Michael Hofmann's job didn't exist in January. In February, Hofmann became the first chief risk officer (CRO) of Wichita-based Koch Industries Inc., a privately held diversified energy company. His title gives him oversight responsibility for several risk-related areas that had previously been kept separate, from property-and-casualty exposures to foreign-currency exchange, commodity price fluctuations, credit risks, and reputational exposures.
"My job is to pull it all together," he says.
The new CRO joins a small but growing list of executives occupying this emerging corporate position. Chief risk officers aren't exactly taking the business world by storm, but they are finding a niche as companies migrate toward enterprise risk management, the activity taking up much of Hofmann's time. "We're building the capability internally to identify all risks, analyze and quantify them, and then determine the optimum means of mitigating, absorbing, or transferring them," he explains.
Enterprise risk management veers sharply from traditional risk management, in which different company departments are given the task of managing different risks. The custom is for insurance risk managers to mitigate property-and-casualty exposures, treasurers to run herd on finance risks, internal audit to manage compliance issues, desk traders to hedge market risks, and so on. Rarely is there any sharing of risk knowledge or strategy in this so-called silo approach. Not only do these overseers analyze risks differently, they often use different tools for risk transfer — a mix of traditional insurance, counterparty trades, derivatives, and alternative risk-transfer methods.
Even the jargon differs from silo to silo. That's why Hofmann sees a common language for risk as indispensable to enterprise risk management.
"At this point, we're working to apply our state-of-the-art trading-risk framework to all other aspects of our business by using common definitions of risk and a common way to measure or quantify risks," he says. "When that's done, we will decide on an ongoing basis which risks to keep and which to transfer. Then we can effect the transfer through our trading desks, financial markets, insurance carriers, integrated risk policies, OTC [over-the-counter] transactions, or a contractual transfer to another party entirely." Pulling all this together will take at least two years, he estimates.
Hofmann isn't alone in his endeavor. Regulatory pressures, particularly capital adequacy, allocation, and accountability issues, are compelling many companies to get a firmer handle on risk. A number of those companies are designating CROs or forming multidisciplinary risk oversight committees to effect enterprise risk management strategies. By managing the entire risk portfolio under one umbrella, they ensure that a rigorous, consistent risk management process is applied throughout the entire organization.
Tearing Down Walls
While Hofmann is building this capability internally, other CROs are working closely with insurance brokers, accounting firms, and risk management consultants to lead the way, a process that generally takes at least two years to reach fruition. The effort is worth it, advocates say. By tearing down the walls separating the management of risks, CROs have discerned undue risk concentrations within the portfolio of risk — exposures that may seem small on an individual basis but are dangerous in sum.
"One transaction to transfer risk often creates another risk elsewhere," explains James Lam, president of eRisks LLC, a New Yorkbased enterprise risk management company. "For example, when you hedge with an interest-rate derivative, you create a counterparty credit risk. Under the traditional silo approach of managing risk, this would escape notice. But with enterprise risk management, where you look at the entire portfolio of risk, you're better able to appreciate interdependencies. There's a much higher level of risk transparency for senior executives, the board of directors, and, ultimately, shareholders."
Lam speaks from experience. He's widely credited with creating the title of chief risk officer, a position he held in the mid-1990s at GE Capital and, later, at Fidelity Investments, where he effected an enterprise risk management strategy that included the first broad-based, multirisk portfolio risk transfer (see "Integrating Ideas," at the end of this article). Lately, he's been leading other companies through the process, a journey he says is increasingly necessary.
"Look at the business environment today," Lam argues. "We've got an unforgiving stock market, where if earnings projections are off by 5 percent, the stock price drops 20 percent. Meanwhile, the [Securities and Exchange Commission] is saying companies can't manage earnings through special accounting methods, regulators are requiring boards and senior management to have more responsibility for risk, and FAS 133 is making risk-hedging strategies more complex and challenging. These forces require a systematic program to manage risks better than in the past. That program is enterprise risk management."
Evolution of a Job
Enterprise risk management and CROs go hand-in-hand. Yet this new corporate position is largely confined, at present, to two broad industries: financial services and energy. Of the roughly 100 CROs surveyed by Lam, the lion's share falls into those two industries. The reason is largely regulatory.
"The energy and financial services businesses have experienced substantial change," explains Brian Kawamoto, director of enterprise risk at Swiss Re New Markets, a New Yorkbased insurer specializing in alternative risk transfer strategies. "In the banking and insurance sectors, regulators are requiring greater capital adequacy, given the potential negative repercussions on the public of default. Compliance issues and credit ratings are more critical than ever, requiring companies to develop performance metrics on a risk-adjusted basis, in which the cost of risk is explicitly recognized in terms of its effect on capital."
In the energy sector, deregulation has created similar turmoil. Energy companies are hawking weather derivatives and getting increasingly involved in interest rate risk management and foreign exchange risk management. Wide swings in supply and demand, evidenced recently by huge energy-price increases in the northwestern United States, are pressuring margins. These new risks are requiring more-focused management, hence the proliferation of CROs in the industry. Aside from Koch Industries, CROs can be found at Enron Corp. and Duke Energy, among others.
Companies outside the energy and financial services industries seem to be tentatively exploring the appointment of a CRO. Informal research at MMC Enterprise Risk, a subsidiary of New Yorkbased Marsh & McLennan Cos., of about 35 companies in a wide range of industries and countries indicated that only 5 or 6 had appointed or were in the process of appointing a CRO. Lam could recall only three CROs outside energy and financial services — at diversified food company ConAgra Inc.; Coventry Health Care Inc., a managed health care company; and The SAir Group, an air-transport holding company.
These modest numbers will doubtless increase as regulators tighten the screws and companies pursue enterprise risk management. Indeed, MMC's survey indicates that the primary reason for appointing a CRO was the desire to implement enterprise risk initiatives. Bob Khanna, president and CEO of MMC, says the second reason given was the need for more-coordinated risk-related reporting up the organization to the board of directors. "Boards are insisting on a more integrated view of risk, in part because regulators are demanding greater accountability from them," Khanna says.
Other observers read the same tea leaves. "Various corporate advisory bodies are elevating the responsibility of senior management and the board to understand all the risks of the organization and have strategies in place to manage them," says Carl Groth, senior vice president and director of alternative risk transfer at insurance broker Willis, in New York. Groth points to the 1999 Turnbull Report in the United Kingdom, the 1994 Dey Report in Canada, and the Basel Committee on Banking Supervision in the United States as motivating factors for instituting both CROs and enterprise risk management.
(The Turnbull Report, issued by the Institute of Chartered Accountants in England & Wales, gives guidance to companies listed on the London Stock Exchange on a risk-based approach to internal controls. The Dey Report makes recommendations on identifying and mitigating corporate risks. The Basel Committee recommends that balance sheet capital be set aside to cover volatile operational exposures in the banking industry.)
What's in a Name?
Nevertheless, the observers agree that appointing a CRO per se is not as crucial as implementing the enterprise risk management strategies he or she coordinates. Indeed, the CRO can be a company's CEO or CFO, or, as is common, a multidisciplinary committee of risk overseers.
Sometimes a CRO is the same animal by a different name. Take the case of Charles Schwab & Co., which just appointed its first executive vice president of risk management. "I don't have the exact title of CRO, but that's who I am," says Bryce Lensing, of the financial services firm's San Francisco headquarters. He heads Schwab's Global Risk Committee, which is composed of four subcommittees: financial risk management, credit oversight, technology and operations risk, and fiduciary risk. "My job is to bring an overall view of risk to the company," says Lensing, who was appointed to his position in late May.
Other companies have a CRO by committee. One example is software giant Microsoft Corp., a pioneer in enterprise risk management. Another is United Grain Growers Ltd. (UGG), a Winnipeg, Canada-based diversified grain handler with $1.2 billion in 1999 revenues. In 1995, UGG assembled an enterprise risk oversight committee of 20 individuals, headed by CFO Peter Cox. The committee worked with Willis and Swiss Re New Markets for the next three years to identify, assess, and quantify every conceivable risk to earnings. The process ended with the transfer of a single portfolio of property, casualty, and grain volume exposures to Swiss Re (see "Whatever the Weather," CFO, June).
Hallmark Cards Inc. has no formal enterprise risk management process. "We are organizing a pilot committee that will include insurance risk management, finance risk management, and internal audit to analyze risks across the landscape," says William Johnson, risk financing manager at the privately held Kansas City, Missouri-based greeting card company (annual revenues: $4.2 billion). The committee hopes to establish an optimum way to determine the amount of risk the company should retain internally. "Right now this varies all over the place," says committee member Richard Heydinger, director of risk management. "My department may be perfectly comfortable taking a $10 million risk and not transferring it, whereas credit or treasury may spend money to transfer any risk over $100,000." Says Johnson, "We have looked at combining risks in a portfolio for transfer to a third party, although we haven't made any decisions in that direction."
Not everyone is sold on the need for a CRO. "How many chiefs do you need?" asks William J. Kelly, a managing director at investment bank J.P. Morgan in New York, which eschews the position. "Frankly, I think it would be pretty hard to find someone who has the expertise to address market, credit, and operational risks across the organization. Isn't that what the CEO and CFO should be doing?"
Swiss Re's Kawamoto responds that CEOs are de facto CROs, responsible for directing risk management strategy, "but they often don't have the time to set up the framework for a risk-adjusted capital process or to monitor it," he says. "They may put this in play, but the CRO takes it to the finish line."
Correlations and Concentrations
Whether directed by a CRO or not, an enterprise risk management analysis can discern offsetting risk positions or undue concentrations of risk in a company. Marty Scherzer, an MMC Enterprise Risk managing director, provides this example of a risk offset: "A railroad suffers when the price of diesel goes up, but benefits by increases in coal shipments and the revenues this produces. Higher revenues offset the risk; thus, a fuel-price hedge would be unwarranted. Often, such offsets slip the radar screen in a multisilo approach."
CRO Suzanne Labarge at Royal Bank of Canada says her oversight of credit market and operating risks revealed high credit-risk concentrations at the Toronto-based financial institution, with $190 billion in assets. "Our personal and commercial bank is exclusively Canadian, meaning a very heavy concentration of small and midsize Canadian enterprises and retail businesses," she says. "Our corporate and investment bank, however, does business largely outside Canada, in industries that are primarily non-Canadian. Knowing this, we were able to diversify our exposures using ordinary portfolio techniques.
"Basically, we encouraged our corporate bank to take on larger exposures in non-Canadian industries. By diversifying outside the country, we're not susceptible totally to a Canadian recession."
In the past, Royal Bank had little knowledge of these risk concentrations or correlations, Labarge says. "We failed to appreciate risk overlaps, with each business having operating risks and bits and pieces of market risks and credit risks," she explains. "We've now pulled it all together at the corporate level so we don't have undue risk concentrations."
Apprised of Labarge's experience, former CRO Lam says he's not surprised. "It's amazing what you pick up when you have a view of the entire enterprise's risk," he says. "That's why I believe CROs must be the evangelists of enterprise risk management — getting people excited about the process to effect organizational changes, break down silos, and achieve senior management commitment. They're the stewards of their companies' financial and reputational assets, setting the right policies to make sure they don't get into trouble."
Judging from the number of CROs following in his pioneering footsteps, Lam may have inadvertently spawned a minor revolution. Indeed, MMC Enterprise Risk's Khanna predicts CROs will become standard positions throughout most industries. "CEOs and their boards are realizing they need a full-time person thinking and worrying about risk all the time," he says. "That way, if something goes wrong, there's someone accountable."
Russ Banham is a contributing editor of CFO.
Should you combine risks in a blended policy?
A number of companies that practice enterprise risk management are either undertaking or considering an integrated risk transfer, in which different risks are combined for transfer to a third party. For example, Charles Schwab & Co. is well on its way to integrating property, casualty, and intellectual-property exposures in a portfolio risk transfer, according to Bryce Lensing. "We're working with our underwriters to fold things like patents and trademark infringement exposures into a blended risk insurance policy that includes property, casualty, directors' and officers' liability, and other exposures," says Lensing, coordinator of Schwab's Global Risk Committee. "Rather than insure each discrete incident, we like the idea of a blended program that affords large dollar limits across the enterprise."
Fidelity Investments, the Boston-based diversified financial services firm, already has taken the integrated-risk route. "We put together the first enterprisewide structured financial insurance product," says Judy Lindenmayer, Fidelity vice president of insurance and risk management. The groundbreaking insurance policy, conceived by Lindenmayer and underwritten by New York based American International Group Inc., covered every reasonable exposure confronting the organization, barring six exclusions (including workers' compensation).
James Lam, former Fidelity CRO and now president of eRisks LLC, recalls: "We set up the infrastructure within the company to address losses across the entire enterprise, structuring the general ledger to systematically capture credit risk, market risk, and operational risk. We then decided, based on Judy's work, to combine property, casualty, and the other risks in a portfolio for transfer." Last year, Fidelity increased the coverage limits on the integrated policy, now layered among several insurers.
While enterprise risk management may lead to an integrated risk transfer, one does not necessarily always beget the other. Indeed, experts warn not to confuse the two. "Insurance brokers and investment banks tend to see enterprise risk management from a risk-transfer product perspective," notes Lam. "That's the cart before the horse. You want a service provider that sees enterprise risk from the client's perspective, not a product perspective."
Reduced costs, lower earnings volatility, and potentially higher shareholder value are cited as benefits of integrated risk transfer. But the strategy has its skeptics. "I don't see value in the enterprise risk strategy," says William J. Kelly, a managing director at investment bank J.P. Morgan in New York. "Supporters like to say two diverse risks offset each other in a portfolio. But where's the hedge — the interplay of 'When this risk goes down, this one goes up'? If two risks are diverse, they should be addressed separately. It makes no sense to combine them."