Comment by: Lorenzo Preve

This book is a compilation of cases in Risk Management, mostly Enterprise Risk Management (ERM) cases.  I like this idea since interesting ERM cases are quite scarce.  The cases are, mostly, a description of an ERM implementation with a series of questions at the end, and not a classic Harvard Business School case in which there is a decision moment, a dilemma to discuss and a decision to make.  They are still very interesting cases that can be useful for teaching purposes.  This is an extremely useful book for academics to get information about real life ERM implementations, and for practitioners that can gain experience through other professional managers’ experience.

The book starts by giving a brief discussion on the evolution of risk management and the reasons why it is important, and then (in Ch. 2) compares teaching through the Learner-Centered Teaching (LCT) and through the traditional Teacher Lecture (TL).  This chapter provides an interesting analysis of the advantages of LCT, and interesting insights for those who are not familiar with the case method, but can be safely skipped for those who already master it.

The cases, describe the ERM implementation at companies such as Mars, Statoil, the LEGO Group, United Grain Growers (UGG), Intuit, TD Bank, Zurich, General Motors and the Malaysian Media Company Astro.  Additionally, the book presents ERM implementations in non-corporate institutions, like the city of Edmonton, the University of California Health System, three UK Charitable Housing Associations, some Universities, the British Columbia Lottery, a Workers Compensations Fund and the City of Hope Police Service.  In the next few paragraphs I add some comments on the most remarkable issues for some of these cases.

Mars was an early adopter of ERM, and the case stresses implementation of ERM, with a detailed description of the workshops and lessons learned.  UGG, the other case of an early adopter of risk management, is extremely interesting.  After having identified weather as one of their major risk sources, they conceived an integral insurance solution that would insure all their risks into a single insurance contract.  Another interesting issue is related with the way they faced liquidity risk by striking a deal with Scotiabank, creating UGG Financial; UGG provided customers, administration and reporting, while Scotiabank provided the capital. Among the major UGG clients where the hog producers, who where bearing significant hog price risk.  After carefully studying the past performance of hog prices, UGG decided to provide hog price insurance to those clients that deserved it based on performance, generating competitive advantage through the wise assumption of risk.

I like the four-step ERM system implemented at Lego. I would like to remark their use of Monte Carlo Simulations to measure the risk impact in the organization and their stressing of the need to go beyond damage control, and move toward creating value.  I also liked the “Park, Adapt, Prepare, Act” (PAPA) model they use to face uncertainty.  The chapter ends by reporting the impressive performance they obtained by using ERM.  The chapter stresses the importance of the risk management system in its ability to allow LEGO to assume more risks in a more accurate way.

The Intuit case, largely focuses in measuring performance, and states the importance of recognizing that the fact that “risk management is the responsibility of everyone in the organization from the board and executive management all the way down to the individual employees”, and the upside opportunity and downside nature of risk.

The TD Bank case describes the bank´s strong risk culture.  They decide to assume a necessary risk only if: (i) fits its business strategy, can be understood and managed, (ii) do not expose the firm to significant single loss events, and (iii) do not risk harming the TC brand.

Zurich is an organization with a well-respected risk-culture and its ERM system is very interesting.  They stress the importance of assuming the right risks and their ERM is both, tied to strategy and embedded into operations.  I liked the Emerging Risks Radar that allows the firm to follow trends that might affect the firm or some of their clients, and the fact that they recognize the importance of working with all their stakeholders.  They present a set of proprietary tools that are worth studying.  (1) The Total Risk Profile tool, a workshop based approach for developing a complete risk profile of the firm; (2) Zurich Hazard Analysis Tool, a methodology that identifies, address and manage several hazards or vulnerabilities; and (3) Zurich Risk Room, a data based tool that helps exploring the major global risks in a country-by-country basis.

I also liked the GM case very much. It describes the implementation of their new ERM system in 2010, putting a strong emphasis on the upside and downside aspects of risk. The section that discusses the lessons learned is extremely interesting.

The cases of ERM in non-corporate environments basically show that ERM can be applied in those organizations as well: Cities, Universities, Health Systems, Lotteries, Charitable Organizations, etc.  The University of California Health System case has some interesting tools that are worth analyzing.

There are also some shorter cases showing the use of ERM for some specific situations, like other ERM implementations, (Middle Eastern Oil & Gas Companies, JAA Inc, Akawini Copper), acquisitions (Bim Consultants, Akawini Copper), growth plans (Bon Boulangerie), performance improvement (Blue Wood Co., Kilgore Custom Milling, Nerds Galore), and the coordination between different firm departments (The Reluctant General Counsel, Chessfield).  Other interesting short cases discuss how Jerome Kerviel breached through the fragile security and compliance systems of Société Generale producing a huge loss, and the evolution of ERM in Poland.

I would also cite the awesome discussion regarding the 2007/8 financial crises in Ch. 32 that analyzes how several banks were affected, while some others came out unscathed from the crisis.  The author describes the main characteristics that defined each group, and the role of ERM in avoiding the crisis.

Some of the chapters are devoted to the discussion of technical aspects affecting risk management; we have an explanation of the Value at Risk and how it can be useful for risk management, a discussion on the way in which the theoretical framework of the Efficient Frontier can be used in a Strategic Risk Management model, and how the Root-Cause analysis can be used in facing risk management problems in Public Safety situations.  Additionally, Chapter 9 presents an interesting literature review of risk management in academic institutions.

Some Interesting Trends appear throughout the book.  These trends are clear in most of the chapters and worth mentioning:

·       Heat Maps are widespread; almost every company in the book is using them.

·       Almost every case recognizes the importance of considering both, the upside and the downside or volatility in risk management

·       Risk management must be linked with strategy; it is not only compliance or auditing, there is a whole chapter (Ch. 16) devoted to this issue that also appears in almost every case.

·       There is some recognition to the fact that Risk Management is everybody’s task, and it needs to be coordinated from the very top of the organization

Review by Lorenzo Preve

The authors present it as a book on Enterprise Risk Management (ERM), more specifically a book that will help the ERM leader to practice a better risk management.  They claim that this is the book that the ERM leader should hand to its functional leaders to practice a sound risk management.  In my opinion the book fells very short of this ambitious objective.  The book is way too short to discuss with some minimum level of needed detail the complexities of ERM.

The book has four parts and eight appendixes (all in 142 pages including the Endnotes).  Part I, the book’s most interesting portion, has eight Guide Points that give a nice flavor of ERM.  It is not detailed, there is no description, but a reader can get a rough idea of what ERM means in just a few minutes. In these fifteen pages, the authors briefly define ERM, explain the importance of linking it to the business model and its strategy, and mention the importance of approaching all the risks in a combined fashion.  Part II provides a (too) brief discussion of five important points in ERM: Identify, Prioritize, Mitigate, Report and Measure.  Independently of agreeing or not with the book’s approach, the way this is treated is, again, too short (25 pages for the five points), so we do not have the chance of learning from it.  Part III discusses five functions of the firm: Finance, Human Resources, Marketing, Information Technology, and Investor Relations.  In my opinion, again, the discussion is way too short, but it is also difficult to understand why we do not see a discussion related to other areas of the firm that are equally important for risk management like for example; Operations, Security, Supply Chain, etc.  Part IV discusses a short case in which the authors discuss the application of ERM through the Process Points of Part II.  The eight Appendixes provided at the end are really short (seven of them are just one page) and do not, generally add much to the book.

In sum, I did not like this book; probably its best part is the 15-page long Part I in which the authors give a very brief description of ERM.  Other than that I really struggle to find something that I like.

Comment by: Lorenzo Preve

This is an interesting book in Risk Management; it stresses the importance of separating learnable from non-learnable risks, and design strategies according to this.

It is not my style of book, but overall I have enjoyed reading it.  I will provide a short summary of the book by going over the main concepts of each chapter.

Chapter 1 presents a general approach to risk management and focuses in the organization’s ability to learn about the risks it is assuming.  The general idea of the chapter is that a risk can be random or learnable, and a risk could be learnable for some firms and random for some others.  The author states that the company needs to choose risk that can learn about, and “we must know what we are good at learning”.  The chapter offers four rules that are the response to four myths; they are:

+Myth 1: All Risks are Random. Rule 1: Recognize which risks are learnable.
+Myth 2: Since Risk average out, they rarely create persistent winners and losers. Rule 2: Identify risks you can learn about fastest
+Myth 3: There is no pattern to how risks evolve. Rule 3: Sequence Risky Projects in a “learning pipeline”
+Myth 4: Business Partners get the same results no matter how they allocate the risks. Rule 4: Keep networks of partners to manage all risks

Chapter 2 presents the book’s First Rule: Recognize which risks are learnable.  This Chapter separates non-random “learnable” risks from random ones, bearing in mind that our relative risk assessment skills might affect the distinction.  The author recognizes the importance of learning what drives learnable risks.  The chapter states that the risk assessment ability becomes a critical skill that determines success.   The chapter’s bottom line is a strong urge to differentiate learnable from non-learnable (random) risks, and states that as a rule of thumb, a random risk usually depend on a well-established and efficient market.

Chapter 3 presents the book’s Second Rule: Identify Risks you can learn about faster. The Chapter focuses on the managerial ability to assess different kinds of learnable risks.  It is not the ability to manage risks, but the organization’s ability to learn about them what is discussed in this chapter.  The author proposes a five steps test that is designed to help the reader’s assess their ability to learn about their risks, and promises that it helps improving these abilities as well.  The chapter closes by characterizing the ability to assess risk, dividing people in Impressionists (lots of memorable experiences but lack of ability of applying it in the right situations), Encyclopedists (lots of superficial knowledge), and Amnesiacs (lots of knowledge that they do not share with others).  This chapter makes a point in trying to build teams that combine the three types of risk assessors.

Chapter 4 presents the book’s Third Rule: Sequence risky projects in a “learning pipeline”.  The Chapter focuses on the importance of having a strategy regarding the way we interact with risks.  It stresses the importance of learning one risk at a time, and to continually improve our ability to learn about risks.  This chapter combines the concepts of “pipelines of risks” and “portfolio of risks” getting the best of their interaction.  These two concepts are interconnected in the Risk Strategy Matrix that relates the Risk Correlations and our Ability to Assess it.  This matrix shows the life cycle of risks.  The chapter presents the “Risk Audit Strategy” that ends in a matrix that present all the company’s projects in a Risk Diversification and Risk Intelligence space.  Then the author relates this matrix with BCG’s Growth-Share Matrix.

Chapter 5 presents the book’s Fourth Rule: Keep networks of partners to manage all risks.  The Chapter introduces the Risk-Role Matrix, which relates Risk Diversifiability with Market Intensity, and uses it to explain the position of our firm in a network.  Risk diversifiability, a concept introduced in Ch. 4, is related with the correlation between the different risks in our portfolio, and market intensity is affected by the correlation of our risks with the economy (the author uses the S&P500 as a benchmark for the economy).  The idea is that, according to where is our project located in this matrix, we should play a different role in our risk network; here the author uses the terms, “customer umbrella”, “classic borrower”, “shock absorbers”, and “risk distributors” as roles depending on where is our firm located in the matrix.  The chapter relates the choice of where the company should be located, to its financial situation.  The chapter moves on to the discussion of the so-called “flat-field” risks; those risks that nobody can know better than the rest of the market.  The author gives a nice example about their importance explaining how creating a flat-field risk helped Mexico solving its debt problem (Dizard’s Index).  The chapter ends exploring what we have learned so far and its implications in expansion to emerging markets.

Chapter 6 provides a ten-step story of risk intelligence that, according to the author, will help the reader rethinking its business and the economy.  The steps are related to the Rules of Risk Intelligence outlined in the book. The ten steps are: (1) Choose projects, problems and ventures with learnable risks in mind, (2) Score your intelligence for the options you are considering and triage them, (3) Look for patterns in your risk intelligence scores and try to improve them, (4) Conduct a risk strategy audit for your main activities, (5) Classify your new risk pipeline in terms of gaps that threaten growth, (6) Compare the risk-role matrix for your activities with your risk partner networks, (7) Compare the risk roles that fit your organization with what fits your risks, (8) Look for opportunities to transform learnable risks into flat-field risks, (9) Check whether your launch market for an idea is relevant to your target market, (10) Look for opportunities to break the compromise between risk and growth.

Overall, the book was interesting.  It is not my style, too many lists and recipes, but I understand that it might add significant value to the reader that values that.

Comment by: Lorenzo Preve

This is a great book on political risk.  Is probably one of the most inspiring books for anyone interested in the topic.  The book is full of interesting examples that help motivating and understanding the topic.

Chapter 1 presents an interesting introduction that includes a nice motivation of why political risk is so important in modern strategic management and investing.

Chapter 2 presents a discussion on risk and uncertainty and why this matters for managers.

Chapter 3 presents an interesting discussion on geopolitics, and in page 55 presents an interesting list of actions that could potentially help firms to deal with geopolitical risks.

Chapter 4 discusses the effects of political events on capital markets.  Some of these effects are due to direct governmental events, while others are due to political events that have not been performed by governments but are still political in nature (like boycotts, terrorism, strikes and civil wars) since they are the response of some group to a government action.  The chapter does a great job in describing their effect on investors’ wealth.

Chapter 5 is devoted to the analysis of domestic instability; namely revolutions, civil wars and state failures.  This chapter has an extremely interesting approach that will help the reader to identify civil strife in advance. The discussion is very interesting and is filled with examples, unfortunately lacks hard data that would have been nice to analyze.  The chapter ends with several recommendations for coping with this risk.

Chapter 6 discusses the important issue of terrorism.  It starts by giving some information regarding the origins of the term and of terrorism itself, and then turns into more current events by analyzing several of the terrorist movements that have been active in the past 50 years.

Chapter 7 presents an analysis on expropriations, one of the most interesting issues on political risk.  The chapter starts offering several reasons why governments expropriate.  It then moves to an interesting discussion regarding the possibility to predict an expropriation in advance.  The chapter ends with a discussion on how to mitigate expropriation risk in a country.

Chapter 8 has an interesting discussion on regulatory risk.  It uses a nice example of an investment in South Korea by a Texas-based investment fund and the difficulties it encountered because of changes in foreign investment sentiment that triggered changes in regulation.  The chapter ends offering some regulatory risk mitigating strategies.

Chapter 9 is devoted to the discussion of the reporting and warning in politically unstable countries. Information about what is going on is crucial and it is sometimes hard to obtain in a suitable form in emerging economies. Massive amounts of data and cultural biases, among others are barriers to obtain reliable information.

In their Conclusion, the authors strengthen the importance of approaching risk management in a holistic way including all the risks in an integrated analysis.

Overall, I think this is a good book, worth reading if you are interested in Risk Management.  Some of the discussions that are placed in specific chapters could be easily generalized into a more general framework for any political risk (and not only for regulatory risk for example). Still, the book is very interesting and very inspirational.

Review by: Lorenzo Preve

This book is a recipe on how to implement ERM in a company.  Is filled with examples and lists of step by step to do’s.  I do not like this kind of books because it does not provoke or challenge the reader.  They just provide a recipe.  For those looking for a recipe is a fine book, but it will not teach you, it will just be an instructions manual…  I summarize the main point of the ten chapters and make some comments regarding what I like and dislike most of this book.

Chapter 1 starts by briefly defining ERM and explaining its evolution presenting eight factors that shaped it; namely, the Basel accords, September 11, corporate accounting frauds, Katrina, rating agencies scrutiny, the 2008 financial crisis, rare events (referred to H1N1 flu, and Pirates’ attacks off Somalia) and long-term trends (referred to more computing power and a higher risk perception in the business world).  The whole chapter is devoted to the explanation about how these factors have contributed to the arrival of ERM to the business world.  The chapter ends by discussing the main challenges faced by ERM.

Chapter 2 presents a definition of risk and expands on the definition of ERM by giving its 10 critical defining elements.  The definition of risk is based on: (i) risk is uncertainty, (ii) risk can be also upside, and (iii) risk is deviation from expected. This Chapter presents and interesting discussion regarding the importance of strategic and operational risk (and the relative low importance of financial risks) and on the bias introduced by financial analysts.

Chapter 3 starts by discussing the Value-Based ERM framework, that is composed by: (i) risk identification (to be discussed in Ch.4), (ii) risk quantification (to be discussed in Ch.5), (iii) risk decision-making (to be discussed in Ch.6), and (iv) risk messaging (to be discussed in Ch.7).  Risk identification is just a short guide on how to identify all the relevant risks for a company.  In risk quantification the author explains how to measure objective and subjective risks (and correctly suggests that even the most objective risks need a subjective assessment).  Continues by estimating a probability adjusted firm value (but it does offer no explanation about how this value should be calculated. In the risk decision-making section, the book explains the interaction between risk appetite and risk exposure, through the strategic planning.  There is no discussion on risk messaging at this point.  The Chapter ends with a discussion on how the ERM process can overcome its “three core challenges”: (1) inability to quantify strategic and operational risks, (2) unclear definition of risk appetite, and (3) lack of integration of ERM in the decision making process.

Chapter 4 is devoted to the study of risk identification. The book uses three steps for this, the first one, risk categorization and definition, categorizes risks in the three categories; strategic, operational and financial.  After that, the book provides several other sub-categorizations and divisions and presents a definition for each risk. The second step, qualitative risk assessment, is described by its purpose (prioritize the risks and narrow down the list), process (soliciting input form internal personnel for key risks) and product (they are three; key risks list, tool to monitor changes in importance of risks, and advancement in the organization’s risk culture). The third step, emerging risk identification, consists of two components: (1) monitoring known risks and (2) environmental scanning for unknown risks.  The chapter ends with a discussion on killer risks.

Chapter 5 discusses risk quantification.  The steps suggested in the book are: (a) calculate baseline value, (ii) quantify individual risk exposures, and (iii) quantify enterprise exposure. The first part is just an explanation of corporate valuation, since the author suggests that every firm needs to know its intrinsic value (which I agree).  In the second step, i.e. quantification of individual exposures, the author discusses how to value the exposure to individual risks, and offers a discussion regarding the benefits of stochastic and deterministic scenarios, strongly backing the latter because, in his opinion, they offer more space for judgment (I do not agree with the author in this point).  In order to mix both steps, the author suggests including the risk scenarios into the value estimation step by step i.e., one at the time.

Chapter 6 is devoted to the discussion of risk decision making.  This is discussed through the (i) definition of risk appetite and risk limits, and (ii) integration of ERM into the decision making process.  The main point in this chapter is the aim for a process that ensures that the company is able to improve its decision making process, and ultimately its value, by applying ERM into their decisions.

Chapter 7 called risk messaging, is about communication. This topic is divided in internal risk messaging, and external risk messaging.  In the internal communication, the focus is put in the interaction between ERM and performance evaluation and ERM and incentive compensation. Regarding the external communication, the books stresses the importance of communication with different stakeholders, namely: shareholders, stock analysts, rating agencies, and regulators.

Chapter 8 discusses risk governance.  There is a focus on the roles and responsibilities, the organizational structure and policies and procedures that some readers might find useful.  The chapter brings some insights on the role of the board of directors, the internal audit, discusses the position of the CRO, the ERM committee, etc.

Chapter 9 is a study of the 2007 global financial crisis.  It discusses the causes of the crisis and it evaluates the banks ERM programs in the light of the 10 key ERM criteria discussed in Chapters 2 and 3.

Chapter 10 discusses ERM for non-corporate entities; describing the ways the model presented in chapters 1-9 has to be modified in order to accommodate every different non-corporate entity.

Some additional general comments on the book

à What I do Like.

This book treats risk in a holistic manner, including most of the important risk factors into the discussion, and extensively discussing non-financial risks.  Additionally, it considers upside and downside effects for the risks.  I also like the fact that the author states that even objective and measurable risks should be assessed in some subjective manner.

à What I do not like.

One of the things I do not like of this book, is that it focuses exclusively on value, instead of considering other important places in which risks have an impact (i.e. outputs), such as cash flows, morale of people, competitiveness, reputation (by the way, I do not really buy the reputational risk story told by many authors; risk affects reputation, it is not a risk factor. This books has my same view, stated in page 123, but it does not really stress, I suspect because it does not fit into the framework outlined by the author, since its only output is value, and therefore tells a story in which reputation might not affect value that much after all) etc.

I do not like the idea of using a deterministic approach for measuring risks.  I do not agree with the reasons why the author suggests that this is better; a good stochastic planning can satisfy all the potential problems the author poses in order to justify his deterministic approach.

The book does not discuss risk factors, so the reader has no clue on interest rates, FX, strategic risks, political risk, human resources risks, etc. Understanding the determinants of risk is one of the single most important issues in risk management; this point is not mentioned in this book.

There is no discussion regarding hedging. In my view, you cannot discuss risk management without a thoughtful discussion on hedging.  The role of operational hedging, insurance and derivatives is crucial in any risk management design and implementation.

The book is extremely boring because it has a step by step implementation full o lists and recipes (every recipe or instructions manual is boring, almost buy definition…), instead of a discussion of ideas, so I found it boring and not provoking.