Enterprise risk management (ERM) emerged from the fundamental roots of risk management itself: preserve assets, protect people and comply with laws and regulations. And like a young tree, ERM has developed a strong trunk with several distinct branches, each representing a different approach. 

There are three primary reasons why ERM has developed so many branches. First, there is no standard definition of ERM. Instead, there are a variety of national and global standards, which have led to much confusion over what exactly the discipline of ERM really means.

Second, the marketing of ERM by professional service firms tends to mirror the services that those firms are selling. Accountants, insurance brokers and consultants craft their ERM approaches around their specific agendas, in effect creating more branches on the tree.

Third, how ERM is developed within organizations is largely dependent upon where it has been implemented (or where the ERM seed fell, if you will). For instance, the practice of ERM could be rooted in compliance, risk or value creation depending on where it is "owned" within the organization.

So although these branches all come from a common trunk, the diversity of perspectives has made ERM implementation more daunting. Understanding the rationale behind these approaches, however, can be the first step to cultivating an effective ERM program.

The Horticulture of ERM

The lowest branch on the tree, closest to the base, represents the earliest ERM efforts. These were centered around integrated risk programs, such as those created by Honeywell and United Grain Growers in the late 1990s. The fruit of this branch was the creative financing of historically immiscible risk categories in blended programs (i.e., commodity prices or volume risks combined with hazard risks, or multi-line and multi-year basket aggregates with exotic triggers and floating retentions).

Two additional limbs appeared in quick succession in 2001 and 2002. In the wake of 9/11, the business continuity planning branch emerged with a focus on disaster preparedness and emergency response planning. A renewed emphasis on physical security and system redundancy was accompanied by terrorism risk assessments, modeling of man-made disasters and the passage of the Terrorism Risk Insurance Act (TRIA). Another compliance-related branch grew out of the Enron implosion to ultimately include Sarbanes-Oxley and the COSO ERM framework. 

Governance, risk and compliance (GRC) is another branch in the compliance and audit family that has emerged over the last few years and is gaining support among audit firms, information technology providers and consultants. This branch focuses on adapting the ERM approach to include corporate governance and risk management requirements from entities like the New York Stock Exchange and the rating agencies including the auditing, reporting and compliance practices for those requirements. 

As the U.S. companies embrace the general concept of sustainability, a new ERM branch has grown to include the green movement. From this perspective, ERM is seen as being less about the risks faced by businesses in executing their strategies than the risks that those strategies may pose to the environment. Terms like "cap and trade," "carbon footprint" and "sustainable development" have worked their way into the risk management lexicon. We have rapidly moved from "greenhouse gases" to "global warming" to "climate change." Company stakeholders have expanded far beyond employees, owners and customers to literally encompass the entire world. It remains to be seen how large or rapidly this branch grows, but it seems clear it will remain firmly attached to the ERM trunk.

Some practitioners have always seen ERM as a process that can be used to gather data and statistics, especially about emerging risks, in order to provide "risk intelligence" that enables senior management to make risk-adjusted decisions. Once the exclusive jurisdiction of actuaries and financial quants, phrases such "total cost of risk" (TCOR), "value at risk" (VAR), "tail VAR," "return on risk-adjusted capital" (RORAC) and "risk adjusted return on capital" (RAROC) have become commonplace in risk-related decision frameworks. The terms "tail dependency" and "copula" may still result in a puzzled look from time to time, but nobody raises an eyebrow at the mention of a "Monte Carlo simulation" or "correlation." The efficient frontier and modern portfolio theory have made it from the textbook to the desktop--and to risk management in general. ERM will always encompass far more than statistics, metrics and formulas, but it is fair to say this branch is here to stay.  

Several years ago, another branch emerged that recognizes ERM's potential to add new measurable value to an organization. Adherents to this variant of ERM, called "entrepreneurial risk management," tend to be sympathetic to the risk intelligence school but are primarily focused on identifying new or unique market opportunities related to risk. Those in this camp talk about "leveraging risk" or the "upside of risk." While some of the opportunities identified can be transactional or product-related in nature, entrepreneurial ERM is by and large focused on developing business strategies to take advantage of market conditions by aligning differing perceptions and appetites to overall organizational objectives. Organizations are then in a position to prioritize investment opportunities and highlight areas of competitive advantage.

Cultivating Continued Growth

Many organizations are embracing ERM in some fashion. They have formed internal risk committees and agreed on an organizational definition of risk. Some of those organizations have tackled the differences between risk tolerance and risk appetite beyond pure numbers. However, if all the published surveys are accurate, very few organizations are practicing true ERM across the entire enterprise.

If ERM is going to become a standard business practice, the place for it to start is an ERM or risk committee. Its members must include the C-suite because the C-suite brings an organizationwide view and a power base necessary to make the strategic decisions about the business and the associated risks. They also have a longer-term and bigger-picture view of the business. This allows them to consider the aggregation of risk identified by the individual business units, as well as considering unanticipated, unknown and emerging risks that individual profit center leaders may not have had the option or time to consider, especially if they are in survival mode. Basically, the complexity of the ERM tree requires skilled leadership to thrive in an organization.

For the last decade, the changing regulatory and economic climate has permitted the creative growth of ERM. The result has been a strong tree and increased visibility of ERM within organizations, but it is also a tree that has spawned branches that have headed in several different directions at once. Organizations need to take care not to rely on any one branch more than the others. If one branch becomes too dominant, ERM could become mired in a confusing tangle of heat maps, Section 404 compliance reports and enterprise database systems. 

An ERM program, and the ERM discipline itself, is strongest when it encompasses multiple approaches. And if an organization only clings to one branch of the tree, risk management itself is compromised. As the axiom says, the whole is truly greater than the sum of its parts. 

CMP1: The Original ERM Policy

When the first ERM programs for Honeywell and United Grain Growers were announced in the late 1990s, they received a great deal of attention in the financial press. Both were sophisticated risk programs that integrated traditional insurable event risks with so-called non-traditional risks into a single insurance policy. They offered a new model for creative risk financing techniques. 

But integrated risk programs go back three decades earlier to a policy known as CMP 1, as in Casualty, Marine, Property Catastrophe Policy 1. Issued on January 1, 1966 by American International Union (the precursor of AIG) for the Standard Oil Company of New Jersey (now Exxon Mobil), CMP 1 was the first integrated risk policy, and it was the brainchild of insurance innovator William McGuinness.

McGuinness began his insurance career working as an underwriter at the General Accident Insurance Company, and then in the insurance departments at Flinkote and the Port Authority of New York before landing the job of assistant insurance manager at Standard Oil of New Jersey. Even in the early 1960s, Standard Oil was a corporate behemoth with the risks to match. 

McGuinness had always been a student of risk management and in developing CMP 1 his objectives would be familiar to all risk managers: expand coverage, reduce cost and improve administrative efficiency.

Standard Oil was an early adaptor of the captive insurance company model and McGuinness planned to use the Standard Oil captive, ANCON, as an underlying foundation of his integrated approach to risk. He first studied and then deconstructed the various policy forms that were standard in the market at the time and came to the conclusion that it might be possible to construct an integrated excess program that would achieve his objectives for managing and financing risk. He then crafted the policy form wording and calculated the pricing for a multiyear policy.

A large claim that had occurred while McGuinness worked at the Port Authority convinced him that the new policy would also have to define a claim as a result of an "occurrence" (more common in the United States) versus an "accident" (the standard in the London market at the time). This was a critical issue since McGuinness required a $100 million catastrophe limit-a huge limit for those days. He figured the only way to achieve his goal was to have American underwriters lead the program.

McGuinness had a solid working relationship with Jim Manton, the president of American International Underwriters, and after they negotiated the potential policies terms, conditions, premium and AIU's participation, Bill Hedges of Marsh & McLennan in New York and Edgar Bowering of C.T. Bowering in London were given the responsibility of marketing the program.

CMP 1 insured Standard Oil against "all risks of physical loss of, or damage to, property of any kind or description owned by the insured" and included protection against property, personal injury, marine and employee fraud risks. It was a quota-share subscription policy with all the underwriters signing on to the same wordings. The American leads were the Insurance Company of North America, American Home Assurance Company, the Aetna Casualty and Surety and the Travelers Indemnity Company. Underwriters at Lloyd's signed on for over half of the policy limit. 

Thirty years later, Honeywell combined traditional insurance lines with foreign exchange risk, while United Grain Growers created another innovative risk management program by combining traditional insurance lines with volume risk. Just like CMP 1, these programs ushered in a new era of integrated risk. Today, most of the integrated programs in force have more complex structures than CMP 1, but the core concept remains the same. And for that, risk managers have Bill McGuinness to thank. 

Written by John Bugalla, Barry Franklin & Corey Gooch. John Bugalla is an Indianapolis-based ERM consultant. Barry Franklin is a director in the corporate enterprise risk management practice of Towers Watson. Corey Gooch is Aon Global Risk Consulting's regional director of business development for the Americas.

The above article is reprinted from the May 2010 edition of Risk Management Magazine.