Over the past two decades enterprise risk management (ERM) has evolved from concepts and visions of how risks should be addressed to a methodology that is becoming entrenched in modern management and is now increasingly expected by those in oversight roles (e.g., governing bodies and regulators). As Felix Kloman describes in his chapter “A Brief History of Risk Management,” published in Fraser and Simkins (2010), many of the concepts go back a very long time and many of the so-called newly discovered techniques can be referenced to the earlier writings and practices described by Kloman.
However, it is only from around the mid-1990s that the concept of giving a name to managing risks in a holistic way across the many operating silos of an enterprise started to take hold. In the 1990s, terms such as integrated risk management and enterprisewide risk management were also used. Many thought leaders, for example, those who created ISO 31000, believe that the term risk management is all that is needed to describe good risk management; however, many others believe that the latter term is often used to describe risk management at the lower levels of the organization and does not necessarily capture the concepts of enterprise-level approaches to risk. As a result, the term ERM is used throughout this book.
As ERM continues to evolve there is still much discussion and confusion over exactly what it is and how it should be achieved. It is important to realize that it is still evolving and may take many more years before it is fully codified and practiced in a consistent way. In fact, there is a grave danger now of believing that there is only one way of doing ERM. This is probably a mistake by regulators who have too eagerly seized some of these concepts and are trying to impose them when the methods are not fully understood, and in some cases the requirements are unlikely to produce the desired results.
As Fraser and Simkins (2010) noted in their first book on ERM: “While regulatory interest can force ERM into companies, if not done well, it can become another box-ticking exercise that adds little value.” The leading and most commonly agreed guideline to holistic risk management is ISO 31000. However, it should be mentioned that in the United States the COSO 2004 Enterprise Risk Management–Integrated Framework has been the dominant framework used to date. Many organizations are currently adopting one or the other of these frameworks and then customizing them to their own context.
Following the success of the earlier Enterprise Risk Management: Today’s Leading Research and Best Practices for Tomorrow’s Executives by Fraser and Simkins (2010), we found through our own teaching experiences, and by talking to others, that there was an urgent need for a university-level textbook of ERM case studies to help educate executives, risk practitioners, academics, and students alike about the evolving methodology. As a result, Fraser and Simkins, together with Kristina Narvaez, approached many of the leading ERM specialists to write case studies for this book.
The first two chapters provide an overview of ERM and guidance on ERM education. As we have pointed out, education on ERM is crucial and more universities need to offer courses in this area. Our conversations with many ERM educators and consultants highlight how extremely challenging it is to achieve excellence in ERM education. Chapter 2, “An Innovative Method to Teaching Enterprise Risk Management: A Learner-Centered Teaching Approach,” offers insights and suggestions on teaching ERM. This chapter covers the concept of flipping the classroom with learner-centered teaching (LCT), distinguishes it from traditional lectures, and describes how it can be used in teaching ERM.
The LCT approach emphasizes active student participation and collaboration on in-class activities such as case studies versus the traditional lecture approach. This chapter provides several examples as to how LCT can be applied in teaching ERM, utilizing Fraser and Simkins’ (2010) book. David R. Lange and Betty J. Simkins, both experienced ERM educators, team together to write this chapter. David Lange, DBA, is an Auburn University Montgomery (AUM) Distinguished Research and Teaching Professor of Finance. He has received many prestigious awards for both research and teaching from the University and from several academic associations.
He has taught many courses in the area of risk management and has consulted in a significant number of individual and class insurance–related cases in both state and federal court. Betty Simkins, PhD, the Williams Companies Chair of Business and Professor of Finance at Oklahoma State University, is coeditor of this book.
Part II is a collection of ERM case studies that give examples of how ERM was developed and applied in major organizations around the world. Note that there is no perfect ERM case study and the objective is for readers to assess what they believe was successful or not so successful about these ERM programs.
The first case study in this book describes ERM at Mars, Inc. Larry Warner, who is the former corporate risk manager at Mars, Inc. and now is president of Warner Risk Group, describes the ERM program at the company in Chapter 3.
Mars is a global food company and one of the largest privately held corporations in the United States. It has more than 72,000 associates and annual net sales in excess of $33 billion across six business segments—Petcare, Chocolate, Wrigley, Food, Drinks, and Symbioscience. Its brands include Pedigree, Royal Canin, M&M’s, Snickers, Extra, Skittles, Uncle Ben’s, and Flavia. With such complex business operations, Mars recognized the importance of providing its managers with a tool to knowledgeably and comfortably take risk in order to achieve its long-term goals. Mars business units use its award-winning process to test their annual operating plan and thereby increase the probability of achieving these objectives. Chapter 6 presents strategic risk management with the LEGO Group.
Q: What exactly is strategic risk management?
Q: What are some examples of strategic risk?
Q: How can we measure and manage strategic risk?
Q: Is there a framework that an organization can use to navigate strategic risk management?
Q: Give specific examples of how other organizations implemented strategic risk management within their organizations and if it was successful or not.