The Humble Cro (to Read!)

Oct 08, 2015

Bo An Lu

A description of a humble CRO's journey
  • Copyright 2014 by Anette Mikes

    Working papers are in draft form. This working paper is distributed for purposes of comment and discussion only. It may not be reproduced without permission of the copyright holder. Copies of working papers are available from the author.

    The Triumph of the Humble Chief Risk Officer Anette Mikes

    Working Paper

    14-114 May 23, 2014

  • 1

    The Triumph of the Humble Chief Risk Officer

    Anette Mikes, Harvard Business School

    Abstract

    This paper tracks the evolution of the role of two chief risk officers (CROs), and the tools and processes they have implemented in their respective organizations. While the companies are from very different industries (one is a power company, the other is a toy manufacturer), they both embraced the concepts and tools of Enterprise Risk Management. Over a number of years, at both firms, risk management transformed from a collection of off-the-shelf, acquired tools and practices into a seemingly inevitable and tailored control process. The paper investigates the role of the CRO in making these transformations happen. The two cases highlight that the role of the CRO may be less about the packaging and marketing of risk management ideas to business managers, but instead, the facilitation of the creation and internalization of a specific type of risk talk as a legitimate, cross-functional language of business. Thereby the risk management function may be most successful when it resists conventional and conflicting demands to be either close to, or independent from, business managers. Instead, by acting as a facilitator of risk talk the CRO can enable the real work of risk management to take place not in his own function, but in the business. In both cases, facilitation involved a significant degree of humility on the part of the CRO, manifest in limited formal authority and meagre resources. Their skill was to build an informal network of relationships with executives and business managers, which allowed them to resist being stereotyped as either compliance champions or business partners. Instead they created and shaped the perception of their role which was of their own making: a careful balancing act between keeping one's distance and staying involved.

  • 2

    In the wake of the 2007-2009 financial crisis, continuing corporate debacles, and ongoing corporate governance calls for the appointment of chief risk officers (CROs) and risk management committees, it is particularly important to understand what role risk officers (may) play in organizational life. The compliance imperative requires banks to implement a firm-wide risk management framework complete with analytical models for the measurement and control of quantifiable risks. In addition, corporate governance guidelines advocate the business partner role of risk management. In this context, the question becomes: how do senior risk officers strike a balance between the twin roles of compliance champion and business partner?

    The practitioner literature on risk management promotes the view that the chief risk officer should focus on developing fruitful interactions between risk managers and the organization's managerial and executive layers (Economist Intelligence Unit Limited, 2010); for example, by positioning themselves as a strategic business advisor (KPMG, 2011: 27). The rising visibility of enterprise risk management and risk managers in organizations reflects an apparent and ongoing reconfiguration of uncertainty into an area of management (Power, 2007), which places demands on the risk manager to be a proactive assessor and communicator of uncertainty, capable of operating as a potential partner to business decision makers rather than as a reactive control agent.

    Seemingly, risk managers are riding a favorable tide with regulators, standard-setters, and some emerging professional associations advocating their value. An increasing proportion of companies have appointed CROs over the last decade, and surveys demonstrate that the proliferation of senior risk officers is ubiquitous [1]. While only a minority of respondents tend to treat COSO's Enterprise Risk Management (ERM) framework (COSO, 2004) as their blueprint, and many do not follow any particular standard or framework [2], surveys generally agree that the numbers of companies embracing ERM (i.e. reporting to have an ERM framework and/or an ERM policy) have reached the critical mass of 60% (RIMS, 2013; Deloitte, 2013). Putting money to the proverbial mouth, companies have spent increasing resources on risk management and many are planning to continue doing so. [3] Yet the jury is still out on ERM's actual value added: according to a survey of risk managers, carried out by RIMS in 2013, their satisfaction with their progress was widely varied, and according to another survey of C-suite executives, less than half believe their organization has an effective risk management program (KPMG, 2013).

    At best, evidence tells us that organizations vary widely in their design, implementation, and use of risk management practices and tools. At worst, risk management (or the appointment of CROs) is a faddish phenomenon, taking up increasing amounts of resources yet proving incapable of closing the expectations gap (Power, 2007) that is now all too evident between aspirations for better risk management and the actual achievements and capabilities of risk management functions.

    [1] A recent survey (Accenture, 2013) of a sample of 446 large, diverse organizations (which included financial services (46%) and other organizations from the utilities, healthcare, life sciences and government sectors) found that the presence of the CRO, or equivalent senior risk officer, was near-universal with 96% of respondents having one in 2013 (up from 78% in 2011). However, surveys that have less focus on regulated industries suggest that the acceptance of CROs (and formal risk management functions) could be much less widespread: 31% in global firms (AICPA, 2010) and even lower in non-regulated U.S. organizations.

    [2] This 2013 survey of 1095 risk managers (RIMS, 2013) suggests that 22% of companies adopted the COSO framework, 23% embraced the ISO 31,000 standard and 26% do not follow any particular framework in defining their enterprise risk management practices.

    [3] A global survey of 1,092 respondents from diverse industries, carried out in late 2012 (KPMG, 2013) found that the level of investment in risk management has grown as a percentage of total revenues in the past three years, with 66% of respondents expecting the proportion invested in risk management to rise in the next three years.

  • 3

    This paper focuses on two companies where the risk management staff had successfully defined and brought about their version of risk management. Having traced the evolution of these two risk management functions, their apparatus (tools and processes), and their relationship with the rest of the organization, I was struck, first, by the apparent success of these CROs at making risk management a seemingly inevitable, inconspicuous part of organizational life. Over the years, they developed new tools that seamlessly linked up with the work of business managers, creating the impression that the real work of risk management took place in the business lines, and was carried out by employees. Yet the risk managers (or rather, the risk-function managers) retained a certain amount of attachment to these practices that enabled them to demarcate risk management as their expertise and raison d'être.

    Secondly, I was also intrigued by the paradoxical attitudes displayed by these CROs towards their own work: they appeared to be tremendously confident and surprisingly humble. The CROs were surrounded by corporate governance advocates, regulators, consultants and certified risk professionals with a vested interest in telling them what risk managers should do and be. But they had the confidence to steer away from the emerging conventional wisdom, the risk management standards and guidelines, and the charlatans who advocated them. They took on the challenge to develop the idea of risk management and its apparatus themselves. Yet at the same time, they displayed a lot of humility, acknowledging failures, struggles and imperfections. They regarded their work as unfinished.

    Thirdly, these CROs sensed that the excessive use of certain kinds of risk management vocabulary, technology, and their uncritical adaption could harm, rather than further their cause. Irritated by the proliferation of abstract vocabulary emanating from risk management standards, these CROs tried to learn and speak the language of the business. By co-creating risk tools and a sparse risk vocabulary with those who were to use them, these CROs brought about inconspicuous risk talk: managers were not even conscious of speaking a new language, that of risk management.

    Finally, these CROs operated extremely frugally: with one or two full-time staff, they played the role of the facilitator of risk talk, and kept their resource requirements to a bare minimum. They planned no further investment in risk management, and did not ask for increases in their formal authority or decision rights. Towards the end of the research horizon, at both companies the role of the CRO was structurally demoted (one or two steps further removed from the CEO in the reporting hierarchy), yet their organizational reach and influence remained unchanged.

    Thus, the two case studies document what might be called the triumph of the humble CRO over the advocates of ever more visible, better resourced and highly independent risk managers. It is the triumph of ordinary risk talk and an unobtrusive risk apparatus over ever more sophisticated risk models and off-the-shelf IT programs that promise a comprehensive and elaborate display of risks. The following sections aim to describe the movements of this evolution, as evidenced by the case studies. I start with a brief description of the case sites and the research process. Second, I outline the evolution of the risk apparatus and describe the work of risk management (riskwork) at the two companies. Third, I describe their efforts at facilitating inconspicuous risk talk and unobtrusive risk tools. Next, I illustrate the mix of confidence and humility that characterized the attitude of these CROs towards their own creations. Here I shall also describe how these CROs kept their span of control (Simons, 2005) narrow,

  • 4

    and even came to accept less formal authority, while (somewhat counterintuitively) they succeeded at widening their span of support [4].

    The case sites and research process

    Electroworks, a major Canadian power utility, operated in an industry in which lack of reliability could lead not only to financial and asset damage but also to human injury and death. The provincial regulatory agency had capped the price that Electroworks could charge, while also requiring it to lead conservation initiatives that would reduce future revenues and earnings. Electroworks had to manage a complex web of conflicting interests: the agendas of government ministers, regulators, consumers, environmental groups, aboriginal (first nation) landowners, and the capital-market debt holders that had subscribed to the company's C$1 billion bond issue. I started fieldwork at Electroworks in spring 2008. Through 25 interviews (see Appendix 1 for a list of interviews), I aimed to reconstruct the history of ERM from its original consultant-led introduction through its transformation to its current inevitable, yet still unfinished and evolving state.

    Magic Toys was a large, family-owned toymaker, operating within a highly competitive, fast-paced industry, which essentially produces and markets fashion for kids. The majority of the company's annual sales came from new product launches, which elevated the importance of product development and innovation. The firm's primary customers were the global retailers who distributed children's toys. Serving these retail chains with accurate and timely deliveries, and ensuring their fast shelf-turnover were of paramount importance in Magic Toys' business model, which aspired to possess world-class marketing and distribution capabilities. In this context, risk management's role was to assist the smooth delivery of new product lines (each carried out as a separate project) and to prepare the company for uncertainty. I started fieldwork at Magic Toys in 2010, and through 44 interviews (see Appendix 2 for a list of interviews) with risk-function managers and business executives, I tried to sketch the evolution of risk practices from form-filling to an established, actionable and consequential part of the annual planning exercise.

    The evolution of the risk management apparatus

    Origins

    Early 1999, in preparation for listing on the Toronto Stock Exchange, the board of directors at Electroworks decided that the company should implement enterprise risk management (ERM), in compliance with listing requirements [5]. They hired a succession of four consulting firms who (in the words of the later chief risk officer) all came through doing ERM-type stuff. They would come in. They would do risk interviews. They would do risk maps. They would charge a quarter of a million dollars, and deliver a nice report. But nothing happened; there was no knowledge transfer. After this perceived false start, the CEO and

    [4] In Simons' Levers of Organizational Design framework, span of control indicates the financial and non-financial resources that managers and employees can draw on in order to accomplish their tasks. Span of support indicates the amount of support they can expect to receive from others in the organization when they reach out for help.

    [5] Although Electroworks eventually abandoned its listing plans, ERM remained.

  • 5

    CFO asked the head of internal audit, Robert Lewis [6] to take on ERM with very little directive, out of a sense of need conveyed by the board and the listing requirements. Originally hired from the banking industry to be the head of internal audit, Lewis had little expertise in any of the day-to-day challenges faced by Electroworks' line workers, engineers, lawyers and customer service managers. Trained as an accountant and experienced as an internal auditor, Lewis saw risk management both as a challenge and a development opportunity for his control function. He realized that he could make this function his own, and have a wide span of control over defining what risk management was to be:

    They [the CEO and the CFO] decided they wanted ERM. They didn't know what it looked like. They were just told [by the board and the stock exchange] that it was a good thing to have. Initially I said, No, I don't think I should take it on. I think there's a conflict of interest, because of my audit role, but let me think about it, I'll sleep on it and get back to you tomorrow. So, I went home and I thought about it, and I guess my feeling was that before the consultants nothing had happened in the risk domain. Now after the consultants had left, nothing was happening. And while it might be a little bit of a conflict, I felt, well, it might be fun. I'll give it a shot, but I'll run it as a completely separate product line.

    Lewis established a Chinese wall to separate his internal audit role from his risk management one. Records of the risk workshops were kept confidential and separate from internal audit assessments and no one, besides himself, was involved in both activities. He had the habit of signaling which hat he was wearing by actually appearing in meetings with a baseball cap carrying either the Internal Audit or the ERM label.

    ****

    In contrast to Lewis, Carl Hirschman, [7] Magic Toys' CRO, spent his entire career in the company, as a financial controller. The notion of risk management came to him as an out-of-the-blue request from his boss, the CFO in 2007. At the time, Magic Toys was recovering from a serious crisis that saw high staff turnover and the appointment of the company's first ever outside CEO (a former McKinsey consultant). As part of the recovery, the board requested that the company should adopt risk management best practices. Similarly to Lewis, Hirschman initially refused to take on the role, but then ended up defining it for himself:

    [Initially,] I said, No, because that's a compliance job, and I don't want to spend the rest of my career doing compliance. Forget it. I don't have the patience for it. The next day, the CFO came to my office and said, What would it take? So I went to his office on the following Monday – I spent most of the previous weekend reading about risk management – and I said, I want risk management to be proactive. I want to run a strategic process. I want to focus on value creation more than value protection. I didn't want to do compliance validation all the time. And the CFO said, Yeah, go ahead.

    Hirschman's first realization was that many of the risk areas defined in the ERM frameworks, in case of Magic Toys, were already monitored and managed by specific functions. In an internal memo, he declared:

    Operational risk is handled by planning and production. Employee health and safety is OHSAS 18001 certified. Hazards are managed through explicit insurance programs ... IT security risk is a defined functional area.

    [6] Pseudonym

    [7] Pseudonym

  • 6

    [The finance department] covers currencies, hedging and credit risks, ... And [the legal function] is actively pursuing trademark violations ... Only strategic risks aren't handled explicitly or systematically ...

    Rather than positioning the would-be risk management function as an umbrella function for all of these risk areas, Hirschman decided to find a niche for it – strategic risk – and called the new function Strategic Risk Management. Hiring only two employees, he searched for meaningful opportunities and tools that would contribute to the management of the business.

    Timelines

    Over time, Lewis introduced a three-phase enterprise risk management program, consisting of risk workshops, biannual risk updates and, linked to the annual planning process, risk-based resource allocation. The following timeline summarizes the evolution of these phases.

    | | 1999-2000 | 2000-2004 | 2004-2012 |
    |---|---|---|---|
    | Facilitators of riskwork | Consultants | CRO; risk team of 2 and Investment Management department | CRO; risk team of 2 |
    | Fora for risk talk | Interviews | Workshops; one-to-one interviews; annual planning and resource allocation debates | Workshops; one-to-one interviews; annual planning and resource allocation debates; black swan workshops |
    | Risk tools | Consultants' risk assessment templates | In-house risk assessment templates (for workshops and investment proposal evaluation); Headline news updates for interview discussion; Biannual Corporate Risk Profile reports | As before, plus: In-house template for black swan evaluation |
    | Frequency of formal risk meetings | 4 projects carried out by different consulting firms | 40-50 risk workshops; Biannual risk updates (interviews); Annual planning (with the involvement of investment management department) | 5-12 risk workshops; Biannual risk updates (interviews); Annual planning (no investment management department); Biannual CRO presentation to the full board; Ad hoc black swan workshops (from 2008 on) |

    Initially, riskwork at Electroworks was manifest in the proliferation of risk management workshops in which participants evaluated risk impact, probability of risk occurrence and control strength (in order to get a sense of residual risk). The workshops achieved a consensus assessment on each of these dimensions by repeated and anonymous voting, with intermittent discussions, facilitated by a risk officer (Workshop Facilitator). Once the management team had assessed risks and controls, the risk officers prepared a risk map – a two-dimensional rank-ordered chart of residual risks.

  • 7

    Twice a year, in January and July, Lewis and his team prepared a Corporate Risk Profile report for the executive team (biannual risk updates). He also presented the report in person to the Audit Committee, and from 2004 on, to the entire board of directors. The Corporate Risk Profile summarized the principal risks facing the organization.

    To prepare for the final phase of the ERM process (risk-based resource allocation), the investment planning department and the risk management team jointly developed templates for allocating resources. Engineers (challenged by the investment planning department) had to evaluate their proposals in terms of cost and the severity of the risk that their program aimed to mitigate. They calculated a bang-for-the-buck index to show the risk reduction per dollar spent, and ranked the investment programs accordingly. By 2004, the engineering teams and top management were both sufficiently fluent in risk and cost assessments that they were able to do without the investment management department. The investment management department was dissolved, yet the risk management team, and the practice of risk-based resource allocation, remained.

    In 2008, responding to the global financial crisis and a worldwide concern with systemic risks and black swan events [8], Lewis and his team initiated so-called black swan workshops, a separate process to focus executives' and board members' attention on low-probability high-impact events that did not normally come up during risk workshops and the biannual risk updates. These discussions used a new template, asking directors to consider the velocity of the underlying trend and the company's perceived resilience to such events. Lewis described these workshops as more a thought experiment than a risk workshop. The black swan workshops were held on demand (but at least annually). Insights from the black swan workshops were fed back into the company's disaster recovery plans.

    *****

    The following timeline summarizes the evolution of the risk management processes and apparatus at Magic Toys.

    | | 2006-2008 | 2009 | 2010-2012 |
    |---|---|---|---|
    | Facilitators of riskwork | CRO plus risk team of 1 | CRO plus risk team of 2 | CRO plus risk team of 2 |
    | Fora for risk talk | Risk and opportunity identification | Risk and opportunity identification; Ad hoc scenario exercise (failed) | Risk and opportunity identification; Regular scenario planning |
    | Risk tools | Spreadsheet tool for risk and opportunity identification; Biannual ERM Report | Spreadsheet tool for risk and opportunity identification; Biannual ERM Report; Scenarios (external Davos scenarios) | Spreadsheet tool for risk and opportunity identification; Biannual ERM Report; Scenarios (internally generated) |

    [8] Popularized by author Nassim Nicholas Taleb, a black swan is an event, positive or negative, that is deemed improbable yet causes massive consequences. See Taleb, N. The Black Swan: The Impact of the Highly Improbable. Allen Lane, 2007.

  • 8

    Noting that Magic Beans was a project-focussed organization (with each project leading to a new product release or a process improvement), Hirschman defined risk at the level of projects, as a change, which negatively impacts our ability to achieve our targets and goals with the strategies and initiatives defined [9] and gave managers a list of examples (loss of consumer affinity; loss of major customer; changes in the competitive landscape; loss of integrity; major supply chain disruptions).

    Hirschman's first deliverable to the Magic Toys board was a 15-page report on the strategic risks (including a two-page bullet list and a single chart), as assessed by the business lines. The report was based on a spreadsheet that Hirschman developed for the interrogation and collection of strategic risk information.

    The board reports got updated biannually. In between, Hirschman and his team introduced scenario planning in an effort to help managers prepare for uncertainty, but also, for the periodic reassessments of the 110 risks they collectively logged in the risk spreadsheet. After an initial fiasco, the scenario exercise was redesigned for higher relevance, spread and by 2012, became an integral part of Magic Toys' planning process.

    Inconspicuous risk talk and unobtrusive risk tools

    Lewis acknowledged that the risk assessment process at Electroworks was subjective, not scientific. Yet the risk workshops were an instant and enduring success, as explained by one risk officer (the Workshop Facilitator):

    Our original ambitious plan was to do twelve risk assessments a year. The senior executive team embraced the approach so enthusiastically that one year we did 60 different risk assessment workshops. My role was to help executives tell their bosses about the risks they faced and how they were mitigating those risks. We helped them make judgments about the adequacy of the mitigating actions proposed and taken.

    In order to make the risk assessment discussions relevant, the risk team realized that their tools (risk assessment templates) had to be perceived as relevant too. They asked senior managers, who had accountability for the particular risk areas (financial, regulatory etc.), to review and approve the impact scales annually. Thus the CFO defined and reviewed the financial scale, the chief regulatory officer reviewed the regulatory scale, and so on. In the end, the impact scale represented every business function's concern, in parallel to others, resembling a multi-language manual that everyone concerned could read (see Appendix 3). Lewis described how business managers used the template:

    Let's assume we had an environmental spill of 10,000 liters of oil. We ask people to vote on a scale of one to five as to the consequences if our controls didn't work. A financial person could use the financial scale by stating, the last time we had an oil spill, it cost $10 million to clean up; I call it a 4. The environmental specialist could assess its impact by saying, this could cause a significant local off-site impact, I am going to vote a 3. The head of public relations says if it gets reported in the local press, the Toronto Star, I would

    [9] Internal document, Version 2.0 / 15 March 2012

  • 9

    call it a 3. If the spill gets into the waterways, it would get covered by the national press, and then I'm going to vote a 4. Each person in the room identifies a different impact, based on his or her area of expertise. It brings a lot of clarity.

    Having co-created the language of risk assessments with the business lines, Lewis also co-opted business managers in setting the agenda for the risk workshops. Prior to each risk workshop, Lewis' risk team informally polled participants and drew up a generic list of 60-70 potential risks or threats to the business or the project being discussed. They emailed the list to the participating management team asking them to choose the ten most critical risks facing their business or project. Based on these choices the risk team narrowed the list to 8-10 risks. A risk officer then started the half-day risk assessment workshop with the presentation of the shortlisted risks, and asked participants to confirm whether these were in fact the most important risks or whether any others should be discussed in detail instead.

    In order to prepare the biannual risk updates, Lewis did a series of interviews with the top 30 to 40 executives and consulted other sources, such as annual business plans and risk workshops. But generally, these discussions were driven by managerial concerns, which Lewis merely directed into reporting templates:

    I take the one-page strategic objectives, the news update and the summary of the previous risk assessments to all interviews, so the context is clearly set. Then I pull out the empty risk profile template and ask what had changed, what is new. The risk assessments could change because of the mitigation steps taken, or because of external changes in the environment. Some people grab the template and start filling it out on the spot. Others will literally shut their eyes, put their feet up on the desk and tell me what is worrying them.

    All three phases of ERM at Electroworks channeled risk information vertically and horizontally throughout the company, enabling executives and employees to develop a shared understanding of what risks the company faced and what had to be done about them. Indeed, by 2008, Lewis noted that the workshops facilitated the rise of participants' understanding of their own risks in the context of those faced by others:

    Magic occurs in risk workshops. People enjoy them. Some say, I have always worried about this topic, and now I am less worried because I see that someone else is dealing with it, or I have learned it is a low probability event. Other people said, I could put forward my point and get people to agree that it is something we should be spending more time on, because it is a high risk.

    At the same time, participants were using a new vocabulary – a specific, yet to them unobtrusive risk talk, which allowed them to voice their concerns more precisely. Lewis permitted himself a broad smile as he recalled what he considered as his team's ultimate achievement:

    The management team got so familiar with coming to workshops and understanding what the scales were and how to vote, that it just became part of their language to the extent that they started to do some of the stuff on their own and now the big thrill for me is when I go to a management meeting, they're using all of the ERM terminology with residual risk and mitigation. It's just great to see [that] and they understand each other and they're really speaking a common language.

    ****

  • 10

    In his policy document (written for the board) Hirschman insisted that Magic Toys' Strategic Risk Management (SRM) processes are defined to largely comply with the ISO 31.000 standard. Hirschman very deliberately referenced the International Standards Organization, as an external source of credibility that managers recognized and associated with the same standards that upheld the values of quality and excellence in their manufacturing operations. Yet Hirschman departed from ISO 31.000 as he was defining SRM at the project level (not at the level of the enterprise).

    He also recognized that the extensive ERM vocabulary emanating from ISO 31.000 was counterproductive:

    Initially we came [to managers] with a lot of risk management jargon and got thrown out of the door. Nobody understood what we said. I learnt quickly that it's important for us risk managers – my team – that we speak the language of the business. We want to make it as simple and intuitive as possible.

    Hirschman recruited a former project manager (Lynne Matte [10]) and set out to explain the raison d'être of risk management to project managers in their language. In a series of meetings with project managers, having jokingly agreed that a project is a dream with a deadline, Hirschman and Matte declared:

    Our starting point is that our task is to make you shine. Whether you fail or succeed with the project is your responsibility. But we have some tools and an approach and a process that can help you succeed, even if the world turns out to be different from what you have hoped for.

    Hirschman and his team chased project managers for risk updates twice a year, using the risk register (an Excel spreadsheet) as the channel of communication. But they also had the convening power to get together senior managers to discuss discretionary strategic issues and their implications for the company:

    Every now and then, that is, every time we change strategic direction, I gather people, specialist people, mostly senior, mostly directors, senior directors, and a couple of VPs to discuss: with this strategic initiative, what do you see from your perspective? Tell me all about the risks that say: OK, now we can't go to Asia, or we have to go to Asia in a different way than we thought we would. Then I update my risk database based on that.

    Hirschman's risk inquiries became not only ubiquitous, but expected as well, and managers started to proactively share risk information with the risk team. Hirschman recalled, When something happens, like in the case of the Icelandic ash cloud or the tsunami in Japan, at least fifteen people emailed me to say do you have this in your risk database?

    In 2009, Hirschman and his team, looking for increasing support they could provide to the business, convened a senior managers' meeting to discuss the implications of a set of four strategic scenarios, based on the megatrends defined by the World Economic Forum in 2008 for the Davos meetings. Hirschman's report, summarizing the discussions, ended up in the bottom of everybody's drawer, because nobody could relate to the scenarios that we have done.

    Having learnt from the experience, Hirschman redesigned the scenario process to allow managers to generate scenarios based on their own worries, with the risk team providing mere suggestions for the

    [10] Pseudonym

  • 11

    dimensions of uncertainty that managers can pick from and freely add to. Secondly, he initiated scenario discussions to explicitly support business managers with the preparation of their annual plans. In the scenario sessions managers listed issues they had to contend with under each scenario, and then prioritized them (based on their likelihood and the speed of their emergence). The sessions never concluded without an hour-long discussion of Act issues – managers had to agree explicitly who is doing what by when about the fast-emerging, most likely issues.

    Hirschman considered the introduction of the fifth hour (and the inclusion of the Act issues in the annual business plans) as the turning point:

    And that was it. That final discussion makes sure that the Act issues are actually acted upon. It was a hint given to us from two members of our [top management]. Then it just became part of the business planning process.

    Scenario planning became part of Magic Toys' business planning process in 2013. With the involvement of 19 top managers and over 200 other employees, 23 scenario sessions were held, affecting 21 three-year business plans. The heads of three business areas chose to deploy scenario planning up front, as an inspiration to their regular planning process, while the others deployed these sessions ex post, as a way of resilience testing. Hirschman reported the scenario planning sessions helped the managers collectively identify 136 Act issues and 80 Prepare issues, which subsequently resulted in adjustments to the Must-Win Battles and How to Win sections of the 21 business plans.

    Confidence

    With no formal qualifications or domain expertise to engage Electroworks' engineers at risk assessment workshops and at resource allocation meetings, Lewis and his team acted as a facilitator. But they did their homework – in response to the board's request for an ERM process they spent four months reading everything we could about it: publications by the Conference Board of Canada, by Tillinghast-Towers Perrin, the Australian Standard 4360 [11], articles and many books. In the end, Lewis concluded to do it [his] own way:

    There has been a lot of bad literature, a lot of bad consultants; a lot of people were going down the wrong road. [ERM consultants] would charge us [a fortune] to do something they probably did the week before for some other company. In the end, I concluded ERM can be so simple and so logical was it not for the many people who seek to complicate it.

    LewisespousedpracticeofERMrequiredthreepeople(threepersonalitytypes):Thefirstoneissomeonetomakeithappen.Thatsme.Okay,somebodywhowillpushdowndoors,isdriven,and

    hasthecredibilityandauthoritytoopendoorsandmakeithappen.Thesecondisanicecharismaticpersonalitywhopeopleenjoyworkingwith.Andthatwas[theWorkshopFacilitator]anabsolutecharmer.Asuperniceguy,goodlooking,charming,veryknowledgeable,whobecameaverygood [workshop] facilitator.The thirdone isapersonwithananalyticalmindwhocanmanagethevastquantitiesofdata [collectedat theworkshops].Youdont findthosecharacteristicsinthesamepersonsoIteamedthemtogether.

    He consciously departed from conventional wisdom by deciding to just start running workshops:

    "The theory says go on, train and educate people on ERM by going and giving presentations. My answer to this was 'No, no, no, you have to run workshops; that's the way you get others involved, engaged, and that's how they learn, not by sitting through a PowerPoint.'"

    ¹¹ Standards Australia (2004)

    By 2003, ERM at Electroworks was sufficiently established so that Lewis could judge it as a success and confidently entered the wider ERM discourse by publishing articles and book chapters on Electroworks' ERM practice. Publicizing his approach to ERM was part of his campaign against "people who seek to complicate ERM," but it also reassured the company's management team and board of directors that "we were ahead of the game and our regulator was so impressed with [our ERM] that they are going to take and mandate it for everyone else to do it this way [in the industry]."

    ****

    Having examined several software packages and attended consultants' presentations on risk databases, Hirschman concluded that "finding the right one [for Magic Toys] was rather difficult." He ended up developing his own Excel spreadsheet ("I've used Excel since 1984, I know how to do it"), which was maintained and updated by one of his team members, based on written or spoken input from risk owners.

    Hirschman continuously wheedled and cajoled business managers to send updates on risks and actions. He never used fiat and never referenced the ERM policy documents; he appeared permissive and lenient, but at the same time the downside consequences of not responding were implicit in these communications. He described one instance when a late response cost a manager holiday time to catch up with his risk reporting:

    "I told him [the risk owner]: 'I need to know what you're doing.' He said, 'Sure, how do we do this most easily?' I say, 'Most easily, I've sent you the risk and I've sent you the template I'm using for updating mitigations. Who is doing what and why do we think it works? It's a questionnaire.' And he said, 'Okay. When do you need it by?' I say, 'Well, I can get the report out two or three days after you're done, so you decide.' The day before Christmas, he said, 'I didn't get to do it yet. Is it okay if I do it after Christmas?' I said, 'Sure, but we have to send the report to the board by xxx, and that would be demonstrating that you are not in control of something we think you are controlling, so...' After Christmas, he admitted that he spent three hours filling in templates in his holiday, to give me that feedback by January, so we can have it in the updated report."

    Hirschman made it clear to everyone that his responsibility concerned the design and facilitation of the SRM process: not more, not less. He pushed back on a request for quarterly risk reports from a board member, arguing that "ours is a seasonal business; we have half the turnover the last ten weeks of Christmas; the majority of the rest around Easter. It doesn't make sense to make a first and third quarter report." When the board member insisted on the quarterly reporting, Hirschman stood his ground and persuaded the CEO that it would be a waste of time. The director yielded.

    Having facilitated the preparation of the biannual risk report, the risk team did not remain entirely silent. In the report, there was a separate section devoted to what the Strategic Risk Management Office believes. Here Hirschman could be explicit and challenging:

    "In the latest report I just sent out in June, I put in the comments that this year may be the first one since 2005 that we will not meet our targets. I had the CFO on the phone as soon as he saw the draft, telling me: 'Our target is 11% sales growth. That number is not in jeopardy.' And I said, 'Sorry, John, I don't agree. It is in jeopardy. I didn't say we won't make our targets. I said we may not make our targets. In fact I think it's in serious, severe jeopardy. We are growing but year to date, we had an 8% growth on consumer sales, and you want to make it 11% by high season? That's not a done deal. By no way.' He still disagreed with me, but allowed me to send it to the board. Next, I had the VP Marketing on the phone. I had to explain that I ran my Monte Carlo simulation on our budgeted and year-to-date figures and what that means to them: 'Guys, you are getting late for the party, but yet you are still cruising at 40 mph on the highway; why not take more risks, speed up to the 70 you are allowed to drive, if that will more likely take you to the party in time.'"

    Over the years, Hirschman formulated a view of risk management that put emphasis on its enabling, rather than constraining aspect, and he put it in writing in a series of papers and book chapters co-authored by a business-school academic. Contradicting the corporate governance advocates and guidelines that considered risk management as a line of defense in the internal control landscape, Hirschman emphasized that the role of the risk management function was to support, rather than control managers:

    "I think one of the places where the traditional risk managers in other companies have problems is that they emerged, they come from a control environment, internal audit or something like that. That means that when they walk in the door, you see them as internal audit coming and checking you up. We do not come from that part of the business. We've never been into that; actually until a couple of years ago, we never had an internal audit function. But, we're coming with a license to ask questions that help them succeed. Because, well, SRM may be a part of controlling, but it's actually a part of supporting."

    Humility and frugality

    While the risk team remained small, as per Lewis' original vision (one person providing authority; a Workshop Facilitator and a Data Manager), its reach impacted much of the organization through workshops, the annual planning and the biannual updates. Lewis and team were quick to acknowledge that despite their perceived successes, their full vision for ERM was never accomplished, and perhaps will never be. Lewis summarized his theoretical dream as the risk dashboard: a software-enabled, computerized version of his risk reports, accessible anytime by any senior manager, providing up-to-date and fast graphic displays of all risk information, summarized into colourful risk maps and Top 10 risk lists, with drill-down capability into individual items. But Lewis was conscious that Electroworks did not have the systems, skill set or culture to implement such a model.

    Upon Lewis' retirement in 2012, Electroworks did not recruit a new CRO; the previous Workshop Facilitator (Larry White¹²) became Director of Enterprise Risk Management (and no longer reported directly to the CEO, but to the Treasurer). Unlike many ERM advocates, White did not perceive this seeming demotion of the risk function as a weakness:

    "Lots of consultants, lots of people speak at conferences about the importance of a top-down driven risk function, supported by the CEO; I think that's actually a vulnerability. You cannot do ERM by fiat, I do not need the CEO to say to our guys 'Every six months you must do a risk workshop with [White] and I want to see the report.' But a good way for the CEO to support ERM is in the way she asks questions. Ours would say [to the business manager]: 'OK, I've got your plan. How could this go wrong? What are your risks? You're not sure? Well, you know, there is this guy over here, Larry White, who can help you figure out. Why don't you go and see him, because he'll help you figure that out? Then you can come back to me and we can make this decision.' So Risk Management gets pulled into the business because there is a vacuum to fill, as opposed to me imposing myself, or somebody on my behalf imposing me, on them."

    ¹² Pseudonym

    At Electroworks, the risk function's span of control (in terms of resources, decision rights and formal authority) remained narrow, and even narrowed over time. However, the willingness of the CEO and the business lines to participate in risk talk made up for that frugality. Bringing about that wide span of support via the proliferation of an unobtrusive, business-relevant risk process and vocabulary was the risk team's key achievement.

    ****

    At Magic Toys, Hirschman faced a number of debacles as he built his own risk management tools and processes. He noted that "the first couple of databases didn't work, the third one did." This trial-and-error approach characterized the development of the scenario process too. After the initial disappointment, Hirschman was ready to admit to senior managers that the exercise failed due to the lack of any follow-through or action. Despite this acknowledgement, one of the senior managers expressed support and that became the catalyst for the further development of the tool:

    "In early 2011, I got to talk by coincidence with [senior manager] over a cup of coffee, and we got to talk about these scenarios and he said, 'You really have something good about this scenario discussion, quite great. Why didn't work?' I said, 'I really don't know. I understood it didn't work and I accept that it didn't work, but I really don't know why.' He said, 'Try to figure it out. See if we can make it work.' And I went back with that and said to myself over and over, 'okay, why didn't it work?', and contemplated why it didn't work and eventually, I found out where the flaws was: the ownership of the scenarios."

    Hirschman and his team insisted that in the risk discussions, whatever tool was used to channel them, managers had to keep their thunder. Hirschman explained:

    "Managers hate to be told what to do, and the higher the organizational level, the more the resentment; so by letting them run the show, and by limiting scenario planning to a half-day workshop for each team, we got the proverbial foot in the door."

    The risk team also made it clear that their role was merely facilitating, not advising. Lynne Matte, who was a former project manager, had to actively fight a natural enough inclination to become more directive: "As a risk manager, you should never take over [the discussion]. Even if you know the solution, keep your mouth shut." Hirschman added: "It's their decision, it's their perception, it's their risk. If I started to advise or correct them, I would start owning the stuff, and I can't do that."

    Hirschman saw risk management as common sense, and highlighted the importance of understanding the business and the industry. He was careful not to take any credit for the successes of the business. Commenting on Magic Toys' eventual success at exceeding its 2013 sales targets, he concluded:

    "There is a benefit to knowing whether you are taking the right amount of risk. You need to be able to take chances, but you need to know how many chances you can take. We grew 25% last year. I can't take the credit for that, but I pushed the ball. I told every manager who was willing to listen that we found that we were not taking enough risk. In the end, we were able to shift product sales and suddenly we were the winners because we had the products and we got more shelf space. We more than doubled our shelf space at Walmart. And with 200 million people through the stores every week, that matters. I am not part of Corporate Management [top management], and I cannot take credit for any of this. Risk management is a very, very small part of the success we've had."

    Despite its humble rhetoric of simplicity and common sense, Hirschman created a risk function that had the ears of the board and senior management. This remained the case even when a management reorganization left the CRO with a reporting line to the Treasurer (who then reported to the CFO). Though formally the CRO was 4 steps removed from the board of directors, by 2013 he established a process that shaped the discussion of every business plan, and the biannual board meetings.

    Hirschman commented that despite his seemingly frugal resources (and small team of two) he enjoyed a wide span of support.

    "I get all the support and all the time I need. If I want to go on training or to a conference, I get the funding. I have all the resources I need. I have the right to focus on strategic risks only. I don't do insurance. I don't do vendor risk management or anything like that. Other people are doing that."

    Hirschman also built an invaluable relationship with the fourth-generation owner of the family-held firm, who had just got appointed to the Magic Toys board:

    "I benefit from the fact that I know the guy since he wore diapers, literally. He's a young guy, he's 32, he is just coming in and he wants to be a good owner and a good part of the board of directors. And he sees the risk management approach as the best way he can add value to the board of directors because none of the others really want to bother discussing this. It gives him a point of entry to say: 'OK, what about this? What about that?' And add positively to the discussion."

    By mentoring the young owner, Hirschman's role acquired another layer of significance. He was becoming influential in the manner of the famous Grey Eminences of a bygone era, operating behind the scenes in an unofficial capacity of their own making.

    Discussion and Conclusion

    This paper tracked the evolution of the role of two chief risk officers (CROs), and the tools and processes they have implemented in their respective organizations. While the companies are from very different industries (one is a power company, the other is a toy manufacturer), they both embraced the concepts and tools of Enterprise Risk Management. Over a number of years, at both firms, risk management transformed from a collection of off-the-shelf, acquired tools and practices into a seemingly inevitable and tailored control process. The paper investigated the role of the CRO in making these transformations happen.

    The CRO at Electroworks, by the facilitation of continuous risk talk in workshops and face-to-face meetings, over ten years, has succeeded in orchestrating the creation and proliferation of a new language (that of risk management), and established processes that regularly brought business people together from diverse places and hierarchical levels, to discuss issues of concern. Far from being self-evident, risk talk, manifest in, for example, 1-5 assessments of impact and likelihood of risk, and formally documented in risk maps and lists of top 10 risks, took a long time to proliferate. The contribution of the CRO (and his small team) was to co-opt the business in the creation and use of risk talk. By merely providing a few rudimentary concepts and a minimal risk vocabulary, the CRO was able to get business people to fill in troubling gaps in meaning, and to add the rules of use, by for example delegating the definition of 1-5 impact scales to those able to make sense, and also to make use, of them. The final test of the acceptance of risk talk was its formal linking to resource allocation in the annual budgeting process, which gave risk management permanence, significance and a sense of inevitability.

    The second case, in a seeming contrast, focused on a CRO, who initially tried and failed to create linkages of permanence and significance between some conventional ERM tools (similar to those championed by his counterpart above) and the business lines. After a period of search, the CRO settled on a less conventional risk identification tool, scenario planning, and facilitated its transformation, over five years, from an ad hoc future-gauging exercise to widely accepted risk talk and a seemingly self-evident element of the annual business planning process.

    The two cases highlight that the role of the CRO may be less about the packaging and marketing of risk management tools to business managers, but instead, the facilitation of the creation and internalization of a specific type of risk talk as a legitimate, cross-functional language of business. The risk management function may be most successful when it resists conventional and conflicting demands to be either close to, or independent from, business managers. Instead, by acting as a facilitator of risk talk the CRO can enable the real work of risk management to take place not in his own function, but in the business lines. In both cases, facilitation involved a significant degree of humility on the part of the CRO, manifest in limited (and paradoxically decreasing) formal authority and meagre resources. Their skill was to build an informal network of relationships with executives and business managers, which allowed them to resist being stereotyped as either compliance champions or business partners. Instead they created and shaped the perception of their role which was of their own making: a careful balancing act between keeping one's distance and staying involved.

    This analysis suggests that calls for increasing investments in risk management, and for the formal inclusion of senior risk officers in the C-suite might be misguided. In order to close the expectations gap, risk managers need first and foremost commitment from others in the organization to accept a relevant and situationally contingent version of risk management, tailored to their needs. Thus the sign of success of the humble CRO is not so much in her ability to go beyond the compliance role or turn into a business partner, but in her ability to bring about consequential risk talk where it matters, in the business lines, helping those who carry out the real work of risk management: managing risks.

    References

    Accenture. Accenture 2013 Global Risk Management Study: Risk Management for an Era of Greater Uncertainty, 2013.

    Committee of Sponsoring Organizations of the Treadway Commission (COSO). Enterprise risk management framework. New York, NY: American Institute of Certified Public Accountants, 2004.

    Deloitte. Global Risk Management Survey, Eighth Edition: Setting a Higher Bar, 2013.

    Economist Intelligence Unit Limited. Risk Management in the Front Line, 2010.

    International Standards Organisation (ISO). ISO 31000:2009, Risk Management - Principles and Guidelines. Geneva: International Standards Organisation, 2009.

    KPMG. Risk Management: A Driver of Enterprise Value in the Emerging Environment, 2011.

    KPMG. Expectations of Risk Management Outpacing Capabilities - It's Time For Action, May 2013.

    Power, M. K. Organized Uncertainty: Designing a World of Risk Management. Oxford: Oxford University Press, 2007.

    RIMS and Advisen Ltd. 2013 RIMS Enterprise Risk Management (ERM) Survey, August 2013.

    Simons, R. Levers of Organization Design. Boston, MA: Harvard Business School Press, 2005.

    Standards Australia. AS/NZS 4360:2004 Risk management (3rd edition). Sydney, Australia: Standards Australia Publications, 2004.

    Appendix 1 Electroworks Interviews

    Interview Date | Initials of interviewee / nature of meeting attended | Title(s)
    5/7/2008 | B.S. | Chief Financial Officer
    5/7/2008 | J.F. | Senior Vice President, Internal Audit and Chief Risk Officer
    5/7/2008 | R.Q. | Director, Enterprise Risk Management
    5/8/2008 | G.R. | Director, Customer Strategy & Conservation Officer
    5/8/2008 | G.V.D. | Director, Asset Management
    5/8/2008 | J.T. | Director, Integrated Strategy
    5/8/2008 | L.F. | Chief Executive Officer
    5/8/2008 | P.G. | Director, Public Relations
    5/9/2008 | J.F. | Senior Vice President, Internal Audit and Chief Risk Officer
    5/9/2008 | S.F. | Chief Regulatory Officer
    7/10/2008 | J.F. | Senior Vice President, Internal Audit and Chief Risk Officer
    6/1/2009 | G.V.D. | Director, Asset Management
    6/1/2009 | G.S. | Engineer
    6/1/2009 | J.F. | Senior Vice President, Internal Audit and Chief Risk Officer
    6/1/2009 | L.F. | Chief Executive Officer
    6/3/2009 | C.M. | Executive Vice President, Strategy and Planning
    6/3/2009 | M.D. | Senior Vice President, Customer Operations
    6/3/2009 | S.F. | Chief Financial Officer
    11/1/2011 | J.F. & R.Q. | Senior Vice President, Internal Audit and Chief Risk Officer & Director, Enterprise Risk Management
    11/1/2011 | M.D. | Senior Vice President, Customer Operations
    11/1/2011 | R.S. | Vice President, Customer Services
    11/2/2011 | J.F. & R.Q. | Senior Vice President, Internal Audit and Chief Risk Officer & Director, Enterprise Risk Management
    11/2/2011 | N.L. & R.W. | Manager, Account Management and GIS Program Manager
    7/16/2013 | R.Q. | Director, Enterprise Risk Management
    12/10/2013 | R.Q. | Director, Enterprise Risk Management

    Appendix 2 Magic Toys Interviews

    Interview Date | Initials of interviewee / nature of meeting attended | Title(s)
    5/2/2012 | H.L. | Senior Director, Risk Management
    5/2/2012 | J.H. & T.P. | Senior Vice President, Global Quality and Engineering & Customer Service Advisor
    5/2/2012 | J.K. | Senior Director, Operating Model Leverage
    5/2/2012 | M.N. | Chief Marketing Officer
    5/2/2012 | R.S. | Senior Vice President, Corporate Affairs
    5/2/2012 | H.L., A.M.B., & L.M. | Senior Director, Risk Management; Director, Strategic Risk Management; & Senior Director, Consumer Goods
    5/3/2012 | H.L. | Senior Director, Risk Management
    5/3/2012 | J.P.P. | Senior Vice President, Market Group Asia & Emerging Markets
    5/3/2012 | J.V. | Vice President, Digital Business
    5/3/2012 | L.T.B. & V.M.H. | Vice Presidents, Group Treasury
    5/3/2012 | T.N. & C.B. | Director, Digital Program Management, Office, and Quality & Manager, Outbound Licensing
    6/25/2012 | Scenario Planning Session |
    6/25/2012 | O.T. | Country Manager, Asia and Emerging Markets
    6/25/2012 | U.C. | Vice President, Asia and Emerging Markets
    6/26/2012 | A.M.B. & R.F. | Director, Strategic Risk Management & Senior Strategic Risk Manager
    6/26/2012 | K.F.C. & A.J.M. | Senior Manager, Finance & Manager, Market Logistics
    6/26/2012 | R.F. | Senior Strategic Risk Manager
    6/26/2012 | R.F. & H.L. (Morning) | Senior Strategic Risk Manager & Senior Director, Risk Management
    6/26/2012 | R.F. & H.L. (Afternoon) | Senior Strategic Risk Manager & Senior Director, Risk Management
    6/26/2012 | R.F. & H.L. (Feedback) | Senior Strategic Risk Manager & Senior Director, Risk Management
    6/27/2012 | D.H. | Director, External Relations
    9/13/2012 | J.K. | Senior Director, Operating Model Development
    9/13/2012 | K.F.C. & R.F. | Head of Emerging Markets Operations & Senior Strategic Risk Manager
    9/13/2012 | O.T. | Country Manager, Asia and Emerging Markets
    9/13/2012 | R.F. | Senior Strategic Risk Manager
    9/14/2012 | A.J.M. | Manager, Market Logistics
    9/14/2012 | D.H. | Director, External Relations
    9/14/2012 | K.F.C. | Head of Emerging Markets Operations
    9/14/2012 | R.F. | Senior Strategic Risk Manager
    9/14/2012 | U.C. | Vice President, Asia and Emerging Markets
    11/20/2012 | H.L. | Senior Director, Risk Management
    11/20/2012 | K.F.C. | Head of Emerging Markets Operations
    11/20/2012 | O.A. | Senior Key Account Manager
    9/17/2013 | H.L. | Senior Director, Risk Management
    9/17/2013 | U.C. | Vice President, Asia and Emerging Markets
    9/18/2013 | A.J.M. | Manager, Market Logistics
    9/18/2013 | H.L. | Senior Director, Risk Management
    9/18/2013 | Team meeting | Risk team
    9/18/2013 | J.K. | Senior Director, Operating Model Development
    9/18/2013 | K.C. | Head of Emerging Markets Operations
    9/18/2013 | O.T. and K.C. | Country Manager, Asia and Emerging Markets; Head of Emerging Markets Operations
    9/18/2013 | O.T. | Country Manager, Asia and Emerging Markets
    11/15/2013 | J.K. | Senior Director, Operating Model Development
    11/18/2013 | S.K. | Senior Vice President, Shopper Marketing & Channel Development
    12/4/2013 | H.L. | Senior Director, Risk Management

  • Appendix 3 Electroworks: Objectives Impact Matrix

    Objective | Attribute | Event | 5 Worst Case | 4 Severe | 3 Major | 2 Moderate | 1 Minor

    FINANCIAL

    Net Income Net Income Shortfall (after tax, in one year)

    >$150M $75M-$150M $25M-$75M $5M-$25M 25% Value Loss of 10-25% Value Loss of 5-10% Value Loss of 1-5% Value Loss of 100,000 Customers Distribution or >1000 MW Transmission for more than seven days.

    Outage affects: 40k-100k Customers Distribution or 400-1000 MW Transmission for 4-7 days.

    Outage affects: 10k-40k Customers Distribution or 100-400 MW Transmission for 2-4 days.

    Outage affects: 1k-10k Customers Distribution or 10-100 MW Transmission for 4-24 hrs.

    Outage affects: 50%) increase in call centre volumes and complaints received by field staff.

    Call centre volumes increase noticeably (25%); noticeable increase in complaints received by field staff.

    Sharp deterioration in customer satisfaction as per survey responses.

    Moderate deterioration in customer satisfaction as per survey responses.

    COMPETITIVENESS

    Unit Cost Reduction Failure to Reduce Unit Costs (incl. overhead & non-billable time)

    Unit Costs increase by >25%

    Unit Costs increase by 15% - 25%

    Unit Costs increase by 10% - 15%

    Unit Costs increase by 5% - 10%

    Unit costs not reduced

    Work Program Accomplishment

    Work Program Shortfall >10 Critical Projects late or; 85% of non critical work completed.

    No Critical Projects late >85% of non critical work completed.

    SAFETY AND ENVIRONMENT

    Employee: Workforce Availability/ Safety

    Change in availability (%) in one year; Accident Severity Rate.

    Key functions/locations unavailable > 1 week; Employee fatality or major permanent disability.

    Key functions/locations unavailable > 1day; Employee critical injury.

    Accident Severity Rate > 50% above target.

    Accident Severity Rate > 25% above target.

    Accident Severity Rate above target.

    Environmental Performance Adverse Environmental Impact Widespread offsite impacts e.g., regional or municipal water supply.

    Multiple local offsite impacts e.g., multiple residential properties or private water supplies.

    Significant local offsite impact e.g., a public thoroughfare; Significant spill/release with impact on Hydro One Inc. property only

    Minor local offsite impact e.g., a single residential property or private water supply).

    Minor impact on Hydro One Inc. property only.

    Public Safety Public Injuries with Hydro One at fault.

    Fatality or major permanent disability.

    Significant increase in number of injuries.

    Moderate increase in number of injuries.

    Small increase in number of injuries.

    No change.