Implementing Enterprise Risk Management, by James Lam
Preface
Confucius said: “I hear and I forget. I see and I remember. I do and I understand.”
Indeed, the value of knowledge is not in its acquisition but in its application. I am grateful that I have had opportunities to apply risk management in a wide range of roles throughout my 30-year career in risk management. As a consultant, I've worked with clients with different requirements based on their size, complexity, and industry. As a risk manager, I've implemented enterprise risk management (ERM) programs while overcoming data, technical, and cultural challenges. As a founder of a technology start-up, I've worked with customers to leverage advanced analytics to improve their risk quantification and reporting. In the past four years, as a board member and risk committee chair, I've worked with my board colleagues to provide independent risk oversight while respecting the operating role of management.
These experiences have taught me that knowledge of ERM best practices is insufficient. Value can be created only if these practices are integrated into the decision-making processes of an organization. The purpose of this book is to help my fellow risk practitioners to bridge the gap between knowledge and practical applications.
In my first book, Enterprise Risk Management – From Incentives to Controls (Wiley, 1st edition 2003, 2nd edition 2014), the focus was on the what questions related to ERM:
• What is enterprise risk management?
• What are the key components of an ERM framework?
• What are best practices and useful case studies?
• What are the functional requirements for credit, market, and operational risks?
• What are the industry requirements for financial institutions, energy firms, and non-financial corporations?
In this companion book, the focus is on the how questions:
• How to implement an ERM program?
• How to overcome common implementation issues and cultural barriers?
• How to leverage ERM in all three lines of defense: business and operational units, risk and compliance, and the board and internal audit?
• How to develop and implement specific ERM processes and tools?
• How to enhance business decisions and create value with ERM?
The publication of my first ERM book was one of the most gratifying professional experiences of my career. The book has been translated into Chinese, Japanese, Korean, and Indonesian. It has been adopted by leading professional associations and university programs around the world. On Amazon.com, it has ranked #1 best-selling among 25,000 risk management titles. In a 2007 survey of ERM practitioners in the United States and Canada conducted by the Conference Board of Canada, the book was ranked among the top-10 in ERM books and research papers. In addition, the book has brought me countless consulting and speaking opportunities internationally.
In my travels, risk professionals most often request practical approaches and case studies, as well as best-practice templates and examples that can assist them in their ERM programs. Based on this feedback, I have structured this book to focus on effective implementation of ERM.
OVERVIEW OF THE BOOK
This book is organized into seven parts. Part One provides the overall context for the current state and future vision of ERM:
• Chapter 1 introduces the notion that risk is a bell curve. It also lays out the fundamental concepts and definitions for enterprise risk management, and discusses the business case for, and current state of, the practice of ERM.
• Chapter 2 reviews the key trends and developments in ERM since the 2008 financial crisis, including lessons learned and major changes since that time.
• In Chapter 3, a new performance-based continuous model for ERM is introduced. This new model is more fitting for global risks that are changing at an ever faster speed (e.g. cybersecurity, emerging technologies). As part of this discussion, seven specific attributes for this new ERM model are provided.
• In addition to the board and management, other stakeholders such as regulators, institutional investors, and rating agencies are increasingly focused on ERM. Chapter 4 discusses their requirements and expectations.
ERM is a multi-year effort that requires significant attention and resources. As such, Part Two focuses on ERM program implementation:
• Chapter 5 lays out the scope and objectives of an ERM project, including the need to set a clear vision, obtain buy-in, and develop a roadmap. This chapter also provides an ERM Maturity Model and an illustrative 24-month implementation plan.
• One of the key success factors in ERM is addressing change management and risk culture. Chapter 6 describes risk culture success factors and the cognitive biases and behavior obstacles that risk professionals must overcome.
• Given the wide range and complexity of risks, having a structured and organizing ERM framework is essential. Chapter 7 provides an overview of several published frameworks and an ERM framework that I've developed to support performance-based continuous ERM.
The next four parts provide deep dives into the key components of the ERM framework. Part Three focuses on risk governance and policies:
• Chapter 8 discusses two versions of the “three lines of defense” model: the conventional model and a modified model that I've developed to better reflect the role of the board.
• Chapter 9 goes further into the important role of the board in ERM, including regulatory requirements and expectations, current board practices, and three key levers for effective risk oversight.
• Chapter 10 describes my first-hand experience as an independent director and risk committee chair at E*TRADE Financial. This case study discusses our turnaround journey, the implementation of ERM best practices, and the tangible benefits that we've realized to date.
• As expected, the rise of the chief risk officer (CRO) is correlated with the adoption of ERM. Chapter 11 discusses the evolution of the role of the CRO, including key responsibilities, required skills, and desired attributes. The chapter also provides professional profiles of six prominent current or former CROs.
• Chapter 12 focuses on one of the most important risk policies: the risk appetite statement. This chapter provides practical steps and key requirements for developing an effective risk appetite statement.
Risk analytics provide useful input to business and risk leaders. Risk assessment and quantification are the focus of Part Four:
• Chapter 13 discusses the implementation requirements, common pitfalls, and practical solutions for developing a risk-control self-assessment process.
• What gets measured gets managed, so it is not enough only to identify and assess risks. Chapter 14 provides a high-level review of risk quantification models, including those designed to measure market risk, credit risk, and operational risk.
ERM can create significant value only if it supports management strategies, decisions, and actions. Part Five focuses on risk management strategies that will optimize an organization's risk profile:
• The integration of strategy and ERM, also known as strategic risk management, is covered in Chapter 15. The chapter outlines the processes and tools to measure and manage strategic risk, including M&A analysis and risk-based pricing. Case studies and examples of strategic risk models are also provided.
• Chapter 16 goes further into risk-based performance management and discusses other strategies to add value through ERM, such as capital management and risk transfer.
Board members and business leaders need good metrics, reports, and feedback loops to monitor risks and ERM effectiveness. Part Six focuses on risk monitoring and reporting:
• Chapter 17 discusses the integration of key performance and risk indicators, including the sources and characteristics of effective metrics.
• Once these metrics are developed, they must be delivered to the right people, at the right time, and in the right way. Chapter 18 provides the key questions, best-practice standards, and implementation requirements of ERM dashboard reporting.
• Once an ERM program is up and running, how do we know if it is working effectively? Chapter 19 answers this critical question by establishing a quantifiable performance objective and feedback loop for the overall ERM program. An example of a feedback loop based on earnings-at-risk analysis is also discussed.
Chapter 20 in Part Seven provides additional ERM templates and outlines to help readers accelerate their ERM initiatives.
Throughout this book, specific step-by-step implementation guidance, examples, and outlines are provided to support risk practitioners in implementing ERM. They are highlighted below:
• Example of a reputational risk policy (Chapter 4, Appendix A)
• ERM Maturity Model and benchmarks (Chapter 5, Appendix A)
• Practical 24-month plan for ERM program implementation (Chapter 5, Appendix B)
• 10-step process for developing a risk appetite statement, including examples of risk metrics and tolerance levels (Chapter 12)
• Implementation of the RCSA process, including common pitfalls and best practices (Chapter 13)
• Example of a strategic risk assessment (Chapter 20)
• Structure and outline of a CRO report to the risk committee (Chapter 20)
• Example of a cybersecurity risk appetite statement and metrics (Chapter 20)
• Example of a model risk policy (Chapter 20)
• Example of a risk escalation policy (Chapter 20)
SUGGESTED CHAPTERS BY AUDIENCE
Given its focus on ERM implementation, this book does not necessarily need to be read in its entirety or in sequence. Readers should select the relevant chapters based on the implementation phase and ERM maturity at their organizations. In general, I would suggest the following chapters by the seniority of the reader:
• Board members and senior corporate executives should read Chapters 1, 3, 6, 9, 10, 12, 15, and 19.
• Mid- to senior-level risk professionals, up to a CRO, should read the above chapters plus Chapters 4, 5, 7, 8, 11, and 16.
• Students and junior-level risk professionals should read the entire book.