CHAPTER 1
Enterprise Risk Management Case Studies
An Introduction and Overview
JOHN R.S. FRASER
Senior Vice President, Internal Audit, and former Chief Risk Officer, Hydro One Networks Inc.
BETTY J. SIMKINS
Williams Companies Chair of Business and Professor of Finance, Oklahoma State University
KRISTINA NARVAEZ
President and Owner of ERM Strategies, LLC
THE EVOLUTION OF ENTERPRISE RISK MANAGEMENT
Over the past two decades enterprise risk management (ERM) has evolved from concepts and visions of how risks should be addressed to a methodology that is becoming entrenched in modern management and is now increasingly expected by those in oversight roles (e.g., governing bodies and regulators). As Felix Kloman describes in his chapter "A Brief History of Risk Management," published in Fraser and Simkins (2010), many of the concepts go back a very long time and many of the so-called newly discovered techniques can be referenced to the earlier writings and practices described by Kloman. However, it is only from around the mid-1990s that the concept of giving a name to managing risks in a holistic way across the many operating silos of an enterprise started to take hold. In the 1990s, terms such as integrated risk management and enterprise-wide risk management were also used. Many thought leaders, for example, those who created ISO 31000,2 believe that the term risk management is all that is needed to describe good risk management; however, many others believe that the latter term is often used to describe risk management at the lower levels of the organization and does not necessarily capture the concepts of enterprise-level approaches to risk. As a result, the term ERM is used throughout this book.
As ERM continues to evolve there is still much discussion and confusion over exactly what it is and how it should be achieved. It is important to realize that it is still evolving and may take many more years before it is fully codified and practiced in a consistent way. In fact, there is a grave danger now of believing that there is only one way of doing ERM. This is probably a mistake by regulators who have too eagerly seized some of these concepts and are trying to impose them when the methods are not fully understood, and in some cases the requirements are unlikely to produce the desired results. As Fraser and Simkins (2010) noted in their first book on ERM: "While regulatory interest can force ERM into companies, if not done well, it can become another box-ticking exercise that adds little value."3
The leading and most commonly agreed4 guideline to holistic risk management is ISO 31000. However, it should be mentioned that in the United States the COSO 2004 Enterprise Risk Management—Integrated Framework has been the dominant framework used to date. Many organizations are currently adopting one or the other of these frameworks and then customizing them to their own context.
WHY THE NEED FOR A BOOK WITH ERM CASE STUDIES?
Following the success of the earlier Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives by Fraser and Simkins (2010), we found through our own teaching experiences, and by talking to others, that there was an urgent need for a university-level textbook of ERM case studies to help educate executives, risk practitioners, academics, and students alike about the evolving methodology. As a result, Fraser and Simkins, together with Kristina Narvaez, approached many of the leading ERM specialists to write case studies for this book.
Surveys have also shown that there is a dire need for more case studies on ERM (see Fraser, Schoening-Thiessen, and Simkins 2008). Additionally, surveys of risk executives report that business risk is increasing due to new technologies, faster rate of change, increases in regulatory risk, and more (PWC 2014). As Paul Walker of St. John's University points out in the opening quote of the 2014 American Productivity & Quality Center (APQC) report on ERM, "Most executives with MBA degrees were not taught ERM. In fact, there are only a few universities that teach ERM. So some business school graduates are strong in finance, marketing, and management theory, but they are limited in terms of critical thinking, business acumen, and risk analysis skills." Learning Centered Teaching (LCT), as discussed in Chapter 2, is an ideal way to achieve this. Using LCT and the case study approach, students actively participate in the learning process through constructive reflective reasoning, critical thinking and analysis, and discussion of key issues. This is the first book to provide such a broad coverage of case studies on ERM.
The case studies that follow are from some of the leading academics and practitioners of enterprise risk management. While many of the cases are about real-life situations, there are also those that, while based on real-life experiences, have had names changed to maintain confidentiality or are composites of several situations. We are deeply indebted to the authors and to the organizations that agreed so kindly to share their stories to help benefit future generations of ERM practitioners. In addition, we have added several chapters where we feel the fundamentals of these specialized techniques (e.g., VaR) deserve to be understood by ERM students and practitioners. Each case study provides opportunities for executives, risk practitioners, and students to explore what went well, what could have been done differently, and what lessons are to be learned.
Teachers of ERM will find a wealth of material to use in demonstrating ERM principles to students. These can be used for term papers or class discussions, and the approaches can be contrasted to emphasize different contexts that may require customized approaches. This book introduces the reader to a wide range of concepts and techniques for managing risks in a holistic way, by correctly identifying risks and prioritizing the appropriate responses. It offers a broad overview of the various types of ERM techniques, the role of the board of directors, risk tolerances, profiles, workshops, and allocation of resources, while focusing on the principles that determine business success.
Practitioners interested in implementing ERM, enhancing their knowledge on the subject, or wishing to mature their ERM program will find this book an absolute must-have resource. Case studies are one of the best ways to learn more on this topic.
This book is a companion to Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives (Fraser and Simkins 2010). Together, these two books can create a curriculum of study for business students and risk practitioners who desire to have a better understanding of the world of enterprise risk management and where it is heading in the future. Boards and senior leadership teams in progressive organizations are now engaging in building ERM into their scenario-planning and decision-making processes. These forward-looking organizations are also integrating ERM into the business-planning process with resource allocation and investment decisions. At the business unit level, ERM is being used to measure the performance of risk-taking activities of employees.
As these case studies demonstrate, ERM is a continuous improvement process and takes time to evolve. As can be gleaned from these case studies, most firms that have taken the ERM journey started with a basic ERM language, risk identification, and risk-assessment process and then moved down the road to broaden their programs to include risk treatments, monitoring, and reporting processes. The ultimate goal of ERM is to have it embedded into the risk culture of the organization and drive the decision-making process to make more sound business decisions.
SUMMARY OF THE BOOK CHAPTERS
As mentioned earlier, the purpose of this book is to provide case studies on ERM in order to educate executives, risk practitioners, academics, and students alike about this evolving methodology. To achieve this goal, the book is organized into the following sections:
- Part I: Overview and Insights for Teaching ERM
- Part II: ERM Implementation at Leading Organizations
- Part III: Linking ERM to Strategy and Strategic Risk Management
- Part IV: Specialized Aspects of Risk Management
- Part V: Mini-Cases on ERM and Risk
- Part VI: Other Case Studies
Brief descriptions of the contributors and the chapters are provided next.
PART I: OVERVIEW AND INSIGHTS FOR TEACHING ERM
The first two chapters provide an overview of ERM and guidance on ERM education. As we have pointed out, education on ERM is crucial and more universities need to offer courses in this area. Our conversations with many ERM educators and consultants highlight how extremely challenging it is to achieve excellence in ERM education.
Chapter 2, "An Innovative Method to Teaching Enterprise Risk Management: A Learner-Centered Teaching Approach," offers insights and suggestions on teaching ERM. This chapter covers the concept of flipping the classroom with learner-centered teaching (LCT), distinguishes it from traditional lectures, and describes how it can be used in teaching ERM. The LCT approach emphasizes active student participation and collaboration on in-class activities such as case studies versus the traditional lecture approach. This chapter provides several examples as to how LCT can be applied in teaching ERM, utilizing Fraser and Simkins' (2010) book. David R. Lange and Betty J. Simkins, both experienced ERM educators, team together to write this chapter. David Lange, DBA, is an Auburn University Montgomery (AUM) Distinguished Research and Teaching Professor of Finance. He has received many prestigious awards for both research and teaching from the University and from several academic associations. He has taught many courses in the area of risk management and has consulted in a significant number of individual and class insurance-related cases in both state and federal court. Betty Simkins, PhD, the Williams Companies Chair of Business and Professor of Finance at Oklahoma State University, is coeditor of this book.
PART II: ERM IMPLEMENTATION AT LEADING ORGANIZATIONS
Part II is a collection of ERM case studies that give examples of how ERM was developed and applied in major organizations around the world. Note that there is no perfect ERM case study and the objective is for readers to assess what they believe was successful or not so successful about these ERM programs.
The first case study in this book describes ERM at Mars, Inc. Larry Warner, who is the former corporate risk manager at Mars, Inc. and now is president of Warner Risk Group, describes the ERM program at the company in Chapter 3. Mars is a global food company and one of the largest privately held corporations in the United States. It has more than 72,000 associates and annual net sales in excess of $33 billion across six business segments—Petcare, Chocolate, Wrigley, Food, Drinks, and Symbioscience. Its brands include Pedigree, Royal Canin, M&M's, Snickers, Extra, Skittles, Uncle Ben's, and Flavia. With such complex business operations, Mars recognized the importance of providing its managers with a tool to knowledgeably and comfortably take risk in order to achieve its long-term goals. Mars business units use its award-winning process to test their annual operating plan and thereby increase the probability of achieving these objectives.
The case study in Chapter 4 entitled "Value and Risk: ERM in Statoil" was written by Alf Alviniussen, who is the former Group Treasurer and Senior Vice President of Norsk Hydro ASA, Oslo, Norway, and Håkan Jankensgård who holds a PhD in risk management from Lund University, Sweden. Håkan is also a former risk manager of Norsk Hydro. In this case study, the authors discuss ERM at Statoil, one of the top oil and gas companies in the world, located in Norway. In Statoil, understanding and managing risk is today considered a core value of the company, which is written into the corporate directives and widely communicated to employees. ERM is thoroughly embedded in the organization's work processes, and its risk committee has managed the transition from a "silo"-mentality to promoting Statoil's best interests in areas where risk needs to be considered.
Chapter 5, called "ERM in Practice at University of California Health Systems," is written by their former Chief Risk Officer (CRO), Grace Crickette, who is now the Senior Vice President and Chief Risk and Compliance Officer of AAA Northern California, Nevada, and Utah. The University of California's (UC) Health System is comprised of numerous clinical operations, including five medical centers that support the clinical teaching programs for the university's medical and health science school and handle more than three million patient visits each year. ERM plays an important role at the UC Health System and assists the organization in assessing and responding to all risks (operational, clinical, business, accreditation, and regulatory) that affect the achievement of the strategic and financial objectives of the UC Health System.
The descriptive case study in Chapter 6, written by Dr. Mark Frigo from DePaul University and Hans Læssøe, the Strategic Risk Manager of the L...