
New tack to solving ERM problems

John Hampton

When I arrived at St. Peter's College in 2004, I sought and received permission to put the words "specializing in enterprise risk management" on my business cards. Every time someone sees my card, he or she says something like "Oh, I've heard of enterprise risk management. Exactly what is it?"

That would be a fine reaction to a new idea. It is, however, a sad commentary on a term that has been used for 12 or so years and, in the past seven years, promoted by risk managers, auditors and others. A Google search of "enterprise risk management" produces 859,000 hits. At www.amazon.com are 200 books and articles on it. One is "COSO Enterprise Risk Management--Integrated Framework," a 230-page comprehensive description supported by professional associations of accountants and auditors. In recent years, the Risk & Insurance Management Society Inc. has created an ERM online discussion group, an ERM Center of Excellence and a risk maturity tool for evaluating ERM programs. Articles in Business Insurance and other publications suggest ERM is getting little traction. While this situation has improved some, we need to rethink how we present ERM and what it means. There are three problems:

1. Definitions. Everybody has his or her own for ERM. This includes brokers, accounting firms, consultants and professional associations. A typical definition is: ERM is the process of identifying major risks and business processes with exposures, forecasting significance of risks in business processes, addressing the risks in a systematic and coordinated plan, implementing the plan and holding key individuals responsible.

2. Risk categories. Brokers and others use different risk categories as they promote ERM. Examples: In 2001 and 2002, Marsh & McLennan Cos. Inc., Aon Corp., CFO magazine and the Economist Intelligence Unit variously identified four categories of risk: hazard, operational, financial and strategic. KPMG in 2001 identified seven categories of risk: strategic, operational, reputational, regulatory/contractual, financial, information and new risks. Around that year, Tillinghast-Towers Perrin declined to develop risk categories because it said risk cannot be directly managed. Instead, it said an organization should identify "risk factors"--such as culture, capital, business processes and capacity for change--and manage those. COSO, the Council of Sponsoring Organizations, categorized eight risk processes: internal environment, goals, risk events, risk assessment, risk response, control activities, information and communication, and monitoring.

All of these offer insights on ERM, but in terms of accountability, responsibility and process, most firms are not structured against the above risk classifications or processes. Firms do not have separate risk managers for each. A better categorization would be to align the risk categories with the existing management structure.

3. Failure to tell a good story. The third problem is ERM's real value is lost when we focus on processes, internal controls and details. Board members, senior executives and even middle managers see a cumbersome, expensive way to handle risks they are already managing. Many businesspeople pay lip service to Sarbanes-Oxley, Basel II and ERM. They believe the processes that all three require have been designed by bureaucrats, professors or regulators who do not really understand risk.

Here, then, are proposed solutions:

1. Definition of ERM. Let's simply say ERM is an effort to coordinate management of the risks facing an organization. We can skip more complex definitions, which all deal with risk coordination and mitigation.

2. Matching risk categories to business model. A business model states a firm's strategy for success. It includes: the value to be created by the entity; the network of partners for creating, marketing and delivering value; and capital, assets and other resources needed to generate sustainable profits. The likelihood of success of an ERM program rises significantly when companies align risk categories with the business model.

As an example, suppose a company has the following risk categories as components of its business model: production, or creation of goods and services; marketing, or development of customers and markets; finance, or management of liquidity, profitability, the control aspects of cash flows and investments; technology, and keeping up with changing technology; administration, or processes for efficiency, performance and structure; European and Asian regions, or entities that operate with a high level of autonomy from the corporate headquarters; and legal liability, or dealing with mounting lawsuits from a defective and discontinued product.

An advantage to this categorization is it matches risks against major exposures and the C-level individuals responsible for managing them. If we add a high-level responsibility for advising and consultation, we are coordinating risk at the organizational level. We can add other staff units, such as logistics, human resources and in-house legal counsel. The organization now has risk categories matching the senior executives who are identifying and managing risks daily. Once we have these categories, subcategories emerge easily (see chart).

3. Telling a good story. Up to this point, we are simply realigning the ERM message so it makes sense to the organizations, board members and senior executives. Solving the third problem, failure to tell a good story, will be the subject of my March 19 column in Business Insurance.

Read the March 19 column: "Successful ERM Tells a Good Story"

John J. Hampton is the KPMG Professor of Business and Dean of the School of Professional and Continuing Studies and Graduate Business Programs at St. Peter's College in New Jersey. He specializes in business ethics, legal liability and enterprise risk management. He is a former executive director of the Risk & Insurance Management Society Inc.

His columns and interviews with risk experts are available at www.BusinessInsurance.com/EmergingRiskStrategies.


EXAMPLES OF RISK SUBCATEGORIES

MARKETING RISK

Most organizations have a chief marketing officer who manages risk factors related to entering markets, finding customers/clients, and pricing and selling goods or services. Examples of exposures include:

Needs risk. Understanding what customers will buy.

Distribution risk. Getting the products to market.

Volume risk. Selling sufficient units.

FINANCE RISK

Most organizations have a chief financial officer who manages financial decisions and controls. Underlying exposures include:

Capital budgeting risk. Investing to earn an adequate return on assets.

Valuation risk. Protecting or increasing the value of a firm.

Capital structure risk. Managing the sources of funding for the firm.

Credit risk. Obtaining the value expected from business transactions.

Financial reporting risk. Ensuring accurate financial statements.

TECHNOLOGY RISK

Many organizations have a chief technology officer who identifies risk factors and influences others to respond to changing telecommunications, data management, business systems and other technological developments. Exposures include:

Business support risk. Providing technology for production and marketing.

Information systems risk. Responsive information on products, markets and finances.

Communications risk. Effective systems for linking all parties.

Records management risk. Accurate and timely data collection.

ADMINISTRATION RISK

A chief administrative officer, chief operating officer or CEO manages ordinary operations risks. Issues include:

Efficiency. Organizing work in cost-effective processes that achieve goals.

Performance. Ensuring achievement of leadership, management and behavioral objectives.

Structure. Pursuing optimal hierarchical and other relationships.

An expanded list of risk subcategories can be viewed at www.BusinessInsurance.com/EmergingRiskStrategies