Fundamentals of Enterprise Risk Management 2nd Edition by John J. Hampton Table of Contents & Intro


No senior executive will be surprised to hear that modern companies of all sizes confront risks today that were all but unimaginable a decade or two ago. Moreover, the extent of those risks has grown to nearly overwhelming proportions.

For example, cybercrime can make you liable for losses that can run into the billions. So can the errant decisions of a wayward derivatives trader. Anything from a hurricane, to a blip in currency fluctuations, to a glitch in a supplier's manufacturing process, to "chicken rustlers" somewhere along a railroad route in Russia can raise havoc with a corporate bottom line--and with a risk manager's career.

Fortunately, as risks have evolved and multiplied, so have the tools and techniques necessary to mitigate them. In this new edition of John J. Hampton's groundbreaking work on risk and its control, extensively revised and updated to account for new technologies and recent events, you'll learn about the latest high-tech techniques for identifying and managing risks before they can turn into disasters.

You'll discover:

* Why risk management by spreadsheet should be replaced with cluster mapping -- and why it matters.
* What you need to know about HTEP (High Tech Electronics Platforms) such as Riskonnect, including new discussions of heat mapping, cloud computing, and the "absolute necessity" of having an iPad handy.
* How to protect yourself against the latest in cyber risks. New and updated material on these topics includes an explanation of "hackers," "crackers," "script kiddies," and so-called "honest hackers"--their motivations, methods, and the damage they can cause.
* How to understand and identify the hidden cultural risks within your own company.

All this information is illustrated with unforgettable case histories ranging from the technological disruption that once threatened to totter IBM, to new ones about the "little white lie" that cost Daimler-Chrysler a huge investment, and the maneuverings of the "London Whale." And yes, there also really is a story about rustling refrigerated chickens in Russia.

Readable and revealing, this book can help you identify and control risks before they become the kinds of legends you'll hate to hear.

Transcript of Fundamentals of Enterprise Risk Management 2nd Edition by John J. Hampton Table of Contents & Intro

  • Excerpt from

    Fundamentals of Enterprise Risk Management

    How Top Companies Assess Risk, Manage Exposure, and Seize Opportunity

    Second Edition

    John J. Hampton

    American Management Association

    New York, Atlanta, Brussels, Chicago, Mexico City, San Francisco, Shanghai, Tokyo, Toronto, Washington, D.C.

  • CONTENTS

    Introduction

    (full table of contents)

    Part One. Essentials of Enterprise Risk Management

    1. Hazard and Enterprise Risk Management

    Hurricane Andrew. Definitions of Risk. Hazard Risk. Insurable Risk. Traditional Risk Management. Severity and Frequency. Enterprise Risk. Operational Risk. Strategic Risk. Financial Risk. Conclusion.

    Appendix 1. Russian Frozen Chicken

    2. Enterprise Risk Management

    ERM Defined. The Need for ERM. Conclusion.

    Appendix 2. GM, Ford, and the Chrysler Bailout

    3. Contributions of ERM

    Contribution 1: Recognize the Upside of Risk. Contribution 2: Assign Risk Owners. Contribution 3: Align Risk Accountability. Contribution 4: Create a Central Risk Function. Contribution 5: Install a High-Tech Electronic Platform (HTEP). AIG's View of Risk. Contribution 6: Involve the Board of Directors. Contribution 7: Employ a Standard Risk Evaluation Process. Conclusion.

    Appendix 3. Home Depot

    4. Challenge of the Black Swan

    2014 Atlanta Ice Storm. What Is a Black Swan? Blockbuster. Risk Experts. The Failure of Experts. The Perceived Level of Risk. Silent Evidence. Conclusion.

    5. The 2008 Financial Crisis

    Speculative Frenzies. History of the Crisis. Scanning for Exposures. Visible Signs of Danger. Aftermath. Parallel with the Great Depression. Dodd-Frank Act. Conclusion.

    6. Implementing ERM

    COSO Framework. COSO Structure. COSO Components. COSO Definitions. Approaches to ERM. Risk Management Areas. Strategies and Situations in Risk Management. Expanding the Scope of ERM. Benefits of ERM. Making ERM More Effective. Leadership Risk. ERM Premises. How Do We Start? High-Tech Electronic Platform (HTEP). Conclusion.

    Appendix 6. ISO 31000 Framework

    Part Two. Risk Management Technology

    7. Risk Clusters

    Cluster Risk Structure. Sophisticated Risk Mapping. Clusters Versus Spreadsheets. Hierarchy of Subrisks. Interactions. Conclusion.

    8. Risk Technology in 2008

    Rejection of Spreadsheets. High-Tech Electronic Platform (HTEP). Riskonnect HTEP. User Features. Design Features. Relationships. Risk Dashboards. Heat Map. CP&L ERM Implementation. Next Steps. Conclusion.

    9. New Technology in 2014

    New York University HTEP. Mobile Devices. HTEP Links. Earthquake Notification. Southwest Airlines HTEP. Collaboration with Chatter. Real-Time Links to the World. Word Translation and Currency Translation. Data Resources. Managing a Disability Claim. Conclusion.

    10. HTEP Applications

    Airbus A380 Jumbo Jet. HTEP Opportunity with Bananas. Tropical Storm Disruption. BP Oil Explosion. Ford Supply Chain. Dell Supply Chain. Chilean Mine Rescue. Conclusion.

    11. Product Launch Application

    Market Risk. Product Risk. Capital Risk. Intellectual Property Risk. Risk Profile. Expanding the View. Conclusion.

    Part Three. Risks Without Risk Owners

    12. Strategic Risk

    FedEx. Strategic Risk Management. Strategic Risk and Knowledge. Pursuit of Knowledge. Historical Perspective of Strategic Risk. Strategic Risk and Synergy. Strategic Risk and Tools of Knowledge. Strategic Risk and Opportunity Since 1980. Scanning Post-2014. Energy All by Itself. Boeing Versus Airbus. The Fax Machine and Strategic Risk. Conclusion.

    13. Subculture Risk

    Ford-Toyota Rowing Contest. Subculture Risk. Bureaucracy as a Structure. Understanding Subculture Risk. Charles Handy on Culture. Bureaucracy Culture. Spider's Web Culture. Team Culture. Individual Culture. Cultural Control and Effectiveness. Recognizing the Subculture. Conclusion.

    Appendix 13a. Characteristics to Identify Subcultures

    Appendix 13b. Subculture Risk in High School

    14. Leadership Risk

    Behavioral Risk. Strategic and Situational Leadership. Situational Leadership Styles. Competence and Commitment. How Leaders Decide. IKEA Best Practices. High-Performance Leadership.

    15. Life Cycle Risk

    Organizational Life Cycle. Sharing Life Cycle Information. Life Cycle Goals. Life Cycle Tactical Focus. Planning Horizons. Growth as a Risk Factor. Risks with Change. GM and Toyota Life Cycle Risk. ERM Implementation and Life Cycles. Funding for ERM. Priority for ERM. Politics of ERM. Conclusion.

    16. IBM, Microsoft, and Apple

    IBM at Its Peak. IBM in Decline. IBM Resurgence. Microsoft Growth. Microsoft Peak. Microsoft Decline. Apple Rise. Apple Decline. Apple Rebound. Conclusion.

    Part Four. Special Topics

    17. Cyber Risk Management

    Cyber Risk. Malicious Software. Loss Assessment. Managing Cyber Risks. Buying Cyber Risk Insurance. Incident Response Plan. Mafiaboy Attack. Sony PlayStation Attack. Hacker Language. WikiLeaks 2010 Leak. Authorized User Exposure. Hackers and Cyber Risk. Anonymous. Arab Spring. Bay Area Rapid Transit (BART). Megaupload. Responding to Anonymous Threats. Conclusion.

    18. Collaboration for Effective Risk Management

    Collaboration. Grocery Acquisition. Wikipedia Accuracy. Swarm Theory. GoldCorp Collaboration.

    19. Cerberus, JPMorgan, and Lehman

    Cerberus and Chrysler. JPMorgan Chase and Derivatives. Lehman Toxic Assets.

    20. Rise of Modern Risk Management

    Risk Management Supersedes Insurance. Formation of Captives to Retain Risks. Risk Management Addresses Liability. Decline of Historical Data. Performance Risk Augments Hazard Risk. ERM and Cyber Risk. War Risk. Outlaw Environments. Environmental Risks. Conclusion.

    21. Evolving ERM

    Four Problems for ERM. Black Swan. Long-Term Capital Management. Speeding Up the Implementation of ERM. The Future of ERM. Conclusion.

    22. Modern Risk Managers

    Risk Manager Roles. Risk Manager Levels. Profiles of Risk Managers. Areas of Attention. Chief Risk Officer. Chief Strategy Officer (CSO). CRO and CSO Areas of Focus. Paul Buckley, Tyco Risk Manager. Chris Mandel, USAA Risk Manager. Lance Ewing, Harrah's Risk Manager. George Niwa, Panasonic Risk Manager. Susan Meltzer, Aviva Risk Manager. Central Risk Management Committee.

    Denouement

    Index

  • INTRODUCTION

    Risk Quote: "Keep your friends close, and your enemies closer." -- Sun-Tzu, Chinese general and military strategist, around 400 b.c.e.

    Risk Quote: "This was my father's study. He taught me a lot of things in this room. He taught me to keep my friends close and my enemies closer." -- Michael Corleone in The Godfather (1976)

    Welcome to the world of enterprise risk management (ERM), one of the most popular and misunderstood of today's important business topics. It is not very complex. It is not very expensive. It does add value. We just have to get it right. Until recently, businesses have been getting it wrong.

    The first edition of this book carried us into the heart of risk management. It was mostly about how to do a better job of risk identification. If we define the problem correctly, we reduce surprises--not eliminate them, mind you, but get many of them under control.

    This book continues our journey with massive updates. Risk management has changed dramatically since the 2008 financial crisis. Recent developments in technology and communications demand new approaches to manage risk and seize opportunity. They still build on the basic structure of ERM.

    • Upside of Risk. Most people discuss risk as the possibility of loss. This is totally insufficient because risk has an upside. A lost opportunity is just as much a financial loss as is damage to people and property. This is a key insight. Ask Sun-Tzu or Michael Corleone.

    • Alignment with the Business Model. Within a framework for achieving goals, a single manager can supervise directly only a limited span of subordinates. Similarly, one person can oversee a limited number of risks. ERM encourages us to create a hierarchy of risk categories aligned with the business model.

    • Risk Owners. A single person should be responsible for every category of risk. When questions arise, we go directly to the risk owner. We will see an exception to this guideline in Part Three, where we address risks with no single risk owner.

    • Central Risk Function. Although risks cannot be managed centrally, a central risk function acknowledges that some risks cross units and responsibilities. The function influences risk decisions by scanning for changing conditions from a central vantage point and sharing findings. This book argues that a central risk function should not, itself, have responsibility for management decisions. Risk goes with the risk owners.

    • High-Tech Electronic Platform (HTEP). ERM encourages the use of new technologies. This book describes a cutting-edge technology and a revolutionary way to use it. The results are amazing.

    The book is organized in four parts:

    1. Part One. Essentials of Enterprise Risk Management. What is ERM? What is not ERM? What are its key components? Why do we need a central risk function, risk identification, a high-tech platform? We address risk management successes and failures and cover lessons learned since the original publication of this book.

    2. Part Two. Risk Management Technology. This is big. In the first edition, we examined visualized risk relationships and backed up the view with supporting detail. You will not believe the developments since 2008. Building on the success of Riskonnect, we describe the High-Tech Electronic Platform (HTEP) that serves so many companies today. If we thought technology was big six years ago--and it was--it is amazing today.

    3. Part Three. Risks Without Risk Owners. Some risks depend on collaboration, crossing, as they do, the silos of organizations. With a central risk function and modern technology, we update strategic risk, subculture risk, leadership risk, and life cycle risk. We examine how weak management practices endanger success and how the absence of a clear and achievable vision can be destructive. Included are incisive stories about IBM, Microsoft, and Apple and their rise, decline, and efforts to rebound.

    4. Part Four. Special Topics. Here we fill in the picture of risk management. Cyber risk management deserves a chapter of its own. The importance of collaboration is demonstrated with examples. The struggles of Cerberus, JPMorgan, and Lehman are documented. Three chapters build our understanding of modern risk managers.

    Our journey covers a mixture of concepts, tools, and stories that add richness and depth to managing enterprise risk. Modern risk management is both popular and misunderstood, but, as we will see, it is not overly complex. Nor is it expensive. It does add value. We just have to get it right. Is risk management a science? An art? A mystery? Or is it plain old common sense? In the following pages, we update answers to these questions.

    Contributors

    In the first edition, we acknowledged many people who contributed to this book. Chris Mandel and Lance Ewing, former presidents of the Risk and Insurance Management Society (RIMS), continue to encourage me to understand risk from a holistic viewpoint. Valery Vyatkin, my Russian partner, contributed ideas from a Russian perspective. Finally, thanks to Bob Nirkind from AMACOM books. His insight and wisdom kept this project on course.

    Let's also remember my administrative assistant, Mary Sullivan of Saint Peter's University, who was once again invaluable in creating the final product. My bride, Doreen, a book author in her own right, tells me regularly, "Jack, don't talk about risk management. Nobody cares." She is also the person who gives me the most support for projects such as this book.

    Updating this list is a single acknowledgment. Thanks to the people at Riskonnect, particularly Bob Morrell, Kelly Barton, Elizabeth Morrell, and Russell McGuire. They started the journey and built the HTEP described in this book. An amazing job. Just ask any of their clients.

    J. Hampton

    Litchfield, Connecticut

    March 2014

  • Bulk discounts available. For details visit: www.amacombooks.org/go/specialsales

    Or contact special sales: Phone: 800-250-5308 Email: [email protected] all the AMACOM titles at: www.amacombooks.org

    American Management Association: www.amanet.org

    This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the services of a competent professional person should be sought.

    Library of Congress Cataloging-in-Publication Data

    Hampton, John J.

    Fundamentals of enterprise risk management : how top companies assess risk, manage exposure, and seize opportunity / John J. Hampton.--Second edition.

    pages cm

    Includes bibliographical references and index.

    ISBN-13: 978-0-8144-4903-5 (alk. paper)

    ISBN-10: 0-8144-4903-4 (alk. paper)

    ISBN-13: 978-0-8144-4904-2 (ebook)

    ISBN-10: 0-8144-4904-2 (ebook)

    1. Corporations--Finance. 2. Risk assessment. 3. Risk management. I. Title.

    HG4026.H274 2015

    658.155--dc23

    2014009521

    © 2015 John J. Hampton.

    All rights reserved.

    Printed in the United States of America.

    This publication may not be reproduced, stored in a retrieval system, or transmitted in whole or in part, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of AMACOM, a division of American Management Association, 1601 Broadway, New York, NY 10019.

    The scanning, uploading, or distribution of this book via the Internet or any other means without the express permission of the publisher is illegal and punishable by law. Please purchase only authorized electronic editions of this work and do not participate in or encourage piracy of copyrighted materials, electronically or otherwise. Your support of the author's rights is appreciated.

    About AMA

    American Management Association (www.amanet.org) is a world leader in talent development, advancing the skills of individuals to drive business success. Our mission is to support the goals of individuals and organizations through a complete range of products and services, including classroom and virtual seminars, webcasts, webinars, podcasts, conferences, corporate and government solutions, business books and research. AMA's approach to improving performance combines experiential learning--learning through doing--with opportunities for ongoing professional growth at every step of one's career journey.

    Printing number

    10 9 8 7 6 5 4 3 2 1
