John J. Hampton recently talked with Christopher Mandel, who served as president of the Risk & Insurance Management Society during 2002-2003 and was named Risk Manager of the Year by Business Insurance in 2004. He has been a longtime proponent of enterprise risk management. Mr. Hampton asked Mr. Mandel to comment on his May 15 article in Business Insurance proposing dual positions of a chief strategy officer and non-financial chief risk officer.

Hampton: In 2000, as a member of the RIMS Executive Council, you interviewed me for the position of executive director. You asked me if I knew about enterprise risk management. I said no. Has ERM made substantial progress outside risk management circles since 2000?

Mandel: I think it has. Every day I am bombarded with communications from consultants, brokers and the trades with products, services and writings on the subject. Its linkage with other key initiatives like SOX compliance, regulator interest and emerging requirements and a truly effective internal and external audit function, is spreading across companies like wildfire. More and more often, I see evidence that operations, control and finance types are expressing their interest in and concern about how to effectively manage other than typically insurable risks.

Hampton: The Business Insurance article argues that a chief strategy officer should have no responsibilities other than scanning the changing risk horizon external to the organization and bringing back early warning signs. What do you think of that idea?

Mandel: Frankly, while that might be an ideal situation for that incumbent, it is probably unrealistic to think it's achievable in many of today's more stressed industries. Clearly a strategy head has a unique and important role in integrating key risk management with the planning process. And external environmental scanning is something they should and often do. Most importantly, however, is that such a person work effectively with a risk management head to ensure together that no key risks are missed in preparing an effective plan for any entity.

Hampton: The article also suggests the creation of non-financial chief risk officer with responsibilities for helping mitigate broad organizational risks related to culture, employment practices and fiduciary responsibilities. Is such a position consistent with your view of ERM?

Mandel: I support a diversity of approaches to effective risk management and believe that the most important element of a good risk strategy is designing it to align with the company and its culture, which define its view of risk taking and risk mitigation. Certainly, in many large financial institutions, the most significant risks are financial in nature. Risk heads in these companies often end up focusing on market, credit and interest rate risks, often to the exclusion of many operational and business or strategic risks. In most other companies, these risks are the ones that, by far, can bring the most harm to mission success. Therefore, I think a non-financial CRO type is appropriate in many cultures, to ensure the most significant risks are appropriately addressed. However, I think there are many models that can work. One where subject-matter experts in specific risk areas hold accountability for those risks can work well when a senior risk process leader partners effectively with that person.

Hampton: The list of critical risks includes insurable risk--the stock in trade of today's risk managers. Are traditional risk managers properly prepared for the larger role of a CRO? If yes, what additional knowledge or skills would they need?

Mandel: I maintain that "traditional" risk managers are in many cases better suited to assume this broader responsibility for reasons that include their need to have a deep and broad understanding of how all key company segments work. However, many traditional risk managers don't know their companies as sufficiently as they should. They also run a wide range of influencing success, with many having very limited relationships among their companies' most senior and powerful leaders. So, you would naturally understand that it is my belief that individuals that have this broad and deep understanding and who have built relationships across key business segments, both lines and functions, are the ones who will be most successful as enterprise risk managers. In addition, a solid understanding and education in finance and business management goes a long way to paving the way to success.

Hampton: At RIMS you were always one of the leading voices for a broadened view of risk management, including a RIMS presentation when you coined the term "world-class risk management." How has your thinking changed since you left RIMS?

Mandel: For me personally, world class has given way to a focus on "best in class" where in our culture, continuous improvement coupled with a need to be highly competitive is critical to long-term success. The 10 criteria that made up my view of world class are still largely the same criteria but have only been adjusted to a higher level of performance, e.g. top 10% vs. top quartile cost of risk. On a broader level, my thinking has expanded primarily in areas that have allowed me to see the importance of key stakeholder alliances, both internal and external, in order to ensure such a broad and deep mandate can be driven sufficiently into a company's culture. To do that, I believe practitioners need a particularly close alignment with internal audit, compliance, legal, operations, business continuation, control and CFO.

Hampton: Any other thoughts to share on the future of ERM?

Mandel: More than ever, it's up to risk managers to take the lead if they want it and if not, to at least ensure a place at the table with those who do lead. Together, stakeholders can drive the best results, since critical risks for most companies are too far and wide for any one leader to hope to successfully manage alone. In addition, developing more rigor around risk process, especially risk value measurement, is a critical component of enlisting the long-term support of key leaders.