Implementing Enterprise Risk Management: Case Studies and Best Practices

John Fraser
Betty Simkins
Christina Narvaez

Comment by: Lorenzo Preve

 

This book is a compilation of cases in Risk Management, mostly Enterprise Risk Management (ERM) cases.  I like this idea since interesting ERM cases are quite scarce.  The cases are, mostly, a description of an ERM implementation with a series of questions at the end, and not a classic Harvard Business School case in which there is a decision moment, a dilemma to discuss and a decision to make.  They are still very interesting cases that can be useful for teaching purposes.  This is an extremely useful book for academics to get information about real life ERM implementations, and for practitioners that can gain experience through other professional managers’ experience.

The book starts by giving a brief discussion on the evolution of risk management and the reasons why it is important, and then (in Ch. 2) compares teaching through the Learner-Centered Teaching (LCT) and through the traditional Teacher Lecture (TL).  This chapter provides an interesting analysis of the advantages of LCT, and interesting insights for those who are not familiar with the case method, but can be safely skipped for those who already master it.

The cases, describe the ERM implementation at companies such as Mars, Statoil, the LEGO Group, United Grain Growers (UGG), Intuit, TD Bank, Zurich, General Motors and the Malaysian Media Company Astro.  Additionally, the book presents ERM implementations in non-corporate institutions, like the city of Edmonton, the University of California Health System, three UK Charitable Housing Associations, some Universities, the British Columbia Lottery, a Workers Compensations Fund and the City of Hope Police Service.  In the next few paragraphs I add some comments on the most remarkable issues for some of these cases.

Mars was an early adopter of ERM, and the case stresses implementation of ERM, with a detailed description of the workshops and lessons learned.  UGG, the other case of an early adopter of risk management, is extremely interesting.  After having identified weather as one of their major risk sources, they conceived an integral insurance solution that would insure all their risks into a single insurance contract.  Another interesting issue is related with the way they faced liquidity risk by striking a deal with Scotiabank, creating UGG Financial; UGG provided customers, administration and reporting, while Scotiabank provided the capital. Among the major UGG clients where the hog producers, who where bearing significant hog price risk.  After carefully studying the past performance of hog prices, UGG decided to provide hog price insurance to those clients that deserved it based on performance, generating competitive advantage through the wise assumption of risk.

I like the four-step ERM system implemented at Lego. I would like to remark their use of Monte Carlo Simulations to measure the risk impact in the organization and their stressing of the need to go beyond damage control, and move toward creating value.  I also liked the “Park, Adapt, Prepare, Act” (PAPA) model they use to face uncertainty.  The chapter ends by reporting the impressive performance they obtained by using ERM.  The chapter stresses the importance of the risk management system in its ability to allow LEGO to assume more risks in a more accurate way.

The Intuit case, largely focuses in measuring performance, and states the importance of recognizing that the fact that “risk management is the responsibility of everyone in the organization from the board and executive management all the way down to the individual employees”, and the upside opportunity and downside nature of risk.

The TD Bank case describes the bank´s strong risk culture.  They decide to assume a necessary risk only if: (i) fits its business strategy, can be understood and managed, (ii) do not expose the firm to significant single loss events, and (iii) do not risk harming the TC brand.

Zurich is an organization with a well-respected risk-culture and its ERM system is very interesting.  They stress the importance of assuming the right risks and their ERM is both, tied to strategy and embedded into operations.  I liked the Emerging Risks Radar that allows the firm to follow trends that might affect the firm or some of their clients, and the fact that they recognize the importance of working with all their stakeholders.  They present a set of proprietary tools that are worth studying.  (1) The Total Risk Profile tool, a workshop based approach for developing a complete risk profile of the firm; (2) Zurich Hazard Analysis Tool, a methodology that identifies, address and manage several hazards or vulnerabilities; and (3) Zurich Risk Room, a data based tool that helps exploring the major global risks in a country-by-country basis.

I also liked the GM case very much. It describes the implementation of their new ERM system in 2010, putting a strong emphasis on the upside and downside aspects of risk. The section that discusses the lessons learned is extremely interesting.

The cases of ERM in non-corporate environments basically show that ERM can be applied in those organizations as well: Cities, Universities, Health Systems, Lotteries, Charitable Organizations, etc.  The University of California Health System case has some interesting tools that are worth analyzing.

There are also some shorter cases showing the use of ERM for some specific situations, like other ERM implementations, (Middle Eastern Oil & Gas Companies, JAA Inc, Akawini Copper), acquisitions (Bim Consultants, Akawini Copper), growth plans (Bon Boulangerie), performance improvement (Blue Wood Co., Kilgore Custom Milling, Nerds Galore), and the coordination between different firm departments (The Reluctant General Counsel, Chessfield).  Other interesting short cases discuss how Jerome Kerviel breached through the fragile security and compliance systems of Société Generale producing a huge loss, and the evolution of ERM in Poland.

I would also cite the awesome discussion regarding the 2007/8 financial crises in Ch. 32 that analyzes how several banks were affected, while some others came out unscathed from the crisis.  The author describes the main characteristics that defined each group, and the role of ERM in avoiding the crisis.

Some of the chapters are devoted to the discussion of technical aspects affecting risk management; we have an explanation of the Value at Risk and how it can be useful for risk management, a discussion on the way in which the theoretical framework of the Efficient Frontier can be used in a Strategic Risk Management model, and how the Root-Cause analysis can be used in facing risk management problems in Public Safety situations.  Additionally, Chapter 9 presents an interesting literature review of risk management in academic institutions.

Some Interesting Trends appear throughout the book.  These trends are clear in most of the chapters and worth mentioning:

·       Heat Maps are widespread; almost every company in the book is using them.

·       Almost every case recognizes the importance of considering both, the upside and the downside or volatility in risk management

·       Risk management must be linked with strategy; it is not only compliance or auditing, there is a whole chapter (Ch. 16) devoted to this issue that also appears in almost every case.

·       There is some recognition to the fact that Risk Management is everybody’s task, and it needs to be coordinated from the very top of the organization