Make progress with a central risk function

In the past two years, I have been working with MBA candidates at St. Peter's College in Jersey City, N.J., to gain a clearer understanding of why enterprise risk management efforts often bog down. I also worked with a large corporation to move forward an ERM program. I concluded that organizations need to revise their ideas on a central risk function.

First, organizations do not manage risk centrally in one large effort, even if they have an individual who holds the title chief risk officer. A central function can identify risks and share them with risk owners, but a system with many exposures is likely to bog down. Nor can organizations manage risk in categories such as operational, financial, strategic or reputational. These do not match a business model. None has a single risk owner, and thus risk categorization suffers from complexity and the absence of accountability. Instead, an organization can make progress with a central risk function that has four components:

• Key risk identification. Scan the horizon and locate risk factors that might be missed by other parties.

• Key risk accountability. Assign each key risk to a risk owner who can delegate it.

• Key risk-sharing. Create a structure to facilitate collaboration on strategies.

• Simplified risk structure. Omit the myriad of exposures already managed as part of internal controls.

ERM is not about internal control, compliance or hazard risk. Rather, ERM should deal with governance. It should address exposures that make it difficult for board members to sleep at night. This can be illustrated with the European Aeronautic Defence & Space Co., the parent of Airbus. EADS' business model has risk owners for military transport, defense and security activities, and several other units (Figure 1). And of course a risk owner is assigned to Airbus. Let us drill down.

Airbus has its own risk owners for the variety of aircraft that it makes. One that sticks out in an ERM framework is the massive, 800-plus passenger A380 (Figure 2), which is almost a "bet-the-company" exposure. The project to develop the aircraft ran into problems. Identifying continuing exposures and sharing them is critical to finding the best risk management strategies, which need to be visible daily to the board.

Airbus knows the importance of the A380 and it created a critical risk program called Power8 to make the project more visible. Power8 might be an ERM effort if each of the major exposure areas has a risk owner. Power8 breaks down into operational risk and structural risk and then goes further into efforts to cut costs, maximize cash, speed development and streamline assembly. When the St. Peter's MBA candidates applied ERM to the A380, they discovered a major exposure that is not visible in Power8. It deals with airports. A limited number of the world's airports—maybe in the single digits—can handle sustained and effective operations for the A380. This risk is so critical it needs high-level visibility and a high-level risk owner. Drill down further.

Suppose we assign airport risk to Hans Ring, chief operating officer of Airbus. Boarding and deplaning at airports is done with at most a few passengers at a time. How long will it take to board more than 800 people? Airports handle baggage one bag at a time and offload bags onto carousels where people try to identify look-alike luggage. Paris' Charles de Gaulle Airport is one of the few airports that claim to be able to handle the A380. I passed through the airport in June. After waiting an hour for my bag from a plane with 180 passengers, I challenge the idea it is ready for the A380.

Now we return to the role of a central risk function. After identifying the airport exposure, the risk is placed in a knowledge warehouse. As I am using the term, this is a collaborative high-tech platform—Wikipedia-style—that enables authorized and interested parties to discuss risk. The central risk function can vet contributions that pose legal liability or other problems but otherwise encourage open collaboration. The book "Wikinomics" by Don Tapscott and Anthony D. Williams shows us how mass collaboration changes everything. The A380 is a perfect ERM application.

Now we have governance. Francois David, an EADS board member, could have a clear view down an ERM path right to the airport exposure (Figure 3). Through Hans Ring and subordinate co-owners, a board member can see the plan for loading and unloading. Will we use double-level terminals or large, mobile people transporters? Will we handle bags in containers or put them on new high-volume carousels? How will we convince a critical mass of airports to set themselves up to handle the A380? Mr. David would not have to wait until the next board meeting for answers; they would be immediately visible. If not visible or adequate, airports could become an agenda item at the next board meeting.

The view does not have to stop here. The structure could be replicated at lower levels. As an example, the airport risks co-owner could share with lower-level authorized contributors. It is easy to imagine many links that could be searched to help coordinate and integrate risk management.

So here is the proposal. Identify key risks, assign risk owners, and share and facilitate risk discussions using modern technology. We are learning the value of collaboration everywhere. A group of MBA candidates applied it to Airbus and discovered a critical risk. Organizations should seriously consider implementing high-tech collaboration monitored by a central risk function.

John J. Hampton is the KPMG Professor of Business and Dean of the School of Professional and Continuing Studies and Graduate Business Programs at St. Peter's College in New Jersey. He specializes in business ethics, legal liability and enterprise risk management. He is a former executive director of RIMS. To read Mr. Hampton's columns and interviews, visit www.BusinessInsurance.com/ERM.