18/06/2010
Risk Management Professional –
Roundtable discussion
Enterprise risk management
Wednesday 12 May 2010
Chairman:
Geoff Taylor, executive director, Willis Corporate Risk Solutions.
Panel members:
Richard Archer, enterprise risk manager, Wellcome Trust.
Stephen Capon, head of country and credit risk management, political risk and credit, ACE Global Markets.
Elaine Heyworth, head of risk management, T-Mobile UK.
Val Jonas, chief executive, Risk Matters.
Ludovic Relandeau, vice president UK operations, Mega International.
Tom Shiel, head of risk and insurance UK/Netherlands, Shell International.
Mark Wilford, director of risk, Rolls-Royce.
Taylor: There are a number of factors that have brought enterprise risk management (ERM) to the fore. One of the main questions that have arisen is that we’ve experienced a massive banking failure, yet banks claimed to be expert in ERM. Was that wrong or was it their approach that was wrong?
Heyworth: But what clearly came out of the crisis was that some banks were clearly very good at risk management – Barclays, for example, came out of it very well.
I joined the group as a health and safety manager and was immediately pushed through their risk management training programme. They taught you how to look at risk from a business strategic point of view. They engage at all levels of risk management with their risk managers. It’s taken very seriously and they are always ready to take advice and comments from experts to develop that programme. HBOS had Paul Moore, who clearly knew his stuff, yet they chose to ignore the advice he gave them.
It just didn’t happen that way at Barclays. John Varley, now their chief, went up through internal audit and took risk management very seriously. If an internal audit was failed, then it went right up to his desk and the CEO of that particular business function was carpeted for the failure. BIA, as Barclays’ internal audit was called, was taken far more seriously than at any other company I’ve heard of. We engaged with internal audit to ensure that everything was up to speed.
I was brought in after BarCap had failed its health and safety audit, because of my H&S experience. Next year they flew through it as risk management was taken so seriously. And that’s why subsequently the group was successful in weathering the crisis as its risk management was superb.
Wilford: Your point about ignoring warnings is critical. And it’s not just the banks – it applies equally to any other sector. ERM might not be a panacea for all ills, merely a means of providing better information to assist in better decision making. People can choose to ignore that advice or information and not to react accordingly.
Heyworth: And they have to take the consequences, which is clearly what happened at HBOS.
Taylor: Has anyone else had similar experience of risk management advice not being listened to?
Shiel: It’s all about the compliance culture, and the culture of the organisation, and whether it tries to ensure that everyone understands the rules and plays by them. It’s about whether they regard ERM as ‘nice to have’, or whether risk managers have the freedom to act. However many systems and however many compliance checks you have, the lead has to come right from the top and through the organisation if people are to understand that compliance is important. And it’s not just about risk management and compliance with the law and with rules and regulations or pricing – all of those things that can undermine a global business.
Jonas: There’s a need for the people at the top to set the right culture. In some organisations I’ve experienced it was the case that senior management didn’t want to hear any bad news. But that attitude has changed over the past 10 years and they now want to know everything. It’s the people at the next level down that don’t want to pass any bad news up to management level. If there’s a culture such as Elaine outlined, where people are brought in and are trained across all disciplines – and they understand each other’s issues and the way the whole company works – then they don’t get stovepiped. And that’s one of the ways you break down this intermediate ‘sponge’ level.
So in many organisations it’s no longer senior management that’s the main problem – only in as much as they’re defining and guiding how the people below them work.
You find this not just in corporates but also in government. I’ve worked a lot across the MoD and there’s a culture of not wanting to hear bad news, of wanting to appear successful and to have ticked the right box that pushes through a project or gains approval. This process is very robust, except that too often people are encouraged to change the numbers in order to make the approval work. So it’s that middle layer that’s often the barrier. Unless senior management breaks that down – and it’s their responsibility to deal with it – we won’t get ERM properly embedded.
Capon: Part of the problem with the banks was they were too siloed in their approach. The classic Basel II method meant there wasn’t enough integration or communication between the different groups. There was no real ERM.
Heyworth: Barclays was one of the first banks to actually place the chief risk officer – in their case Robert Leblanc – in front of the audit officers and the accounting process. He did this amazing presentation, which admittedly nearly put everyone to sleep because it’s very difficult to make it sound exciting or invigorating. But he was extraordinary and in nearly every analyst presentation since he was there explaining risk.
Wilford: But then it shouldn’t be something too difficult for them to explain. Because speak to any business person and they’ll tell you that they are handling risk every day.
Heyworth: Yes, they do it instinctively and not by numbers.
Wilford: But then ERM isn’t necessarily all by numbers. We should all be on the same page.
Taylor: So is there an issue here? My experience, when I was based in the Netherlands, was that the banking guys were keen to monetise every risk and turn it into a number. There are some risks that you just can’t do that with, and that’s something that we all struggle with.
Relandeau: There are two basic natures of risk of governance in the mindset. Barclays’ methodology, as I understand it, was driven by an understanding of the universal ecosystem. To give a basic example, let’s say you’re flying from London to New York. The pilot reassures you that you’re insured in the event that the plane crashes. But that’s not what people want to hear – they’d prefer to have reassurance that the plane is safe, the processes for manufacturing the plane were under control and that air traffic supervision is working perfectly. As a customer, this is what I’m interested in.
So there are two complementary aspects – one is learning to reassure and stabilise the financial markets through authorisation of companies. So we have solvency and Basel II that ensure there is enough capital in case we have a problem. But just as important is to have governance in place that ensures the excellence of the operations.
There were banks that were less well prepared for risk, or less well supervised, because they emphasised the financial aspects too much and didn’t pay enough attention to operational governance.
If we talk about the success of ERM responds to different logic, the control systems that we put in place are slightly different. Whereas if I do some process work for Pillar II, I’m not necessarily improving ERM.
Capon: And even Barclays was forced to raise additional capital as the cushion it had built up proved insufficient. The banks have traditionally been good at measuring expected losses, but terrible at measuring tail losses. The whole Basel II process has its emphasis on historic data and even the Basel modelling used by some of the investment banks on the market side has tended to use quite simplistic data. There just isn’t enough thinking ‘outside of the box’ or looking into the future to see where the new risks are coming from. To go back to my silo remark, where’s the risk aggregation?
Shiel: That’s important because much the same thing had been previously experienced in the London market in the late Eighties. Certain people were measuring risks and exposures in certain ways while others were looking at them completely differently.
Taylor: Is there then an issue about creating systemic risk? Because you might be doing very well within your organisation, but as in the London market example there was systemic risk as everyone was doing it. Part of the reason for the banking crisis was everyone doing things the same way? It’s about a diversification approach to ERM to make it more valuable, rather than just having a single approach.
Jonas: One of the problems with the banks – looking at it as someone outside the sector – is that they haven’t comprehended that risk is global and they were playing in global markets. They weren’t measuring risk against the global downside, so they were resilient to a local impact, but not to the property market falling through the floor across the world.
Our group specialises in risk analysis and it’s hard to get across to people, including senior managers, that you might be 99% confident of your risk, but that remaining 1% may contain the very same amount of risk by value as that 99%. So the tail is very like, and while people think it’s 99% covered it’s not.
Taylor: It’s the Black Swan problem. In that 1% is a global meltdown, or the World Trade Center-type event.
Relandeau: They are difficult to control. Systems are so interconnected that it would mean you control systemic risk, supported by the organisation, which is virtually impossible.
Heyworth: The financial crisis was interesting as it showed that banks don’t learn from one another’s mistakes. In the late Eighties/early Nineties Barclays fell over quite badly from its property exposure. Everyone seems to think that RBS was brought down by its ABN Amro transaction, which had only a relatively minor part to play. It was their £200bn exposure to property.
Barclays had already learned from its earlier mistake not to overexpose yourself in property – and it was that huge liability that brought RBS to its knees. RBS clearly hadn’t learned from Barclays’ mistake.
The whole CDO episode involved banks imagining that they were selling risk, but they were selling it back to one another, which only made it systemic.
Jonas: And nobody gave the instruction ‘stop making money guys’ because we all wanted them to be successful – all of us who wanted our big houses and four cars.
Taylor: And if you look at a lot of banking failures, they resulted from people making lots of money, like Nick Leeson. The view was, he’s making lots of money so let him get on with it.
Wilford: Can I make a tangential point here? I’m not a banker, but listening to the conversation about systemic risk, the Black Swan point and the 1% of the tail severity emphasises that a good risk management process or culture should recognise that we’ll always face Black Swans. They’re so frequent that they hardly count as Black Swans any longer; the Icelandic volcanic ash is only one example.
That being the case, if you have a mature risk management culture, a key element must be business continuity. It’s not just about measuring or quantifying the risk. It’s thinking about how, when you get hit by something unexpected, you not just react to it but recover the business – in a new paradigm effectively. That’s what will separate the winners from the losers.
Jonas: The word ‘resilience’ was regularly being bandied about a few months back – although surprisingly it’s been less in evidence more recently. Resilience gives people more of a sense of looking forward, as opposed to compliance and other terminologies used in risk management. Resilience covers everything; it gives a holistic view of how your organisation can manage through whatever might be thrown at it. Too much risk management is regarded as something internal, although of course you can’t put in place all the things needed to meet every eventuality. I’m a fan of looking at the cause of everything as that’s the only way to manage it, but cause isn’t as relevant if it’s something that lies outside of your control such as an atomic cloud or a 9/11.
So what happens if the airlines are grounded? How resilient is your business?
Heyworth: Swine flu was treated as a crisis largely due to the media attention it attracted. But I was able to build in a huge amount of resilience, which T-Mobile had never had before. I got a list of our key critical workers for each department. Rebuilding the resilience of their remote access was important, as suddenly they all started thinking that this could actually happen and forecasts were suggesting that we could lose around a quarter of our workers in one go to an epidemic.
Taylor: This leads on to looking at the strategic approach to ERM. Looking at historic data tells you nothing. There’s a lot of focus on using the ‘fear factor’ so ERM professionals…
But ERM isn’t just about protecting the outside, it’s also about opportunity.
Relandeau: Let’s say you’re examining product samples – if you have a huge number then it’s easy to detect the faulty ones. But in operational activity, people tend to do things very differently.
If we use the same statistical calculation on only low volumes, then you don’t get the same results. So are we using the right methodologies in the right context?
Shiel: To take up Elaine’s point, a competitive culture is important. In some sectors firms are willing to share lessons learned with their peers; in others – particularly pharmaceuticals – there isn’t that same readiness, as firms feel doing so means also giving away their competitive advantage.
For ERM structures and disciplines, the more sharing of information there is, the better the risk management systems that can be developed.
Heyworth: Yet there was no reason for HBOS to have ignored the fact of the property crisis. In banking it becomes more public.
Capon: What shocked me when I joined Ace in 2002 – particularly looking at the Lloyd’s market and its syndicates – was the market’s complete lack of willingness to share data. Even though you had a third party handling claims and you could clean up the data.
Taylor: Is it because many people just don’t understand that sharing information is useful, or is it due to competitive advantage? If you manage risk better than your competitor, then that is an advantage. Take the BP oil spill – there would be a great advantage in sharing knowledge about what happened and how it could be prevented, because nobody wants an environmental disaster.
Heyworth: And if we don’t speak the language of business, then we’re not doing our job right. That’s the way we have to approach it.
Taylor: And reputational risk is a major part of it.
Capon: There have been previous incidents in the Lloyd’s market, particularly if you take political risk and credit risk back in the Eighties and Nineties that were serious enough to remove all capacity from the market. So you don’t have any market stability for the client. Sharing information and being willing to discuss the sorts of approaches you take helps to stabilise the market and ensure the capacity is there.
Jonas: But are individual companies brave enough to do that with other companies though? It usually takes an external regulatory or environmental body for that sharing to happen. Almost every industry has a regulatory body that could make that happen, but too often they’re weak and ineffective. If they could put much better ground rules in place in advance and steer the ‘lessons learned’-type exercises across the industry, that’s something the industry would welcome.
Wilford: So you’re saying regulators should take a different approach? They should behave rather more like the BarCap audit team – or at least have that same profile and culture.
Heyworth: The problem with the banking regulators is that generally they’re poorly-paid. It’s unfair to call them non-professional, but often they’re made up of individuals who failed to get the top banking positions.
Jonas: Major companies, relatively speaking, have unlimited resources compared with the regulators. When the electricity companies were privatised in the Eighties, that industry enjoyed huge resources while the regulator had none at all, which enabled companies to drive through the way privatisation was conducted. You’re not going to have enough money to put enough people in the regulatory role, which means the ones you do have must be really strong individuals.
Heyworth: And the really strong individuals ended up being poached by the banks.
Jonas: Just as an example, the defence sector became very strong thanks to certain individuals. The National Audit Office turned around their approach and the way they were perceived by industry – defence particularly – by becoming its friend, rather than its enemy. They went in with the focus of finding best practice and then identifying where they could improve, rather than finding all the flaws.
Heyworth: That’s exactly the approach I adopted with Barclays’ internal audit. Faced with an audit, everyone was absolutely terrified and I picked up the phone to the audit team. I said ‘What are you going to do? Let’s have a chat.’ Because the audit team offers a fresh pair of eyes looking at what you’re doing. So what if you’re doing something wrong? Someone has looked at it freshly, and seen where you’re going wrong. Surely that’s beneficial. Doesn’t that mean we get it right?
Archer: So people feel relieved after they’ve visited?
Heyworth: Absolutely! Building up relationships with those who are doing the audit provides a hugely valuable tool for ERM, looking at it differently with a fresh pair of eyes. When you’re so close to it that you can’t see the wood for the trees, you’re going to miss something. But it has to be collaborative – not ‘OMG, an audit. Stay away!’.
Jonas: Just picking up on the regulators again and the ‘lessons learned’ aspect across industry sectors, they don’t have either the remit or the people capable of managing multiple organisations. It takes a strong person to manage competitive companies.
Taylor: So does that mean we should scrap the regulators?
Heyworth: No – the problem with our regulators is that there’s no discipline, or any penalties for getting it wrong. The consequences are minimal. OK, RBS was brought to its knees as a consequence of poor risk management, but that was an exceptional consequence and an exceptional Black Swan event. My problem is that most regulators lack teeth, nor have they been given any! Even if they don’t have the best people, or the most highly-paid – if someone said: ‘Get this wrong and we’re going to fine you 10% of your 10%’ then we’d see a difference!
Capon: To be fair, back in the Nineties when the Bank of England was overseeing the banks, then the regulator did have some teeth!
Taylor: Of course the banking crisis wasn’t triggered by a Black Swan, but simply by lending to people who were unable to pay the money back, repackaging it and then selling it on to each other. If they’d actually looked at it …
Capon: But it was also triggered by politicians.
Heyworth: Absolutely! Bill Clinton was a major culprit – he said “We need to lend money to impoverished people who need to get onto the property ladder”.
Taylor: With our benefit of hindsight, as the world’s prime panel of ERM consultants, how could we have prevented that? How would we have advised looking back at that? And would we have been heard?
Jonas: The ERM risk manager’s role is to understand the market, and it should have been the role of these people to note what was happening and identify systemic risk. Probably many people – and a lot of bankers – actually did know what was going on. But they were making too much money to want to stop – and while they were doing so, and fuelled by the bonus culture which acted as a catalyst, there was just no incentive to stop.
Wilford: It’s about maturity as well. The ERM industry, and the people within it, is still going through a learning process. The focus in the first instance has been on insurance and compliance, although it’s now moving into the next stage of core processes and ultimately needs to reach into strategic decision making.
There is a need to understand the market and the landscape – and how you fit into it. Risk managers – and I don’t mean insurance risk managers in that sense – are still emerging from the compliance phase into the core process stage but aren’t yet at the strategic decision support stage.
Shiel: Isn’t there still a prevalent mindset that risk managers are there to remove risk?
Wilford: Yes and that perception still holds within the risk management sector. That’s a legacy of the insurance market.
Shiel: A lot of people look at the risk managers as the guy who’s going to prevent you from doing business.
Capon: But when I set up the political risk and credit market team at Ace our remit was to help develop new business and to spot opportunity as much as manage the existing risk.
Shiel: But really the role lies in getting people to understand risk; to understand the impact and probability and to make profitable decisions with that knowledge.
Heyworth: It helps to use the word ‘opportunity’ as often as the word ‘risk’.
To return to the strategic element; when I joined T-Mobile and had to review our swine flu contingency plan, my predecessor had been relatively difficult about it. He wanted the entire crisis management leadership team, our executive committee, around the table. I went into the meeting room, looked at all the senior people and said ‘You know, you’ve got a business to run. Why don’t you go away and nominate one person in your team and I’ll e-mail you once a week to advise how we’re dealing with swine flu.’
Immediate impact – listening to the business speak. I didn’t need the CFO or the MD sitting at the table to deal with swine flu. That immediately won me credibility.
It’s speaking that language of the business that’s so critical to strategic risk management, and talking about the opportunities for how it’s going to work.
Shiel: And you don’t make any profit without taking risk – taking measured, understandable, sometimes monetised and estimated risk.
Relandeau: Although the risk manager will never replace the individual who heads the business unit – the entity who, at the end of the day, is the only owner possible of that particular risk. Instead, the risk manager needs to bring the tools for those people to help them identify the main risks and what can be done about them, to set up the best processes, techniques and modelling of different kinds. It’s all about risk identification and bringing the risk under control. And eventually how to report risk in a consistent manner to provide a global exposure and some kind of global visibility to management – and at the same time also involve those business unit heads who, at the end of the day, are the only ones who really know what the risks are.
Taylor: It brings in this question of risk maturity and the progress of ERM in general.
The CEO and senior management own the risks absolutely. In the same way that they have someone in human resources advising them on how to hire and fire, promote and develop people – because it’s a specialist area – similarly they should have a risk adviser. So are we far enough along that progress curve, not just in how ERM is done, but also in how ERM reports to the board?
Heyworth: It completely depends on how badly the company has been burned.
Wilford: It’s not across the board yet by any means. Many companies are struggling with what they need to do to get there. They’re worried about the level of investment they need to make and other issues. They’re distracted by all this, when they really need to be bold, hold their nose and jump right in to see what happens. Because actually it’s much better for them when they do that.
Heyworth: At T-Mobile, where they see a problem they throw money at it to fix it. They see themselves as entrepreneurial in that approach. My speciality is root cause analysis – let’s see what the causes were so hopefully we don’t get any more coming through that particular pipeline. It represents a learning curve for them to start going down this route, whereas I know it works as I’ve seen it do so in practice.
To me, that’s an immaturity. At Barclays, risk management was mature and the bank has been around for 300 years whereas T-Mobile is a much younger company that’s been around 15 years.
Taylor: And of course Basel II required this approach.
Heyworth: Yes, so it’s very much down to maturity.
Jonas: Another barrier to risk management, which Mark touched on, is investment. I’ve not come across any companies that regard spending on risk management as something positive, although they do recognise that it’s something they need to invest in. But when it comes to actually putting money on the table it’s really hard to get that commitment from management. The maturity at senior management level needs to be improved. Not only do you need money at times to try and solve risks that might hit you, but there are also risks that you take that you don’t need to spend money on, which you can decide to carry instead. Because you know what your recovery reaction would be and what exposure you’ve got, so then you can carry that risk and not proactively invest in managing it.
But there is a culture in many organisations, particularly in government, that you’re not allowed to proactively spend money on actions – they want you to do the actions, but it’s not built into the budget.
Relandeau: Do you think this is linked to the fact that perhaps people don’t feel responsible for the business?
Jonas: I think it’s more that people don’t understand that you expect to spend money against risk. It might be different in more mature organisations such as those in the banking sector that have a more financial approach to everything. But most government departments still don’t allow for contingency in the things they do.
Heyworth: Do you think that’s because we’re not selling it properly?
Jonas: Well, taking up your point about going to management and saying ‘I don’t need you, but I’ll keep you updated on development’ – executive boards generally don’t have enough confidence in their risk managers and the advice they’re getting. So is that the risk manager’s fault?
Taylor: That’s a good question. From personal experience, when you go up at budget time and say ‘I’d like another FTE, we’re going to do this and it’s going to improve our risk profile’, their reply is ‘Brilliant! Fantastic!’ Then they have a whole list of priorities and over here they could hire three salespeople, two marketers… and they can actually tag revenue to those positions.
Capon: But that’s there in your presentation when you go for the budget. The process that I have internally, for the business case, is both sides of it. How much revenue are you going to generate?
Wilford: You have to have the leadership that can understand, and therefore accept that this isn’t about revenue generation but about value protection. We’re not actually investing in capability that will produce a tangible and measurable financial benefit that can be measured in the short term. It’s about protecting the value of the organisation, which is financially and operationally more important in the long term. We’re not doing anything more than building a better mousetrap.
Heyworth: Business has two main drivers, making money and staying out of jail. We’re on the ‘stay out of jail’ card. That’s what we do. Every time someone asks me what I do, my reply is ‘I protect you!’
Relandeau: If you look at compliance, there are some companies that decide to take opportunity, that are sensitive to the notion of excellence internally. They know it’s the way to provide better services, to retain customers, to identify root causes of problems. So there are companies interested in more than merely staying out of jail, they want to gain sustainability over the mid- to long-term.
So our mandate is to demonstrate to and to educate the organisation that it’s not just a compliance issue, even if that’s what people are more sensitive to initially. It must be about protecting and creating value. At the end of the day, the risk mitigation should have an objective of compliance or performance.
How capable is the organisation in identifying risk and mitigating it? It’s a general process that comes down to its general processes and practices and its mindset. The more resilient the organisation is, the better each of these will work.
Taylor: Richard, you work for a trust that possibly has slightly different objectives to a corporate. Does it make a difference to the role and how the role is seen?
Archer: Not really, we still operate in quite a corporate fashion. It’s still basically about helping people with what they want to deliver. So I regard it as very much the same.
Taylor: Because there is a question of whether ERM moves differently in different sectors.
Archer: Well there is a difference between the financial and non-financial sectors. ERM in the financial tends to be much more quantified and this quantification has made risk more explicit, supporting the development of the role of chief risk officer.
Jonas: Except that the oil majors such as BP and Shell are such huge organisations that they’re not dissimilar to banks in their size and complexity, and the amounts of money that they process.
Wilford: Even in the non-financial world you can use quantitative techniques to great effect. We’re starting to do that in our group, and it’s part of my theory about moving up that curve and getting to the top of the curve, which is where the next value piece is – to actually learn the techniques and apply them to the real world.
Archer: Are you quantifying reputation?
Wilford: But you don’t quantify reputation though. You need to step back and make those judgments. What the risk manager needs to be doing is responding to that challenge. You can’t bring risk down to a number, or a digit. It’s a mixture of several things, quantitative and qualitative variables.
Archer: So with the different aspects to risk exposure, how do you think people will go about meeting the risk appetite requirements that are expected with the new UK corporate governance code?
Heyworth: That’s the most frustrating part of that whole vision of Turnbull and what is risk appetite. It depends on so many diverse factors. I’d say that T-Mobile’s risk appetite is completely different to Deutsche Telekom’s.
Wilford: I’d agree. A far more relevant question is your risk tolerance than any degree of quantification at that level. Let’s understand risk tolerance – it’s how much can we afford to lose without actually going out of business. That’s the relevant question, far more than this risk appetite stuff.
Heyworth: It’s too airy fairy, you can’t pin it down.
Taylor: Some consultants have also realised this.
Heyworth: I couldn’t agree more. I had a long chat with Paul Hopkins of Airmic and we agreed that it’s hugely frustrating; it’s completely the wrong measure.
Wilford: Does that mean you always drive business completely within your risk tolerance? Can you take another view along the lines of ‘although this could sink us, we want to play well within that’?
Capon: It’s just another parameter, when you’ve got a whole bunch of data in front of you and a lot of levers to pull. And that’s one of those levers.
Relandeau: Why are you saying that risk appetite and risk tolerance are not simply two faces of the same problem though?
Heyworth: Risk tolerance relates to how much you can afford to lose before your company goes belly-up. Risk appetite will be different, depending on the external drivers.
Wilford: One is the desired level and one is the actual level.
Heyworth: That is the real level as opposed to an aspiration level.
Jonas: Don’t you think both are useful? I’d agree that they’re two sides of the same coin.
Archer: The thing about risk appetite is that no organisation outside of the financial sector has implemented the concept top to bottom successfully.
Jonas: To take an example, we’re working on the Athlete’s Village at the moment. Their risk appetite is such that they have zero tolerance to being late. So every schedule analysis they do has to be done to 100% confidence.
Archer: Does that mean if they’re one hour late they wish they’d never tried?
Jonas: No, but it’s about giving messages to the organisation. So it’s one thing for those at the top to say ‘I know what my risk threshold is’, but risk appetite is a culture thing and giving people the right messages about how far they can go – in terms of should I be late, should I cut what I’m doing, should I spend more money on this? It’s like a message to give to the company.
Taylor: And as Elaine pointed out, this changes from day to day as priorities change. So it might be OK to be late today, but not tomorrow.
Archer: For me that’s a target – the target is not to be late. And yes, to be late is totally unacceptable, but there will always be some residual schedule risk for construction projects, no matter how well schedule risks are managed. I would like risk managers to be brave and state the level of risk to be accepted.
Taylor: Although you might agree to be late on one project tomorrow as there is an opportunity over here to gain more benefit on another project. So I’m ready to lose a little bit here in order to gain a lot over there.
Jonas: But I’d never look at anything on such a local level as being a day late.
Taylor: As each business unit does…
Jonas: Yes, that goes back to the start of the conversation that stovepipes are bad. ERM will never work without lateral discussions across the organisation, and people above those business units who can provide the right level of oversight and negotiation between those people – and say ‘Yes, we are now going to let you be late, and that won’t be a black mark against you as this one needs to come in early’. So it’s more a problem than this lateral breaking down of stovepipes.
Heyworth: Risk appetite doesn’t work in that case. For me, an interesting aspect of risk appetite is that it’s regarded as a competitive advantage within the banking sector. The banks aren’t going to share their risk appetite with anybody.
Relandeau: My impression is that risk appetite doesn’t necessarily translate into risk tolerance. Because it’s basically the level of risk that managers or executives are ready to take for certain gain.
So taking your example of the project, if the attitude and mindset of the people is that it’s important for the project to come in on time, it means they’ll invest sufficient time to think through the project. And if they’re one day late at the end of it, they are putting in place a context in order to manage operations in a way that matches this risk appetite attitude. For me the two are necessarily linked. I may have a very aggressive appetite for risk that is central to my business strategy and a risk tolerance that is set at a different level. How can I explain this to my colleagues? There may be some hidden agendas, but they seem to be very much linked.
Shiel: To my mind both risk appetite and risk tolerance are determined by the investors. It is they who will test your risk appetite and risk tolerance, and mark your price accordingly. And if you don’t deliver on your commitments they can always spread their risk. And if they’re a big pension fund and you, as a major company, start breaking your promises and not delivering, not performing, you’re going to suffer.
Jonas: Organisations such as Standard & Poor’s and the credit ratings agencies are having a significant influence on risk management.
Right now the Greek debt crisis is hitting us. We’ve known about it for ages and that it’s all about reducing their ratings to junk status.
Heyworth: Well it’s all about poor risk management of their economy, not the ratings agencies.
Jonas: Exactly, but getting back to risk appetite and the nature of risk taking – everyone knows that Greece’s economy and the government’s approach has been disastrous. They made a conscious decision not to tackle debt, so we’ve known the country has been heading towards crisis for some time. But it’s only now that their rating has been downgraded, although they’ve generally been seen as a country to be avoided for some time. So that says that the ratings aren’t working because they should be forward-looking things, not backward-looking. If you measure a company on the previous year’s financial performance, then it’s history! And investors are investing in short, medium and long-term returns. So my interest is in the risk-taking attitudes that companies have.
Maybe appetite isn’t so good a description, but attitude – in this case the Greek government’s attitude to the debt crisis – that has put them in this position.
Heyworth: Actually, it’s the EU’s attitude towards the euro that has put Greece in this position. Ten years ago it wanted everyone to join the club and to do whatever it took. Let’s face it; they put a lot of money into Ireland and Greece so they could join the euro. But then they neglected to carry out any supervision around the debt culture. That allowed the debt to escalate. Now in Ireland they’re taking steps – and so far no-one has been killed in any riots – to cut the public sector payroll by 15%. Can you imagine that happening here? The fault for the Greek crisis is embedded in France and Germany being desperate to get the euro off the ground and not putting proper risk controls around it.
Capon: It’s actually worse than that even. They had a supervisory capability that was aware of dubious accounting for years, yet it took no action.
Heyworth: There were no consequential behaviour skills put into place, where the supervisory board went in and said: ‘Greece this isn’t good enough – you’re doing it all wrong and we’re going to slap sanctions on you’.
Jonas: And you’ll have to be removed if necessary.
Capon: Yet incredibly difficult if you have no federal or fiscal restrictions.
Heyworth: Although it’s not really federal, it’s political.
Taylor: But to steer the discussion back to ERM – the next question is that while it’s fantastic, and we’re agreed that it’s made lots of progress, where are we today? Are we now ready to move ERM up to the next strategic level mentioned by Mark? Or are we still at the process level? Is there an opportunity to step up to the next level?
Archer: People are there already. Every time you use information in making risk decisions at board level, it’s at a strategic level.
Shiel: But there’s still a little more work needed to get the discipline, vision and regulation right across the whole enterprise. There are so many skill sets that have grown up separately.
Wilford: In many large organisations, particularly the FTSE 100 companies, there are elements of it, but it’s not all together in one body or one unit of the organisation.
Jonas: I’d say that fewer than half the companies out there are ready to start implementing ERM. Those most likely to succeed more quickly are those that have good specialist risk management expertise across many areas. The key problem lies in drawing all of them together. Where there’s no recognised risk management culture within the organisation, even in pockets, then the challenge is huge. As soon as you put an ERM initiative in place, then it starts asking the question of where the information is coming from. It doesn’t matter if the organisation has a strong health and safety culture, or a strong project risk culture, or a strong financial risk culture. Generally there must be an existing risk culture, some existing capability within the organisation already on which ERM can grow. If there’s little or nothing there, it’s going to take a much longer journey to get there.
Shiel: Another point here is that the big, successful companies are intuitively good ERM players. They do it at board level and throughout the organisation, which means there is a lot of intuitive ERM going on. They diversify their portfolios and make sure they’re resilient if they’re hit in particular areas. So they can keep going if the economy goes belly-up in this particular area, or in this particular country.
Capon: At Ace, we’re now at the cusp of that area you’ve been talking about. We’ve been pulling together all the information from our various skill sets and business areas. We appointed a group risk officer several years back to bring all the information together and coordinate it. So the stuff I’m producing for my underwriters on the front line for doing business is also being fed to the operational risk guys when they’re looking at the sales teams we’ve got in Thailand or the IT support we’ve got in India.
Jonas: The role of the risk manager is a lonely one. You’re an individual across a large organisation, and you have your work cut out in handling the board and senior management, and in making communication happen. That can happen quite quickly, as long as you already have all of these other things happening, and you can recognise and build on what they’re doing. But if you have to also start teaching them the first principles from a low level of cultural awareness, then you’re a drop in the ocean when it comes to getting people to start doing things properly.
Taylor: That raises the issue of what everyone’s experience is of the silo mentality. As you say, you may already have health and safety or business continuity there, so it’s a case of stringing it all together. But there is that silo mentality where individuals say ‘I don’t want people interfering with my bit – I’m head of security and no-one needs to know what I’m doing’. You still have to build that consensus among the teams already there.
Relandeau: Leaving financial risk to one side, they all have one thing in common. Non-financial risk is based on how all the different parts of the organisation operate. What are the processes, the value chain, who is responsible for what, who are the people and where is the critical data? So I agree you have to have a number of risk experts that are knowledgeable in assessing the risk, but in many organisations the framework is lacking to accommodate all of these different people who are coming to risk from different angles.
Each of these different people looks at similar processes from a different perception, so the ability to put these different risk practitioners together and give them a common framework is important. They need a common foundation and a common description of the business. What is generally missing is the ability to put those different risk practitioners together and give them a common understanding of how all the different operations operate.
The risk is the various operations, the KPIs and everything else that people need to understand. The companies best placed to take the next step in risk management have a good understanding, and a shared understanding, of all the operations.
Archer: In terms of getting everyone to work together, this is much simpler with good leadership. If the head of security, for example, knows that he is expected to work with everyone then things happen – he can’t just lock his door and not speak to people. A good risk committee with senior people on it and good oversight can make these things happen. Sometimes, people can overcomplicate things.
Heyworth: I have quite a few security people working for me, all ex-military services, and they are all overly protective. Suddenly they’ve got somebody above them saying ‘Tell me what’s going on’. We have what we call a security risk steering board with 25 people around it from every single different aspect of the business. It’s where we come to from ERM and there’s a chair there who’s considered to be the enterprise risk manager. That board meets every six weeks and it’s where we pull everything together.
Jonas: The ability to break down silos is crucial. Once people have started talking to one another then they wonder how they ever could have done things differently. It’s the point at which the organisation actually starts to practice ERM. The defining point for me is when the specialised disciplines all get together in a room, and then they start opening up and talking about practical things.
Risk processes need to be in place in order to get the right information and data for people to make decisions, but you first need to break through the barrier that gets people talking to each other about their different risks and understanding the context in a business strategic sense. Until then, the company hasn’t got ERM at all.
Shiel: Particularly so if you have a large diversified business. It’s often the case that while one part of the business suffers another will reap the rewards. That means you do need to coordinate across the business, as some parts will say ‘this is a terrible thing – the price of oil has collapsed’ while another has started raking the money in. Those offsets are critical – otherwise you’re disproportionately looking at your upstream risk.
Jonas: That’s the definition of a balanced business – one part of it sees opportunity. If management isn’t looking at that opportunity, and seeing where it outweighs the risk, then the business is dysfunctional – and vulnerable to those initiatives being significant failures.
Taylor: Let’s move on to what we see as the future of ERM. Where is this going? Is there something that could arrest its development, or could it be accelerated?
Archer: It’s a question of how fast it progresses. It’s difficult to argue against the logic of wanting to identify risks and manage them well. The question is what’s the best way of doing ERM?
Taylor: So ERM is here to stay.
Wilford: Yes, because now the momentum is there.
Heyworth: And we have a tough five years ahead of us in the UK in starting to manage our deficits. We’ll always be seen as people who can help to reduce costs. If we position ourselves properly, we can take that role within our businesses and say ‘Our taxes are going to rise and everything’s going to get a bit tougher – this is how we can bring in our experience’. And if we play that card properly now, at the start of that tough five-year period, we can get through them unscathed.
Wilford: We mustn’t forget that we operate in a global world and our American friends have recently made pronouncements to the SEC. The whole notion of chief risk officers and ERM is something that they now want to do. That inevitably will add to its profile, and possibly accelerate the process in the US.
Taylor: There could also be the risk that we see the US moving to more of a rules-based system.
Wilford: So that they lurch from Sarbanes-Oxley to something else that is just as bad. And that impacts on the rest of the world too. Europe is still very much insurance-focused in terms of risk management, but that will start to change.
Heyworth: Emerging markets will show that more value can be taken from the Chinas and Indias of this world.
Capon: That’s certainly an opportunity for ERM. Businesses are going to have to start looking more to these markets as that’s where the growth is.
Wilford: And let’s not also forget our colleagues in Australia and New Zealand, which are both very advanced in their thinking on ERM and their application of it. We just don’t get too much exposure to it over here.
Shiel: My prediction for the future, particularly in the energy sector, is that we’ll see more ‘rear window’ techniques and knowledge-based techniques used to start pricing forward-looking risk. And 90% is a reasonable way of doing it – there’s the other 10% risk that you’ll just take your eye off. You’ll spend so much time running your ruler over the actuary’s report, looking at the probability and the impact of things and the distribution curve that you’ll lose sight of the ‘tails’, which are the Black Swan events – such as what’s been happening recently in the Gulf of Mexico.
BP is not actually doing things any worse than its peers are – it’s rather like spinning the casino wheel and it could just as easily be Total’s turn next week.
So my worry is that we’re rather too reliant on actuarial models and software, so people become comfortable and lose sight of the tails.
Capon: That’s why it’s important to have communication back into the business, to have guys that manage the risk day to day around the P&L. So if you’re going to use the actuaries, then they understand what the business is all about and how it manages itself.
Shiel: And it’s not just about the numbers, it’s about the culture – having risk management in the business and on the shop floor.
Heyworth: It’s great to see high-profile risk managers out there talking about what they’re doing for their businesses and the benefits that we can bring. The trouble is that it’s risk, and therefore seen as a boring subject. There are a lot of risk leaders who should be getting out there more, making a noise and banging the drum.
Capon: Do people feel that initiatives – such as Maplecroft and Bloomberg creating an ERM index, which measures around 200 global corporates – are useful in this?
Jonas: I’ve got serious concerns about that sort of thing, having been in risk over 20 years. In that time I’ve seen lots of initiatives taking off, such as GRC and others – and every time it has been seen as a driver for making risk management happen. In my opinion each of them has undermined the job of doing proper risk management and led to compliance systems coming in.
Whether it’s Enron or WorldCom or other big failures. What happened was the management consultancies caused the problem and then it meant huge amounts of money went into compliance systems to solve them.
Every time you get an excuse for not doing risk management, and for getting people to take responsibility throughout the company, it undermines the ability to take it forward.
We have a small window of opportunity as you come out of the depths of recession, where people still remember the bad times and the pain and before you get to the point where things are taking off again. But it really depends on whether someone hijacks it with new initiatives that suggest if you put it in it will solve the problem within six months. But it won’t – until you get people to take responsibility and get risk management sorted out as a cultural thing inside your company then ERM won’t succeed.
Heyworth: A key problem is memory. People quickly forget what has gone on before; this was demonstrated in the banking crisis, still less than two years ago. Also as people at the more senior levels move out of the business world we’re going to lose things. What came out of the banking crisis was there were lots of young people doing things who had no previous experience of recession and how things can go wrong. They had no understanding of where that problem could be. And that’s going to happen again.
Relandeau: It’s also to do with the incentives that are put in place. These senior people can make a lot of money in a very short time, by taking a lot of risk for which they are not adequately supervised.
Heyworth: But the bonus culture is a bit of a red herring. Most of the banks are owned by the people working within them, so they are risking their own money. People are far too quick to throw in this bonus culture argument.
Relandeau: Yet it’s part of the problem though; traders don’t feel any sense of responsibility as they’re playing with other people’s money. There’s a short horizon of potential benefit to be made.
Jonas: But people are more motivated by the desire to do a good job and being successful than they are by money. The bonus aspect is just in being rewarded for having done a good job. (Dissent from other panellists)
Relandeau: Enterprise risk management has a future, and while we need to clarify the debate and have more pragmatic methodologies, there’s no way ERM is going to disappear. The only way to achieve stability is to have in place a risk culture. There is a tremendous opportunity for the operational people to work with risk managers and provoke the re-adoption of the risk by the people who are doing the business.
If the two liaise with one another, there’s no reason why ERM shouldn’t improve over the coming years. It may take two years, it could take 10, but the trend is there.
Jonas: I’m hopeful there are capable people carrying out good risk management who will move up the organisation and are able to bring different people together. We are seeing people at senior management level already who recognise ERM and try to understand how it works and the benefits you can get out of it, not just from a financial point of view – such as the way you can motivate a team by doing something better. It can bring people together within the organisation. So there is a local leadership thing, although in pockets. And as these people move up, it will help the role of ERM.
Taylor: The young managers of today were more exposed to risk management. BCP and MBA programmes now have risk management modules and as more of these managers come through they’ll be more willing and able to accept it as a part of doing business.
Jonas: And they will say ‘I am where I am because I’ve carried out good risk management’. Although at the moment there are too many senior managers who think they’ve done a good job in risk management, when in fact they haven’t – they’ve just managed personal risk to help them get where they are instead of managing the company’s risk. There is a change as people move up the organisation; they are much more capable and knowledgeable.
Capon: If you already have a philosophy in the company, then it’s those guys who feel that their neck is on the line and their money and they manage risk appropriately.
Jonas: It’s those organisations that already have an open infrastructure and are able to implement ERM now as we come out of difficult times that will see a significant competitive advantage. But only companies that have that level of maturity will have the level of resilience needed.
But I do fear that some new initiative will appear that hijacks this trend, and gives people an excuse not to practise ERM.
Taylor: By ‘new initiative’ you mean something completely different?
Jonas: Maybe another incarnation of GRC, because it’s in the interests of certain organisations to invent initiatives.
Capon: Like McKinsey.
Heyworth: But I don’t spend my time thinking about those things, although we know what it might be like.
Taylor: I like the term ‘sustainable business’ for corporate responsibility. But for young businesses it’s a case of ‘you’ve been in business for, say, 15 years – do you still want to be in business in another 100 years?’ What will make it successful to do that… that ability to recognise risks and carve a path.
Heyworth: An interesting thing about T-Mobile is that I’m not sure they think that way. They might not necessarily want to still be here in 2110, whereas Barclays is thinking in terms of its 500th anniversary. Mobile telecoms is such a fast-moving world all the time. Who knows where they might be in another 15 years.
Capon: Certainly internally we use the phrase ‘sustainability’ – learning from your mistakes and learning quickly. It’s the ability to be really honest with yourself. We have a culture in which when we make mistakes we get together in a room and confess ‘I messed up!’
Taylor: I don’t know what the numbers are, but I believe that no more than 10% of companies in the FTSE 100 are those that have survived for 100 years or more. That tells you something about either scalability or ability to manage risk over time. And perhaps in some of these sectors there’s a barrier to joining. Toyota’s had its problems but it’s unlikely any newcomer will supplant it as the barriers to becoming a major motor manufacturer are so huge. They might lose market share over the short term, but over the long term they’ll still be there.
Heyworth: And if you look at AIG and what they’ve done, they’ve changed their name, gone back to their core business and no-one refers to the old title any more. The past has been completely swept under the carpet. And as they don’t talk about it no-one around them wants to be bad mannered enough to mention that they screwed up. While I’m sitting there thinking ‘AIG was the biggest nuclear bomb of the whole financial crisis’.
Taylor: Although they did divorce themselves from that, as it was basically down to four traders.
Heyworth: But it’s still extraordinary how they’ve re-mapped who they are and made themselves again sustainable.
Taylor: Well, it’s been an interesting session. It seems we’re all pretty much on the same page – although it might have been interesting to have had someone holding contrarian views. We’re all agreed that ERM is here to stay, there are many benefits from implementing it, but it’s a question of doing it in such a way that creates value rather than it just being a process.
