruption and human rights abuses. Those documents showed that the government lied to U.S. citizens.


Question

The WikiLeaks ability to obtain classified documents from the U.S. government shows a weakness in security systems. It appears to be almost a total collapse of safeguards. How do you think a risk manager should react to such an incident?

Answer

WikiLeaks increased the level of caution that already was a characteristic of risk managers facing cyber exposures. The release of data did not happen because of a failure of the technology. Instead, Army Specialist Bradley Manning illegally downloaded to unsecured computer equipment hundreds of thousands of secret diplomatic cables. He had access as a result of being an administrative assistant to a high-ranking government official. We can only wonder about the financial cost of a similar leak by a large business or nonprofit organization.

Authorized User Exposure

William Sullivan, an employee working for Certegy Check Services (CCS), stole 3.2 million customer records with credit card, banking, and personal information. He sold the records to marketing firms. He and his company were named in a class action lawsuit charging CCS with negligence. The suit was settled for up to $20,000 per person for unreimbursed identity theft losses.

Question

What should a company do about the people responsible for managing cyber risk?

Answer

It should form a team with qualified members to address cyber risk. The team could be composed of individuals such as:

• The risk manager
• The chief information officer
• The general counsel
• Representation from marketing
• Representation from human resources
• Representation from manufacturing


Question

What do senior executives need to know about cyber risk?

Answer

Cyber risk decreases when top leaders are informed on:

• The nature of cyber risk and recent developments in cyber exposures and techniques to manage them.
• Specific risks identified by the cyber risk team.
• Actions being taken by the company to mitigate cyber exposures.
• Structure of the company’s property and liability insurance and the protection it offers to protect the entity against catastrophic risk from a cyber attack.

Hackers and Cyber Risk

One of the biggest concerns of risk managers deals with a global community of individuals who attack computers. According to Chris Soghoian, Center for Applied Cyber Security Research ([email protected]), many terms describe its members, including:

• Hacker. A highly skilled computer geek who can gain entry into secure computer systems.
• Cracker. A person who breaks into computer systems to do mischief.
• Script Kiddy. An individual who downloads automated hacking tools and launches them against random Internet protocol (IP) addresses. The goal is to pursue mischief.
• Honest Hacker. An individual not interested in mischief. Commonly, the person has no respect for authority, business, government, laws, property, “suits,” grooming, or personal hygiene. The goal is to punish people or organizations that do something bad on the Internet.

A reality of cyber risk is that not all hackers are the same:

• Criminals. These cyber attackers are interested in money. They seek to steal it or extort it. They do not care how they get it.

• Governments. Nations of the world have extensive hacking activities. They seek information from and about other governments. They also pursue military, economic, and other information. Everyone does it. This became quite clear during the Arab Spring in 2011 when Tunisia and Egypt hacked computer systems to identify and pursue demonstrators. It became abundantly clear in 2013 when Edward Snowden released confidential CIA e-mails and then fled for asylum to Russia.

• Activists. These individuals protest against policies they do not like. Activists believe governments, politicians, corporations, and wealthy and powerful individuals ignore them. They attack their perceived enemies. Included in this group are many honest hackers.

Security personnel have long recognized the dangers from criminal hackers. Now, honest activist hackers have become a major concern. They attack specific areas, including:

• Copyrights. They do not like the fact that people have to pay for information or entertainment. They create software that allows the downloading of copyrighted and proprietary music, movies, books, and other knowledge.

• Censorship. They strongly oppose efforts to restrict free speech. They can be vicious against governments or companies that seek to censor the Internet.

• Oppression. They protect each other. They do not like attacks on other honest activist hackers, including WikiLeaks and Julian Assange, its founder.

• Surveillance. They do not want to be known to the public or authorities. They attack agencies or others that try to identify them or that collect information about their activities.

Anonymous

Anonymous is an online community whose members consider themselves to be honest hackers. They apply the Anonymous label to themselves. Many members are unknown even though the government has arrested some of them. They undertake collaborative “hacktivism” in retaliation for self-perceived bad behavior. The members of Anonymous are a big concern in the world of cyber risk managers. Figure 17-4 is a list of warnings identified with Anonymous.


FIGURE 17-4. ANONYMOUS WARNINGS.

Get Ready for Anonymous. Our community is serious and dangerous. We are the immune system, defenders, and enforcers of the Internet. Ignore Anonymous at your own risk.

Our community is active:

• We are tech savvy.
• We have many, many members.
• We take down companies.
• You will see our activities.
• We troll the Internet.
• We like pranks against the powerful.
• We delight in juvenile humor.
• We are politically motivated against bad behavior.

Even though members of Anonymous are not seeking publicity, some members have become well-known. Some examples are:

• Dmitry Sklyarov (2002). He was a Russian who got annoyed when Adobe encrypted eBooks blocking braille readers. Dmitry built software to break encryption. He was arrested at the DEFCON conference, put in jail for three weeks, and was stranded in the United States for six months. Adobe suffered no damage. The company apparently decided that Dmitry’s actions were a good idea.

• George Hotz (Geohot) (2011). He objected to the fact that Sony did not allow individuals to create their own games on Sony PlayStation. He developed software that cracked the PlayStation codes to allow self-developed games and pirated content. Sony sued him for an estimated $170 million loss of revenue. As a result, Anonymous launched the attack described above as an external intrusion on the company’s system.

Question

Did George Hotz (Geohot) and Anonymous attack Sony because it had less security than Microsoft or Nintendo?

Answer

Not at all. Geohot initially was trying to do what he considered to be a good thing. When Sony sued him, the company messed with the Internet. The Anonymous message was clear and devastating: Do not mess with Anonymous or the Internet.

Arab Spring

Members of Anonymous showed their political power in 2011 with their participation in events in Tunisia and Egypt:

• Tunisia. A street vendor was frustrated by corruption in the Tunisian government. After police arrested him, beat him up, and seized his cart, he set himself on fire as a protest against the confiscation of his wares and the harassment and humiliation inflicted on him by a municipal official and her aides. Riots broke out. Subsequently, rumors circulated that the Tunisian government was censoring the Internet. Anonymous moved in, sending software to help people use the Internet and cell phones to attack corruption. The anger and violence became so intense that it brought down the government.

• Egypt Day of Revolt. Shortly after the start of riots in Tunisia, similar protests began in Egypt. After three people were killed, the Egyptian government took down the nation’s Internet access to inhibit the protesters’ ability to organize. Anonymous attacked the websites of the Egyptian Ministry of Information and others. Subsequently, the government fell.

FOOTNOTE

After the Anonymous attack, Internet access was restored in Egypt. As a result of the Anonymous attack, the Egyptian Ministry of the Interior was not able to restore its own websites. At that time, an Anonymous member gloated on Twitter in a brief message:

“Welcome back to the Internet, Egypt. Well, except for http://www.moiegypt.gov.eg. You stay down. You stay down.”

Bay Area Rapid Transit (BART)

A particularly tough Anonymous attack took place in 2009 against a public transportation agency in San Francisco. In January, a BART police officer shot a man. The event was captured on digital video and cell phone cameras. Photos and videos were disseminated widely on the Internet. The situation produced protests, riots, looting, and arson.

In 2011, another BART policeman shot a knife-wielding drunken man on a subway platform. This sparked more protests on BART platforms. When organizers announced a planned protest on BART property, the agency turned off cell phone towers to stop phone calls on its platforms. According to BART, the move was to protect public safety.

Anonymous went crazy. The Internet went crazy. Anonymous defaced the transit agency’s “myBART” website and released personal contact information about hundreds of the site’s users. One particularly vicious attack targeted Linton Johnson, the BART chief public affairs spokesperson, who claimed credit for recommending the shutdown. Anonymous released the following message on the Internet:

RT @OpBART: Linton Johnson. We have 14 embarrassing photos of you. You have 24 hours to step down. #OpBart cc: SFBart.

When Mr. Johnson did not resign, Anonymous released the photos.

Megaupload

A final Anonymous story involves an attack on an online file hosting service. Megaupload, a Hong Kong–based company, was shut down by the U.S. Justice Department in 2012. Its owners were indicted for piracy and copyright infringement. The Hong Kong authorities froze $40 million worth of assets. In retaliation, Anonymous attacks brought down websites of the U.S. Department of Justice, the Federal Bureau of Investigation (FBI), the Universal Music Group, and many other organizations involved in the case. It was the largest Anonymous attack up to that time. Learning from the BART episode, the U.S. government did not release the names of U.S. government officials involved in the action.

Responding to Anonymous Threats

The first step in dealing with the threats of Internet attacks is to recognize certain realities.

• Hackers respect technology, but they do not like lawyers. An organization needs to think twice before sending out the lawyers.

• When a problem surfaces that can attract social media attention, fix the problem. Do not attack.

• Never threaten anyone publicly, particularly an individual or other party that would appear weak in an Internet posting. Nobody likes a bully.

• Ignore Anonymous. Do not stir up its members.

• Remember the Streisand effect. It refers to the 2003 efforts by American entertainer Barbra Streisand to suppress pictures of her home that appeared on the Internet. Once information reaches the Internet, any attempt to suppress it has the unintended consequence of publicizing it more widely. Once it is online, you cannot remove it.

• Do not engage in censorship or surveillance.

• Do not give customer data to the government.

• Include the information system staff in risk discussions.

• Do not forget about the need for world-class electronic security. We saw an example of its value. After the exposure of documents by WikiLeaks, Visa, MasterCard, and PayPal severed links with WikiLeaks, denying it access to funds. Anonymous attacked all three organizations. Because they had powerful security specialists and systems, they suffered only minor damage. With good security, Anonymous hurts less.

Conclusion

When we are dealing with cyber risk, we need to be careful not to upset people on the Internet. Are hacking, theft, and embarrassment bad? From a risk management perspective, it does not matter. This is the world we live in. An organization’s actions on the Internet can hurt it. Companies must rethink how they use their legal team and public relations messages. Unpopular actions can produce retaliation.


CHAPTER 18

COLLABORATION FOR EFFECTIVE RISK MANAGEMENT

RISK QUOTE: Half the lies they tell about me aren’t true.
—YOGI BERRA, BASEBALL PLAYER

RISK QUOTE: Money was never a big motivation for me, except as a way to keep score. The real excitement is playing the game.
—DONALD TRUMP, BUSINESSMAN

Collaboration

Collaboration occurs when two or more parties work together to achieve common goals. In risk management, it increases available knowledge, shares it, creates learning from new viewpoints, and produces a cooperative effort in developing consensus.

Management deals with activities to improve organizations. Leadership involves efforts to help others achieve their goals. We might ask whether collaboration requires leadership, that is, a vision of where we are going. The answer is that leadership is often not a necessity. Results come simply from participation.

Grocery Acquisition

A grocery store chain was in the process of negotiating the purchase of another grocery chain. The goal was to upgrade the acquisition and convert the acquired locations to the company’s own stores. A risk manager was part of the negotiating team.

Question

What role can she play in that capacity?


Answer

She visited a store and observed the intention to “gut” the interior. She learned the store was built at a time when asbestos was used as insulation. She confirmed all the stores contained asbestos in the walls. State law provided the guidelines for asbestos abatement.

• Asbestos does not have to be removed from closed walls.
• If a wall is opened, asbestos abatement must be performed on the entire building by a licensed asbestos abatement contractor.
• No renovation or demolition activities may commence that disturb any asbestos-containing materials.

This finding changed the deal. The acquisition price was lowered as a result of a revised analysis.

Wikipedia Accuracy

Nature investigated collaboration accuracy. It used a peer review process to compare Wikipedia and the Encyclopedia Britannica’s coverage of science. Errors were found in both encyclopedias. What do you think was the average number of errors per science entry?

Answer

The two sources were quite close in terms of errors. Wikipedia had an average of four errors per article. The encyclopedia had an average of three.

Question

Thomas Chesney of Nottingham University conducted a different study of accuracy. He asked 55 graduate students to examine one Wikipedia article each. Some were experts in the field matching the article. Some were not experts; they had not studied in the field of the article. Did the students find many errors?

Answer

A small percentage of students found errors. Both groups ranked the articles as being credible. We can observe one interesting difference in viewpoint. The expert group ranked their articles as more credible than the nonexpert group.


Swarm Theory

The value of enterprise risk management rises dramatically when a central risk function supplements the risk owners’ efforts to identify risk and opportunities. If an organization finds hidden sources of risk ideas, it can respond early to threats and move to take advantage of opportunities. The idea of scanning the horizon was enhanced by a July 2007 National Geographic article titled “The Genius of Swarms.” Two concepts stood out. First, a swarm is a large body of individual organisms that move together in the pursuit of a goal. Second, swarm theory describes efforts to understand the success of swarms.

The article started with the information that 12,000 species of ants currently live on the planet in colonies that date back 140 million years. As a behavioral trait, ants organize highways along the shortest path to the nearest food source, build elaborate nests, and stage massive raids on other creatures. Such successful behavior seems to show that ants are clever engineers, architects, and warriors. According to the entomologists—entomology is a branch of zoology that studies insects—who wrote the article, nothing could be further from the truth. As these scientists point out, “When it comes to deciding what to do next, most ants do not have a clue.”

An ant colony can contain millions of individuals, divided into workers (commonly sterile females), drones (fertile males), and queens (fertile females), none of which have any vision for the colony. Instead, leadership arises from the collective action of the colony, or swarm intelligence. Simple creatures follow simple rules. Each party acts on local information. No one has the big picture.

How do ants find food? They communicate by touch and smell. Early-morning patrollers seek food outside the nest. If many come back quickly, it means they have found food. Next, foragers go out. If many come back, it means that much food was found. Everybody then goes out, following a chemical path called a pheromone food trail.

Bees also display swarm intelligence. When selecting a new hive, scouts go out. An individual bee returns and dances with enthusiasm for a specific site. More go out to search for a site. When a site attracts even as few as 15 bees, it becomes the choice. Entomologists believe the site chosen is usually the best among competing sites for the new hive.

A real-life example of swarm theory in risk identification is found in Chapter 10, which deals with Airbus and the Power8 program that addresses the risk of developing the A380 jumbo jet. The risk analyst omitted the exposure that would occur if the giant plane could not land or was perceived as too big to land at a sufficient number of airports. When teams of Saint Peter’s University MBA candidates were assigned to study the A380 as an ERM risk identification project, two of the teams discovered that many airports were unable to handle the aircraft. They added airport risk to Airbus’s exposures. Almost immediately, the other teams swarmed by adding the risk to their own list.

Another example is the story related in Chapter 2 about the Valentine’s Day disruption of operations at New York’s John F. Kennedy Airport and the struggles of JetBlue airlines to deal with the aftermath. It is unfortunate that JetBlue did not have a central risk function sharing exposures. Surely, some little “ant” would have identified the negative effects of a disruption at JFK. We might even have expected a disruption pheromone that would lead right up to the CEO. A public relations disaster could have been avoided.

We cannot claim that ERM discovered swarm theory, but James Surowiecki spotted a version of it. He believed that assessments made independently by diverse individuals would provide more accurate forecasts and more successful outcomes than decisions and central guidance emanating from experts. This assessment was presented in his 2004 book, The Wisdom of Crowds. Effectively, he offers a risk management application of swarm theory.

It also appears that companies have discovered swarm theory. The previously mentioned National Geographic article describes the effort of Air Liquide to find the best routes for its delivery trucks to follow. It tracked the routes taken by individual drivers and inserted the data into a computer model along with plant scheduling, weather information, market pricing, and truck routing. The software “pheromone” resulted in huge savings. Other companies throughout Europe use the process to develop delivery and telecommunications networks.

It is time for ERM to incorporate swarm theory into its efforts to improve risk identification. Companies will likely identify and mitigate many exposures if they incorporate the collective wisdom of the “colonies and hives” that are scattered throughout an organization.

GoldCorp Collaboration

Tapscott and Williams’s book, titled Wikinomics—How Mass Collaboration Changes Everything (Penguin, 2006), contains a story that illustrates how we can change a culture to seize opportunity.

Goldcorp was a gold mining company headquartered in Toronto with mining operations in Red Lake, Ontario. Gold deposits were running out, and geologists had no new ideas. Rob McEwen, the company’s CEO, attended a conference at MIT in 1999. He heard the story of how Linus Torvalds had used the Internet to develop the code for the Linux operating system. Thousands of anonymous programmers contributed to the development of Linux. The story inspired McEwen to consider a similar broadening of knowledge to the task of finding gold deposits. He returned to his company and released to the Internet all its geologic data from 1948 through 1999. He invited all geologists to help the company find new deposits.

The actual project was the Goldcorp Challenge, which took place in March 2000. Prizes of more than a half-million dollars were offered for the best estimates of the location of gold deposits. More than 1,000 individuals tackled 400 megabytes of data. They came from every conceivable background and discipline. Submissions were made by, among others, geologists, mathematicians, consultants, graduate students, and military officers. Applied math, advanced physics, artificial intelligence, chaos theory, and other techniques were all used to analyze the data.

The results were astounding. Entries identified 110 potential large deposits, half of them never previously identified. Rob McEwen ordered that $10 million be spent following up on the suggestions, drilling in the deepest and most remote areas of the mine. Substantial gold deposits were found in 80 of the sites. The company grew in revenues from $100 million to $9 billion.

Lesson Learned: A danger in all four of Handy’s cultures is that people will not share information, a critical requirement of ERM. GoldCorp and other examples suggest that collaboration in cultures can produce high-quality results. Collaboration requires an interaction among knowledge, mutual learning, creative decision making, and solutions to problems. The process can repeat itself indefinitely. If an organization does not have a collaboration culture, it might face a high level of subculture risk.


CHAPTER 19

CERBERUS, JPMORGAN, AND LEHMAN

RISK QUOTE: We shall not flag or fail…. We shall fight on the beaches, we shall fight on the landing grounds, we shall fight in the fields and in the streets, we shall fight in the hills; we shall never surrender.
—WINSTON CHURCHILL, BRITISH STATESMAN

RISK QUOTE: I don’t want to achieve immortality through my work…. I want to achieve it through not dying.
—WOODY ALLEN, MOVIE PRODUCER

Cerberus and Chrysler

The story of Bob Nardelli from Home Depot, begun in Chapter 3, continues with his acceptance of the CEO position at Chrysler. After Cerberus acquired the company, the board and senior executives knew that something bold would be needed to turn around Chrysler. Cerberus hired Mr. Nardelli in August 2007.

We do not know how Cerberus evaluated the turnaround of Chrysler. An ERM approach could have been used. The board simply had to ask, “What are our seven to ten most critical risks?” In many boardrooms, and perhaps at Cerberus, the question would produce an uncomfortable silence, followed by a vigorous and maybe even rancorous discussion. Then board members would realize that it takes considerable work to understand risk across an enterprise.

The first task confronting Mr. Nardelli was to identify risks and to develop agreement on critical risks. In September 2007, five teams of MBA candidates at Saint Peter’s University took on this task for Cerberus. The teams learned that Cerberus acquired Chrysler after DaimlerChrysler could not fix its problems and also understood the serious nature of its situation. They drew this conclusion largely because Cerberus brought in Mr. Nardelli. Now the task for each team was to identify a short list of critical risks. Figure 19-1 shows the results.


FIGURE 19-1. TEAM’S LISTS OF CRITICAL RISKS FACING CHRYSLER.

Team 1: Mr. Nardelli; Production overseas; Housing and gas prices; Wages and benefits; Foreign competition; Hybrid/fuel efficiency; Recalls

Team 2: Mr. Nardelli; Reorganization; Product innovation; Production; Supply chain; Financial; Reputation

Team 3: Mr. Nardelli; Legacy health pension; Financial; Changes in technology; Production efficiency; Competition and marketing; Recruitment and training

Team 4: Mr. Nardelli; Production; Technology; Loss of talent; Resources; Product Line

Team 5: Product; Technology; Financial; Legacy health pension; Competition

Based on these lists, several observations can be drawn:

• Leadership Risk. Four of the five teams identified Mr. Nardelli as a critical risk. Will his management style work better in the crisis environment of Chrysler than in the noncrisis situation at Home Depot? Would Mr. Nardelli be pleased to see the list?

• General Risk Versus Specific Risk. Should the risks identified be broad or narrow? If we identify the wrong risk, the mitigation strategy we settle on will not matter. What can Chrysler do about housing and gas prices, its own reputation, or competition when it faces pressing issues from production efficiency, legacy pension and benefit costs, or supply chain exposures?

• Short-Term Risk Versus Long-Term Risk. Where do we start? The company will not survive in the long term if it does not address deeply embedded risks. It will not survive in the short term if it runs out of money.

One interesting observation is the absence of cultural risk on any of the five lists. It does not seem reasonable to limit the leadership exposure to the style and skills of the new CEO.

OUTCOME

Cerberus rolled the dice and was bold in selecting Mr. Nardelli to do what he does best—get results. For Mr. Nardelli, the move contained a fairly large risk. Cerberus set his annual salary at one dollar, with other compensation rumored to be more than $30 million if Chrysler succeeded. Alas, it did not. In 2009, Chrysler filed for Chapter 11 bankruptcy, and Bob Nardelli announced that he soon would leave the company. Subsequently, Chrysler formed a strategic alliance that was effectively to become a FIAT acquisition of Chrysler. As of 2014, the company was still operating as part of FIAT.


EPILOGUE

Before leaving Mr. Nardelli, we might note one episode of his view toward risk andopportunity.InFebruary2008,heguaranteedbeforethewholeworldthatChryslerwouldwinitsfirstDaytona500racesince2002.ItwouldalsobethefirstracesincehebecameCEO.Hepromisedamillion-dollarbonustothewinningteam,andChryslerpaiditwhenaDodgeteamwontherace.ThismaybethelastriskmanagementstorytofocusonRobertNardelli.

JPMorgan Chase and Derivatives

The financial crisis of 2008 had little impact on JPMorgan Chase. The company seemed to anticipate the U.S. housing crisis and carefully avoided holding the toxic assets that hurt so many individuals and companies. This strategy was also followed under the leadership of Jamie Dimon, who had become the CEO of the bank a few years earlier. After the crisis, JPMorgan grew in size to more than $2 trillion in assets in 2013.

Just prior to the 2008 crisis, Mr. Dimon changed the bank’s investment strategy. Previously, the bank always sought relatively safe investments that protected its capital and the funds of customers. The new set of objectives pursued profits from trading in complex financial instruments, such as derivatives. The investment side of the bank endorsed the policy fully, and trading became a large and profitable business.

The bank gave increasing authority to Bruno Iksil, a JPMorgan derivatives trader nicknamed the “London Whale,” a recognition of the size of his trades. In 2011, he risked $1 billion on a single gamble that worked. It earned JPMorgan a half billion dollars. After this success, the sky seemed to be the limit. By early 2012, he held exposed positions on more than $150 billion in assets.

Boaz Weinstein was a derivative trader who managed a hedge fund with $6 billion in assets under management in 2012. His financial community nickname was “the Monster.” Weinstein spotted a flaw in the trading strategy being followed by Mr. Iksil. Weinstein bought the JPMorgan derivatives and steadily increased his position.

The men dueled with each other for more than half a year in 2011 and 2012. Iksil sold more. Weinstein bought more. At first, Mr. Iksil held a profitable position on the dealings. Then, everything collapsed for JPMorgan when the market recognized the weakness in its strategy. The “Monster” had beaten the “Whale.” In the process, JPMorgan experienced a total loss of more than $6 billion. Subsequently, the bank fired Mr. Iksil.

EPILOGUE

Bruno Iksil, the “Whale” in the JPMorgan story, testified in a U.S. Senate subcommittee hearing investigating the activities of derivative traders. Iksil explained that he lost the $6 billion while engaged in “trades that make sense.” His risk management strategy:

Sell the forward spread and buy protection on the tightening move. Use indices and add to existing position. Go long risk on some belly tranches, especially where defaults may realize. Buy protection on HY and Xover in rallies and turn the position to monetize volatility.

It is hard to believe that many of the senators understood how the trades “made sense” with this testimony. The committee did recommend and the Senate did approve a plan to regulate future derivative trades.

Lehman Toxic Assets

In 2008, at the height of the financial crisis, Lehman Brothers had a major risk exposure. It held some $50 billion of toxic assets, mostly secured by mortgages on homes that were in danger of foreclosure. As it neared the closure of its accounting books and recognition of its annual profit or loss in 2007, the company believed a disaster would result from exposing the situation.

As a protective step, Lehman transferred toxic assets to an offshore banking firm under an agreement to repurchase them a few days later after the close of the accounting period. The agreement temporarily removed the securities from the company’s balance sheet. This was legal under U.S. accounting practices. Thus, the Lehman auditors did not have to identify the toxic assets.

In 2008, the decline of home values forced the firm into bankruptcy. Lehman was then accused of using cosmetic accounting techniques to improve the appearance of its finances. Lawyers said this created a “materially misleading picture” of the firm’s financial condition in 2007 and 2008. It is a lesson in risk management gone wrong to recognize how the deception was achieved. Figure 19-2 shows a balance sheet of a hypothetical firm similar to the Lehman Brothers sheet just prior to closing the accounting records in 2008. The firm’s assets are divided into three parts, with one of them being toxic assets.

FIGURE 19-2. BALANCE SHEET ($ BILLIONS)

Assets                    Debt and Capital
Cash            $300      Debt       $400
Securities       500      Capital     450
Toxic assets      50
Total           $850      Total      $850

Shortly before closing the books, the hypothetical firm signs a repurchase agreement to sell the $50 billion of toxic securities and then buy them back a few days later. Figure 19-3 shows the new balance sheet with an increase in cash replacing the toxic securities.

FIGURE 19-3. BALANCE SHEET AT CLOSING ($ BILLIONS).

Assets                    Debt and Capital
Cash            $350      Debt       $400
Securities       500      Capital     450
Toxic assets       0
Total           $850      Total      $850

A few days later, the company buys back the securities at the price set in the agreement, perhaps a fee set at $1 billion. Figure 19-4 shows the balance sheet at the start of the new period.

FIGURE 19-4. BALANCE SHEET, START OF NEW PERIOD ($ BILLIONS).

Assets                    Debt and Capital
Cash            $299      Debt       $400
Securities       500      Capital     449
Toxic assets      50
Total           $849      Total      $849

EPILOGUE

Lehman is no longer an investment bank, and it will take many years to settle the lawsuits filed by investors against a firm that caused losses by practicing this kind of accounting. In 2014, it is not apparent that many financial reforms have been instituted to end abusive practices in financial transactions.

CHAPTER 20

RISE OF MODERN RISK MANAGEMENT

RISK QUOTE: It is easy to fly into a passion. Anybody can do that, but to be angry with the right person to the right extent and at the right time and in the right way? That is not easy.

—ARISTOTLE, ANCIENT GREEK PHILOSOPHER

RISK QUOTE: You gain strength, courage, and confidence by every experience in which you really stop to look fear in the face. You are able to say to yourself, “I lived through this horror. I can take the next thing that comes along.”

—ELEANOR ROOSEVELT, FIRST LADY

We pause at this point to identify risk management concepts and events that contributed to our ability to scan the horizon, identify risks broadly, and use technology to share exposures with risk owners.

Risk Management Supersedes Insurance

From the late 1800s, industrial organizations recognized the importance of insurance. Still, it was not until the 1960s that we learned fully the lesson from the word “inspection” in the name of Hartford Steam Boiler. “Inspection” comes before “insurance.” A milestone occurred in the 1960s after Massey-Ferguson appointed Douglas Barlow as the first risk manager. Risk management now trumps insurance. Recognizing the new reality, the American Society of Insurance Management changed its name to the Risk and Insurance Management Society (RIMS) in 1975.

Formation of Captives to Retain Risks

A captive insurance company effectively retains a portion of hazard risks for companies that do not want to transfer certain exposures to insurance companies. After the founding of the first captive, in Bermuda in the 1960s, organizations gained a more sophisticated understanding of insurable risk. A captive allows an economical retention of high-frequency, low-severity exposures such as vehicle accidents and employee injuries. Efficiencies are achieved by processing claims with a captive rather than an unrelated insurer. Captives also can be a critical risk management tool.

Risk Management Addresses Liability

By the 1980s, risk managers faced the rising cost of liability lawsuits. New legal theories and court judgments produced implied warranties, express disclaimers, and strict liability. Courts awarded punitive damages to compensate injured parties for real and perceived pain and suffering. At the pinnacle of freewheeling lawsuits, courts awarded judgments for psychic injuries and even hypothetical damages. The number of class action and medical malpractice lawsuits grew exponentially. New risk management practices created safer products and services, as well as new behaviors.

Decline of Historical Data

As explained in Chapter 1, when Hurricane Andrew struck Florida in 1992, risk managers and insurance companies were forecasting losses on the basis of historical data. Risk analysts knew that past strong hurricanes caused the loss of 10 to 20 percent of the roofs of homes in stricken areas. This did not happen with Andrew. Historical data was based on the use of masonry walls and tile roofs. A 1980s boom in Florida produced different forms of construction and substandard workmanship. After Andrew, every single roof in many subdivisions was gone. Insurers were reminded that actuarial data has to be examined carefully, assumptions must be tested, and underwriting must be augmented by qualitative assessments.

Performance Risk Augments Hazard Risk

As the 1980s ended, corporate boards wanted to reward CEOs for improving the performance. Bonuses were tied to rises in the market price of the stock. When the Dow went from 3,500 in the early 1990s to 11,000 after 2000, the rising tide lifted all boats. CEO compensation produced spectacular rewards for mediocre performance. The weakness of companies under stress after 2000 caused boards to realize that business and operating risks exceeded the danger posed by most hazard risks. Their interest turned to ERM.

ERM and Cyber Risk

As discussed in Chapter 17, new English words arose to identify exposures from electronic communications: “hackers,” “scams,” “spam,” “viruses,” “phishing,” “pharming,” “illegal downloading,” “identity theft,” “spyware,” and “cyberterrorism.” And these joined old terms, such as “credit card fraud” and “industrial espionage,” as a focus of risk management.

War Risk

The terrorist attacks of September 11, 2001, exposed the insurance industry and others to the possibility of catastrophic loss caused by human action. Individuals and small groups could expose a nation to massive losses previously associated with wars. A dirty bomb in New York City could cause $800 billion or more in insured losses. Insurance reserves were half that amount. This new realization reached maturity with the financial crisis of 2008. More than ever, risk observers knew the importance of an effective program to prepare for and to respond to critical exposures.

Outlaw Environments

Global sourcing and distribution caused an expansion of operations into remote areas of the world. Companies discovered corruption that permeates governments and the legal and banking systems. Counterfeit products and brands, violations of patents and copyrights, and theft of intellectual property became rampant. Many companies lacked effective risk mitigation strategies or remedies to fight back. This is a current challenge facing ERM.

Environmental Risks

Temperatures and ocean levels are rising in the early years of the twenty-first century, even as natural resources are declining. The increased mobility of billions of people on a small planet has created interrelationships of economies and politics and other complex exposures. Governments may be unable to mobilize resources until after a crisis occurs. Even then, as Hurricane Katrina showed in 2005 and the tsunami in Japan showed in 2011, the response to an environmental disruption may be too little too late.

Conclusion

It is hard to escape the conclusion that, with the exception of global nuclear destruction imposed by two superpowers, the risk of which has perhaps receded, the world has become more and more risky. Enterprise risk management is the latest development in efforts to identify and deal with critical risks. We will see whether ERM holds the answers to mitigate our largest exposures.

CHAPTER 21

EVOLVING ERM

RISK QUOTE: Champions aren’t made in the gyms. Champions are made from something they have deep inside them—a desire, a dream, and a vision.

—MUHAMMAD ALI, BOXER

RISK QUOTE: It is impossible for a man to be cheated by anyone but himself.

—RALPH WALDO EMERSON, POET AND ESSAYIST

When I arrived at Saint Peter’s University in 2004, I asked permission to put the words “specializing in enterprise risk management” on my business cards. I received that permission. Since then, every time I hand someone a card, he or she says something like, “Oh, I’ve heard of enterprise risk management. Exactly what is it?”

That would be a fine reaction to a new idea that needs more traction. It is, however, something of a sad commentary on the status of ERM, which has been around for 15 or so years. Since 2002, risk managers, internal auditors, actuaries, the Committee of Sponsoring Organizations (COSO), and others have promoted ERM in their organizations and professional associations. A 2008 Google search of “enterprise risk management” produced 3,670,000 hits. At the same time, Amazon was selling books and articles on ERM, including the definitive COSO Enterprise Risk Management: Integrated Framework, discussed in Chapter 6. This 230-page comprehensive description of ERM is supported by professional associations of accountants and auditors. In 2004–2006, the Risk and Insurance Management Society (RIMS) formed an ERM online discussion group, established an ERM Center of Excellence, and offered a risk maturity tool for evaluating ERM programs.

One of the Amazon articles, from the April 2004 issue of Risk & Insurance magazine, is titled “ERM: All Talk, Little Action.” Although we have major improvement since 2004, we need to rethink how we present ERM so that it can evolve in organizations and to consider the problems and questions that impede ERM implementation.

Four Problems for ERM

We can identify four problems that must be overcome as ERM evolves:

1. Definitions
2. Risk categories
3. Failure to tell a good story
4. “Normal” times

PROBLEM 1. DEFINITIONS

Everybody has a personal definition of ERM. We have already covered a number of them. Fair enough, but where do we go from there? No matter what the definition, ERM sounds like a lot of work. Will ERM produce results different from those achieved with existing risk management processes?

PROBLEM 2. RISK CATEGORIES

Brokers and others use different risk categories as they promote ERM. We have already covered approaches to categorization championed by Marsh, Aon, and others. All offer insights into ERM while leaving a practical problem. In terms of accountability, responsibility, and process, most companies are not structured so as to match their risk categories. Organizations do not have an operational risk manager, an external factors risk manager, a capacity-for-change risk manager, and so on. The solution is to align risk management with the business model. Unfortunately, this does not appear to be widely accepted in the literature of ERM.

PROBLEM 3. FAILURE TO TELL A GOOD STORY

Another problem is that the real value of ERM is lost in the weeds when we focus heavily on processes, internal controls, and details. Board members, senior executives, and even middle managers do not see the real benefit. Instead, they face a cumbersome model offering an expensive way to manage risks they already manage. Many managers only pay lip service to Sarbanes–Oxley, Basel II, and ERM. In their hearts, they believe all three were designed by bureaucrats, professors, or regulators who do not really understand risk.

PROBLEM 4. NORMAL TIMES

For many years, risk analysts have used quantitative tools to measure risk, with value at risk (VaR) being a common model. VaR assumed a so-called normal market and made short-term projections in that market. It measured risk in a portfolio of investments and offset the risk and opportunities in each investment compared to all other investments in the portfolio. Figure 21-1 gives an example of the technique.

FIGURE 21-1. VALUE OF CURRENCY AT RISK.

Analysis

A company borrows 30 million pesos at a time when it has 40 million pesos as receivables from foreign sales. In normal times, 90 percent of the receivables are collected. The maximum exchange rate fluctuation between the peso and the dollar is forecast to be 20 percent. The value at risk is 1.2 million pesos in normal times.

Debt                                            30 million pesos
Receivables (40 million pesos × 90 percent)     36 million pesos
Exposure                                        6 million pesos
Fluctuation                                     20 percent
Value at risk                                   1.2 million pesos

Black Swan

A company that believes the exposure is 1.2 million pesos is not prepared for a black swan. Suppose economic or political conditions affect the peso, causing customers to default on their obligations. The company would not collect its receivables. Further suppose the currencies experience a much larger fluctuation. The company would still owe its full debt. In that case, the value at risk is much higher.

Debt                                            30 million pesos
Receivables (40 million pesos × 10 percent)     4 million pesos
Exposure                                        26 million pesos
Fluctuation                                     60 percent
Value at risk                                   15.6 million pesos

The problem in the figure is that the analysis assumes a normal market. An ERM evaluation would expand the investigation.

Industry or Country Norms. Are there wide variations?
Similar Firms. Which similar firms are the basis for collections of receivables?
Historical Trends. What is the evidence that the future will be the same as the past?
Future Expectations. Can we be sure we know that what happened before will happen again?
Common Sense. This is a catchall. What does common sense tell us about “normal”? This is not a difficult question to answer in an ERM context. Simply stated, it is no longer normal to be normal.

ERM acknowledges the value at risk models. For short-term projections, we can get pretty well within a 95 percent confidence range. You can accept multiple risks. You can study them and give them a mathematical dimension. You can stay within parameters 95 percent of the time. You can improve your performance 95 percent of the time. Therein lies the real challenge to VaR analysis. Ninety-five percent fails to account for risk. It is the other 5 percent that contains both disaster and opportunity.

Long-Term Capital Management

Nassim Taleb reinforces the danger of VaR approaches with a story. LTCM was a successful hedge fund that made extensive use of quantification trading models. It used VaR models that included the possibility of a regional financial crisis. Unfortunately, the model did not consider two financial crises at the same time. When both Asia and Russia collapsed in 1998, so did LTCM. The models worked 95 to 99 percent of the time. The last 1 percent was fatal.

What was the lesson learned by financial risk managers from the collapse of LTCM? The evidence is not good. It appears they concluded LTCM was a one-in-a-million event that would never happen again. As a result, they expanded the use of quantitative models, forming a membership association. The Professional Risk Managers’ International Association (PRMIA) had 50,000 members in 184 countries in 2008 and offered a program of certification on risk management.

ERM does not totally denigrate value at risk. It simply recognizes that VaR is focused on increasing return while understanding the risk of 95 percent of events. David Viniar, CFO of Goldman Sachs, saw VaR as “a useful tool.” He said, “The more liquid the asset, the better the tool. The more history, the better the tool.” He is right that more history of the past is instructive if the future is the same as the past. What happens when the future deviates from the past? How do we answer the risk question, “Who will provide funding during a market collapse or liquidity crisis?”

On May 5, 2008, the stock of American International Group was priced at $40 a share. With a 95 percent chance of accuracy, a VaR model could have forecast the likely price, high price, and low price on December 31, 2008. If that happened, who really cares about the model used to forecast the price? No model would have been anywhere near the 2008 closing price of $1.69 a share.

Speeding Up the Implementation of ERM

What are the solutions to these problems?

Definitions. This is easy. Let’s simply say that ERM is an effort to coordinate the management of risks that an organization faces, skipping more complex definitions because they add little value to the discussion.

Risk Categories. This solution has already been proposed. Match risk categories to the business model and strategy of the organization. The model includes the (1) value to be created by the entity; (2) architecture of the firm; (3) network of partners for creating, marketing, and delivering value; and (4) capital, assets, and other resources needed to generate sustainable profits. The business model contains both the downside of risk and risk opportunities. Use it in ERM, and align it with C-suite functional areas, major business units, and key initiatives.

The Story. Tell it. Most ERM stories are complex, building on traditional risk management. Invariably, the story states the benefits of coordinating all risk across an enterprise. Then it encourages a process with five to seven steps. This approach can work nicely for traditional risk, and it does. It falls short in the broader perspective of ERM. We need a different story. Tell about a new risk structure that works with the existing business model. Identify the current structures where goals are pursued and risk is being managed. Additionally, show the benefit of adding a centralized risk management function to augment existing business goals and risk management efforts.

Common Sense. Take a moment to apply it as the risk assessment is underway.

We can reinforce this message with examples of subpar performance by organizations that failed to recognize critical exposures, including these notable industries:

Automobile Manufacturers. They failed to see the future impact of defined-benefit pension plans and lifetime health care for retirees, as well as the importance of modernizing their manufacturing facilities.

Airlines. They failed to make adjustments to be competitive in the wake of low-cost carriers and rising oil prices.

Financial Institutions. The financial crisis of 2008 was driven by commercial banks, investment banks, and insurance companies that thought they had no serious exposures in their portfolios.

We can hardly blame the CEOs of car companies, airlines, and banks for the failure to identify internal and external risks. Their watch is often as little as three to five years. Who needs to look for trouble? Instead, we could ask the board of directors to insist on a centralized risk identification structure as part of an ERM program.

The Future of ERM

We have taken a journey that began in 1998 when organizations began to realize they were not respecting risk interaction in their financing and operations. Progress was slow, but two approaches to ERM developed:

1. Hazard ERM. Traditional risk managers focused on insurance and loss control. ERM sought to bring various silos together and help them understand relationships among their exposures.

2. Financial ERM. Individuals who managed investments, rates of return, working capital, and the adequacy of capital focused on the interaction among financial assets, reported earnings, and cash flows. Efforts were supported by computer models that used quantitative tools to manage money and forecast future results.

In 2014, we see a different picture of ERM. It focuses on neither hazard nor financial risk. Rather, it is built around a central risk function that constantly scans for changes on the horizon. What is happening in the organization itself with regard to strategies, leadership, subcultures, and life cycles? Scanning can find obstacles to achieving the upside of risk as it uncovers negative conditions. After scanning, it is important to share the findings so that risk owners can make adjustments.

Lesson Learned: The discussion on evolving an ERM program leads us to the following recommendations:

ERM Definition. Do not spend too much time on them.

Risk Categories. Align risk categories with the business model, recognizing functional areas, major operating units, and key initiatives.

Central Risk Function. Install such a function, led by a senior executive. Make it a proactive entity that scans the external environment and internal culture, seeking changing conditions, emerging trends, market developments, advances in technology, and competitive business practices. Encourage it to collect information on strategies, subcultures, leadership, life cycles, and developments on the horizon. When risks or opportunities are found, share them and their potential impact.

A Good Story. Help key managers and stakeholders understand how ERM increases the likelihood of identifying emerging exposures and opportunities that threaten or ensure long-term sustainability.

Conclusion

ERM can work in organizations of all sizes. The megacorporation can use it in a structured hierarchical system with risk owners. A single business unit can use it as part of the parent system or even in isolation. A smaller organization can seek to understand the challenges it faces as it seeks to grow and prosper.

This is the closing message of ERM. Managing risk is not about hundreds or thousands of unorganized exposures. It is about getting value from an effort to understand the impact of the interrelationships of risk and opportunity. With new technology, we can expect a renewed interest in getting it right with enterprise risk management.

CHAPTER 22

MODERN RISK MANAGERS

In the case of sawmills, it is not a question of if it will burn but when it will burn.

—LANCE EWING, PROMINENT RISK MANAGER

RISK QUOTE: A jury consists of 12 people who determine which client has the better lawyer.

—ROBERT FROST, POET

Risk Manager Roles

Clearly, the modern risk manager role starts with the culture of the organization. Some entities want the risk manager to have a narrow role as essentially a buyer of insurance, a processor of legal and other insurable claims, and an advocate for safety. Others see the risk manager in a wider role, often with the title of enterprise risk manager or even chief risk officer. A 2004 survey found that successful risk managers took on three distinct roles:

1. Strategic Player. This individual designs risk management programs. The position has significant responsibilities for activities that have an impact on the bottom line. The individual brings broad experience in production, marketing, finance, or other areas and has the confidence of the CEO and board. Further, the risk manager has personal chemistry with the chief marketing, finance, and other top-level executives.

2. Competent Risk Manager. This individual seeks to reduce hazard risks through loss control, safety techniques and training, or the mechanism of insurance. This individual advises managers on risk strategies and is recognized for bringing a high level of skill to the job. The risk manager is likely to have significant insurance and risk management experience and strong skills in risk identification, assessment, and mitigation. This player can expect, and will get, support and encouragement from managers in other units, including production, finance, human resources, and legal.

3. Risk Specialist. This individual performs technical tasks such as purchasing insurance, managing insurance claims, or supervising employee safety and physical security. The responsibilities are narrow in scope but also important. These individuals usually have years of experience as insurance agents or brokers, underwriters, or claims processors. Many competent risk managers start out as risk specialists.

Risk Manager Levels

A second way to categorize risk managers is by level of responsibility:

1. A Level. This is the highest risk management position in the organization, with responsibility for risk transfer and mitigation. Not all A-level risk managers work in ERM.

2. B Level. The person in this position is an important decision maker but does not have ultimate authority for major risk management decisions. The B-level risk manager generally purchases insurance, settles claims, and otherwise makes important risk management decisions.

3. C Level. This person recommends or advises on risk management activities and strategies, but higher-level executives make most of the decisions. A C-level risk manager collects and interprets data on losses, helps process claims, and prepares reports on loss control and the total cost of risk.

Many people use the title “risk manager.” We should note that the title’s meaning varies from organization to organization.

Profiles of Risk Managers

We can identify the characteristics of the 35,000 or so U.S. risk managers:

Education. Most are college graduates. Most A-level risk managers have graduate degrees, commonly the MBA but with a sizable percentage of master of science and law degrees in the mix.

Work Experience. The experience prior to becoming a risk manager varies. Sixty percent have backgrounds with insurance carriers, brokers, or service providers, whereas 20 percent come from consulting, government, legal, or financial backgrounds. Twenty-five percent have prior in-house risk management experience as well. (That’s more than 100 percent: A few people have two kinds of experience, so they count twice.)

Reporting Line. About half report in the finance area. Less than 20 percent report to the CEO.

Compensation. Salary and benefits have been rising in recent years. Most risk managers at large firms have packages exceeding six figures, and a few go as high as $500,000 a year. The Risk and Insurance Management Society (RIMS) publishes a periodic survey of risk manager compensation.

Areas of Attention

What do risk managers actually do on the job? We can identify four areas:

1. Hazard or Insurable. Risks that affect property, people, and tangible assets.
2. Operational. Affecting the production and marketing activities.
3. Financial. Affecting the availability of resources.
4. Strategic. Affecting the mission and goals.

Risk managers estimate that they spend up to half their time on hazard and insurable risk, notably purchasing insurance. Most companies identify this area as the most important part of the risk manager job. Increasingly, risk managers are broadening their scope to include other areas.

Chief Risk Officer

The chief risk officer (CRO) title first appeared in a 1988 Peat Marwick study on global capital markets. The first CRO was James Lam of GE Capital, in 1993. Since then, the position of CRO has had diverse meanings, and there is little agreement on the responsibilities that go with it. Banks, insurance companies, and other financial institutions were early adopters in the 1990s. The title was usually given to someone with responsibilities for balancing exposures across financial investments and holdings, complying with regulatory and statutory requirements, and providing security and internal controls on the flow of data and access to information.

After 2001, the title made slow progress in nonfinancial organizations, but a renewed interest in ERM may speed up its acceptance in publicly traded corporations. As we watch to see whether a CRO title grows in popularity, we can observe that the title has two meanings and sets of responsibilities.

1. Financial CRO. Manages financial and internal control functions, such as portfolio risk, compliance, credit and commodity risk, and the security of information technology, data, and systems. The individual is trained in finance, actuarial science, and auditing or accounting and has major experience as a financial or investment analyst, treasurer, or controller. The reporting line leads directly to the CFO. Alternatively, the title can reflect the additional duty of a senior finance executive, such as a treasurer or controller.

2. Nonfinancial CRO. Helps identify risks and opportunities and shares the knowledge with risk owners. This individual can have any kind of training and experience, including finance, business administration, engineering, or law, and has a significant understanding of the industry, lines of business, and the external environment. This CRO coordinates risk through an indirect process of influence, rather than taking the direct approach of the financial CRO, who solves problems with computers and technology. The nonfinancial CRO builds relationships with risk owners.

Chief Strategy Officer (CSO)

As part of a central risk function, an organization might believe it needs a chief strategy officer. Strategic risk is defined as exposures or missed opportunities that threaten the organization’s ability to align entity goals with the pathways to pursue those goals. Strategic risk covers a lack of vision, faulty planning, emerging or aggressive competitors, and the inability to respond to changing conditions in the business environment. We need to face a fact. Most C-suite officers are busy people with significant responsibilities. They lack the time and often the skills to scan the horizon for strategic risks and opportunities.

The model of a chief strategy officer and nonfinancial chief risk officer recognizes that corporate strategies evolve from focusing on opportunities, not on exposures. The CRO role has much to contribute once a strategy is identified to help ensure that enterprise risk factors are identified and vetted. The development of the strategy itself, with its innovation and creativity aspects, may be a precursor to the CRO role.

CRO and CSO Areas of Focus

In the three-position approach to risk management, each individual has a different focus.

1. Financial CRO. Looks outside and inside the entity, with primary activities dealing with computers, financial institutions, and the organization’s finance department support staff.

2. Nonfinancial CRO. Works inside face to face with risk owners, business unit heads, internal audit, and compliance and works outside to scan the horizon.

3. CSO. Works inside and outside the entity but largely with senior executives and the board.

Paul Buckley, Tyco Risk Manager

Paul Buckley joined Tyco in 2002 after 29 years in the Bell system, finishing as risk manager of Lucent Technologies. He received many awards while at AT&T and Lucent, and he was named Risk Manager of the Year in 2000 by Business Insurance magazine.

Paul’s story begins in the wake of Securities and Exchange Commission investigations of accounting improprieties. Tyco’s former CEO, L. Dennis Kozlowski, was indicted and convicted on fraud, conspiracy, and grand larceny charges. Paul joined Tyco in May 2003, after the scandal broke. His view was that it was the right place to be from a risk management perspective. Tyco had a new board and many new senior executives. Top management wanted to do it right and set the tone from the top that it would not tolerate even the appearance of compromising behavior.

The new environment meant big changes for risk management, which had previously been limited to activities such as buying insurance, processing claims, and helping with loss control. Paul developed a new centralized risk management strategy, bringing all units together in unified programs. He had access to top officers. The learning environment was exciting, and the support from his direct line of senior management was exceptional. He stated, “I would not be as good a risk manager had it not been for this experience.”

Chris Mandel, USAA Risk Manager

In 2006, Chris Mandel was risk manager at USAA, with enterprise risk management in his title. Chris is a former president of the Risk and Insurance Management Society (RIMS), a former Business Insurance magazine Risk Manager of the Year, and an award winner for USAA’s ERM program. Chris has been a long-time ERM proponent.

Chris believed that ERM had made substantial progress since 2000. He received daily communications from consultants and brokers about ERM products and services. He observed a linkage between ERM and other key initiatives, including Sarbanes–Oxley compliance, regulatory emerging requirements, and effective internal and external audit functions. He saw evidence that operations, control, and finance professionals were expressing an interest in and concern about managing effectively exposures that are more than the typically insurable risks.

Chris believes that the most important element of a good risk strategy is designing it to align with the company and its culture. He recognizes the need for management to address the most significant risks facing the entity but also argues that many different models can work. One such model holds subject-matter experts in specific risk areas accountable for risks in partnership with a senior risk process leader.

Chris also addresses insurable risk, the stock-in-trade of most risk managers. He believes that traditional risk managers are properly prepared for a larger role because they have a deep and broad understanding of how key company segments interact. Risk managers know how to build relationships across key business segments. He points out that it helps if they have a solid understanding of finance and business management.

LanceEwing,Harrah’sRiskManager

Lance Ewing was vice president of risk management of Harrah’s Entertainment and is a past president of RIMS. He is an active advocate of risk management education, serving as an instructor for the National Alliance for Insurance Education and Research, based in Austin, Texas.

Lance Ewing, like many risk managers, started in an insurance company. Those early days spent assessing risks for high-hazard industries such as sawmills and logging companies shaped his risk management philosophy. Lance learned quickly that his customers did not want insurance. They wanted to bring down losses and the consequent costs.

After five years in insurance, Lance became risk manager for the Philadelphia school district. During a six-year tenure, he dramatically reduced losses, resulting in significant savings. In the late 1990s, he did the same at GES Exposition Services. In time, he became a vice president at Harrah’s. Four weeks after his arrival, Hurricane Katrina destroyed three of Harrah’s major casinos in Mississippi and Louisiana. Thirty days later, Hurricane Rita damaged the company’s hotel and casino in Louisiana. It was baptism by fire for all parties.

Lance and Harrah’s responded quickly and forcefully. The company engaged in crisis management, reaching out to employees, guests, clients, and local Gulf Coast communities, quickly restoring some stability. This part of the story is nicely told in detail in the April 2006 edition of Risk Management magazine. In a longer-term response, Harrah’s sold damaged properties in Gulfport and Lake Charles to provide resources to build a new $1 billion property in Biloxi. Maybe Lance is correct in one of his favorite sayings: “Whatever does not kill you only makes you stronger.”

George Niwa, Panasonic Risk Manager

George Niwa believes that the Matsushita Group had a solid “business basic philosophy” that was well understood by all employees. He strongly encourages risk owners in every unit to provide case studies to help the staff understand possible risk scenarios. Calling ERM “value chain risk management,” he expects risk owners to “draw” a risk scenario as part of every annual risk assessment.

Niwa believes that “[t]here is no business management without risk management.” A company should build risk management practices into the organizational culture and apply techniques consistently throughout the enterprise. This means that risk management must go up to the level of top management and gain strong support for its efforts.

Part of Niwa’s success is that he had three risk management champions in top management: an executive in charge of risk management and legal affairs, the CFO, and the chief strategy officer. This support allowed him to create both global and group risk management, freeing the company from the traditional management style of isolating risks in silos. He notes that the company was working on visualizing risks so that all risk owners could see them clearly.

Susan Meltzer, Aviva Risk Manager

Susan Meltzer rose steadily in risk management to become a vice president at Aviva Canada. After graduation from Carleton University where she majored in English, she took a position with an insurance broker and subsequently transferred over to risk management. She observed that it is one thing to get a risk management job; it is another thing to have the skills to manage risk. The keys to success are based on knowledge, relationships, and sharing of best practices.

Susan was so successful that she became president of the Risk and Insurance Management Society in 1999. In this role and afterward, she got involved with the International Federation of Risk and Insurance Management Associations (IFRIMA). She has spent her career encouraging insurers, brokers, and risk managers to keep current on risk trends by taking a global perspective and forging relationships with peers around the world. She observes that some areas of the world were ahead of others with respect to ERM and identifies Europe and Australia as leaders in applying cutting-edge concepts and technology to mitigate risk in a world of terrorism, natural disasters, and pandemics.

A hidden message in her philosophy is Meltzer’s ability to network with risk professionals. Susan believes that risk management does not get interesting until risk managers join the discussion. Without excluding brokers, insurers, auditors, or others from an exchange of information, the risk manager must have a place at the table.

Central Risk Management Committee

This is a formal body established to provide advice on ERM. It is one tool for involving the board and senior managers in an ERM program. In most formulations, we can identify common characteristics.

Purpose. Advise senior management and the board on policies to manage the full range of risks facing the enterprise. This broadens the advising role beyond the risk management area.

Activity. Meet periodically to discuss risks and to make recommendations. If committee members are using a modern HTEP system, they will have insights to post on the platform and ideas to share at a committee meeting.

Role. Act proactively to encourage all managers and professionals to participate in identifying and mitigating critical risks.

DENOUEMENT

RISK QUOTE: Nobody should pin their hopes on a miracle.

—VLADIMIR PUTIN, RUSSIAN POLITICIAN

RISK QUOTE: So much of what happens in life is out of your control, but how you respond to it is in your control. That’s what I try to remember.

—HILLARY CLINTON, AMERICAN POLITICIAN

In French, a denouement is the end of a complex sequence of events. In the arts, it is the final outcome of the main dramatic complication in a literary work. So it is that our journey ends. What did we learn? First, risk is best managed in a framework of alignment with the business strategy, accountable risk owners, and a recognition that every risk may be accompanied by an opportunity. A central risk function and a knowledge of ERM are tools used to identify and share exposures and opportunities. We learned about new and powerful technology to visualize risk relationships and document mitigation efforts. We looked at often overlooked exposure with weaknesses in strategies, cultures, and leadership—risks that cross hierarchical divisions. We read stories of success and failure of risk management. We concluded with an introduction to the people who manage risk for major organizations.

This is the expansion of an entirely new paradigm on a concept that is 25 years old. If we move enterprise risk management from the complex and cerebral, we find that the concept is solid. It produces benefits for organizations. It can help us make sense out of a complex world. If this book helps make ERM more accessible, the journey will have been well worth it.

Page 248: FUNDAMENTALS OF NTERPRISE

INDEX

abacus,158accuracy,collaborationand,250–251acquisitions,collaborationin,250activisthackers,243,244actuarialdata,limitationsof,4adaptationtochange,151addingmachine,158adjustable-ratemortgages(ARMs),58–59,61–62TheAgeofDiscontinuity(Drucker),151TheAgeofUnreason(Handy),176AgriculturalAge,154,155AIG,seeAmericanInternationalGroupAirbus,161–167,252AirbusA380jumbojet,126–133airconditioning,155airflightscheduling,IBMsolutionfor,219–220AirLiquide,253airplane,157A-levelriskmanagers,276Ali,Muhammad,onchampions,266Allen,Paul,219Allen,Woodyonachievingimmortality,255onmankindfacingacrossroads,3onnotbeingsomeoneelse,87

Amazon.com,riskmanagedby,13–14AmericanInternationalGroup(AIG),271andfinancialcrisisof2008,63,64missedrisksat,53nearcollapseof,68visualizingexposureat,35–36

AmericaOnline(AOL),57Andersson,Bo,19–20Anonymousonlinecommunity,243–248antcolonies,251–252AOLTimeWarner,57Aon,71

Page 249: FUNDAMENTALS OF NTERPRISE

Apple,232declineof,221growthof,221resurgenceof,222–223

appliedresearch,153approvedpatents,inproductlaunches,143ArabSpring,160Aristotle,onbeingangry,262ARMs(adjustable-ratemortgages),58–59,61–62Assange,Julian,243assets,inHTEPs,97assumptions,asdecision-makingfactor,198–199athletes(subculture),187Atlantaicestorm(2014),45–46AugustMax,170Australia,47authorizeduserexposure(cyberrisk),241–242autoindustry,25–29,272automobile,157AutoNation,28AvivaCanada,283

backupdatainRiskonnect,99atutilitycompanies,108

bailouts,and2008financialcrisis,63–64bananas,deliveryof,132–134bankruptcy,asremedyforautoindustry,27–29banksmortgagepracticesat,59–60,62responsibilityof,infinancialcrisisof2008,64

Barlow,Douglas,262BayAreaRapidTransit(BART),246–247BearStearns,68behavior,192–193behavioralhazard,7behavioralrisk,192–194beliefs,asdecision-makingfactor,198,199Bell,AlexanderGraham,156Berra,Yogionarrivingataforkintheroad,18

Page 250: FUNDAMENTALS OF NTERPRISE

onlies,249onmakingmistakes,215onnotknowingwhereyou’regoing,139

Bessemer,Henry,155Bharara,Preet,oncyberthreat,227BillandMelindaGatesFoundation,221TheBlackSwan(Taleb),46blackswan(s),45–56Atlantaicestorm(2014)as,45–46Blockbusterand,51–52definitionsof,46–50andevolutionofERM,269–270andperceivedlevelsofrisk,54andriskexperts,52–54andsilentevidence,55

Blanchard,Ken,195B-levelriskmanagers,276Blockbuster,51–52bloodbanks,incentivesat,60–61boardofdirectorsatHomeDepot,43–44involvementof,36–38

Boeing,161–167bosses,175BPOilexplosion,134–136Branch,Kenneth,165brandrecognition,inproductlaunches,141Brooks,David,186,189–191Buckley,Paul,280Buffet,Warrenonderivatives,34–35onresponsibilityforBerkshireHathaway,113

bureaucracyculture,176–177bureaucraticstructure,173–174burnrate,inproductlaunches,142Bush,GeorgeH.W.,191Bush,GeorgeW.,191businessdisruption,atutilitycompanies,107BusinessInsurancemagazine,281businessmodelaligningERMwith,xii,32–34

Page 251: FUNDAMENTALS OF NTERPRISE

inERMimplementation,106–107needfor,atHomeDepot,41–42

businessprocessdocumentationof,97ERMas,114

BusinessWeek,20

Calce,Michael,238calculatingmachine,158capabilities,people’s,75,151capitalrisks,withproductlaunches,142captives,263Carlin,George,onnotknowingwhat’sgoingon,30Carter,Jimmy,191Carter,Rob,onFedEx’sbusiness,149Case,Stephen,57cashflowrisk,75CasualCorner,170catastrophes,inenterpriserisk,12catastrophicloss,11CCS(CertegyCheckServices),241CDOs(collateralizeddebtobligations),60censorship,243CenterforAppliedCyberSecurityResearch,242centralriskfunction,xiicreationof,34–35atHomeDepot,42–43

centralriskmanagementcommittee,284Cerberus,13,44,255–257CertegyCheckServices(CCS),241chainofcommand,174Chamberlain,Neville,onpeacewithhonor,53changeadaptationto,151aslifecyclerisk,209

Chatter,118,122–123Chesney,Thomas,251Chevron,135chiefriskofficer(CRO),278–280chiefstrategyofficer(CSO),279–280Chileanminerescue,137–138

Page 252: FUNDAMENTALS OF NTERPRISE

China,159–161ChryslerCorporation,13,25–29,197–198,255–257Churchill,Winstononfoolsbeingright,57onneversurrendering,255

Cisco,91claimsadministration,118C-levelriskmanagers,276–277Clinton,Bill,191Clinton,Hillary,onrespondingtowhathappens,285cloudusage(Riskonnect),99–100coachingstyle(situationalleadership),195collaboration,77,249–254andaccuracy,250–251inacquisitions,250definitionof,249atGoldCorp,253–254inISO31000,84andswarmtheory,251–253

collateralizeddebtobligations(CDOs),60commitment,andleadershiprisk,196–198CommitteeofSponsoringOrganizations(COSO),69,266communication,developmentsin,156–157communicationskills,ofleaders,194Comparefunction,124compensation,ofriskmanagers,277competence,andleadershiprisk,196–198competentriskmanagers,riskmanagersas,276complexity,leadersand,194computers,158,159,216–218computerviruses,229condenser,155confidence,excess,78conflictofinterest,165Confucius,onfocusingondifficultytobeovercome,205constituencies,ofleaders,194contingentloss,asinsurablerisk,6contractualcommitments,26–27contribution(s)ofERM,30–44aligningriskaccountabilityas,32–34assigningriskownersas,31–32

Page 253: FUNDAMENTALS OF NTERPRISE

creatingcentralriskfunctionas,34–35employingstandardriskevaluationprocessas,38–39installingHTEPas,35–36involvingtheboardofdirectorsas,36–38recognizingupsideofriskas,30–31usedbyHomeDepot,40–44

control,180–182,185Cook,James,47coordination,andlifecyclerisk,211copyright,243Corleone,Michael,onstrategy,xiCOSO(CommitteeofSponsoringOrganizations),69COSOEnterpriseRiskManagement—IntegratedFramework,69–71,266–267componentsof,70–71definitionsin,71structureof,70

costsinautoindustry,25–27andcyberrisk(cyberattacks),230–233,239–240andlifecyclerisk,211–212

crackers,242creatingchange,184creditcardtheft,232creditriskdefinitionof,76managed,ininternationalexample,16

crises,inenterpriserisk,12criticalloss,11CRO(chiefriskofficer),278–280CSO(chiefstrategyofficer),279–280currencyrisk,75currencytranslation,123–124currentcustomerrelationships,inproductlaunches,141customerbehavior,inproductlaunches,141cyberattack(s)costsof,239–240andhackerlanguage,238–239Mafiaboyattackas,238

cyberrisk,264costsof,230–233examplesof,228

Page 254: FUNDAMENTALS OF NTERPRISE

malicioussoftwareas,229–230WikiLeaksasexampleof,240–241

cyberriskinsurance,234–237cyberriskmanagement,227–248andAnonymousonlinecommunity,243–248andincidentresponseplan,237–238andinsurance,234–237questionsfor,233–234

DaimlerA.G.,13DaimlerBenz,197–198DaimlerChrysler,197–198,256Dangerfield,Rodney,onhisparents,139databackup,99inriskmapping,88–89securityof,inRiskonnect,100dataresources,124

“deadhorse”behavior,212–213Deal,Nathan,45debtrisk,75Decidefunction,124decisionmaking,185ERMandimproved,77,114andleadership,198–199riskmanagementin,76,84withRiskonnect,98–99

decline(life-cyclestage),206–209,212atApple,221atIBM,218atMicrosoft,221

DeepwaterHorizondisaster,134–136definiteloss,5definitionsofERM,267,271delegatingstyle(situationalleadership),196deliverycapability,asproductriskinproductlaunches,142DellComputer,136–137derivatives,35,258–259design,153DesignerShoeWarehouse(DSW),233designfeatures,ofrisktechnology,101–102

Page 255: FUNDAMENTALS OF NTERPRISE

details,avoidingtechnical,114development,153developmentlevels,196–197Dimon,Jamie,258directingstyle(situationalleadership),195disabilityclaims,124–125disasters,inenterpriserisk,12DishNetwork,52distortion,54diversiondecisions,HTEPappliedto,132–134Dodd–FrankAct,65–68dot-comfrenzy,58DowJonesIndustrialAverage,264downpaymentassistance(DPA)mortgages,61drive-bydownloads,229Drucker,Peter,151TheDrunkard’sWalk(Mlodinow),55Druyun,Darleen,165DSW(DesignerShoeWarehouse),233dynamo,155

EADS,127,131earthquakenotification,116–117economy,physicalvs.shadow,152education,ofriskmanagers,277effectiveness,180–182,185Egypt,160,245–246Einstein,Albert,oncomprehensibilityoftheworld,87electricitygeneration,106electronicspreadsheets,seespreadsheetselevator,155emergencies,11,129emergencyresponseteams,118emergingnations,159–160Emerson,RalphWaldo,onbeingcheated,266employeemisconduct,165EncyclopediaBrittanica,250encyclopedias,250energy,asstrategicrisk,160–161energytraders,felonsand,181–182enterpriserisk,10–12

Page 256: FUNDAMENTALS OF NTERPRISE

enterpriseriskmanagement(ERM),18–29andautoindustrybailouts,25–29asbusinessprocess,114asdecision-makingsupport,114definitionof,19–20evolutionof,266–274andlifecyclerisk,210–214needfor,20–24politicsof,213–214riskvs.uncertaintyin,18–19

environmentalrisks,265Ericsson,72,73Erisk.com,71ERM,seeenterpriseriskmanagementethicsandbureaucraticstructure,173ERMand,21

EuropeanUnion,161evolutionofERM,266–274andblackswans,269–270fourproblemsfacing,267–269andfutureofERM,272–273andlong-termcapitalmanagement,270–271andspeedofimplementation,271–272

Ewing,Lance,275,281–282excessconfidence,recognizing,78execution,andstrategicrisk,74,151expandingtheview,withproductlaunches,143,144experts,54expropriationrisk,15–16extremeimpact,ascharacteristicofblackswans,47‘‘Extremistan,’’48–50

facts,asdecision-makingfactor,198,199factualinformation,overvaluationof,54faxmachine,167–170FederalAviationAdministration(FAA),166FederalBureauofInvestigation(FBI),228,247FedEx,strategicriskmanagementat,149–150feelings,asdecision-makingfactor,198,199felons,energytradersand,181–182

Page 257: FUNDAMENTALS OF NTERPRISE

FIAT,29,257fiduciaryresponsibility,ERMand,21Fields,W.C.oncheating,61onworldasadangerousplace,45onworryingaboutyourheart,126

financial‘‘bubbles,’’47financialchiefriskofficer,278–280financialclusters,90financialcrisisof2008,57–68,160,258aftermathof,63–64andDodd–FrankAct,65–68exposuresleadingto,61–62historyof,58–61asparallelwithGreatDepression,64–65andspeculativefrenzies,57–58warningsignsfor,62–63

financialERM,272–273financialinstitutions,272financialloss,228,231financialriskandriskmanagement,13–14forutilitycompanies,106–107forWebvanandAmazon.com,14

financialriskmanagement,73,75–76FinancialStabilityOversightCouncil,66,68Flame/Skywiper,229–230flightscheduling,IBMsolutionfor,219–220Florida,hurricanedamagein,3–4FloridaStateInsuranceDepartment,3Fokker,197Forbes,51Ford,Henry,31FordMotorCompany,136,172,210andautoindustrybailouts,25–29riskaccountabilityat,33–34

Fortune,41Franklin,Benjamin,155onlikelihoodofbeingattacked,126onreadingtheobituarypage,69

frequency,ofrisk,8–10,23

Page 258: FUNDAMENTALS OF NTERPRISE

Frost,Robert,onjuries,275function,asapproachtoERM,72

Gandhi,Mahatma,onhavingcontroloverthesenses,215Gates,Bill,196,219–221GECapital,278GeneralMotors(GM)andautoindustrybailouts,25–29inventorymanagementat,19–20lifecycleriskat,209–210

Geohot,244–245Gerstner,Lou,218–219GESExpositionServices,282Gladwell,Malcolm,onerrorscausingplanecrashes,113globalization,115–116GM,seeGeneralMotorsgoalsinbureaucracyculture,177ofleaders,193lifecycle,206–207andlifecyclerisk,211andstrategicrisk,74,151

GodsofManagement(Handy),176GoldCorp,253–254GoldCorpChallenge,254governanceinbureaucracyculture,177inindividualculture,180inspider’swebculture,178inteamculture,179

governmenthackingby,243responseof,toGreatDepression,65responsibilityof,infinancialcrisisof2008,63–64

governmenteconomicdata,152GreatDepression,64–65Gretzky,Wayne,ontakingshots,149growthatApple,221aslifecyclerisk,208–209

Page 259: FUNDAMENTALS OF NTERPRISE

aslifecyclestage,205–209,211–212atMicrosoft,219–220

Gutenberg,Johannes,157–158

hackerlanguage,238–239hackers,242–243hactivism,244Handy,Charles,175–176,183,254Hardball(Stalk),40Harrah’sEntertainment,281–282HartfordSteamBoiler,262TheHartfordSteamBoilerInspectionandInsuranceCompany(HSB),6HarvardBusinessReview,43–44,139Hastings,Reed,onNetflixfounding,51hazardERM,272hazardrisk,264leisuretimeandincreasein,31andriskmanagement,5

hazardriskmanagement,73–74heatmapsinNYUHTEP,115asrisktechnology,104,105

hedgingrisk,76Hersey,Paul,195hierarchyrisk,seesubcultureriskhigh-performanceleadership,202–204highschool,subcultureriskin,186–191high-techelectronicplatforms(HTEPs),xiiatHomeDepot,43inimplementationofERM,81installationof,35–36linksin,116asrisktechnology,97–98seealsoHTEPapplication(s)

historicaldatadeclineof,263–264limitationsof,4

Hitler,Adolf,47,53Holz,George,244–245HomeDepot,40–44Honda,inventorydifferentiationat,20

Page 260: FUNDAMENTALS OF NTERPRISE

honesthackers,242honeypot,239HongKong,247HotelEuropa,15housingconstruction,andrealestatemarket,62HTEPapplication(s),126–138AirbusA380jumbojetas,126–133BPOilexplosionas,134–136Chileanminerescueas,137–138diversiondecisionsas,132–134supplychainsas,136–137tropicalstormdisruptionsas,134

HTEPs,seehigh-techelectronicplatformshub-and-spokemodel(airlines),162–163HurricaneAndrew,3–4,263–264HurricaneKatrina,265HurricaneRita,282

IBM,158declineof,218peakof,215–218resurgenceof,218–219

IBM360computer,216–217ideas,andperceivedlevelofrisk,54IFRIMA(InternationalFederationofRiskandInsuranceManagementAssociations),283IKEA,leadershipriskmanagementat,201–204Iksil,Bruno,258–259illusionofunderstanding,54I.M.Ericsson,72–73imagination,andperceivedlevelofrisk,54implementationofERM,69–84approachesto,72–73areasaffectedby,73–76benefitsof,77withCOSOframework,69–71andexpandingscopeofERM,76–77HTEPin,81increasingeffectivenessof,77–78withISO31000framework,82–84leadershipriskin,78premisesof,78–80

Page 261: FUNDAMENTALS OF NTERPRISE

procedureof,80risktechnologyand,104–111speedof,271–272strategiesin,76

incentivesatbloodbanks,60–61forsupportingERM,79

incidentresponseplan(cyberriskmanagement),237–238incidentresponsesystems,119–121incidents,inenterpriserisk,11India,159–160individualculture,179–180individualsinbureaucracyculture,177inindividualculture,180inspider’swebculture,178inteamculture,179

Indonesia,160IndustrialAge,154,155,176informationinHTEPs,97multilanguage/multicurrency,123–124overvaluationof,54sharing,84,100,114,174onspreadsheets,95sufficient,78

informationloss,ascyberrisk,228informationtechnologyrisk,76insurableriskasfinancialrisk,76andriskmanagement,5–6intraditionalriskmanagement,7

insurancecyberrisk,234–237earthquake,116–117andhurricanes,3–4modernriskmanagementand,262–263atSouthwestAirlines,118

integratedcircuits,159Intel,222intellectualpropertyrisks,withproductlaunches,143

Page 262: FUNDAMENTALS OF NTERPRISE

interactionamongrisks,77interest-onlymortgages,59,61–62interestraterisk,76interestrates,dropin,62internalauditasoperationalrisk,74intraditionalriskmanagement,7

internalcontrolasoperationalrisk,74intraditionalriskmanagement,7

InternationalFederationofRiskandInsuranceManagementAssociations(IFRIMA),283Internet,157,196andArabSpring,245–246packagetrackingvia,149–150

InternetExplorer,196interpersonalrelations,andbureaucraticstructure,174investmentrisk,75iPad,115Iran,229,230IrrationalExuberance(Shiller),47ISO31000framework,82–84

Jackson,Michael,28Japan,265JetBlueAirways,22–24,252jetplane,157Jobs,Steve,221–223jocks,186–187JohnF.KennedyAirport,252Jones,JohnPaul,ontakingrisks,69Joplin,Janis,onmakingit,205Jordan,Michael,onfailure,192JPMorganChase,258–259

King,MartinLuther,Jr.,ondevelopingaworldperspective,171knowledgeandbureaucraticstructure,173developmentsin,158–159pursuitof,152–153andstrategicrisk,151–153,157–159andtechnology,160

knowledgeeconomy,151

Page 263: FUNDAMENTALS OF NTERPRISE

knowledgeofthemarket,inproductlaunches,141knownsilentevidence,55Kobayashi,Sayaka,199–200Kozlowski,L.Dennis,280KPMG,71

Lacey,Kevin,135–136Lam,James,278leaders,184inbureaucracyculture,176inindividualculture,179–180managersvs.,193–194inspider’swebculture,177–178inteamculture,178

leadershipanddecisionmaking,198–199definitionof,193high-performance,202–204situational,195–196strategic,195

leadershiprisk,192–204asbehavioralrisk,192–194andcompetence/commitment,196–198IKEA’smanagementof,201–204inimplementationofERM,78Toyota’smanagementof,199–201

learning,185LeeKunHee,153legalhazard,7LehmanBrothers,68,259–261lendingcapital,andfinancialcrisisof2008,59–61Lenovo,91,218LensCrafters,170Levitt,Stevenonincentives,60–61onself-interest,59

liability(-ies)inHTEPs,97andmodernriskmanagement,263

Liebowitz,Michael,onRiskonnectHTEPatNYU,113–115lifecycle

Page 264: FUNDAMENTALS OF NTERPRISE

goalsin,206–207organizational,205–206tacticalfocusin,207

lifecyclerisk,205–214changeas,209andERM,210–214atGeneralMotorsandToyota,209–210growthas,208–209planninghorizonsformanagementof,207–208

Lincoln,Abraham,onremainingsilent,3linkages,andlifecyclerisk,211linksHTEP,116real-time,123

liquidityrisk,75LloydsofLondon,117LockheedMartin,165locomotive,155logistics,160longterm(planninghorizon),208long-termcapitalmanagement(LTCM),270–271Lotus123(software),220Lowe’s,42,43loyaltyinbureaucracyculture,177inindividualculture,180inspider’swebculture,178inteamculture,179

LTCM(long-termcapitalmanagement),270–271

Mafiaboyattack,238majorlosses,11malicioussoftware,229–230malware,229,231,239managementinautoindustry,26–28inbureaucracyculture,177definitionof,193inindividualculture,180riskmanagementas,114inspider’swebculture,178

Page 265: FUNDAMENTALS OF NTERPRISE

inteamculture,179managers,leadersvs.,193–194Mandel,Chris,280–281Mandela,Nelson,onrisingwhenwefall,18Manning,Bradley,241marketrisks,withproductlaunches,139–141MarshandMcLennan,71Marx,Groucho,onsecretoflife,69Massey-Furguson,262MatsushitaGroup,282–283McDonnellDouglas,165McEwen,Rob,253–254McNerney,James,166‘‘Mediocristan,’’48–50mediumterm(planninghorizon),208Megaupload,247Meltzer,Susan,283MerrillLynch,63,68Mexico,136Miami,Florida,4MicrosoftandApple,222declineof,221growthof,219–220leadershipat,196peakof,220–221

MicrosoftAccess,221MicrosoftExcel,220MicrosoftPowerPoint,220MicrosoftWindows,229–230MicrosoftWord,220MiddleEast,160military-stylemanagementmodel,40minorlosses,11missionstatement,175Mlodinow,Leonard,onsilentevidence,55mobiledevices,asrisktechnology,115–116modernriskmanagement,262–265captivesin,263cyberriskin,264environmentalrisksin,265

Page 266: FUNDAMENTALS OF NTERPRISE

hazardriskin,264andhistoricaldata,263–264insurancevs.,262–263liabilityin,263andoutlawenvironments,265performanceriskin,264warriskin,264

modernriskmanager(s),275–284PaulBuckleyas,280andcentralriskmanagementcommittee,284characteristicsof,277chiefriskofficeras,278–280chiefstrategyofficeras,279–280LanceEwingas,281–282levelsof,276–277ChrisMandelas,280–281SusanMeltzeras,283GeorgeNiwaas,282–283responsibilitiesof,277–278rolesof,275–276

monetarydecline,asinsurablerisk,5Moody’s,21,22moralhazard,7Morrell,Bob,85–86Morse,SamuelF.B.,156mortgagecrisis,seefinancialcrisisof2008mortgagerisk,76movabletype,157–158Mulally,Alan,27,29,172multicurrencyinformation,123–124multilanguageinformation,123MultiMate,220Munger,Charlie,35

Nabisco,218Nardelli,Robert,255–257asChryslerCEO,27asHomeDepotCEO,40

Nasdaq,58NationalAllianceforInsuranceEducationandResearch,281NationalGeographic,251,253

Page 267: FUNDAMENTALS OF NTERPRISE

NationalWeatherService,45–46NaziGermany,47nerds,187–188Netflix,51Netherlands,232Newcomen,Thomas,154,155newcompetitors,asmarketriskinproductlaunches,141TheNewYorkTimes,186NewYorkUniversityHTEP,113–115Nissan,20Niwa,George,282–283Nokia,72,73nonfinancialchiefriskofficer,279,280nonlegacytechnology,employmentof,77nuclearenergy,106

Obama,Barack,191objectivesdashboard,103–104OccupationalSafetyandHealthAdministration(OSHA),135oilconsumption,160–161oilspillexample,8Okeechobeehurricane(1928),4Olsen,Ken,onhavingacomputerinthehome,149,219OPEC,161operationalloss,ascyberrisk,228operationalriskandriskmanagement,12forWebvanandAmazon.com,14

operationalriskmanagement,73–74OperationHighRoller,232opinions,asdecision-makingfactor,198,199opportunities,strategicriskand,159–160OrderlyLiquidationAuthority,67organizationalculture,172organizationallifecycle,78,205–206organizationalsilos,113organizationalstructureandstrategicrisk,151asstrategicrisk,75

OSHA(OccupationalSafetyandHealthAdministration),135Otaka,Hideaki,199–200

Page 268: FUNDAMENTALS OF NTERPRISE

Otis,Elisha,155outlawenvironments,265outlierrisk,ascharacteristicofblackswans,46overvaluationoffactualinformation,54

packagetracking(FedEx),149–150Pakistan,160palladium,incatalyticconverters,33–34Parsons,Nancy,181–182passengers,inAirbusA380study,129patents,inproductlaunches,143peacetimeenvironments,wartimevs.,78peak(life-cyclestage),205–209,212atIBM,215–218atMicrosoft,220–221

PeatMarwick,278performancerisk,78,264personalcomputers,159,218personaldebt,62personalidentification,184personallinkage,andperceivedlevelofrisk,54personalscandal,165PetiteSophisticate,170pheromones,252,253PhillipsN.V.,72–73physicaleconomy,152physicalriskascyberrisk,228managementof,ininternationalexample,16–17intraditionalriskmanagement,7

planning,andlifecyclerisk,211planninghorizons,207–208platforms,Riskonnect,99–100pocketcomputing,159point-to-pointmodel(airlines),162policiesandprocedures,174politicsofERM,213–214popularpeople(subculture),188–189possibility,andperceivedlevelofrisk,54Power8program,127–129,252powersurges,231

Page 269: FUNDAMENTALS OF NTERPRISE

PRIMA(ProfessionalRiskManagers’InternationalAssociation),270printingpress,157–158priorities,andlifecyclerisk,210,212problemsolvingasstepinstrategicriskmanagement,150asstrategicrisk,74

process,asapproachtoERM,72productdevelopment,141productlaunches,139–145capitalriskswith,142expandingtheviewwith,143,144intellectualpropertyriskswith,143marketriskswith,139–141productriskswith,141–142riskprofilefor,143,144

ProfessionalRiskManagers’InternationalAssociation(PRIMA),270punchcardmachine,158pureresearch,152–153Putin,Vladimir,onmiracles,285

qualitystandards,productlaunchesand,142

radio,156railroads,155,156,157ratingagencies,and2008financialcrisis,64Reagan,Ronald,191‘‘TheRealEnronRisk’’(Parsons),181–182realestatemarketexposuresin,61–63riseof,58–61

real-timelinks,101–102,123regulatorycomplianceFrank–DoddActandstreamliningof,66forlendingcapital,60asoperationalrisk,74intraditionalriskmanagement,7forutilitycompanies,106

researchapplied,153pure,152–153

TheResilientEnterprise(Sheffi),72resources,andstrategicrisk,75,151

Page 270: FUNDAMENTALS OF NTERPRISE

responsibilitiesdivisionof,174ofmodernriskmanagers,277–278

resultsinbureaucracyculture,176inindividualculture,180inspider’swebculture,178inteamculture,179

resurgenceofApple,222–223ofIBM,218–219

revenuetarget,90rightfromwrong,knowing,173riskaccountabilityalignmentof,32–34inISO31000,84withriskclusters,87

RiskandInsuranceManagementSociety(RIMS),70,262,267,277,281riskcategories,267–268,271riskclusters,87–94hierarchyofsubrisksfor,90–93onHTEPs,35interactionsin,93,94riskmappingfor,88–89structureof,87–88usingspreadsheetsvs.,89,90

riskdashboards,102–104riskdata,101riskexperts,52–54riskidentificationinRiskonnect,98instandardriskevaluationprocess,38asstepinstrategicriskmanagement,150andstrategicrisk,74,75,151

Risk&Insurancemagazine,267riskmanagement,3–17anddefinitionsofrisk,4–5effectofHurricaneAndrewon,3–4andenterpriserisk,10–12andfinancialrisk,13–14andhazardrisk,5

Page 271: FUNDAMENTALS OF NTERPRISE

andinsurablerisk,5–6ininternationalexample,15–17asmanagement,114andoperationalrisk,12principlesof,forISO31000,83assciencevs.art,52andseverity/frequencyofrisk,8–10andstrategicrisk,12–13traditionalmethodsof,6–8

RiskManagementAssessment(RMA),21,22riskmanagementinformationsystem(RMIS),97–98RiskManagementmagazine,282riskmanagers,modern,seemodernriskmanager(s)riskmapping,88–89Riskonnectdevelopmentof,85–86andrisktechnology,98–100atSouthwestAirlines,118–119

riskownerdashboard,104riskowners,xiiassignmentof,31–32,38inbusinessmodel,33dashboardsfor,104atJetBlue,24lackof,atHomeDepot,41atNYUHTEP,114andriskclusters,87–88instandardriskevaluationprocess,38

riskprofiles,143,144risk(s)acceptanceof,82–83identificationof,instandardriskevaluationprocess,38interactionamong,77perceivedlevelsof,54recognizinginteractionamong,77severity/frequencyof,8–10uncertaintyvs.,inERM,18–19

riskscores(Riskonnect),103riskspecialists,riskmanagersas,276risktechnology,95–125Chatteras,122–123

Page 272: FUNDAMENTALS OF NTERPRISE

dataresourcesfor,124designfeaturesof,101–102forearthquakenotification,116–117inERMimplementation,104–111futuregrowthof,108,110–111andheatmaps,104,105HTEPsas,97–98,116incorporatingrelationshipsinto,102andlimitationsofspreadsheets,95–97managingdisabilityclaimswith,124formobiledevices,115–116NewYorkUniversityHTEPas,113–115real-timelinksas,123RiskconnectHTEPas,98–100andriskdashboards,102–104SouthwestAirlinesHTEPas,118–122userfeaturesof,100–101word/currencytranslationas,123–124

RMA(RiskManagementAssessment),21,22RMIS(riskmanagementinformationsystem),97–98rogueware,229Roosevelt,Eleanor,onlookingfearintheface,262rotarymotion,155rules,inbureaucracyculture,177Russia,156

SaaS(SoftwareasaService),100SaintPeter’sUniversity,252,266AirbusA380studyby,128–130HomeDepotstudyby,41–44

salesability,141Salesforce,100,118–119SallieMae,233Samsung,91,153SanDiego,California,62SanFrancisco,California,117SanJosé,Chile,minedisaster,137–138Schrempp,Jürgen,197–198scriptkiddy,242Sculley,John,221–222Searchfunction,124

Page 273: FUNDAMENTALS OF NTERPRISE

Seattle,Washington,233secondroundoffinancing,142September11,2001terroristattacks,136,264severity,risk,8–10,23shadoweconomy,152Sharefunction,124Shaw,GeorgeBernard,onalifespentmakingmistakes,95Sheffi,Yossi,72Shiller,RobertJ.,on2008financialbubble,47shortterm(planninghorizon),208significantloss,11silentevidence,55Silverstein,Larry,9–10Simspon,NicoleBrown,55Simspon,O.J.,55situationaladjustments,76situationalleadership,195–196skillsinbureaucracyculture,177inindividualculture,180inspider’swebculture,178inteamculture,179

Sklyarov,Dmitry,244software,malicious,229–230SoftwareasaService(SaaS),100Soghoian,Chris,242Sony,153SonyPlayStationattack,238,244–245Sougarret,Andre,137SouthwestAirlines,118–122speculativefrenzies,57–58spider’swebculture,177–178spreadsheetselectronic,159,220limitationsof,95–97usingriskclustersvs.,89,90

St.Petersburg,Russia,15–17stability,ERMand,21Stalk,George,40StandardandPoor’s(S&P),21standardprocedures,174

Page 274: FUNDAMENTALS OF NTERPRISE

standardriskevaluationprocessemploymentof,38–39atHomeDepot,44

start-up(life-cyclestage),205–209,211–212steamboat,157steamengine,154,155steel,155Stephenson,George,155stockmarketcollapseof1929,65Stonecipher,Harry,165storiesfailuretotellgood,268,271andperceivedlevelofrisk,54

storm alerts, 45–46
strategic decisions, 76
strategic leadership, 195
strategic players, risk managers as, 275–276
strategic risk, 149–170
  energy as, 160–161
  and the fax machine, 167–170
  historical perspective of, 153–155
  and knowledge, 151–153
  and knowledge tools, 157–159
  and risk management, 12–13
  and synergy, 155–157
  trends and opportunities involving, 159–160
  for Webvan and Amazon.com, 14

strategic risk management, 74–75, 150–151
  at Airbus, 161–167
  at Boeing, 161–167
  definition of, 73
  at FedEx, 149–150

strategy(-ies)
  as approach to ERM, 72
  and strategic risk, 74, 151

Streisand, Barbra, 247
Streisand effect, 247
Stuxnet, 229
subculture risk, 171–191
  bureaucracy as, 176–177
  and bureaucratic structure, 173–174

  cultural control/effectiveness for reduction of, 180–182
  definition of, 172–173
  and individual culture, 179–180
  understanding, 174–175

subculture(s)
  ERM incorporated into, 84
  Charles Handy on, 175–176
  at Home Depot, 42–43
  identification of, 183–185
  and spider’s web culture, 177–178
  and team culture, 178–179

subrisks (for risk clusters), 90–93
Sullivan, Chesley “Sully,” 31
Sullivan, Martin, 35–36, 53
Sullivan, William, 241
Sun-Tzu, on strategy, xi
supply chain
  HTEP applied to, 136–137
  redundancy and stability in, 160

supply chain concentration, 90–92
supply chain disruption, 90, 92
supporting style (situational leadership), 196
support system, as product risk in product launches, 142
Surowiecki, James, 253
surveillance, 243
survival, ERM and, 20
swarm theory, 251–253
synergy, and strategic risk, 155–157
systems, and strategic risk, 75, 151
system software, 99

tactical focus, life cycle, 207
Taleb, Nassim, 46–48, 52, 53
Tapscott, Don, 253
Target data breach, 232
TCPA (Telephone Consumer Protection Act), 233
team culture, 178–179
techies, 187–188
technical competency, 142
technical details, avoiding, 114
technology

  employment of, in ERM, 77
  at FedEx, 149–150
  and knowledge, 160
  nonlegacy, 77
  for utility companies, 107
  see also risk technology

telegraph, 156
telephone, 156
Telephone Consumer Protection Act (TCPA), 233
television, 157
Thailand, 136, 160
thugs (subculture), 189
Tillinghast, 71
Time Warner, 57
Towers Perrin, 21, 22
Toyota
  inventory differentiation at, 19–20
  leadership risk management at, 199–201
  life cycle risk at, 209–210

traditional risk management, 6–8
transistors, 159
transportation, developments in, 156, 157
trends, and strategic risk, 159–160
trojan horses, 229
tropical storm disruptions, 134
Trump, Donald
  on how you’re measured, 95
  on money as motivator, 249

the truth, and perceived level of risk, 54
tsunami (Japan, 2011), 265
Tunisia, 245
Twain, Mark, on lies, 45
Tyco, 280
typewriter, 158

Ukraine, 160
unauthorized access, 100
uncertainty, risk vs., in ERM, 18–19
United Auto Workers (UAW), 26, 28
United States
  oil consumption by, 161

  and Wikileaks, 240–241
United States Shoe Corporation, 167, 170
unit managers, 175
Universal Music Group, 247
University of Michigan Annual Customer Satisfaction Survey, 43
unknown silent evidence, 55
unpredictability, as characteristic of black swans, 47
upside of risk, xi–xii
  and enterprise risk, 10
  Home Depot and, 40
  and increased leisure time, 31
  in international example, 16–17
  recognition of, 30–31

U.S. Air Force, 165
U.S. Airways, 31–32
U.S. Justice Department, 247
U.S. Marine Corps, 150
U.S. Post Office, 150
USAA, 280–281
user error, 231
user features, of risk technology, 100–101
utility sector, ERM implementation at, 104–111

valuation risk, 76
value at risk (VaR), 268–271
values, 173, 194
variability, 10
Viniar, David, 270
viruses, computer, 229
vision, 194
Visualize function, 124

Wagoner, Rick
  on bankruptcy, 28
  as General Motors CEO, 27

The Wall Street Journal, 209
war risk, 264
wartime environments, peacetime vs., 78
watering hole, 239
Watson, Thomas, Sr., 215, 219
Watson, Thomas, Jr., 216
Watt, James, 154, 155

Webvan, 13–14
Weinstein, Boaz, 258
WikiLeaks, 240–241
Wikinomics—How Mass Collaboration Changes Everything (Tapscott and Williams), 253
Wikipedia, 250
Williams, Anthony D., 253
Williams, Robin
  on fighting with ugly people, 57
  on rush hour, 171

Winfrey, Oprah
  on luck, 192
  on the new year, 30

winter storm warnings, 45
winter storm watches, 45
winter weather advisories, 46
The Wisdom of Crowds (Surowiecki), 253
WordPerfect, 220
word processing, 220
WordStar, 220
word translation, 123–124
work experience, of risk managers, 277
workloads, and life cycle risk, 211
World Trade Center (WTC), 9–10
wrong silent evidence, 55

Yahoo, 238

Zero Day, 239
Zuckerberg, Mark, on not taking risks, 227