Enterprise risk management (ERM) is a complex yet critical issue that all companies must deal with in the twenty-first century. Failure to properly manage risk continues to plague corporations around the world. ERM empowers risk professionals to balance risks with rewards and balance people with processes.
But to master the numerous aspects of enterprise risk management, you must integrate it into the culture and operations of the business. No one knows this better than risk management expert James Lam, and now, with Implementing Enterprise Risk Management: From Methods to Applications, he distills more than thirty years' worth of experience in the field to give risk professionals a clear understanding of how to implement an enterprise risk management program for every business.
- Offers valuable insights on solving real-world business problems using ERM
- Effectively addresses how to develop specific ERM tools
- Contains a significant number of case studies to help with practical implementation of an ERM program
While Enterprise Risk Management: From Incentives to Controls, Second Edition focuses on the "what" of ERM, Implementing Enterprise Risk Management: From Methods to Applications will help you focus on the "how." Together, these two resources can help you meet the enterprise-wide risk management challenge head on—and succeed.
Preface xiii
Acknowledgments xix
Part One ERM in Context
Chapter 1 Fundamental Concepts and Current State 3
Introduction 3
What Is Risk? 4
What Does Risk Look Like? 8
Enterprise Risk Management (ERM) 11
The Case for ERM 13
Where ERM Is Now 18
Where ERM Is Headed 19
Notes 20
Chapter 2 Key Trends and Developments 21
Introduction 21
Lessons Learned from the Financial Crisis 21
The Wheel of Misfortune Revisited 26
Global Adoption 34
Notes 37
Chapter 3 Performance-Based Continuous ERM 41
Introduction 41
Phase Three: Creating Shareholder Value 43
Performance-Based Continuous ERM 44
Case Study: Legacy Technology 56
Notes 59
Chapter 4 Stakeholder Requirements 61
Introduction 61
Stakeholders Defined 62
Managing Stakeholder Value with ERM 79
Implementing a Stakeholder Management Program 80
Appendix A: Reputational Risk Policy 83
Notes 87
Part Two Implementing an ERM Program
Chapter 5 The ERM Project 93
Introduction 93
Barriers to Change 93
Establish the Vision 95
Obtain Buy-In from Internal Stakeholders 97
Assess Current Capabilities against Best Practices 100
Develop a Roadmap 104
Appendix A: ERM Maturity Model 108
Appendix B: Practical Plan for ERM Program Implementation 111
Chapter 6 Risk Culture 115
Introduction 115
Risk Culture Success Factors 117
Best Practice: Risk Escalation 130
Conclusion 130
Notes 131
Chapter 7 The ERM Framework 132
Introduction 132
The Need for an ERM Framework 132
ERM Framework Criteria 136
Current ERM Frameworks 138
An Update: The Continuous ERM Model 145
Developing a Framework 150
Conclusion 153
Notes 153
Part Three Governance Structure and Policies
Chapter 8 The Three Lines of Defense 157
Introduction 157
COSO’s Three Lines of Defense 158
Problems with This Structure 160
The Three Lines of Defense Revisited 164
Bringing It All Together: How the Three Lines Work in Concert 172
Conclusion 173
Notes 173
Chapter 9 Role of the Board 175
Introduction 175
Regulatory Requirements 176
Current Board Practices 179
Case Study: Satyam 180
Three Levers for ERM Oversight 181
Conclusion 189
Notes 189
Chapter 10 The View from the Risk Chair 191
Introduction 191
Turnaround Story 191
The GPA Model in Action 192
Top Priorities for the Risk Oversight Committee 192
Conclusion 196
Notes 197
Chapter 11 Rise of the CRO 198
Introduction 198
History and Rise of the CRO 199
A CRO’s Career Path 201
The CRO’s Role 202
Hiring a CRO 206
A CRO’s Progress 208
Chief Risk Officer Profiles 212
Notes 225
Chapter 12 Risk Appetite Statement 227
Introduction 227
Requirements of a Risk Appetite Statement 228
Developing a Risk Appetite Statement 233
Roles and Responsibilities 239
Monitoring and Reporting 242
Examples of Risk Appetite Statements and Metrics 246
Notes 250
Part Four Risk Assessment and Quantification
Chapter 13 Risk Control Self-Assessments 255
Introduction 255
Risk Assessment: An Overview 255
RCSA Methodology 256
Phase 1: Setting the Foundation 259
Phase 2: Risk Identification, Assessment, and Prioritization 262
Phase 3: Deep Dives, Risk Quantification, and Management 267
Phase 4: Business and ERM Integration 270
ERM and Internal Audit Collaboration 272
Notes 273
Chapter 14 Risk Quantification Models 274
Introduction 274
Market Risk Models 275
Credit Risk Models 278
Operational Risk Models 281
Model Risk Management 283
The Loss/Event Database 288
Early Warning Indicators 289
Model Risk Case Study: AIG 289
Notes 290
Part Five Risk Management
Chapter 15 Strategic Risk Management 295
Introduction 295
The Importance of Strategic Risk 296
Measuring Strategic Risk 299
Managing Strategic Risk 301
Appendix A: Strategic Risk Models 310
Notes 312
Chapter 16 Risk-Based Performance Management 314
Introduction 314
Performance Management and Risk 316
Performance Management and Capital 317
Performance Management and Value Creation 319
Summary 323
Notes 324
Part Six Risk Monitoring and Reporting
Chapter 17 Integration of KPIs and KRIs 327
Introduction 327
What Is an Indicator? 327
Using Key Performance Indicators 329
Building Key Risk Indicators 330
KPI and KRI Program Implementation 335
Best Practices 337
Conclusion 338
Notes 339
Chapter 18 ERM Dashboard Reporting 340
Introduction 340
Traditional Risk Reporting vs. ERM Dashboard Reporting 344
General Dashboard Requirements 348
Implementing ERM Dashboards 351
Avoid Common Mistakes 357
Best Practices 358
Notes 361
Chapter 19 Feedback Loops 362
Introduction 362
What Is a Feedback Loop? 363
Examples of Feedback Loops 364
ERM Performance Feedback Loop 366
Measuring Success with the ERM Scorecard 368
Notes 371
Part Seven Other ERM Resources
Chapter 20 Additional ERM Templates and Outlines 375
Introduction 375
Strategic Risk Assessment 375
CRO Report to the Risk Committee 376
Cybersecurity Risk Appetite and Metrics 378
Model Risk Policy 380
Risk Escalation Policy 382
Notes 385
About the Author 386
Index 387
Praise for Implementing Enterprise Risk Management
"James Lam provides a strong case that ERM should be a continuous process that is aligned with the strategy and risks of the organization. He offers detailed and practical information on how to structure a robust, dynamic process that stays closely attuned to business risks and how to ensure that ERM fulfills the expectations of all stakeholders."
Ann C. Berzin, Board Member of Exelon Corporation, Ingersoll-Rand plc
"In these times of rapid change and business model disruption, ERM must go beyond regulatory checklists and compliance. Effective implementation of ERM informs business strategy and can lead to breakthrough value creation. James Lam makes a compelling argument that boards have both a strategic and a fiduciary responsibility to ensure that a strong ERM program is in place, and gives wise and practical guidance on how to do so."
Irene Chang Britt, Board Member of Dunkin' Brands, Tailored Brands, TerraVia; CEO, ICB Enterprises, LLC
"In a world of heightened expectations from investors, regulators, and the public, this book is a must read for corporate directors and executives on the keys to effective risk oversight and how to successfully integrate it into corporate strategy."
Robert H. Herz, Board Member of Fannie Mae, Morgan Stanley, Workiva; Former Chairman of the Financial Accounting Standards Board (2002-2010)
"Well, it should be crystal clear from reading this latest book why James Lam was invited to be on the COSO Advisory Committee to revise the 2004 ERM framework. He's a true thought leader and luminary, helping us all to make progress on the ERM journey to higher performance."
Robert B. Hirth, Jr., Chairman, Committee of Sponsoring Organizations of the Treadway Commission (COSO); Senior Managing Director, Protiviti
"A terrific compendium of practical approaches and case studies for implementing an effective ERM framework. James Lam's advocacy of performance feedback loops provides an important innovation to adaptive risk management programs. This book also highlights the increasingly critical role of Chief Risk Officers in defining strategy for companies that adhere to a clearly articulated risk appetite statement."
Bradford Hu, Chief Risk Officer, Citigroup
As the speed at which companies do business all over the world increases, so does the velocity of existential risks. Still, even risk professionals with exemplary knowledge will not be successful unless they can effectively put their ideas into practice. Implementing Enterprise Risk Management turns their expertise into business value.
Picking up where Enterprise Risk Management leaves off, pioneering risk management authority James Lam distills his more than thirty years of experience at the highest levels of business into a clear, focused approach to integrating an enterprise risk management (ERM) program into any company. His innovative performance-based continuous model for ERM is specifically designed to tackle the global risks facing today's organizations in such areas as strategic risk management and cyber security.
Getting an ERM system up and running is a complex, multi-year effort, and this complete blueprint ensures everything is on track at the very start, from outlining the scope and goals of an ERM initiative through using the accurate and insightful metrics, reports, and feedback loops critical to maintaining program effectiveness. Revealing case studies and examples demonstrate how to implement an ERM program in two years, integrate risk into business decisions, create a cyber security risk appetite statement and metrics, structure a concise report from the Chief Risk Officer to the risk committee, and more. Keep this versatile book at your fingertips for everyday guidance on:
- Overcoming common execution issues and cultural barriers to proficiently implement a sophisticated ERM program
- Using an exclusive customized model of tiered defenses to clearly define the role of the board, corporate management, and operating units
- Developing and applying state-of-the-art ERM processes and tools to make more-informed business decisions and create value
- Enhancing the risk culture of the organization by aligning performance measurement and incentives
- Incorporating the opportunity side of risk in maximizing risk-adjusted profitability
Find the optimal balance of risks and rewards with Implementing Enterprise Risk Management.
Product details
About the contributors
JAMES LAM is president of James Lam & Associates, a risk management consulting firm. He serves on the board of directors of E*TRADE Financial and chairs the Risk Oversight Committee. An NACD Board Leadership Fellow, he is author of the bestselling risk management title, Enterprise Risk Management.