Let us proceed on the basis that an enterprise is a group of legal vehicles, divisions, business units, and so forth that make up an organization. I like the term "organization,” because it seems to carry less connotation about the nature of the organization than, say, "company” or "business.” In my view, "organization” carries no connotation of size, operation, or objective; it could just as easily be a local symphony orchestra as it could be the U.S. Federal Reserve or Barclays PLC. So an "enterprise” is an organization.

Here we need to move away from the dictionary definition (with all due respect) and consider a more professional, as opposed to casual, definition. What we are really talking about is variability; that is, risk is anything that produces a distribution of various outcomes of various probabilities. From here on think of "risk” as meaning "uncertainty,” and imagine that we can represent that uncertainty as a distribution of possible outcomes of varying probabilities. I know we cannot always do that with a great deal of certainty or ease, and I am not suggesting we need to be able to. I am hoping that each time you read the word "risk” you will visualize a distribution of outcomes and associated probabilities. It might look like a typical normal (bell-shaped) distribution, or it might not; it does not matter.

In addition to defining risk, we need to consider those things that go hand in hand with risk. The SOAR (Strategic Objectives At Risk) methodology views risk in this context: Risk thrives on risk drivers or causes and manifests itself in events that have consequences (or outcomes). Let me repeat as this is an absolutely vital element to our definition of risk: Risk manifests itself in events that have consequences. Once you recognize that you are faced with a particular risk, you have to accept the fact that an event can happen and that it will have consequences. The SOAR methodology defines a process that (1) enables you to determine whether to take the risk and (2) prepares you for the consequence of an event. The other element in the risk universe is risk mitigation, or controls. The risk universe can be viewed in Exhibit 1.1.

In the exhibit, you can see what you often hear—for example, you might hear someone talk about:

From an organizational point of view:

I do not want to focus on the definition of risk, but I feel it necessary to comment on the definition of "risk” offered by Deloitte in "The Risk Intelligent Enterprise”:

Despite the fact that the definition recognizes only losses and adverse effects, Deloitte then goes on to say:

I ask you this: Why would anyone who accepts the Deloitte definition of "risk” be prepared for upside? Consider also this definition: "The key is not to predict the future, but to be prepared for it.”² The author, Pericles, fails to address the obvious question: "Prepare for what?”

It is sometimes difficult to articulate certain risks. The best way to get around this problem is to use the type of language employed in the examples given earlier. Let us say you are building a tunnel for a road under an existing structure (e.g., a city), and someone asks you to identify the risks you face. Do you say something like "tunneling risk”? Or "inaccurate measurement risk”? These are not very helpful responses. A more meaningful answer might be something like: "We might do something wrong that causes the tunnel to collapse and the stuff on top falls in, destroying buildings and killing people.” Without really giving any definition of or name to the "risk,” you have clearly articulated a driver (do something wrong), a possible event (collapse of the tunnel), and a couple of outcomes: Buildings collapse and people die. The truth is, it does not really matter what you call the risk, or even whether you can clearly articulate it. However, it is absolutely essential that you are able very clearly to define those things around the risk: the drivers, the controls, the possible events, and the possible outcomes.

Let us work backward through the risk paradigm starting with one of our strategic objectives as the desired outcome. In this case, the outcome we seek (or objective we aim to achieve) is to be recognized as the country’s best employer. Let us imagine that our distribution of possible outcomes includes us being rated as the worst, the best, or something in between. For ease, we will limit the outcomes to best, good, middle of the pack, poor, and worst. Our role, as enterprise risk management officers, is to manage a process that will provide the people responsible for the outcome (s) the best chance of achieving their desired outcome(s). The focus of that process must be on those elements that can influence the outcomes. From Exhibit 1.1, we can see that the elements that influence outcomes are (working backward from right to left):

In truth, I have included "risks” in my view of the risk universe only because I thought everyone would expect to see it there and that great numbers of readers would rebel if I did not include it. For the application of the SOAR process, I advocate that risks be stated as in the previous example (i.e., the one about increasing total revenues), for three reasons:

In the presence of risk drivers, the distribution of possible outcomes might look something like Exhibit 1.3.

Without any form of analysis whatsoever, let us assume that the greater the number of risk drivers, the greater the number of possible outcomes and that increasing the number of risk drivers flattens and broadens the distribution. This (assumed) effect can be seen in Exhibit 1.4.

The fact is, of course, that our assumption is not always true. It will not always be the case that more risk drivers leads to a flattening and broadening of the distribution of possible outcomes. Furthermore, a single driver of risk A may produce a different distribution of possible outcomes than a single driver of risk B; the driver of risk A may produce something like the tall, thin distribution in Exhibit 1.4 while the driver of risk B may produce the shorter, wider distribution. Which would you rather face?

Similar to the difference between distributions of outcomes influenced by few risk drivers and those influenced by many risk drivers, distributions influenced by controls should be taller and narrower than distributions not influenced by controls. That is really the primary responsibility of the enterprise risk management office—to raise and narrow the distribution (of possible outcomes) around the desired outcome. The identification and application of controls is the most critical element of the SOAR process and the main reason for the enterprise risk management office to exist. Controls do not always soften the blow; often they are designed to avoid the hit altogether. In language more suitable to the context, controls are measures that are put in place to reduce the probability or severity of an adverse outcome. It is unusual for a control to be designed to reduce both frequency and severity. The brakes on a car are a good example of a control that reduces both frequency and severity. If you did not have brakes, you can be pretty sure you would crash more frequently than if you did have brakes. If you had an accident without braking, you can be pretty sure the damage would be worse than if you had braked. An airbag, however, can reduce the severity, but it is not intended to address the likelihood of an accident. A quick word of caution on the use of controls: Be careful they do not incite recklessness. To continue the car theme a moment, have you ever been in a car when the driver has said something like "strap in” as he accelerates? The implication is that the driver thinks he can take more risk if the control is in place. In the context of application of the SOAR process, there is probably little to...