Try a two-executive approach to ERM

By John J. Hampton

Proponents of enterprise risk management should pay attention to the fundamental difference between organizational risks that are managed and those that are influenced. Senior executives manage risks directly in the areas of production, marketing, finance and technology. Other enterprise risks, including alignment of strategies and operations in changing environments, are better addressed by influencing various components of an organization.

Within this context, an ERM process can be quite valuable to the individuals responsible for production, marketing, finance and technology exposures. The managers in these areas understand the importance of coordinating risk management and would welcome help from the ERM process. At the same time, they do not want to be annoyed by it. Thus, ERM must provide real value by identifying the internal and external risks that affect the entire organization.

To get it right, a large organization should consider appointing two senior executives with responsibilities in two specific areas: strategy and nonfinancial enterprise risks.

Chief strategy officer

Strategic risk factors threaten a firm's ability to align goals, strategies and the external environment. Underlying exposures are a lack of vision, faulty planning, aggressive competitors and inflexible responses to changing conditions. Most existing C-level officers are busy people with significant responsibilities. They lack the time to consider strategic risks that cross all functions and lines of business.

This situation encourages organizations to appoint a "chief strategy officer" responsible for scanning the horizon for trends and unexpected developments and for influencing the board, CEO and senior executives to address emerging exposures. The role is to encourage coordinated strategies to manage risk. The individual should have broad qualifications: for example, many years of experience in the industry; prior experience as a senior vice president or other C-level officer; an advanced degree and participation in continuing professional education; and a reputation for innovative and creative problem solving.

The key to success is that the individual would be responsible solely for identifying and sharing strategic risks facing the entity. The incumbent would have no day-to-day deadlines, time pressures or distractions. Once an exposure is identified, the knowledge would be shared with all interested parties to allow the organization to develop coordinated strategies to manage critical risk factors.

What would a chief strategy officer look at today? How about the emergence of India in production, computer programming and service operations such as call centers? How about the fact that a Detroit production worker costs $40 an hour while a Mexican worker across the border from El Paso costs $4 an hour? Is there anything that China cannot produce to world-class standards at a low production cost? What will be the impact as the world's consumption of oil grows by 20% in the next five years? Is the company prepared for the changing demographics and diversity of the workforce? How will it manage far-flung operations and supply chains? By all indications, a company has plenty of work for a chief strategy officer.

Chief risk officer

The second high-level position brings us to a controversial ERM discussion point: the title and role of chief risk officer. The term first appeared in a 1988 Peat Marwick study on global capital markets. The first CRO was James Lam, who was given the title at GE Capital in 1993. Since then, the term CRO has acquired diverse meanings, with little agreement on responsibilities. Financial institutions (banks and insurance companies) were early adopters of the title in the 1990s. CRO most frequently described a position primarily concerned with three areas:

  • Portfolio risk, or balancing risk across financial investments and holdings.

  • Compliance with regulatory and statutory requirements.

  • Security, ensuring strict internal controls on flow of data and access to information.

Since 2001, the title has made slow progress in nonfinancial organizations. The trend may speed up in the largest publicly traded corporations. A 2004 report by Forrester Research forecast that 75% of companies in fields such as utilities and energy will soon have a CRO in place. A 2005 survey by the Economist Intelligence Unit showed that 45% of 137 companies had a CRO, with 24% planning to create the position by 2007.

As we acknowledge that a chief risk officer position is growing in popularity, we can also recognize that the title is used with two meanings that involve different roles and require different skill sets. Maybe we need two titles: financial CRO and nonfinancial CRO.

A financial CRO would manage financial or internal control functions such as portfolio risk, compliance and the security of data and systems. The financial CRO would be trained in finance, actuarial science, auditing or accounting and would have major experience in financial positions such as financial or investment analyst, treasurer and controller. In many cases, he or she would report to the CFO. Alternatively, the title could reflect an additional duty of a senior finance executive.

A nonfinancial CRO would manage risk retention and transfer, culture, structure, governance and ethical factors. This individual could have any kind of training, including finance, business administration, engineering or law, and would have major experience in operations. This CRO would coordinate the handling of risk factors in business units through an indirect process of influence, as opposed to the direct controls of portfolio management and compliance. The only direct risk management would involve insurance (risk mitigation, retention and transfer), which could be handled by a subordinate professional with an insurance background.

The model of identifying both a chief strategy officer and nonfinancial chief risk officer recognizes that corporate strategies evolve from focusing on opportunities, not risk. The CRO has much to contribute once a strategy is identified. The CRO role is to ensure that the internal enterprise risk factors are identified and assessed. The development of the strategy itself, with its innovation and creativity aspects, is not necessarily a skill of a CRO.

From this foundation, the company has a role for a nonfinancial CRO who influences and integrates risk management without interfering with operating and functional areas. The responsibilities could include gathering centralized information on how senior executives manage risks in their areas, recommending actions to better coordinate direct, indirect and functional risk management, and advising the CEO and board on exposures and responses to them.

The key to the position is to help the organization understand critical risks that are not the specific responsibility of business units. Examples are:

  • Cultural risk arising from the values and beliefs of the organization.

  • Life cycle risk emerging as a result of a business unit's position in the organizational life cycle.

  • Employment practices risks developing from interactions with employees and others in the workplace.

  • Structural risk from behaviors, attitudes, linkages and decision-making processes.

  • Fiduciary and reputation risk, as a result of failures to fulfill expectations of stakeholders.

  • Compliance risk from omissions when fulfilling official requirements imposed by laws or regulatory bodies.

Meeting the ERM challenge

Now we have a pathway that can lead senior executives to participate fully in enterprise risk management. Operating units can get help from these two senior executives. The chief strategy officer scans the horizon for changing conditions that call for new strategies. The nonfinancial CRO works across departmental lines to help managers understand risks that cross all business and staff units.

Most observers recognize that large, publicly traded companies need enterprise risk management. To get the maximum benefit, companies must devise a customized structure with senior leaders involved in a broad process of risk identification and mitigation. To do this properly, the organization should consider seriously the value of appointing chief strategy and risk officers who know the business of the entity and who help everyone coordinate the management of risks.

John J. Hampton is the KPMG Professor of Business and Director of Graduate Business Programs at Saint Peter's College in Jersey City, N.J. He specializes in business ethics, legal liability and enterprise risk management. He is a former executive director of the Risk & Insurance Management Society Inc.