BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.

To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.

To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.

Login Register Subscribe

New tack to solving ERM problems


When I arrived at St. Peter's College in 2004, I sought and received permission to put the words "specializing in enterprise risk management" on my business cards. Every time someone sees my card, he or she says something like "Oh, I've heard of enterprise risk management. Exactly what is it?"

That would be a fine reaction to a new idea. It is, however, a sad commentary on a term that has been used for 12 or so years and, in the past seven years, promoted by risk managers, auditors and others. A Google search of "enterprise risk management" produces 859,000 hits. At are 200 books and articles on it. One is "COSO Enterprise Risk Management--Integrated Framework," a 230-page comprehensive description supported by professional associations of accountants and auditors. In recent years, the Risk & Insurance Management Society Inc. has created an ERM online discussion group, an ERM Center of Excellence and a risk maturity tool for evaluating ERM programs. Articles in Business Insurance and other publications suggest ERM is getting little traction. While this situation has improved some, we need to rethink how we present ERM and what it means. There are three problems:

1. Definitions. Everybody has his or her own for ERM. This includes brokers, accounting firms, consultants and professional associations. A typical definition is: ERM is the process of identifying major risks and business processes with exposures, forecasting significance of risks in business processes, addressing the risks in a systematic and coordinated plan, implementing the plan and holding key individuals responsible.

2. Risk categories. Brokers and others use different risk categories as they promote ERM. Examples: In 2001 and 2002, Marsh & McLennan Cos. Inc., Aon Corp., CFO magazine and the Economist Intelligence Unit variously identified four categories of risk: hazard, operational, financial and strategic. KPMG in 2001 identified seven categories of risk: strategic, operational, reputational, regulatory/contractual, financial, information and new risks. Around that year, Tillinghast-Towers Perrin declined to develop risk categories because it said risk cannot be directly managed. Instead, it said an organization should identify "risk factors"--such as culture, capital, business processes and capacity for change--and manage those. COSO, the Council of Sponsoring Organizations, categorized eight risk processes: internal environment, goals, risk events, risk assessment, risk response, control activities, information and communication, and monitoring.

All of these offer insights on ERM, but in terms of accountability, responsibility and process, most firms are not structured against the above risk classifications or processes. Firms do not have separate risk managers for each. A better categorization would be to align the risk categories with the existing management structure.

3. Failure to tell a good story. The third problem is ERM's real value is lost when we focus on processes, internal controls and details. Board members, senior executives and even middle managers see a cumbersome, expensive way to handle risks they are already managing. Many businesspeople pay lip service to Sarbanes-Oxley, Basel II and ERM. They believe the processes that all three require have been designed by bureaucrats, professors or regulators who do not really understand risk.

Here, then, are proposed solutions:

1. Definition of ERM. Let's simply say ERM is an effort to coordinate management of the risks facing an organization. We can skip more complex definitions, which all deal with risk coordination and mitigation.

2. Matching risk categories to business model. A business model states a firm's strategy for success. It includes: the value to be created by the entity; the network of partners for creating, marketing and delivering value; and capital, assets and other resources needed to generate sustainable profits. The likelihood of success of an ERM program rises significantly when companies align risk categories with the business model.

As an example, suppose a company has the following risk categories as components of its business model: production, or creation of goods and services; marketing, or development of customers and markets; finance, or management of liquidity, profitability, the control aspects of cash flows and investments; technology, and keeping up with changing technology; administration, or processes for efficiency, performance and structure; European and Asian regions, or entities that operate with a high level of autonomy from the corporate headquarters; and legal liability, or dealing with mounting lawsuits from a defective and discontinued product.

An advantage to this categorization is it matches risks against major exposures and the C-level individuals responsible for managing them. If we add a high-level responsibility for advising and consultation, we are coordinating risk at the organizational level. We can add other staff units, such as logistics, human resources and in-house legal counsel. The organization now has risk categories matching the senior executives who are identifying and managing risks daily. Once we have these categories, subcategories emerge easily (see chart).

3. Telling a good story. Up to this point, we are simply realigning the ERM message so it makes sense to the organizations, board members and senior executives. Solving the third problem, failure to tell a good story, will be the subject of my March 19 column in Business Insurance.

John J. Hampton is the KPMG Professor of Business and Dean of the School of Professional and Continuing Studies and Graduate Business Programs at St. Peter's College in New Jersey. He specializes in business ethics, legal liability and enterprise risk management. He is a former executive director of the Risk & Insurance Management Society Inc.

His columns and interviews with risk experts are available at