
The Triumph of the Humble Chief Risk Officer


Anette Mikes

Working Paper
14-114
May 23, 2014

Copyright 2014 by Anette Mikes


Working papers are in draft form. This working paper is distributed for purposes of comment and
discussion only. It may not be reproduced without permission of the copyright holder. Copies of working
papers are available from the author.

Anette Mikes
Harvard Business School

Abstract
This paper tracks the evolution of the role of two chief risk officers (CROs), and the tools and processes they have implemented in their respective organizations. While the companies are from very different industries (one is a power company, the other is a toy manufacturer), they both embraced the concepts and tools of Enterprise Risk Management. Over a number of years, at both firms, risk management transformed from a collection of off-the-shelf, acquired tools and practices into a seemingly inevitable and tailored control process. The paper investigates the role of the CRO in making these transformations happen. The two cases highlight that the role of the CRO may be less about the packaging and marketing of risk management ideas to business managers, but instead, the facilitation of the creation and internalization of a specific type of risk talk as a legitimate, cross-functional language of business. Thereby the risk management function may be most successful when it resists conventional and conflicting demands to be either close to, or independent from, business managers. Instead, by acting as a facilitator of risk talk the CRO can enable the real work of risk management to take place not in his own function, but in the business. In both cases, facilitation involved a significant degree of humility on the part of the CRO, manifest in limited formal authority and meagre resources. Their skill was to build an informal network of relationships with executives and business managers, which allowed them to resist being stereotyped as either compliance champions or business partners. Instead they created and shaped the perception of their role which was of their own making: a careful balancing act between keeping one's distance and staying involved.

In the wake of the 2007-2009 financial crisis, continuing corporate debacles, and ongoing corporate governance calls for the appointment of chief risk officers (CROs) and risk management committees, it is particularly important to understand what role risk officers (may) play in organizational life. The compliance imperative requires banks to implement a firm-wide risk management framework complete with analytical models for the measurement and control of quantifiable risks. In addition, corporate governance guidelines advocate the business partner role of risk management. In this context, the question becomes: how do senior risk officers strike a balance between the twin roles of compliance champion and business partner?

The practitioner literature on risk management promotes the view that the chief risk officer should focus on developing fruitful interactions between risk managers and the organization's managerial and executive layers (Economist Intelligence Unit Limited, 2010); for example, by positioning themselves as a strategic business advisor (KPMG, 2011: 27). The rising visibility of enterprise risk management and risk managers in organizations reflects an apparent and ongoing reconfiguration of uncertainty into an area of management (Power, 2007), which places demands on the risk manager to be a proactive assessor and communicator of uncertainty, capable of operating as a potential partner to business decision makers rather than as a reactive control agent.

Seemingly, risk managers are riding a favorable tide with regulators, standard-setters, and some emerging professional associations advocating their value. An increasing proportion of companies have appointed CROs over the last decade, and surveys demonstrate that the proliferation of senior risk officers is ubiquitous[1]. While only a minority of respondents tend to treat COSO's Enterprise Risk Management (ERM) framework (COSO, 2004) as their blueprint, and many do not follow any particular standard or framework[2], surveys generally agree that the numbers of companies embracing ERM (i.e. reporting to have an ERM framework and/or an ERM policy) have reached the critical mass of 60% (RIMS, 2013; Deloitte, 2013). Putting money to the proverbial mouth, companies have spent increasing resources on risk management and many are planning to continue doing so.[3] Yet the jury is still out on ERM's actual value added: according to a survey of risk managers, carried out by RIMS in 2013, their satisfaction with their progress was widely varied, and according to another survey of C-suite executives, less than half believe their organizations have an effective risk management program (KPMG, 2013).

At best, evidence tells us that organizations vary widely in their design, implementation, and use of risk management practices and tools. At worst, risk management (or the appointment of CROs) is a faddish phenomenon, taking up increasing amounts of resources yet proving incapable of closing the expectations gap (Power, 2007) that is now all too evident between aspirations for better risk management and the actual achievements and capabilities of risk management functions.

[1] A recent survey (Accenture, 2013) of a sample of 446 large, diverse organizations (which included financial services (46%) and other organizations from the utilities, healthcare, life sciences and government sectors) found that the presence of the CRO, or equivalent senior risk officer, was near-universal with 96% of respondents having one in 2013 (up from 78% in 2011). However, surveys that have less focus on regulated industries suggest that the acceptance of CROs (and formal risk management functions) could be much less widespread: 31% in global firms (AICPA, 2010) and even lower in non-regulated U.S. organizations.

[2] This 2013 survey of 1095 risk managers (RIMS, 2013) suggests that 22% of companies adopted the COSO framework, 23% embraced the ISO 31,000 standard and 26% do not follow any particular framework in defining their enterprise risk management practices.

[3] A global survey of 1,092 respondents from diverse industries, carried out in late 2012 (KPMG, 2013) found that the level of investment in risk management has grown as a percentage of total revenues in the past three years, with 66% of respondents expecting the proportion invested in risk management to rise in the next three years.

This paper focuses on two companies where the risk management staff had successfully defined and brought about their version of risk management. Having traced the evolution of these two risk management functions, their apparatus (tools and processes), and their relationship with the rest of the organization, I was struck, first, by the apparent success of these CROs at making risk management a seemingly inevitable, inconspicuous part of organizational life. Over the years, they developed new tools that seamlessly linked up with the work of business managers, creating the impression that the real work of risk management took place in the business lines, and was carried out by employees. Yet the risk managers (or rather, the risk-function managers) retained a certain amount of attachment to these practices that enabled them to demarcate risk management as their expertise and raison d'être.

Secondly, I was also intrigued by the paradoxical attitudes displayed by these CROs towards their own work: they appeared to be tremendously confident and surprisingly humble. The CROs were surrounded by corporate governance advocates, regulators, consultants and certified risk professionals with a vested interest in telling them what risk managers should do and be. But they had the confidence to steer away from the emerging conventional wisdom, the risk management standards and guidelines, and the charlatans who advocated them. They took on the challenge to develop the idea of risk management and its apparatus themselves. Yet at the same time, they displayed a lot of humility, acknowledging failures, struggles and imperfections. They regarded their work as unfinished.

Thirdly, these CROs sensed that the excessive use of certain kinds of risk-management vocabulary, technology, and their uncritical adaption could harm, rather than further, their cause. Irritated by the proliferation of abstract vocabulary emanating from risk-management standards, these CROs tried to learn and speak the language of the business. By co-creating risk tools and a sparse risk vocabulary with those who were to use them, these CROs brought about inconspicuous risk talk: managers were not even conscious of speaking a new language, that of risk management.

Finally, these CROs operated extremely frugally: with one or two full-time staff, they played the role of the facilitator of risk talk, and kept their resource requirements to a bare minimum. They planned no further investment in risk management, and did not ask for increases in their formal authority or decision rights. Towards the end of the research horizon, at both companies the role of the CRO was structurally demoted (one or two steps further removed from the CEO in the reporting hierarchy), yet their organizational reach and influence remained unchanged.

Thus, the two case studies document what might be called the triumph of the humble CRO over the advocates of ever more visible, better resourced and highly independent risk managers. It is the triumph of ordinary risk talk and an unobtrusive risk apparatus over ever more sophisticated risk models and off-the-shelf IT programs that promise a comprehensive and elaborate display of risks. The following sections aim to describe the movements of this evolution, as evidenced by the case studies. I start with a brief description of the case sites and the research process. Second, I outline the evolution of the risk apparatus and describe the work of risk management (riskwork) at the two companies. Third, I describe their efforts at facilitating inconspicuous risk talk and unobtrusive risk tools. Next, I illustrate the mix of confidence and humility that characterized the attitude of these CROs towards their own creations. Here I shall also describe how these CROs kept their span of control (Simons, 2005) narrow, and even came to accept less formal authority, while (somewhat counterintuitively) they succeeded at widening their span of support[4].

The case sites and research process

Electroworks, a major Canadian power utility, operated in an industry in which lack of reliability could lead not only to financial and asset damage but also to human injury and death. The provincial regulatory agency had capped the price that Electroworks could charge, while also requiring it to lead conservation initiatives that would reduce future revenues and earnings. Electroworks had to manage a complex web of conflicting interests: the agendas of government ministers, regulators, consumers, environmental groups, aboriginal (first nation) landowners, and the capital-market debt-holders that had subscribed to the company's C$1 billion bond issue. I started field work at Electroworks in spring 2008. Through 25 interviews (see Appendix 1 for a list of interviews), I aimed to reconstruct the history of ERM from its original consultant-led introduction through its transformation to its current inevitable, yet still unfinished and evolving state.

Magic Toys was a large, family-owned toymaker, operating within a highly competitive, fast-paced industry, which essentially produces and markets fashion for kids. The majority of the company's annual sales came from new product launches, which elevated the importance of product development and innovation. The firm's primary customers were the global retailers who distributed children's toys. Serving these retail chains with accurate and timely deliveries, and ensuring their fast shelf-turnover were of paramount importance in Magic Toys' business model, which aspired to possess world-class marketing and distribution capabilities. In this context, risk management's role was to assist the smooth delivery of new product lines (each carried out as a separate project) and to prepare the company for uncertainty. I started field work at Magic Toys in 2010, and through 44 interviews (see Appendix 2 for a list of interviews) with risk-function managers and business executives, I tried to sketch the evolution of risk practices from form-filling to an established, actionable and consequential part of the annual planning exercise.

The evolution of the risk management apparatus

Origins

In early 1999, in preparation for listing on the Toronto Stock Exchange, the board of directors at Electroworks decided that the company should implement enterprise risk management (ERM), in compliance with listing requirements[5]. They hired a succession of four consulting firms who (in the words of the later chief risk officer) "all came through doing ERM-type stuff. They would come in. They would do risk interviews. They would do risk maps. They would charge a quarter of a million dollars, and deliver a nice report. But nothing happened; there was no knowledge transfer." After this perceived false start, the CEO and CFO asked the head of internal audit, Robert Lewis[6], to take on ERM with very little directive, out of a sense of need conveyed by the board and the listing requirements. Originally hired from the banking industry to be the head of internal audit, Lewis had little expertise in any of the day-to-day challenges faced by Electroworks' line workers, engineers, lawyers and customer service managers. Trained as an accountant and experienced as an internal auditor, Lewis saw risk management both as a challenge and a development opportunity for his control function. He realized that he could make this function his own, and have a wide span of control over defining what risk management was to be:

"They [the CEO and the CFO] decided they wanted ERM. They didn't know what it looked like. They were just told [by the board and the stock exchange] that it was a good thing to have. Initially I said, 'No, I don't think I should take it on. I think there's a conflict of interest, because of my audit role, but let me think about it, I'll sleep on it and get back to you tomorrow.' So, I went home and I thought about it, and I guess my feeling was that before the consultants nothing had happened in the risk domain. Now after the consultants had left, nothing was happening. And while it might be a little bit of a conflict, I felt, well, it might be fun. I'll give it a shot, but I'll run it as a completely separate product line."

Lewis established a Chinese wall to separate his internal audit role from his risk management one. Records of the risk workshops were kept confidential and separate from internal audit assessments and no one, besides himself, was involved in both activities. He had the habit of signaling which hat he was wearing by actually appearing in meetings with a baseball cap carrying either the Internal Audit or the ERM label.

[4] In Simons' Levers of Organizational Design framework, span of control indicates the financial and non-financial resources that managers and employees can draw on in order to accomplish their tasks. Span of support indicates the amount of support they can expect to receive from others in the organization when they reach out for help.

[5] Although Electroworks eventually abandoned its listing plans, ERM remained.

[6] Pseudonym

****

In contrast to Lewis, Carl Hirschman,[7] Magic Toys' CRO, spent his entire career in the company, as a financial controller. The notion of risk management came to him as an out-of-the-blue request from his boss, the CFO, in 2007. At the time, Magic Toys was recovering from a serious crisis that saw high staff turnover and the appointment of the company's first ever outside CEO (a former McKinsey consultant). As part of the recovery, the board requested that the company should adopt risk management best practices. Similarly to Lewis, Hirschman initially refused to take on the role, but then ended up defining it for himself:

"[Initially,] I said, 'No, because that's a compliance job, and I don't want to spend the rest of my career doing compliance. Forget it. I don't have the patience for it.' The next day, the CFO came to my office and said, 'What would it take?' So I went to his office on the following Monday (I spent most of the previous weekend reading about risk management) and I said, 'I want risk management to be proactive. I want to run a strategic process. I want to focus on value creation more than value protection.' I didn't want to do compliance validation all the time. And the CFO said, 'Yeah, go ahead.'"

Hirschman's first realization was that many of the risk areas defined in the ERM frameworks, in case of Magic Toys, were already monitored and managed by specific functions. In an internal memo, he declared: "Operational risk is handled by planning and production. Employee health and safety is OHSAS 18001 certified. Hazards are managed through explicit insurance programs. IT security risk is a defined functional area. [The finance department] covers currencies, hedging and credit risks, and [the legal function] is actively pursuing trademark violations. Only strategic risks aren't handled explicitly or systematically."

Rather than positioning the would-be risk management function as an umbrella function for all of these risk areas, Hirschman decided to find a niche for it (strategic risk) and called the new function Strategic Risk Management. Hiring only two employees, he searched for meaningful opportunities and tools that would contribute to the management of the business.

[7] Pseudonym

Timelines
Over time, Lewis introduced a three-phase enterprise risk management program, consisting of risk workshops, biannual risk updates and, linked to the annual planning process, risk-based resource allocation. The following timeline summarizes the evolution of these phases.

1999-2000
  Facilitators of riskwork: Consultants
  Fora for risk talk: Interviews
  Risk tools: Consultants' risk assessment templates
  Frequency of formal risk meetings: 4 projects carried out by different consulting firms

2000-2004
  Facilitators of riskwork: CRO; risk team of 2 and Investment Management department
  Fora for risk talk: Workshops; one-to-one interviews; annual planning and resource allocation debates
  Risk tools: In-house risk assessment templates (for workshops and investment proposal evaluation); Headline news updates for interview discussion; Biannual Corporate Risk Profile reports
  Frequency of formal risk meetings: 40-50 risk workshops; Biannual risk updates (interviews); Annual planning (with the involvement of investment management department)

2004-2012
  Facilitators of riskwork: CRO; risk team of 2
  Fora for risk talk: Workshops; one-to-one interviews; annual planning and resource allocation debates; black swan workshops
  Risk tools: As before, plus: In-house template for black swan evaluation
  Frequency of formal risk meetings: 5-12 risk workshops; Biannual risk updates (interviews); Annual planning (no investment management department); Biannual CRO presentation to the full board; Ad hoc black swan workshops (from 2008 on)

Initially, riskwork at Electroworks was manifest in the proliferation of risk management workshops in which participants evaluated risk impact, probability of risk occurrence and control strength (in order to get a sense of residual risk). The workshops achieved a consensus assessment on each of these dimensions by repeated and anonymous voting, with intermittent discussions, facilitated by a risk officer (Workshop Facilitator). Once the management team had assessed risks and controls, the risk officers prepared a risk map: a two-dimensional rank-ordered chart of residual risks.

Twice a year, in January and July, Lewis and his team prepared a Corporate Risk Profile report for the executive team (biannual risk updates). He also presented the report in person to the Audit Committee, and from 2004 on, to the entire board of directors. The Corporate Risk Profile summarized the principal risks facing the organization.

To prepare for the final phase of the ERM process (risk-based resource allocation), the investment planning department and the risk management team jointly developed templates for allocating resources. Engineers (challenged by the investment planning department) had to evaluate their proposals in terms of cost and the severity of the risk that their program aimed to mitigate. They calculated a bang-for-the-buck index to show the risk reduction per dollar spent, and ranked the investment programs accordingly. By 2004, the engineering teams and top management were both sufficiently fluent in risk and cost assessments that they were able to do without the investment management department. The investment management department was dissolved, yet the risk management team, and the practice of risk-based resource allocation, remained.

In 2008, responding to the global financial crisis and a worldwide concern with systemic risks and black swan events[8], Lewis and his team initiated so-called black swan workshops, a separate process to focus executives' and board members' attention on low-probability, high-impact events that did not normally come up during risk workshops and the biannual risk updates. These discussions used a new template, asking directors to consider the velocity of the underlying trend and the company's perceived resilience to such events. Lewis described these workshops as more a thought experiment than a risk workshop. The black swan workshops were held on demand (but at least annually). Insights from the black swan workshops were fed back into the company's disaster recovery plans.
*****
The following timeline summarizes the evolution of the risk management processes and apparatus at Magic Toys.

2006-2008
  Facilitators of riskwork: CRO plus risk team of 1
  Fora for risk talk: Risk and opportunity identification
  Risk tools: Spreadsheet tool for risk and opportunity identification; Biannual ERM Report

2009
  Facilitators of riskwork: CRO plus risk team of 2
  Fora for risk talk: Risk and opportunity identification; Ad hoc scenario exercise (failed)
  Risk tools: Spreadsheet tool for risk and opportunity identification; Biannual ERM Report; Scenarios (external Davos scenarios)

2010-2012
  Facilitators of riskwork: CRO plus risk team of 2
  Fora for risk talk: Risk and opportunity identification; Regular scenario planning
  Risk tools: Spreadsheet tool for risk and opportunity identification; Biannual ERM Report; Scenarios (internally generated)

[8] Popularized by author Nassim Nicholas Taleb, a black swan is an event, positive or negative, that is deemed improbable yet causes massive consequences. See Taleb, N. The Black Swan: The Impact of the Highly Improbable. Allen Lane, 2007.


Noting that Magic Beans was a project-focussed organization (with each project leading to a new product release or a process improvement), Hirschman defined risk at the level of projects, as "a change, which negatively impacts our ability to achieve our targets and goals with the strategies and initiatives defined"[9] and gave managers a list of examples (loss of consumer affinity; loss of major customer; changes in the competitive landscape; loss of integrity; major supply chain disruptions).

Hirschman's first deliverable to the Magic Toys board was a 15-page report on the strategic risks (including a two-page bullet list and a single chart), as assessed by the business lines. The report was based on a spreadsheet that Hirschman developed for the interrogation and collection of strategic risk information.

The board reports got updated biannually. In between, Hirschman and his team introduced scenario planning in an effort to help managers prepare for uncertainty, but also for the periodic reassessments of the 110 risks they collectively logged in the risk spreadsheet. After an initial fiasco, the scenario exercise was redesigned for higher relevance, spread, and by 2012 became an integral part of Magic Toys' planning process.

Inconspicuous risk talk and unobtrusive risk tools

Lewis acknowledged that the risk assessment process at Electroworks was subjective, not scientific. Yet the risk workshops were an instant and enduring success, as explained by one risk officer (the Workshop Facilitator):

"Our original ambitious plan was to do twelve risk assessments a year. The senior executive team embraced the approach so enthusiastically that one year we did 60 different risk assessment workshops. My role was to help executives tell their bosses about the risks they faced and how they were mitigating those risks. We helped them make judgments about the adequacy of the mitigating actions proposed and taken."

In order to make the risk assessment discussions relevant, the risk team realized that their tools (risk assessment templates) had to be perceived as relevant too. They asked senior managers, who had accountability for the particular risk areas (financial, regulatory etc.), to review and approve the impact scales annually. Thus the CFO defined and reviewed the financial scale, the chief regulatory officer reviewed the regulatory scale, and so on. In the end, the impact scale represented every business function's concern, in parallel to others, resembling a multi-language manual that everyone concerned could read (see Appendix 3). Lewis described how business managers used the template:

"Let's assume we had an environmental spill of 10,000 liters of oil. We ask people to vote on a scale of one to five as to the consequences if our controls didn't work. A financial person could use the financial scale by stating, 'the last time we had an oil spill, it cost $10 million to clean up; I call it a 4.' The environmental specialist could assess its impact by saying, 'this could cause a significant local offsite impact, I am going to vote a 3.' The head of public relations says 'if it gets reported in the local press, the Toronto Star, I would call it a 3. If the spill gets into the waterways, it would get covered by the national press, and then I'm going to vote a 4.' Each person in the room identifies a different impact, based on his or her area of expertise. It brings a lot of clarity."

[9] Internal document, Version 2.0 / 15 March 2012

Having co-created the language of risk assessments with the business lines, Lewis also co-opted business managers in setting the agenda for the risk workshops. Prior to each risk workshop, Lewis' risk team informally polled participants and drew up a generic list of 60-70 potential risks or threats to the business or the project being discussed. They emailed the list to the participating management team asking them to choose the ten most critical risks facing their business or project. Based on these choices the risk team narrowed the list to 8-10 risks. A risk officer then started the half-day risk assessment workshop with the presentation of the shortlisted risks, and asked participants to confirm whether these were in fact the most important risks or whether any others should be discussed in detail instead.

In order to prepare the biannual risk updates, Lewis did a series of interviews with the top 30 to 40 executives and consulted other sources, such as annual business plans and risk workshops. But generally, these discussions were driven by managerial concerns, which Lewis merely directed into reporting templates:

"I take the one-page strategic objectives, the news update and the summary of the previous risk assessments to all interviews, so the context is clearly set. Then I pull out the empty risk profile template and ask what had changed, what is new. The risk assessments could change because of the mitigation steps taken, or because of external changes in the environment. Some people grab the template and start filling it out on the spot. Others will literally shut their eyes, put their feet up on the desk and tell me what is worrying them."

All three phases of ERM at Electroworks channeled risk information vertically and horizontally throughout the company, enabling executives and employees to develop a shared understanding of what risks the company faced and what had to be done about them. Indeed, by 2008, Lewis noted that the workshops facilitated the rise of participants' understanding of their own risks in the context of those faced by others:

"Magic occurs in risk workshops. People enjoy them. Some say, 'I have always worried about this topic, and now I am less worried because I see that someone else is dealing with it, or I have learned it is a low-probability event.' Other people said, 'I could put forward my point and get people to agree that it is something we should be spending more time on, because it is a high risk.'"

At the same time, participants were using a new vocabulary: a specific, yet to them unobtrusive, risk talk, which allowed them to voice their concerns more precisely. Lewis permitted himself a broad smile as he recalled what he considered as his team's ultimate achievement:

"The management team got so familiar with coming to workshops and understanding what the scales were and how to vote, that it just became part of their language to the extent that they started to do some of the stuff on their own and now the big thrill for me is when I go to a management meeting, they're using all of the ERM terminology with residual risk and mitigation. It's just great to see [that] and they understand each other and they're really speaking a common language."
****

In his policy document (written for the board) Hirschman insisted that Magic Toys' Strategic Risk Management (SRM) processes are defined to largely comply with the ISO 31.000 standard. Hirschman very deliberately referenced the International Standards Organization, as an external source of credibility that managers recognized and associated with the same standards that upheld the values of quality and excellence in their manufacturing operations. Yet Hirschman departed from ISO 31.000 as he was defining SRM at the project level (not at the level of the enterprise).

He also recognized that the extensive ERM vocabulary emanating from ISO 31.000 was counterproductive: "Initially we came [to managers] with a lot of risk management jargon and got thrown out of the door. Nobody understood what we said. I learnt quickly that it's important for us risk managers, my team, that we speak the language of the business. We want to make it as simple and intuitive as possible."

Hirschman recruited a former project manager (Lynne Matte[10]) and set out to explain the raison d'être of risk management to project managers in their language. In a series of meetings with project managers, having jokingly agreed that a project is a dream with a deadline, Hirschman and Matte declared: "Our starting point is that our task is to make you shine. Whether you fail or succeed with the project is your responsibility. But we have some tools and an approach and a process that can help you succeed, even if the world turns out to be different from what you have hoped for."

Hirschman and his team chased project managers for risk updates twice a year, using the risk register (an Excel spreadsheet) as the channel of communication. But they also had the convening power to get together senior managers to discuss discretionary strategic issues and their implications for the company:

"Every now and then, that is, every time we change strategic direction, I gather people, specialist people, mostly senior, mostly directors, senior directors, and a couple of VPs to discuss: with this strategic initiative, what do you see from your perspective? Tell me all about the risks that say: OK, now we can't go to Asia, or we have to go to Asia in a different way than we thought we would. Then I update my risk database based on that."

Hirschman's risk inquiries became not only ubiquitous, but expected as well, and managers started to proactively share risk information with the risk team. Hirschman recalled, "When something happens, like in the case of the Icelandic ash cloud or the tsunami in Japan, at least fifteen people emailed me to say 'do you have this in your risk database?'"

In 2009, Hirschman and his team, looking for increasing support they could provide to the business, convened a senior managers' meeting to discuss the implications of a set of four strategic scenarios, based on the megatrends defined by the World Economic Forum in 2008 for the Davos meetings. Hirschman's report, summarizing the discussions, "ended up in the bottom of everybody's drawer, because nobody could relate to the scenarios that we have done."

Having learnt from the experience, Hirschman redesigned the scenario process to allow managers to generate scenarios based on their own worries, with the risk team providing mere suggestions for the dimensions of uncertainty that managers can pick from and freely add to. Secondly, he initiated scenario discussions to explicitly support business managers with the preparation of their annual plans. In the scenario sessions managers listed issues they had to contend with under each scenario, and then prioritized them (based on their likelihood and the speed of their emergence). The sessions never concluded without an hour-long discussion of Act issues: managers had to agree explicitly who is doing what by when about the fast-emerging, most likely issues.

Hirschman considered the introduction of the fifth hour (and the inclusion of the Act issues in the annual business plans) as the turning point: "And that was it. That final discussion makes sure that the Act issues are actually acted upon. It was a hint given to us from two members of our [top management]. Then it just became part of the business planning process."

Scenario planning became part of Magic Toys' business planning process in 2013. With the involvement of 19 top managers and over 200 other employees, 23 scenario sessions were held, affecting 21 three-year business plans. The heads of three business areas chose to deploy scenario planning upfront, as an inspiration to their regular planning process, while the others deployed these sessions ex post, as a way of resilience testing. Hirschman reported the scenario planning sessions helped the managers collectively identify 136 Act issues and 80 Prepare issues, which subsequently resulted in adjustments to the Must Win Battles and How to Win sections of the 21 business plans.

[10] Pseudonym

Confidence
With no formal qualifications or domain expertise to engage Electroworks' engineers at risk assessment workshops and at resource allocation meetings, Lewis and his team acted as a facilitator. But they did their homework: in response to the board's request for an ERM process they spent four months "reading everything we could about it: publications by the Conference Board of Canada, by Tillinghast Towers Perrin, the Australian Standard 4360[11], articles and many books." In the end, Lewis decided to "do it [his] own way":

"There has been a lot of bad literature, a lot of bad consultants; a lot of people were going down the wrong road. [ERM consultants] would charge us [a fortune] to do something they probably did the week before for some other company. In the end, I concluded ERM can be so simple and so logical was it not for the many people who seek to complicate it."

Lewis' espoused practice of ERM required three people (three personality types):

"The first one is someone to make it happen. That's me. Okay, somebody who will push down doors, is driven, and has the credibility and authority to open doors and make it happen. The second is a nice charismatic personality who people enjoy working with. And that was [the Workshop Facilitator], an absolute charmer. A super nice guy, good looking, charming, very knowledgeable, who became a very good [workshop] facilitator. The third one is a person with an analytical mind who can manage the vast quantities of data [collected at the workshops]. You don't find those characteristics in the same person so I teamed them together."

He consciously departed from conventional wisdom by deciding to just start running workshops:

"The theory says go on, train and educate people on ERM by going and giving presentations. My answer to this was 'No, no, no, you have to run workshops; that's the way you get others involved, engaged, and that's how they learn, not by sitting through a PowerPoint.'"

By 2003, ERM at Electroworks was sufficiently established so that Lewis could judge it as a success and confidently enter the wider ERM discourse by publishing articles and book chapters on Electroworks' ERM practice. Publicizing his approach to ERM was part of his campaign against "people who seek to complicate ERM", but it also reassured the company's management team and board of directors that "we were ahead of the game and our regulator was so impressed with [our ERM] that they are going to take and mandate it for everyone else to do it this way [in the industry]."

[11] Standards Australia (2004)
****
Having examined several software packages and attended consultants' presentations on risk databases, Hirschman concluded that finding the right one [for Magic Toys] was rather difficult. He ended up developing his own Excel spreadsheet ("I've used Excel since 1984, I know how to do it"), which was maintained and updated by one of his team members, based on written or spoken input from risk owners.

Hirschman continuously wheedled and cajoled business managers to send updates on risks and actions. He never used fiat and never referenced the ERM policy documents; he appeared permissive and lenient, but at the same time, the downside consequences of not responding were implicit in these communications. He described one instance when a late response cost a manager holiday time to catch up with his risk reporting:

I told him [the risk owner]: I need to know what you're doing. He said, sure, how do we do this most easily? I say, most easily, I've sent you the risk and I've sent you the template I'm using for updating mitigations. Who is doing what and why do we think it works? It's a questionnaire. And he said, Okay. When do you need it by? I say, Well, I can get the report out two or three days after you're done, so you decide. The day before Christmas, he said, I didn't get to do it yet. Is it okay if I do it after Christmas? I said, Sure, but we have to send the report to the board by xxx, and that would be demonstrating that you are not in control of something we think you are controlling, so... After Christmas, he admitted that he spent three hours filling in templates in his holiday, to give me that feedback by January, so we can have it in the updated report.

Hirschman made it clear to everyone that his responsibility concerned the design and facilitation of the SRM process, not more, not less. He pushed back on a request for quarterly risk reports from a board member arguing that "ours is a seasonal business, we have half the turnover the last ten weeks of Christmas; the majority of the rest around Easter. It doesn't make sense to make a first and third quarter report." When the board member insisted on the quarterly reporting, Hirschman stood his ground and persuaded the CEO that it would be a waste of time. The director yielded.

Having facilitated the preparation of the biannual risk report, the risk team did not remain entirely silent. In the report, there was a separate section devoted to what the Strategic Risk Management Office believes. Here Hirschman could be explicit and challenging:
In the latest report I just sent out in June, I put in the comments that this year may be the first one since 2005 that we will not meet our targets. I had the CFO on the phone as soon as he saw the draft, telling me: Our target is 11% sales growth. That number is not in jeopardy. And I said, Sorry, John, I don't agree. It is in jeopardy. I didn't say we won't make our targets. I said we may not make our targets. In fact I think it's in serious, severe jeopardy. We are growing but year to date, we had an 8% growth on consumer sales, and you want to make it 11% by high season? That's not a done deal. By no way. He still disagreed with me, but allowed me to send it to the board. Next, I had the VP Marketing on the phone. I had to explain that I ran my Monte Carlo simulation on our budgeted and year-to-date figures and what that means to them: Guys, you are getting late for the party, but yet you are still cruising at 40 mph on the highway, why not take more risks, speed up to the 70 you are allowed to drive, if that will more likely take you to the party in time.
Over the years, Hirschman formulated a view of risk management that put emphasis on its enabling, rather than constraining aspect, and he put it in writing in a series of papers and book chapters co-authored by a business school academic. Contradicting the corporate governance advocates and guidelines that considered risk management as a line of defense in the internal control landscape, Hirschman emphasized that the role of the risk management function was to support, rather than control managers:

I think one of the places where the traditional risk managers in other companies have problems is that they emerged, they come from a control environment, internal audit or something like that. That means that when they walk in the door, you see them as internal audit coming and checking you up. We do not come from that part of the business. We've never been into that, actually until a couple of years ago, we never had an internal audit function. But, we're coming with a license to ask questions that help them succeed. Because, well, SRM may be a part of controlling, but it's actually a part of supporting.

Humility and frugality
While the risk team remained small, as per Lewis' original vision (one person providing authority; a Workshop Facilitator and a Data Manager), its reach impacted much of the organization through workshops, the annual planning and the biannual updates. Lewis and team were quick to acknowledge that despite their perceived successes, their full vision for ERM was never accomplished, and perhaps will never be. Lewis summarized his theoretical dream as the risk dashboard: a software-enabled, computerized version of his risk reports, accessible anytime by any senior manager, providing up-to-date and fast graphic displays of all risk information, summarized into colourful risk maps and Top 10 risk lists, with drill-down capability into individual items. But Lewis was conscious that Electroworks did not have the systems, skill set or culture to implement such a model.

Upon Lewis' retirement in 2012, Electroworks did not recruit a new CRO; the previous Workshop Facilitator (Larry White [12]) became Director of Enterprise Risk Management (and no longer reported directly to the CEO, but to the Treasurer). Unlike many ERM advocates, White did not perceive this seeming demotion of the risk function as a weakness:

Lots of consultants, lots of people speak at conferences about the importance of a top-down driven risk function, supported by the CEO. I think that's actually a vulnerability. You cannot do ERM by fiat, I do not need the CEO to say to our guys: Every six months you must do a risk workshop with [White] and I want to see the report. But a good way for the CEO to support ERM is in the way she asks questions. Ours would say [to the business manager]: OK, I've got your plan. How could this go wrong? What are your risks? You're not sure? Well, you know, there is this guy over here, Larry White, who can help you figure out. Why don't you go and see him, because he'll help you figure that out? Then you can come back to me and we can make this decision. So Risk Management gets pulled into the business because there is a vacuum to fill, as opposed to me imposing myself, or somebody on my behalf imposing me, on them.

[12] Pseudonym

At Electroworks, the risk function's span of control (in terms of resources, decision rights and formal authority) remained narrow, and even narrowed over time. However, the willingness of the CEO and the business lines to participate in risk talk made up for that frugality. Bringing about that wide span of support via the proliferation of an unobtrusive, business-relevant risk process and vocabulary was the risk team's key achievement.
****
At Magic Toys, Hirschman faced a number of debacles as he built his own risk management tools and processes. He noted that the first couple of databases didn't work, the third one did. This trial-and-error approach characterized the development of the scenario process too. After the initial disappointment, Hirschman was ready to admit to senior managers that the exercise failed due to the lack of any follow-through or action. Despite this acknowledgement, one of the senior managers expressed support and that became the catalyst for the further development of the tool:

In early 2011, I got to talk by coincidence with [senior manager] over a cup of coffee, and we got to talk about these scenarios and he said, You really have something good about this scenario discussion, quite great. Why didn't work? I said, I really don't know. I understood it didn't work and I accept that it didn't work, but I really don't know why. He said, Try to figure it out. See if we can make it work. And I went back with that and said to myself over and over, okay, why didn't it work?, and contemplated why it didn't work and eventually, I found out where the flaws was: the ownership of the scenarios.

Hirschman and his team insisted that in the risk discussions, whatever tool was used to channel them, managers had to keep their thunder. Hirschman explained:

Managers hate to be told what to do, and the higher the organizational level, the more the resentment, so by letting them run the show, and by limiting scenario planning to a half-day workshop for each team, we got the proverbial foot in the door.

The risk team also made it clear that their role was merely facilitating, not advising. Lynne Matte, who was a former project manager, had to actively fight a natural enough inclination to become more directive: "As a risk manager, you should never take over [the discussion]. Even if you know the solution, keep your mouth shut." Hirschman added: "It's their decision, it's their perception, it's their risk. If I started to advise or correct them, I would start owning the stuff, and I can't do that."
Hirschman saw risk management as common sense, and highlighted the importance of understanding the business and the industry. He was careful not to take any credit for the successes of the business. Commenting on Magic Toys' eventual success at exceeding its 2013 sales targets, he concluded:

There is a benefit to knowing whether you are taking the right amount of risk. You need to be able to take chances, but you need to know how many chances you can take. We grew 25% last year. I can't take the credit for that, but I pushed the ball. I told every manager who was willing to listen that we found that we were not taking enough risk. In the end, we were able to shift product sales and suddenly we were the winners because we had the products and we got more shelf space. We more than doubled our shelf space at Walmart. And with 200 million people through the stores every week, that matters. I am not part of Corporate Management [top management], and I cannot take credit for any of this. Risk management is a very, very small part of the success we've had.
Despite its humble rhetoric of simplicity, common sense, Hirschman created a risk function that had the ears of the board and senior management. This remained the case even when a management reorganization left the CRO with a reporting line to the Treasurer (who then reported to the CFO). Though formally the CRO was 4 steps removed from the board of directors, by 2013 he established a process that shaped the discussion of every business plan, and the biannual board meetings.

Hirschman commented that despite his seemingly frugal resources (and small team of two) he enjoyed a wide span of support.

I get all the support and all the time I need. If I want to go on training or to a conference, I get the funding. I have all the resources I need. I have the right to focus on strategic risks only. I don't do insurance. I don't do vendor risk management or anything like that. Other people are doing that.

Hirschman also built an invaluable relationship with the fourth-generation owner of the family-held firm, who had just got appointed to the Magic Toys board:

I benefit from the fact that I know the guy since he wore diapers, literally. He's a young guy, he's 32, he is just coming in and he wants to be a good owner and a good part of the board of directors. And he sees the risk management approach as the best way he can add value to the board of directors because none of the others really want to bother discussing this. It gives him a point of entry to say: OK, what about this? What about that? And add positively to the discussion.

By mentoring the young owner, Hirschman's role acquired another layer of significance. He was becoming influential in the manner of the famous Grey Eminences of a bygone era, operating behind the scenes in an unofficial capacity of their own making.

Discussion and Conclusion
This paper tracked the evolution of the role of two chief risk officers (CROs), and the tools and processes they have implemented in their respective organizations. While the companies are from very different industries (one is a power company, the other is a toy manufacturer), they both embraced the concepts and tools of Enterprise Risk Management. Over a number of years, at both firms, risk management transformed from a collection of off-the-shelf, acquired tools and practices into a seemingly inevitable and tailored control process. The paper investigated the role of the CRO in making these transformations happen.

The CRO at Electroworks, by the facilitation of continuous risk talk in workshops and face-to-face meetings, over ten years, has succeeded in orchestrating the creation and proliferation of a new language (that of risk management), and established processes that regularly brought business people together from diverse places and hierarchical levels, to discuss issues of concern. Far from being self-evident, risk talk, manifest in, for example, 1-5 assessments of impact and likelihood of risk, and formally documented in risk maps and lists of top 10 risks, took a long time to proliferate. The contribution of the CRO (and his small team) was to co-opt the business in the creation and use of risk talk. By merely providing a few rudimentary concepts and a minimal risk vocabulary, the CRO was able to get business people to fill in troubling gaps in meaning, and to add the rules of use, by for example delegating the definition of 1-5 impact scales to those able to make sense, and also to make use, of them. The final test of the acceptance of risk talk was its formal linking to resource allocation in the annual budgeting process, which gave risk management permanence, significance and a sense of inevitability.

The second case, in a seeming contrast, focused on a CRO, who initially tried and failed to create linkages of permanence and significance between some conventional ERM tools (similar to those championed by his counterpart above) and the business lines. After a period of search, the CRO settled on a less conventional risk identification tool, scenario planning, and facilitated its transformation, over five years from an ad hoc future-gauging exercise to widely accepted risk talk and a seemingly self-evident element of the annual business planning process.

The two cases highlight that the role of the CRO may be less about the packaging and marketing of risk management tools to business managers, but instead, the facilitation of the creation and internalization of a specific type of risk talk as a legitimate, cross-functional language of business. The risk management function may be most successful when it resists conventional and conflicting demands to be either close to, or independent from, business managers. Instead, by acting as a facilitator of risk talk the CRO can enable the real work of risk management to take place not in his own function, but in the business lines. In both cases, facilitation involved a significant degree of humility on the part of the CRO, manifest in limited (and paradoxically decreasing) formal authority and meagre resources. Their skill was to build an informal network of relationships with executives and business managers, which allowed them to resist being stereotyped as either compliance champions or business partners. Instead they created and shaped the perception of their role which was of their own making: a careful balancing act between keeping one's distance and staying involved.

This analysis suggests that calls for increasing investments in risk management, and for the formal inclusion of senior risk officers in the C-suite might be misguided. In order to close the expectations gap, risk managers need first and foremost commitment from others in the organization to accept a relevant and situationally contingent version of risk management, tailored to their needs. Thus the sign of success of the humble CRO is not so much in her ability to go beyond the compliance role or turn into a business partner, but in her ability to bring about consequential risk talk where it matters, in the business lines, helping those who carry out the real work of risk management: managing risks.


References
Accenture. Accenture 2013 Global Risk Management Study: Risk Management for an Era of Greater Uncertainty, 2013.
Committee of Sponsoring Organizations of the Treadway Commission (COSO). Enterprise risk management framework. New York, NY: American Institute of Certified Public Accountants, 2004.
Deloitte. Global Risk Management Survey, Eighth Edition: Setting a Higher Bar, 2013.
Economist Intelligence Unit Limited. Risk Management in the Front Line, 2010.
International Standards Organisation (ISO). ISO 31000:2009, Risk Management - Principles and Guidelines. Geneva: International Standards Organisation, 2009.
KPMG. Risk Management: A Driver of Enterprise Value in the Emerging Environment, 2011.
KPMG. Expectations of Risk Management Outpacing Capabilities - It's Time For Action, May 2013.
Power, M.K. Organized Uncertainty: Designing a World of Risk Management. Oxford: Oxford University Press, 2007.
RIMS and Advisen Ltd. 2013 RIMS Enterprise Risk Management (ERM) Survey, August 2013.
Simons, R. Levers of Organization Design. Boston, MA: Harvard Business School Press, 2005.
Standards Australia. AS/NZS 4360:2004 Risk management (3rd edition). Sydney, Australia: Standards Australia Publications, 2004.

Appendix 1. Electroworks Interviews

Interview Date | Initials of interviewee / nature of meeting attended | Title(s)
5/7/2008 | B.S. | Chief Financial Officer
5/7/2008 | J.F. | Senior Vice President, Internal Audit and Chief Risk Officer
5/7/2008 | R.Q. | Director, Enterprise Risk Management
5/8/2008 | G.R. | Director, Customer Strategy & Conservation Officer
5/8/2008 | G.V.D. | Director, Asset Management
5/8/2008 | J.T. | Director, Integrated Strategy
5/8/2008 | L.F. | Chief Executive Officer
5/8/2008 | P.G. | Director, Public Relations
5/9/2008 | J.F. | Senior Vice President, Internal Audit and Chief Risk Officer
5/9/2008 | S.F. | Chief Regulatory Officer
7/10/2008 | J.F. | Senior Vice President, Internal Audit and Chief Risk Officer
6/1/2009 | G.V.D. | Director, Asset Management
6/1/2009 | G.S. | Engineer
6/1/2009 | J.F. | Senior Vice President, Internal Audit and Chief Risk Officer
6/1/2009 | L.F. | Chief Executive Officer
6/3/2009 | C.M. | Executive Vice President, Strategy and Planning
6/3/2009 | M.D. | Senior Vice President, Customer Operations
6/3/2009 | S.F. | Chief Financial Officer
11/1/2011 | J.F. & R.Q. | Senior Vice President, Internal Audit and Chief Risk Officer & Director, Enterprise Risk Management
11/1/2011 | M.D. | Senior Vice President, Customer Operations
11/1/2011 | R.S. | Vice President, Customer Services
11/2/2011 | J.F. & R.Q. | Senior Vice President, Internal Audit and Chief Risk Officer & Director, Enterprise Risk Management
11/2/2011 | N.L. & R.W. | Manager, Account Management and GIS Program Manager
7/16/2013 | R.Q. | Director, Enterprise Risk Management
12/10/2013 | R.Q. | Director, Enterprise Risk Management

Appendix 2. Magic Toys Interviews

5/2/2012 | H.L. | Senior Director, Risk Management
5/2/2012 | J.H. & T.P. | Senior Vice President, Global Quality and Engineering & Customer Service Advisor
5/2/2012 | J.K. | Senior Director, Operating Model Leverage
5/2/2012 | M.N. | Chief Marketing Officer
5/2/2012 | R.S. | Senior Vice President, Corporate Affairs
5/2/2012 | H.L., A.M.B, & L.M. | Senior Director, Risk Management; Director, Strategic Risk Management; & Senior Director, Consumer Goods
5/3/2012 | H.L. | Senior Director, Risk Management
5/3/2012 | J.P.P. | Senior Vice President, Market Group Asia & Emerging Markets
5/3/2012 | J.V. | Vice President, Digital Business
5/3/2012 | L.T.B. & V.M.H. | Vice Presidents, Group Treasury
5/3/2012 | T.N. & C.B. | Director, Digital Program Management, Office, and Quality & Manager, Outbound Licensing
6/25/2012 | Scenario Planning Session |
6/25/2012 | O.T. | Country Manager, Asia and Emerging Markets
6/25/2012 | U.C. | Vice President, Asia and Emerging Markets
6/26/2012 | A.M.B. & R.F. | Director, Strategic Risk Management & Senior Strategic Risk Manager
6/26/2012 | K.F.C. & A.J.M. | Senior Manager, Finance & Manager, Market Logistics
6/26/2012 | R.F. | Senior Strategic Risk Manager
6/26/2012 | R.F. & H.L. (Morning) | Senior Strategic Risk Manager & Senior Director, Risk Management
6/26/2012 | R.F. & H.L. (Afternoon) | Senior Strategic Risk Manager & Senior Director, Risk Management
6/26/2012 | R.F. & H.L. (Feedback) | Senior Strategic Risk Manager & Senior Director, Risk Management
6/27/2012 | D.H. | Director, External Relations
9/13/2012 | J.K. | Senior Director, Operating Model Development
9/13/2012 | K.F.C. & R.F. | Head of Emerging Markets Operations & Senior Strategic Risk Manager
9/13/2012 | O.T. | Country Manager, Asia and Emerging Markets
9/13/2012 | R.F. | Senior Strategic Risk Manager
9/14/2012 | A.J.M. | Manager, Market Logistics
9/14/2012 | D.H. | Director, External Relations
9/14/2012 | K.F.C. | Head of Emerging Markets Operations
9/14/2012 | R.F. | Senior Strategic Risk Manager
9/14/2012 | U.C. | Vice President, Asia and Emerging Markets
11/20/2012 | H.L. | Senior Director, Risk Management
11/20/2012 | K.F.C. | Head of Emerging Markets Operations
11/20/2012 | O.A. | Senior Key Account Manager
9/17/2013 | H.L. | Senior Director, Risk Management
9/17/2013 | U.C. | Vice President, Asia and Emerging Markets
9/18/2013 | A.J.M. | Manager, Market Logistics
9/18/2013 | H.L. | Senior Director, Risk Management
9/18/2013 | Team meeting | Risk team
9/18/2013 | J.K. | Senior Director, Operating Model Development
9/18/2013 | K.C. | Head of Emerging Markets Operations
9/18/2013 | O.T. and K.C. | Country Manager, Asia and Emerging Markets; Head of Emerging Markets Operations
9/18/2013 | O.T. | Country Manager, Asia and Emerging Markets
11/15/2013 | J.K. | Senior Director, Operating Model Development
11/18/2013 | S.K. | Senior Vice President, Shopper Marketing & Channel Development
12/4/2013 | H.L. | Senior Director, Risk Management


Appendix 3. Electroworks: Objectives Impact Matrix

Columns of the matrix: Objective; Attribute; Event; and five impact levels: 5 Worst Case, 4 Severe, 3 Major, 2 Moderate, 1 Minor.

Objective: FINANCIAL

Attribute: Net Income
Event: Net Income Shortfall (after tax, in one year)
5 Worst Case: >$150M
4 Severe: $75M-$150M
3 Major: $25M-$75M
2 Moderate: $5M-$25M
1 Minor: <$5M

Attribute: Credit Worthiness
Event: Change in financial ratios or risk
5 Worst Case: Event of default; Unable to raise any capital due to credit rating.
4 Severe: Credit rating downgrade to below investment grade; Unable to raise full amount required capital.
3 Major: Credit rating downgrade.
2 Moderate: Hydro One Inc. put on credit "watch".
1 Minor: Credit rating agencies and bondholders express concern.

Attribute: Value of the Enterprise
Event: Loss in Value of Hydro One
5 Worst Case: Loss of >25% Value
4 Severe: Loss of 10-25% Value
3 Major: Loss of 5-10% Value
2 Moderate: Loss of 1-5% Value
1 Minor: Loss of <1% Value

Objective: REPUTATION

Attribute: Public Profile
Event: Negative media attention; Opinion leader and public Criticism
5 Worst Case: National media attention; Opinion leaders/customers nearly unanimous in public criticism.
4 Severe: Provincial media attention; Most opinion leaders/customers publicly critical.
3 Major: Significant local attention; Several opinion leaders/customers publicly critical.
2 Moderate: Letter(s) to Minister of Energy.
1 Minor: Letter(s) to Senior Management.

Attribute: Shareholder confidence
Event: Owner/shareholder involvement in Hydro One operations
5 Worst Case: Complete loss of confidence; CEO and Board replaced by the owner.
4 Severe: Extensive loss of confidence; CEO or several Sr. Managers replaced.
3 Major: Credit Rating agencies and bondholders express concern.
2 Moderate: Confidence in question; owner requests significant changes to business plan.
1 Minor: Some concern with management decisions; occasional requests from owner for details.

Attribute: Employee confidence
Event: Employee Dissatisfaction
5 Worst Case: Widespread departures of key staff with scarce skills or knowledge.
4 Severe: Sharp, sustained drop in employee survey results; departures of key staff with scarce skills or knowledge.
3 Major: Sharp decline in employee survey results; sharp increase in grievances.
2 Moderate: Modest decline in employee survey results; modest increase in grievances.
1 Minor: Less than planned improvements in employee survey results.

Objective: REGULATORY RELATIONSHIP

Attribute: Meet License Conditions
Event: Loss of Credibility with Regulators
5 Worst Case: General loss of Credibility; Intrusive Involvement.
4 Severe: Some loss of Credibility; Excessive Involvement.
3 Major: Some Concerns re: Competence; Difficult Demands.
2 Moderate: Increase in Reporting Detail and Frequency.
1 Minor: Balanced; some challenges.

Objective: CUSTOMER/RELIABILITY

Attribute: Reliable Delivery of Electricity
Event: Outages on the Hydro One system
5 Worst Case: Outage affects: >100,000 Customers Distribution or >1000 MW Transmission for more than seven days.
4 Severe: Outage affects: 40k-100k Customers Distribution or 400-1000 MW Transmission for 4-7 days.
3 Major: Outage affects: 10k-40k Customers Distribution or 100-400 MW Transmission for 2-4 days.
2 Moderate: Outage affects: 1k-10k Customers Distribution or 10-100 MW Transmission for 4-24 hrs.
1 Minor: Outage affects: <1000 Customers Distribution or <10 MW Transmission for <4 hrs.

Attribute: OEB Service Quality Indices
Event: Failure to Meet Service Quality Indices
5 Worst Case: Achieve 25% of Overall Expected Performance.
4 Severe: Achieve 67% of Overall Expected Performance.
3 Major: Achieve 80% of Overall Expected Performance.
2 Moderate: Achieve 90% of Overall Expected Performance.
1 Minor: Achieve 95% of Overall Expected Performance.

Attribute: Direct Customers, Local Distribution Companies, Generators
Event: Increase in customer dissatisfaction with Hydro One
5 Worst Case: Numerous Direct Customers initiate action such as bypass or relocation; Numerous LDC's default on bill payments; Generator reluctance to locate in Ontario leads to shortages.
4 Severe: Exponential increase in customer lawsuits for direct and/or collateral damage believed to be caused by Hydro One; Complaints to provincial government increase dramatically.
3 Major: Customer associations step up lobbying efforts for stricter penalties against Hydro One.
2 Moderate: One "large" customer experiences significant production losses due to Hydro One actions/inaction; high level (CEO, COO, etc.) calls to Hydro One CEO's office.
1 Minor: Increase in number of customer complaints.

Attribute: Residential and Small Business Customers
Event: Increase in customer dissatisfaction with Hydro One service quality
5 Worst Case: Significant numbers of customers begin to default on bill payments.
4 Severe: Exponential (>50%) increase in call centre volumes and complaints received by field staff.
3 Major: Call centre volumes increase noticeably (25%); noticeable increase in complaints received by field staff.
2 Moderate: Sharp deterioration in customer satisfaction as per survey responses.
1 Minor: Moderate deterioration in customer satisfaction as per survey responses.

Objective: COMPETITIVENESS

Attribute: Unit Cost Reduction
Event: Failure to Reduce Unit Costs (incl. overhead & non-billable time)
5 Worst Case: Unit Costs increase by >25%
4 Severe: Unit Costs increase by 15%-25%
3 Major: Unit Costs increase by 10%-15%
2 Moderate: Unit Costs increase by 5%-10%
1 Minor: Unit costs not reduced

Attribute: Work Program Accomplishment
Event: Work Program Shortfall
5 Worst Case: >10 Critical Projects late or; <50% of non-critical work completed.
4 Severe: 5-10 Critical Projects late or 50%-70% of non-critical work completed.
3 Major: 3-5 Critical Projects late or 70%-85% of non-critical work completed.
2 Moderate: 1-3 Critical Projects late or >85% of non-critical work completed.
1 Minor: No Critical Projects late; >85% of non-critical work completed.

Objective: SAFETY AND ENVIRONMENT

Attribute: Employee: Workforce Availability/Safety
Event: Change in availability (%) in one year; Accident Severity Rate.
5 Worst Case: Key functions/locations unavailable > 1 week; Employee fatality or major permanent disability.
4 Severe: Key functions/locations unavailable > 1 day; Employee critical injury.
3 Major: Accident Severity Rate > 50% above target.
2 Moderate: Accident Severity Rate > 25% above target.
1 Minor: Accident Severity Rate above target.

Attribute: Environmental Performance
Event: Adverse Environmental Impact
5 Worst Case: Widespread offsite impacts e.g., regional or municipal water supply.
4 Severe: Multiple local offsite impacts e.g., multiple residential properties or private water supplies.
3 Major: Significant local offsite impact e.g., a public thoroughfare; Significant spill/release with impact on Hydro One Inc. property only
2 Moderate: Minor local offsite impact e.g., a single residential property or private water supply.
1 Minor: Minor impact on Hydro One Inc. property only.

Attribute: Public Safety
Event: Public Injuries with Hydro One at fault.
5 Worst Case: Fatality or major permanent disability.
4 Severe: Significant increase in number of injuries.
3 Major: Moderate increase in number of injuries.
2 Moderate: Small increase in number of injuries.
1 Minor: No change.
