
The Role of "Push" and "Pull"

Everybody knows risks must be managed in an integrated program across the enterprise. Silos do not encourage a broad perspective on risk. Concurrently, members of boards of directors are intrigued by efforts to avoid the debacles of Enron, WorldCom, Tyco and others. Brokers, accounting firms and risk managers "push" the idea of enterprise risk management. For the most part, companies have been lukewarm to respond.

Contrast ERM efforts with those being taken in the name of "compliance." Thanks to the Sarbanes-Oxley Act, the Securities and Exchange Commission and the Basel II Capital Accord in other parts of the world, companies are spending a fortune on internal controls and other processes that add only a negligible value to governance, risk management and accurate reporting of financial results. Compliance has "pull" and the resources needed to fulfill the external regulatory agenda.

The sad part of the story is that the cart is pulling the horse. We do not need compliance programs to manage the risk of misbehavior. We need ERM to coordinate all risk management efforts, and compliance will follow effortlessly.

This point can be illustrated with the whistleblower requirements of Sarbanes-Oxley. Audit committees of publicly traded companies must establish procedures for receiving and handling complaints from any source concerning accounting, internal accounting controls or auditing matters. Further, these firms must provide a channel--for example, a toll-free number--so employees can submit confidentially and anonymously their concerns about accounting or auditing matters.

There is nothing wrong with protecting whistleblowers. The problem is that ERM advocates--brokers, consultants, risk managers, internal auditors--know the need for whistleblowers is also the failure of governance and risk management. With an effective ERM system, the whistleblower should be redundant. Everybody would be empowered to report wrongdoing and unethical or illegal behavior. ERM drives compliance, not vice versa.

So why is ERM a highly vocal but often ineffective discussion, even as it lives in the shadow of compliance? Part of the problem is the failure to distinguish between horizontal and vertical risk management. Horizontal risk management deals with exposures in company operations. On a continuum from left to right, a firm faces risks in producing, distributing and marketing products and services. The focus of traditional risk management is to avoid disruption to the process of making profits while meeting the needs of buyers of products or services. We manage risks involving suppliers, customers, partners and employees.

Companies have developed extensive financial and other rewards for executives to "pull" horizontal risk management. A disruption to the process of earning profits will be felt by employees in all areas, from bonuses to layoffs. Workers lose jobs when production dips, supply or distribution channels are blocked, products fail to sell or prices fall. The entire organization is energized to mitigate risk in business operations.

The same situation does not exist for most companies with respect to governance, culture and the firm's appetite for risk. We might call this vertical risk management, as it links the board of directors at the top with front-line employees on the bottom of the hierarchy. The board may spell out the desired risk framework. Senior management disperses it downward.

What happens next? Not much, if incentives do not support building a culture that carries risk management across the natural internal boundaries of operating units and staff cubbyholes. Stated simply, we cannot have ERM if employees lack incentives for improving business ethics and organizational governance.

Having said this, we only have to look as far as Tyco for a "pull" system for governance and ethical behavior. The story has been widely reported. Dennis Kozlowski became the chief executive officer of Tyco International Ltd. in 1992 and presided over a rapid growth in assets, earnings and stock price. Over a 10-year period, Tyco used creative accounting to boost profit margins, moved its nominal headquarters to Bermuda, set up a European finance subsidiary and created more than 100 subsidiaries to hide fund transfers and complicate an understanding of its finances. In 2002, following SEC investigations and a precipitous drop in stock price, Mr. Kozlowski was indicted.

At that point, Tyco had a strong sense of urgency to institute a pull system for vertical risk management, the start of meaningful ERM. In July 2002, Tyco appointed Edward D. Breen, Motorola's president, as its new CEO. One of his first acts was to appoint Eric Pillmore as senior vp of corporate governance, reporting directly to the board. In subsequent months, Mr. Breen replaced all the directors and recruited a new and independent board. At the same time, he dismissed the entire headquarters staff of 125 people. Think about that for a method of changing a corporate culture! Finally, in January 2003, Tyco hired Laurie Siegal as senior vp of human resources, with a mandate to set up corporate governance and compensation systems and controls. Tyco is now a model of vertical risk management, building on the four pillars of integrity, excellence, teamwork and accountability.

This is a "pull" system across the enterprise. Accountability and excellence include financial and other incentives to make a unit perform in the marketplace. Horizontal risk management is still in place. Integrity and teamwork promote a culture where misbehavior is not tolerated, ethical behavior is encouraged, and managers must consider how their actions affect and endanger other units and the overall corporate reputation. Vertical risk management has been added to the measurement of management performance and reward mechanisms.

ERM will not be successful if a company thinks it is the job for a risk manager who is trained in loss control, insurance, safety or general administration. Nor will it work effectively if senior executives meet a few times a year as a central risk committee discussing risk mitigation and integration. Neither is it enough to bring in an outside consulting firm to develop a corporatewide risk management program. All these actions can be helpful, but first, the entity needs an internal structure that pulls rather than pushes risk management.

This is a good time to get ERM right. Compliance pressures now have the attention of the board, senior management and shareholders. Tyco and others seem to have the right model. Companies now have the opportunity to follow the Tyco example and create their own customized programs of vertical risk management. Changes in culture and incentives will soon be followed by real enterprise risk management.

John J. Hampton is the KPMG Professor of Business and Director of Graduate Business Programs at Saint Peter's College in Jersey City, N.J. He specializes in business ethics, legal liability and enterprise risk management. He is a former executive director of the Risk & Insurance Management Society Inc. Mr. Hampton can be emailed at jhampton@spc.ed.


Come back on Wednesday, March 15 to read John Hampton's interview with Paul Buckley, VP-Risk Management, Tyco International (US).