enterprise risk management make presentation of ten slide from attached article , www.hbr.org R O U N D T A B L E Managing Risk in the New -

enterprise risk management
make presentation of ten slide from attached article ,

www.hbr.org

Don't use plagiarized sources. Get Your Custom Assignment on

enterprise risk management make presentation of ten slide from attached article , www.hbr.org R O U N D T A B L E Managing Risk in the New

From as Little as $13/Page

O U N D T A B L E

Managing Risk in the
New World

with Robert S. Kaplan, Anette Mikes, Robert Simons,

Peter Tufano, and Michael Hofmann

Moderated by HBR senior editor David Champion

Has the development of

tools for assessing risk lulled

people into believing risk is

now easier to control?

When are risk-return

trade-offs prohibitively

dangerous? How should

managers prepare for Black

Swan events? What makes a

good CRO?

Reprint R0910E

D
o

N
ot

C
op

y
or

P
os

This document is authorized for educator review use only by MUHAMMAD ATHER ELAHI, Institute of Business Administration until Sep 2021. Copying or posting is an infringement of
copyright. [emailprotected] or 617.783.7860

http://www.hbr.org

http://harvardbusinessonline.hbsp.harvard.edu/relay.jhtml?name=itemdetail&referral=4320&id=R0910E

O U N D T A B L E

Managing Risk in the
New World

with Robert S. Kaplan, Anette Mikes, Robert Simons,

Peter Tufano, and Michael Hofmann

Moderated by HBR senior editor David Champion

harvard business review october 2009 page 1

O
P

Y
R

IG
H

2
0
0
9
H

A
R

V
A

R
D

B
U

S
IN

E
S

S
S

C
H

O
O

L
P

U
B

L
IS

H
IN

G
C

O
R

P
O

R
A

T
IO

N
. A

L
L

R
IG

H
T

S
R

E
S

E
R

V
E

D
.

Has the development of tools for assessing risk lulled people into believing

risk is now easier to control?

When are risk-return trade-offs prohibitively dangerous?

How should managers prepare for Black Swan events?

What makes a good CRO?

Five experts discuss the future of enterprise
risk management.

Robert S. Kaplan

([emailprotected]) is the
Baker Foundation Professor at HBS. He and
his colleague David P. Norton developed the
balanced scorecard.

Anette Mikes

([emailprotected]) is an assis-
tant professor at HBS who studies the evolu-
tion of risk management and the role of the
chief risk officer.

Robert Simons

([emailprotected]), the
Charles M. Williams Professor of Business
Administration at HBS, is the author of How
Risky Is Your Company?, a prescient article
published 10 years ago in HBR.

Peter Tufano

([emailprotected]) is the
Sylvan C. Coleman Professor of Financial
Management at HBS and an executive board
member of the Global Association of Risk
Professionals (GARP).

Michael Hofmann

([emailprotected]
.com) is the chief risk officer at Koch Indus-
tries, a diversified private company based

in Wichita, Kansas, and an executive board
member of GARP.

David Champion: How predictable was
the financial meltdown of 20082009? Was
it a Black Swan event or, rather, analogous
to the next big California earthquake
something you know will happen though
you dont know when?

Peter Tufano:

Many of the elements of the
crisis were being talked about long before it
happened. Analysts had been questioning the
sustainability of the subprime business well
before the meltdown. Macroeconomists had
been worrying about the U.S. current account
deficit. I myself had been looking at obviously
unsustainable household saving rates and
debt levels. Other people were writing about
the imperfections of ratings models. What we
didnt see was how the elements were inter-
acting. And that meant we were blind to the
risk that the whole system would break down.

Michael Hofmann:

I agree. The crash was
essentially the bursting of a classic creditD

o
N

ot
C

op
y

or
P

os
t

mailto:[emailprotected]

harvard business review october 2009 page 2

bubble. The interesting part was what the
bursting revealed, which was just how con-
centrated the financial system had become.
It also highlighted a classic behavioral bias.
The main features of the financial system had
been in place for some 25 years, and we had
gotten pretty comfortable with the way things
were. We were all relying on data from this
largely stable period. Its very hard in these
situations to stand up and prophesy disaster.

Robert Simons:

There has certainly been a
strong pattern of risk-taking behavior in the fi-
nancial sector, and in my view that is because
we had three enabling conditions in place
at once. First, the innovations in financial
engineering that were developed over the
past decade created an opportunity to take on
more risk through new products. This is not
new, of course. Breakthroughs in transporta-
tion, telecommunications, and computing all
created similar opportunities for risk taking.
Second, you need motivation in the form of
performance pressure, and the financial mar-
kets supplied this in spades. Theres been in-
tense pressure on executives to deliver sales
growth, a larger market share, and ever-
rising stock prices. But again, nothing in
the past few years would suggest that this
pressure had suddenly intensified. What was
new was the third ingredient, which I call
rationalizationthe belief that a particular
behavior is economically and morally justi-
fiable. The shareholder value principle
that social welfare is somehow best served if
managers focus exclusively on delivering the
maximum value to stock ownerswas one
such rationalization. And rationalizations
like that made it much easier for managers
everywhere to take on risk that they would
otherwise have avoided. Risk became the rule
rather than the exception, which explains the
scale of the crisis.

As you point out, financial innovation
created the opportunity. But it also gave us
tools for assessing risk, and some people
argue that this scientification of risk made
it easier for people to believe they could
control it. Any thoughts?

Hofmann:

Theres often a profound misun-
derstanding about what financial models can
do. Any business decision is about capturing
some reward. To capture it, you take certain
risks. So the first questions for a risk person

are: Whats the reward we are trying to cap-
ture? Do we really understand the risk we are
taking? Is it an acceptable risk? If so, the
next question is whether the reward is high
enough. This is where modeling comes in.
But before you start to model the risk, you
have to think about whether you understand
the nature of it.

Anette Mikes:

I second that. Models are not
decision makers; people are. So the real issue
is the culture that you have around modeling.
Ive found that, in extremis, there are two
types of risk managers. One type I call quanti-
tative enthusiasts. They believe that there are
basically just two kinds of risks: the ones we
have already modeled successfully and the
ones we havent. Some banks were convinced
that you could use models to decide whether
to lend to a particular company. You would
plug in data, and the model would come out
with a credit grade. If you step back a bit, you
realize that you have to make some heroic
assumptions to be able to do this. The weak-
ness of the quantitative enthusiast culture is
that managers give too much attention to the
output and too little to the assumptions that
went into the model. The other type of risk
managers I call quantitative skepticspeople
who overemphasize the weaknesses of risk
models. They consider the major risks to be
outside the quantifiable-risk universe, but
they can easily lose sight of aggregate risk
effects. Incidentally, the crisis has brought
both camps closer to a healthy skepticism.
Quantitative enthusiasts have become more
skeptical and are reclaiming the lost science
of decision making by expert judgment.
Quantitative skeptics are getting more com-
fortable with risk analytics as they imple-
ment strong validation controls around risk
models.

So far weve been talking about the finan-
cial sector. Arent the challenges that in-
dustrial companies face very different?

Hofmann:

Yes and no. Koch Industries and
its subsidiaries have some of the same finan-
cial risks, though obviously to a lesser degree
than a bank would have. For example, we
grant credit to our customers. We have a
treasury group that deals with liquidity
management; we manage large investment
portfolios; and we have trading operations.
But we also deal with significant operational

Managing Risk in the New World ROUNDTABLE

D
o

N
ot

C
op

y
or

P
os

mailto:[emailprotected]

harvard business review october 2009 page 3

risksfrom logistics and massive industrial
plants. Those operational risks are different
from and much greater in scale than the
ones that a financial services group is con-
cerned with, which are mainly around docu-
mentation, data processing, and so forth.

Robert S. Kaplan:

Industrial companies
definitely have strategic risks, which may
be even more difficult to measure and man-
age than financial risks. Those companies
make big investments in their physical and
intangible assets, which become worthless if
customers cease to value the products and
services produced from them. But since we
dont mark physical assets to realizable val-
ues or even recognize a companys intangible
assets, the impairment plays out over longer
periods of time. General Motors took about
25 years to realize the risks it had assumed
by generating profits only from large vehicles.
When energy prices doubled, it did not have
profitable fuel-efficient cars available for sale
to customers, and the company failed.

Tufano:

Its also important to think about
the unit of analysis. In most of our discussion
so far, the unit of analysis is a corporation,
and the risk-return trade-off is being calcu-
lated at that level. But you can look at risk
on a higher level. If youre the World Food
Programme (the unit of the UN that provides
food in the wake of emergencies), for in-
stance, you think about large-scale famine.
That is systemic risk, and if the risks that blew
up at individual firms hadnt risen to the
level of systemic risk, we wouldnt be here
today. When systemic risk arisesas it can
when firms and markets interactthen all
the traditional risk-return analysis in the
world wont help.

Simons:

I agree. I get nervous when we talk
about risk-return trade-offs. Thats clearly
the right approach to portfolio and individual
investment decisions. But there are risks that
affect customers, employees, and the long-
term viability of a firm. The danger with those
risks is that if we start talking about a risk-
return trade-off, we might rationalize getting
into things that we should stay out of. The
best firms, I think, have a clear sense of what
they will not do under any circumstances.

Kaplan:

To provide a vivid example of a firm
that did not follow Bobs excellent advice,
consider the remarkable statement made in
July 2007 by Charles Prince, then CEO at

Citigroup: When the music stops, in terms of
liquidity, things will be complicated. But as
long as the music is playing, youve got to
get up and dance. He concluded, Were still
dancing. I dont think Prince or his former
companys bondholders, shareholders, and
employees are dancing much these days.

Mikes:

True, but lots of companies also took
a beating from the stock market for trying to
drop out of the dance.

That raises an issue around incentives, no?

Kaplan:

Of course. And the more we tie
incentives to short-term performance, the
more we encourage managers to take on high
degrees of risk to generate high returns,
leading to a big moral-hazard problem. Bank
analysts referred to a Greenspan put. What-
ever risks banks took on were hedged by
society, because the Fed would bail them out
in order to save the system. With the recent
rescues of AIG, General Motors, and Chrysler,
this society put has now been extended
beyond the banking sector.

Its interesting how this has come full circle.

Kaplan:

Yes. In the 1970s we encouraged
company managers to take on more risk
because investors held diversified portfolios
that could tolerate more risk taking by indi-
vidual firms. In the 1980s and 1990s com-
panies motivated managers to take risk by
issuing them large options and equity grants.
But a pendulum never stops in the middle,
and managers took on too much. In retro-
spect, we should have encouraged them to
take on uncorrelated risksrisks that would
affect only their individual firms. We didnt
want them to take systemic risks that other
firms were also taking. Going forward, well
have to design incentives that encourage
uncorrelated risk taking but not correlated
risk taking. Thats hard for many reasons
not the least of which is that risk correlations
change in response to extreme events.

Tufano:

One idea Ive been working on is
bond-based compensation. If executives were
compensated not just according to the per-
formance of their stock but also according to
the performance of their bonds, they would
have a somewhat more balanced view of
stakeholder interests and would move us
away from incentives that benefit stockhold-
ers at the expense of bondholders.

Managing Risk in the New World ROUNDTABLE

D
o

N
ot

C
op

y
or

P
os

mailto:[emailprotected]

harvard business review october 2009 page 4

Kaplan:

You also have to distinguish be-
tween compensation for risk managers and
compensation for general managers. My
colleague Bob Merton pointed out to me
that the ideal bonus for risk professionals like
Michael is a five-year nonrecourse note thats
paid only if the firm is still in business.

Hofmann:

Wouldnt that just make me
fixate on the five-year term? Effectively align-
ing incentives to encourage productive be-
havior is challenging. In my experience, what
seems to work best is a combination of short-
term, intermediate, and long-term incentives
consistent with a persons ability to influence
results. Unfortunately, any formula you work
out in advance can cause problems in practice,
because it is impossible to anticipate all issues.
But if we are able to achieve a good balance of
measures and judgment, it can be effective.

How do you see nonfinancial risk measures
going forward?

Kaplan:

You probably expect me to say this,
but I think the balanced scorecard provides
a useful framework for managing strategic
risk. Briefly, the scorecard is predicated on a
hierarchy of measures and objectives that
collectively show how a given strategy trans-
lates into operational reality and results.
At the foundation, you develop metrics for
peoples skills and motivation and the IT in-
frastructure. The next level identifies the
processes critical for creating and delivering
the strategy. On top of that is the customer
perspective, where you see how your work
and processes create value for the customer.
Finally theres the financial perspective. At
each level you could develop a risk scorecard
that would serve as an early warning system
when one of your strategic objectives was
in jeopardy. Risk scorecard targets could
come from a heat map [see Mapping Your
Fraud Risks, by Toby J.F. Bishop and Frank E.
Hydoski, reprint R0910F], a two-dimensional
table with the likelihood and the conse-
quences of a risk event each scored on a 1-to-5
scale. The two scores are multiplied together,
and risk events with a score of 15 or higher
require management action, such as a risk-
mitigation initiative to reduce the likelihood
or severity of the event. Youd obviously need
to come up with ways to measure risk, and
one of the companies I stay in touch with,
Infosys, has been very active in this respect.

Its current strategy is to have large engage-
ments with global customers, so one of its
biggest financial risks involves getting paid.
To manage that risk, Infosys tracks the credit
default swaps market, which trades contracts
on about 80% of its customers. The need to
deliver services globally also creates a learn-
ing and growth perspective risk: The com-
pany has to be able to put key people into
key projects around the world. That makes it
vulnerable to protectionism in the labor mar-
ket. So Infosys tracks how many of its employ-
ees hold multiple visas or citizenships.

These feel like known unknowns. What
about unknown unknowns?

Kaplan:

We need a different approach
for the Black Swan events that have a very
low likelihood but catastrophic consequences
should they occur. Quantifying those risks is
not worth the effort. You have to undertake
some form of scenario analysis instead. You
begin by identifying the unusual events that
would cause your strategy or entire enterprise
to fail if they were to occur. We may not know
if the future will bring hyperinflation or de-
flation, but we can attempt to assess how our
strategy and our competitors strategies would
play out in either of those scenarios.

Michael, does that twin-track approach
make sense to you?

Hofmann:

Yes. Scenario planning, the bal-
anced scorecard, and heat maps are all useful
tools. But you need to avoid three traps in
using them. First, dont believe your own
predictions. Whatever you consider most
likely will probably not occur. You have to be
ready to question everyand I mean every
significant assumption. Second, dont think of
catastrophic risk as something you can tolerate
because its probability is low. Thats OK for
some of the risks that Bob was describing, but
no company should ever treat a catastrophic
risk as anything but intolerable. Either you
dont engage in the business or you find a way
to structure it to cut the tail off, so to speak.
Butand this is the third trapdont believe
that its easy to eliminate a risk. When you
buy insurance, for example, what youre really
buying is an option to make a claim against
somebody you hope will be good for the
payment. So youve just converted one kind of
risk into another.

Managing Risk in the New World ROUNDTABLE

D
o

N
ot

C
op

y
or

P
os

mailto:[emailprotected]

harvard business review october 2009 page 5

Tufano:

I couldnt agree more. Most deriva-
tives and insurance contracts are far from
perfect, and you have to ask hard questions
when youre buying derivatives or entering
into insurance contracts. Is the risk adequately
transferred? Does the contract do what I think
it does, and will it be enforceable in court? Is
the party to whom Ive transferred the risk
going to hold on to that risk? To the extent that
your counterparties are not able to bear the
risk, does it flow back to you in some wayif
not contractually, then at least reputationally?

What about outsourcing? Is that an effec-
tive risk-management tool?

Hofmann:

Yes, it can be. If youre outsourc-
ing because somebody has a competitive
advantage of some sort, youre probably re-
ducing operational risks. But what happens
if your subcontractor goes out of business?
These kinds of decisions require you to think
about what youre really doing. What can go
wrong? Am I willing to take the consequences
if it goes wrong? And none of the answers
are clear. Of course, thats what makes our job
interesting.

Slack in the balance sheet can be a form of
insurance. Do you think capital structures
in many companies have become a bit too
efficient?

Hofmann:

Leverage is more problematic at
some times in the economic cycle than at
others, and tensions exist between caution
and investors demand for returns. Managing
that tension is a significant part of a CROs
job, because it has an impact on the level of
risk a firm assumes.

Tufano:

Deciding on leverage is basically
about balancing the tax advantages of debt
financing against the likelihood of financial
distress if the economy turns out worse than
expected. For the past 25 years weve been
discounting the chances of financial distress
quite heavily. Obviously that calculation
has changed. People were also levering up in
order to take advantage of opportunities:
The more you borrowed, the more you could
apply your managerial skills and create value.
But in a world where you have to be careful
about which opportunities you take, the in-
centives to lever down and create some idle
capacity to use in the future will increase. So
were now seeing a change in how we define a

healthy balance sheet. In financial services,
for example, we were used to a set of rela-
tively simple metrics for determining what
appropriate capital structures were. Now peo-
ple are talking about imposing conditional
capital requirements that change with the
economic cycle. Some people in the current
administration, for example, are suggesting
that financial institutions build more slack
into their balance sheets in good times, so
that they have a reserve for the bad times.
I think this makes some sense.

Kaplan:

I agree. As M.D. Ranganath, the
CRO of Infosys, points out, everyone focuses
on risk management in bad times. The
strong test of risk management, he says, is
whether it works in good times. Will top
management stand behind the risk managers,
avoiding temptation and saying no to things
that put the enterprise at risk? When the
music is playing, you need the discipline
from risk management to keep managers from
dancing too exuberantly.

Simons:

You should also think about slack
in the P&L, which is where your financial
policies affect performance. Top performers
like Johnson & Johnson build in a contin-
gency to the profit plans of each of their
businesses. They hold managers to a high per-
formance standard, but if something comes
up that puts their profit plan in jeopardy,
they can protect their profit targets without
forcing managers into actions that put the
firm at risk. Of course, operating managers
have always built slack into their budgets,
and they always will. But the problems with
this kind of secret padding are widely docu-
mented and indeed are part of the reason
that many people favor high debt levels; it
leaves less room for such padding. These
problems largely disappear, though, if you
make the slack explicit and transparent.

One sure fallout from the crisis is that were
going to get more financial regulation. Any
suggestions for policy makers?

Tufano:

Ill offer two bits. First, as my col-
league David Moss has pointed out, systemic
risk needs heavy and careful regulation, but
nonsystemic risk should be lightly regulated.
Theres also a decision about whether you
have one regulator or many. The U.S. has
historically had multiple regulators, and much
of the criticism of our system is that quite a

Managing Risk in the New World ROUNDTABLE

D
o

N
ot

C
op

y
or

P
os

mailto:[emailprotected]

harvard business review october 2009 page 6

lot of risks fall into the gaps. There seems to
be a movement right now toward consolidat-
ing the system. I think thats probably a step
in the right direction.

Mikes:

Absolutely. Regulators traditionally
focus on individual firms. The challenge is
to connect the dots at the systemic level. To
get the bigger picture theyll have to commu-
nicate with one another better or consolidate.
On top of that, theyll have to talk to central
banks and regulators in other countries.

Kaplan:

Regulators will always lag behind
innovationcertainly in financeand theyre
always going to be regulating the previous
innovation. We have to be skeptical about the
ability of regulators to understand the kinds of
risks being taken on in innovative enterprises.
I also think that banks should be regulated
more like utilities than like entrepreneurial
firms. Lets reintroduce a wall and say Taking
in short-term money and lending it out long is
important. Concentrate on doing that well and
stay away from the really risky stuff. Let hedge
funds and investment banks do that business.

Id like to switch gears from risk manage-
ment to risk managers. What makes a good
CRO?

Tufano:

Michael and I belong to the Global
Association of Risk Professionals. The organi-
zation is about 10 years old, and weve been
working on creating professional standards.
First, risk professionals need to master techni-
cal materialthe math and the models. We
have an extensive set of exams similar to those
that CPAs or CFAs would take, to certify that
people have that basic knowledge. But the
knowledge isnt enough; they also need to be
able to think like seasoned executives who can
look beyond individual risks to appreciate
broader trends and how firm-to-firm interac-
tions play out. The third thing they need is a
sense of responsibility to something greater
than their individual organization, which my
colleague Rakesh Khurana and others have
been talking about in the context of MBA
education.

Mikes:

Id add communication skills to
Peters list. Much of what risk managers do is
expressed in technical language. To get access
to top-level decision making, they need to be
able to translate risk analytics into a language
that top management speaks. Effective CROs,
at a minimum, help top management under-

stand the downside scenarios: Can the com-
pany afford to have those events occur? Some
go even further and become trusted advisers
to the executive team on strategic matters.
They do this essentially by playing devils advo-
cate, collecting and channeling information
that challenges taken-for-granted assumptions
in the organization.

It sounds as if the boundaries between
general management and risk manage-
ment are getting blurred.

Simons:

Typically, general managers hand
off accounting, HR, and IT functions to profes-
sionally qualified employees. But Im not sure
you can do this with riskrisk needs to be
owned by operating managers. Clearly, risk
officers have a huge role to play, but we dont
want to transfer the responsibility for risk from
operating general managers to CROs and then
feel that the problem is solved.

Mikes:

Theres an interesting sociological
perspective on this. Neil Fligstein, at Berkeley,
has been studying the transformation of corpo-
rate control over the past 100 years. He shows
that different functional groups became strate-
gically important in running companies at dif-
ferent times. In the age of the railroads, top
management came from manufacturing.
When the conglomerates emerged, it became
more important to know how to market differ-
ent products to different geographies and mar-
ket areas, which meant that top managers
were more often marketing executives. When
the biggest concern of corporations became
how to finance their operations, we saw the
rise of the finance executive. I think we now
live in an era when many of the concerns in
running organizations are being reframed in
terms of risk, which suggests that risk profes-
sionals are likely to rise to the top.

Michael, youve heard what everyone else
has to say. What do you think?

Hofmann:

To me, it all boils down to deci-
sion making under uncertainty and the issues
this creates. We are all subject to our own
biases and need to be aware of them when
were thinking about our decisions. That can
create a problem with experience. Yes, expe-
rience creates credibility, but it also anchors
your perspective. The risks that get you are
the ones youre not expecting, and your expe-
rience may be whats making you not expect

Managing Risk in the New World ROUNDTABLE

D
o

N
ot

C
op

y
or

P
os

mailto:[emailprotected]

harvard business review october 2009 page 7

them. For some reason, people do not always
just say: Time out. How does this work? Why
do we do it this way? Whats the problem
here? They may assume they know these
things from experience. Also, one of the hard-
est things for a decision maker to admit is his
or her own ignorance, and the more compli-
cated we get with our metrics and models, the
more hesitant people are to admit that they
dont understand. Bottom line, I think that
credibility for a risk manager stems not only
from the ability to understand the business
but also from a willingness to push back on
the opinions of decision makers, including
senior executives. That doesnt mean saying

no all the timequite the reverse. A credible
risk manager also has to be a risk taker. If you
keep saying no, you will go out of business.
Finally, you have to be able to draw on differ-
ent talents. At Koch Industries, for example,
our risk-management teams include engi-
neers, accountants, finance people, and other
professionals. We need all of them, because
there is no one perspective that can give the
full picture.

Reprint R0910E

To order, see the next page
or call 800-988-0886 or 617-783-7500
or go to www.hbr.org

Managing Risk in the New World ROUNDTABLE

D
o

N
ot

C
op

y
or

P
os

http://harvardbusinessonline.hbsp.harvard.edu/relay.jhtml?name=itemdetail&referral=4320&id=R0910E

http://www.hbr.org

Related Questions:

Related questions

Leave a Comment Cancel Reply