Latest Blog

I enjoyed this article about the ascent of the Chief Risk Officer, The chief risk officers are coming, published in July 2009 by Lloyds. Specifically, the differences between the risk manager and the CRO are interesting as described by Peter den Dekker, president of FERMA, the association of European risk managers.

  • The CRO is a member of the board and part of the corporate decision-making body. He or she will be taking part in decisions about mergers and acquisitions, contracts, investments.
  • The risk manager is a facilitator … his or her job is to embed the company’s risk management policy and programme in its business processes, so that the company has the right culture…
  • Risk managers provide information that informs board decisions, but they do not make the decisions.

Click on the link above to read the complete article.

Originally posted by Riskview on October 12, 2009

I have started to get bothered by the way that the word RISK is used to mean almost anything – noun, verb, adjective.

It makes it almost impossible to understand what someone is trying to say about a risk or risk management topic. I am probably even more guilty than most. I was once told by an editor that I used the word over 100 times in an article.

One way that people misuse the word is in place of the word loss. For the most part, people are interested in minimizing losses, not risks. For some reason, risk seems to be a more professional word to use than loss. But we should be honest with ourselves and be clear about when we really mean losses. Looking forward, something can be a risk. Looking backwards, something can no longer be a risk, it is a loss or not a loss.

In addition, many folks want to define risk to have both upside and downside.

I think that they are being sloppy with words.

I think that they may be trying to say that the concerns of risk managers are related to both the upside and downside.

Or they are trying to say that the upside part of Risk is the risk of foregone opportunities? That at least makes a little sense to me.

But if you really mean upside and downside, then that definition of Risk seems to me to be Orwellian. Like defining “hot” to include the temperature of ice. And your heating system to include your air conditioner.

It also seems that if you follow that line of reasoning to its logical conclusion, the only possible candidate for the CRO job is the CEO.

It seems that risk management is unhappy with only dealing with preventing bad things (losses) – it is so hard to get headlines if you are a defensive player on a sports team. The things that do not happen do not lead to bonuses.

But making sure that bad things do not happen (with greater frequency or severity than the risk appetite) IS the job of the risk manager.

So I would define risk as “exposure to the potential for a future uncertain adverse event”.

This definition does not follow Knight, who separates Risk and Uncertainty. Knight divides the two terms based upon the degree to which we know the distribution of outcomes. I combine them because I do not believe that there is a set of future events with known distributions and another set with unknown distributions (putting aside dice). I believe that there is a continuum of degrees to which we suspect that we know distributions of outcomes of future events.

So with this definition, I would suggest that there is no risk in an unknown future event where there are only positive outcomes possible.

I say this because there is more than enough to worry about on the downside regarding the management of potential losses.

Risk Limits always mean a limit in the amount of potential losses. I have never heard of any organization anywhere ever that has put a limit on favorable deviations.

For more by this author, please visit

Here is the latest white paper from KPMG called The Business Case for a Risk Executive: Leading Efforts to Avoid Surprises, Maneuver through Challenges, and Add Value. (See link below.)

Big title. Fortunately, the paper is only 12 pages in length when you include the canned metaphorical Getty images of the guy looking through binoculars and “business people” talking seriously in the hall. But I digress.

The paper summarizes what many risk practitioners already knew: before the recent economic crisis, what people thought was risk management was nothing but compliance, risk identification or audit and not the strategic tool enterprise risk management was intended to be.

The report reads: “… many organizations saw that they lack an integrated process for managing both emerging and high impact/low probability risks. They fight fires effectively after risk events occur, but have yet to focus on the future, anticipate potential scenarios, and consider how the organization should prevent or prepare for these risk events.”

Riskczar’s translation: they were doing nothing.

Some more revelations about organizations and their existing risk management from the report:

  • They were not managing their strategic risks
  • They did not identify, define and assign owners to their risks
  • They did not define their appetite for risk enterprise wide
  • They lacked a risk management champion with the authority to report risk across the organization

Riskczar’s translation: they were doing nothing.

The rest of the paper is quite good at explaining the need for a risk executive (RE). They break the silos of risk management, taking a holistic and strategic view of risk. A good RE makes sure that the President has no blind spots too. The risk executive is not a new idea either. (To learn more about this, read about the Chief Monitoring Officer in the book “Heads Up” by Kenneth McGee, which is on my list of recommended books.)

I can speak to the need for a senior risk role first hand from two perspectives: I was accountable for building an ERM program for a large Canadian financial organization. And while the UK parent was keen about making ERM a systematic capability, there was little local management buy-in for the risk management process. Making my job more challenging, from a roles and responsibility perspective, I sat under the Head of Risk and Audit (ya, that’s right), who reported to the CFO. This structure did not work at all, as the risk role was buried too far down the org chart.

On the flip side, the best job I ever had, from an org structure perspective, was when I had risk management oversight over the institutional equity trading business at HSBC Securities, about 10 years ago. I was hired by then CEO Richard Nesbitt, currently the CEO of CIBC World Markets. Although my role was junior to the CFO, COO and other VPs at the firm, I reported directly to Richard. My mandate was clear and I had his full support. His door was always open and, as he put it, as long as he didn’t see me, he knew I was doing my job.

Finally, for those of you in human resources looking to describe the skills requirements for this job, have a look at this KPMG report too. They explain that a risk executive must be a strategic thinker, project manager, facilitator, have deep industry and institutional knowledge (i.e., about the organization), and be an independent thinker who can gain the “confidence of the C-suite”.

Riskczar’s translation: that’s me!

Have a look at the white paper from KPMG by clicking on the link below.

(Link was removed)

Here is an example of a press release by S&P for Endurance American Insurance Co. where they note that the organization’s management and enterprise risk management capabilities were assessed as part of their rating:

Credit analyst Taoufik Gharib added: “The ratings on Endurance reflect our opinion that the group has established a strong track record since it started its operation in 2001. We view the company’s management team and corporate strategy as positive to the rating.”

Endurance has a strong and seasoned management team with a strategy focused on consistent underwriting profits through market cycles.

The ratings are also based on the group’s strong competitive position, robust operating performance with prudent reserve practices, very strong capitalization, and excellent enterprise risk management.

Here is a pretty good article by Dale E. Jones, vice chairman and partner with Heidrick & Struggles, published at in which he writes about a report by the National Association of Corporate Directors.

Jones notes that the report “identified four critical areas that will warrant greater attention by directors in the coming days; two of these were risk oversight and transparency. I believe the placement of risk oversight and transparency as the first and second critical areas is intentional and appropriate.”

Some other highlights:

Most companies adequately address known risks, but it is the unknown risks that cause the most problems for companies. Some unknown risks can and should be detected and mitigated.

Overseeing known risk and revealing previously unknown risk is a critical area that will demand dedicated board focus to both ensure shareholder value and public trust.

I like how Jones points out that placing a high value on enterprise risk corporate transparency ensures organizations do not lose the trust of their stakeholders.