Keep it simple when building enterprise risk structures

Big picture focus creates better view of developing risks

Two quandaries of enterprise risk management have come together as a result of the global financial crisis.

The first is the importance of creating a structure of risk categories when some risks have owners and some do not. The second deals with how the enterprise sees changes in the organizational culture that reflect a failure of leadership. Let us examine these issues one at a time.

The wrong way to build a structure of risks is to list hundreds or thousands of risks in an electronic spreadsheet. This is plain common sense. If you have 50 strategic goals for next year, you are unlikely to achieve even a small portion of them. If you collect too much data, you will have problems making sense out of relationships.

The problem is compounded because many exposures are insignificant in an ERM framework. Companies often have extensive internal controls, business process audits and proactive compliance functions that cause central risk management efforts to be redundant, or worse, useless. In the grand scheme, it is not important to have high-level oversight of inventory, advertising copy or changes to the setup of an assembly line. Another issue arises when we try to correlate myriad risks. We know the relationship historically. What will happen to it in a rapidly changing competitive environment? Finally, all expertise is not found in the higher ranks of an organization. The CEO is not necessarily the best-equipped and most knowledgeable person to solve customer relationship exposures.

The problem of understanding risk is further compounded by a failure of risk categorization. As an example, one of the more extensive efforts to categorize risk was undertaken in 2000 when Nashville, Tenn.-based e-commerce and insurance incubator Discover eHoldings Inc. surveyed organizations and developed four categories of risk: external factors, internal operations, relationships and the marketplace. These four categories were broken down into 17 subcategories and 178 sub-subcategories. Now we ask a simple question. What are we going to do with this kind of risk categorization? To take one example, the category of relationships had 43 sub-subrisks. Shortly after addressing how to handle relationship risk, we would be buried in a mixture of important and less important discussions that distract people from their real goals.

Today, we have a better approach. We identify two categories of risk: those with risk owners and those that cross departmental lines. In the first group are exposures in functional areas, relatively independent operating units and key initiatives. The CFO is responsible for financial risks, the Asia-Pacific manager oversees regional exposures and a senior vp is responsible for a key initiative of growth through acquisitions. The risk owners report to the CEO and board and are held accountable for risk management. The second category contains risks without owners. Examples are strategic risk, subculture risk, leadership risk, and reputation risk. A company has strategies, dysfunctional subcultures, managers when it really needs leaders, and constant danger to its reputation on all sides. Everybody, often including members of the board, has to work on these exposures by recognizing that all have an upside: opportunity.

So what do we do to ensure coordination and effective understanding of risks in both areas? We start with a hierarchical structure. At the top, whether it's the entity itself or a subentity, we identify five to nine key risks (opportunities) and assign risk owners. The CFO is accountable for capital budgeting, valuation, capital structure, credit, the investment portfolio and financial reporting risks. Each of these areas can be broken down into subcategories with specific individuals responsible for managing risk and reporting on risk status. The CFO takes in the big picture.

The next component of the model is to use technology to allow interested and authorized parties to peer into risk mitigation details. For this goal, we build or purchase technology that provides visual risk clusters showing interrelationships of risk, backed up by detailed documentation and reports. Fortunately, technology has become so powerful that it can handle and organize detail and simplify it. Should we say that again? Simplify it. We can see relationships visually. We can reduce massive amounts of words or numbers to reports that clarify an exposure. It would have been possible for American International Group Inc. to see the massive commitments accepted by its Financial Products group. The company simply did not have the risk structure and technology in place.

Finally, augment the entire structure with a central risk function. Composed of employees, consultants, a risk management committee, other parties or a combination, it should be led by a senior executive who knows the company's industry and business. Sometimes called a chief risk officer, the head of the unit should not manage any risk. Should we say that again? Probably, yes. The task is to constantly scan the horizon for external developments that bring exposure or opportunity. At the same time, scan internally for management weaknesses that harm operations or leadership shortcomings that deny the pursuit of opportunities. When something is spotted, put it on a high-tech platform as an issue to be considered and a discussion to be started. Going back to AIG, the company insured $500 billion in credit default obligations. Somebody could have asked whether that seemed like a lot.

Now we have enterprise risk management. Compliance, internal controls and internal audit identify or manage their risks, and technology allows us to see their efforts if we choose to do so. Somebody is buying insurance—an important function, but a small part of ERM. And the organization has a structure so it can understand things that otherwise might be missed in a changing world. In a speech at the 2009 RIMS annual conference, former AIG chief Maurice Greenberg recommended a quarterly discussion of ERM by the board. The recommendation is long overdue. The above structure would make the discussion meaningful.