CHAPTER 1
Enterprise Risk Management Case Studies
An Introduction and Overview

JOHN R.S. FRASER

Senior Vice President, Internal Audit, and former Chief Risk Officer, Hydro One Networks Inc.

BETTY J. SIMKINS

Williams Companies Chair of Business and Professor of Finance, Oklahoma State University

KRISTINA NARVAEZ

President and Owner of ERM Strategies, LLC

Businesses, business schools, regulators, and the public are now scrambling to catch up with the emerging field of enterprise risk management.

-Robert Kaplan (quote from Foreword in Fraser and Simkins, 2010)

Most executives with MBA degrees were not taught ERM. In fact, there are only a few universities that teach ERM. So some business school graduates are strong in finance, marketing, and management theory, but they are limited in terms of critical thinking, business acumen, and risk analysis skills.

-Paul Walker1

THE EVOLUTION OF ENTERPRISE RISK MANAGEMENT

Over the past two decades enterprise risk management (ERM) has evolved from concepts and visions of how risks should be addressed to a methodology that is becoming entrenched in modern management and is now increasingly expected by those in oversight roles (e.g., governing bodies and regulators). As Felix Kloman describes in his chapter "A Brief History of Risk Management," published in Fraser and Simkins (2010), many of the concepts go back a very long time and many of the so-called newly discovered techniques can be referenced to the earlier writings and practices described by Kloman. However, it is only from around the mid-1990s that the concept of giving a name to managing risks in a holistic way across the many operating silos of an enterprise started to take hold. In the 1990s, terms such as integrated risk management and enterprise-wide risk management were also used. Many thought leaders, for example, those who created ISO 31000,2 believe that the term risk management is all that is needed to describe good risk management; however, many others believe that the latter term is often used to describe risk management at the lower levels of the organization and does not necessarily capture the concepts of enterprise-level approaches to risk. As a result, the term ERM is used throughout this book.

As ERM continues to evolve there is still much discussion and confusion over exactly what it is and how it should be achieved. It is important to realize that it is still evolving and may take many more years before it is fully codified and practiced in a consistent way. In fact, there is a grave danger now of believing that there is only one way of doing ERM. This is probably a mistake by regulators who have too eagerly seized some of these concepts and are trying to impose them when the methods are not fully understood, and in some cases the requirements are unlikely to produce the desired results. As Fraser and Simkins (2010) noted in their first book on ERM: "While regulatory interest can force ERM into companies, if not done well, it can become another box-ticking exercise that adds little value."3

The leading and most commonly agreed4 guideline to holistic risk management is ISO 31000. However, it should be mentioned that in the United States the COSO 2004 Enterprise Risk Management-Integrated Framework has been the dominant framework used to date. Many organizations are currently adopting one or the other of these frameworks and then customizing them to their own context.

WHY THE NEED FOR A BOOK WITH ERM CASE STUDIES?

Following the success of the earlier Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives by Fraser and Simkins (2010), we found through our own teaching experiences, and by talking to others, that there was an urgent need for a university-level textbook of ERM case studies to help educate executives, risk practitioners, academics, and students alike about the evolving methodology. As a result, Fraser and Simkins, together with Kristina Narvaez, approached many of the leading ERM specialists to write case studies for this book.

Surveys have also shown that there is a dire need for more case studies on ERM (see Fraser, Schoening-Thiessen, and Simkins 2008). Additionally, surveys of risk executives report that business risk is increasing due to new technologies, faster rate of change, increases in regulatory risk, and more (PWC 2014). As Paul Walker of St. John's University points out in the opening quote of the 2014 American Productivity & Quality Center (APQC) report on ERM, "Most executives with MBA degrees were not taught ERM. In fact, there are only a few universities that teach ERM. So some business school graduates are strong in finance, marketing, and management theory, but they are limited in terms of critical thinking, business acumen, and risk analysis skills." Learning Centered Teaching (LCT), as discussed in Chapter 2, is an ideal way to achieve this. Using LCT and the case study approach, students actively participate in the learning process through constructive reflective reasoning, critical thinking and analysis, and discussion of key issues. This is the first book to provide such a broad coverage of case studies on ERM.

The case studies that follow are from some of the leading academics and practitioners of enterprise risk management. While many of the cases are about real-life situations, there are also those that, while based on real-life experiences, have had names changed to maintain confidentiality or are composites of several situations. We are deeply indebted to the authors and to the organizations that agreed so kindly to share their stories to help benefit future generations of ERM practitioners. In addition, we have added several chapters where we feel the fundamentals of these specialized techniques (e.g., VaR) deserve to be understood by ERM students and practitioners. Each case study provides opportunities for executives, risk practitioners, and students to explore what went well, what could have been done differently, and what lessons are to be learned.

Teachers of ERM will find a wealth of material to use in demonstrating ERM principles to students. These can be used for term papers or class discussions, and the approaches can be contrasted to emphasize different contexts that may require customized approaches. This book introduces the reader to a wide range of concepts and techniques for managing risks in a holistic way, by correctly identifying risks and prioritizing the appropriate responses. It offers a broad overview of the various types of ERM techniques, the role of the board of directors, risk tolerances, profiles, workshops, and allocation of resources, while focusing on the principles that determine business success.

Practitioners interested in implementing ERM, enhancing their knowledge on the subject, or wishing to mature their ERM program, will find this book an absolute must resource to have. Case studies are one of the best ways to learn more on this topic.

This book is a companion to Enterprise Risk Management: Today's Leading Research and Best Practices for Tomorrow's Executives (Fraser and Simkins 2010). Together, these two books can create a curriculum of study for business students and risk practitioners who desire to have a better understanding of the world of enterprise risk management and where it is heading in the future. Boards and senior leadership teams in progressive organizations are now engaging in building ERM into their scenario-planning and decision-making processes. These forward-looking organizations are also integrating ERM into the business-planning process with resource allocation and investment decisions. At the business unit level, ERM is being used to measure the performance of risk-taking activities of employees.

As these case studies demonstrate, ERM is a continuous improvement process and takes time to evolve. As can be gleaned from these case studies, most firms that have taken the ERM journey started with a basic ERM language, risk identification, and risk-assessment process and then moved down the road to broaden their programs to include risk treatments, monitoring, and reporting processes. The ultimate goal of ERM is to have it embedded into the risk culture of the organization and drive the decision-making process to make more sound business decisions.

SUMMARY OF THE BOOK CHAPTERS

As mentioned earlier, the purpose of this book is to provide case studies on ERM in order to educate executives, risk practitioners, academics, and students alike about this evolving methodology. To achieve this goal, the book is organized into the following sections:

• Part I: Overview and Insights for Teaching ERM
• Part II: ERM Implementation at Leading Organizations
• Part III: Linking ERM to Strategy and Strategic Risk Management
• Part IV: Specialized Aspects of Risk Management
• Part V: Mini-Cases on ERM and Risk
• Part VI: Other Case Studies

Brief descriptions of the contributors and the chapters are provided next.

PART I: OVERVIEW AND INSIGHTS FOR TEACHING ERM

The first two chapters provide an overview of ERM and guidance on ERM education. As we have pointed out, education on ERM is crucial and more universities need to offer courses in this area. Our conversations with many ERM educators and consultants highlight how extremely...