CHAPTER 3
Performance-Based Continuous ERM

INTRODUCTION

From its beginnings in the early 1990s to its current incarnation, enterprise risk management (ERM) has undergone a dramatic transformation. Over time, ERM has evolved in response to a number of large-scale macroeconomic events as well as the business and regulatory changes those events precipitated. In so doing, ERM has adjusted its core focus and expanded the scope of risks it covers.

This continuing evolution can be organized into three major phases to reflect the changing landscape of enterprise risks in the past, present, and foreseeable future. Figure 3.1 summarizes the two major phases between the early 1990s and the present, as well as the third phase, looking forward 5–10 years.

[Figure 3.1 placeholder: a table summarizing the past, present, and future of ERM.]

FIGURE 3.1 The Past, Present, and Future of ERM

Phase One: Financial and Operational Risk

Financial institutions began developing ERM programs in the early 1990s to address financial concerns such as aggregate market risk and credit risk. In 1993, the Group of 30's (G30) “Derivatives: Practice and Principles” addressed risk areas such as credit, market, operations and systems, accounting, and disclosures for derivatives dealers and end users.1 Financial risks continue to be focal points of ERM functions, especially within the banking and financial-services industry.

Unfortunately for a number of derivatives end users—including Orange County, Procter & Gamble, and Gibson Greetings—the risk management practices recommended by the G30 Report did not arrive in time to prevent significant losses in 1994. Around the same time, risk professionals began addressing operational risk, which grew to prominence thanks to the trading scandals (e.g., Barings, Kidder, and Daiwa) that rocked the marketplace in the mid-1990s. These incidents highlighted the importance of applying risk management techniques to ongoing operational processes and of ensuring that protocols, policies, and procedures align with the organization's risk appetite. During this period, the role of chief risk officer (CRO) began to take shape as the executive leader for ERM. A rash of accounting fraud cases in the early 2000s, headlined by the dramatic failures of Enron and WorldCom, led many companies to adopt operational controls specifically aimed at fraud prevention and detection.

Regulators, too, entered the picture. The Sarbanes-Oxley (SOX) Act of 2002 mandated increased oversight, with a set of detective and preventive controls to ensure the integrity of financial reporting processes at publicly listed companies.2 A few years later, Basel II sought to provide a framework within which financial institutions could manage their financial and operational risks.3 The framework established minimum capital requirements, supervisory and regulatory review standards, and marketplace transparency guidelines. Although these regulations addressed unexpected losses resulting from certain financial and operational risks, their limitations would become all too clear.

Phase Two: Compliance-Driven Approach

The global financial crisis of 2008 fundamentally changed the world of risk management. The bankruptcy or near-death experience of large banks and the freefall in asset prices around the world left many to ponder the effectiveness of risk management at even the most sophisticated companies.

Regulators demanded that banking institutions take further strides to protect themselves against excessive risk. In the United States, the adoption of Dodd-Frank required banks to conduct stress testing on an annual basis.4 These stress-testing requirements were designed to quantify and address vulnerability to various risk scenarios. The Federal Reserve established stress-testing rules, known as CCAR, for banks with assets of at least $50 billion, while the OCC established similar rules, known as DFAST, for banks holding $10–$50 billion in assets. Such laws and regulations resulted in massive investments in risk, compliance, and audit functions. They also shaped risk governance and oversight at the board level.

Beyond the banking industry, companies have learned critical lessons about systemic risks and the shortcomings of their own risk management programs. As a result, the scope and responsibility of risk-oversight functions have increased significantly in all industry sectors. That positive outcome has been tempered, in my view, by two unfortunate if entirely understandable trends: a primary focus on regulatory compliance, and risk aversion. As a result, forward-looking, strategic risk management initiatives have not been given sufficient attention.

PHASE THREE: CREATING SHAREHOLDER VALUE

Today, the global economy may have climbed out of the depths of recession, but companies face increasing uncertainty in a wide array of new and emerging risks. Recent headlines have focused our attention on Federal Reserve interest-rate policy; an economic slowdown in China; declining oil prices; Middle East instability; “Brexit”; international and domestic terrorism; and cybersecurity. The ever-evolving globalization of competitive markets exposes many organizations to a new breed of risks, many of which they had neither planned for nor could have anticipated.

In its Global Risks Report 2016,5 the World Economic Forum identified five global risks with the greatest potential impact:

  1. Failure of climate change mitigation and adaptation
  2. Weapons of mass destruction
  3. Water crises
  4. Large-scale involuntary migration
  5. Severe energy price shock

Globalization is the common driver among these five risks. No industry, geography, or business model is immune to them. These global risks are also similar in a way that underlies their significance: They are all systemic in nature. If any of these risks—much less a confluence of them—comes to fruition, the downstream impact on business would be catastrophic. In order to respond to these risks tomorrow, institutions must understand their interrelationships and potential impacts today.

Addressing these major risks reactively is not a viable solution. Their potential scope and severity are so great that doing so could mean economic destruction. Instead, risk management should become proactive, not simply minimizing negative risk but also maximizing opportunity. To do so, ERM must be a continuous process, constantly monitoring and assessing risk in a forward-looking way that provides companies with a path toward opportunity.

For these reasons, ERM is entering a third phase in its development, focused on continuous monitoring, business-decision support, and maximization of shareholder value. Let's examine in greater detail what the future of ERM may hold.

PERFORMANCE-BASED CONTINUOUS ERM

We now live and work in a new world that is more volatile and uncertain than ever. The speed of change and the velocity of risk have increased significantly. In addition to the uncertain business environment caused by globalization, companies must also deal with shifting consumer preferences, emerging technologies, demographic and workforce changes, climate-change impacts, and natural-resource constraints.

ERM programs must adapt: A monthly or quarterly process is no longer sufficient. Just as risks and opportunities are changing constantly, ERM programs should monitor and respond on a continuous basis. This is no pipe dream; it has a precedent in market risk management. During the 1990s, trading firms operating in global financial and commodity markets successfully transitioned from daily to real-time risk management.

In addition to becoming a continuous process, ERM must support key business decisions and add shareholder value. Companies must also measure the effectiveness of their ERM programs with objective performance metrics and closed feedback loops.

There are seven key attributes of performance-based continuous ERM:

  1. ERM is a continuous management process that provides early-warning indicators for business leaders.
  2. Strategic risk management receives the highest priority.
  3. Dynamic risk appetite drives risk policies to balance business objectives and prudent risk taking.
  4. Risk optimization is the primary objective of ERM. Companies achieve this by influencing the shape of their risk/return bell curve.
  5. ERM is embedded into business decisions at all three lines of defense, supported by integrated risk assessment and analytics.
  6. A collaborative dashboard reporting system delivers ongoing risk and performance monitoring.
  7. Performance feedback loops assure ERM effectiveness and support continuous improvement.

Let's look at each of these in greater detail.

Attribute #1: ERM Is a Continuous Process

ERM is moving from a periodic monthly or quarterly process to a continuous one. This is essential to align the cadence of ERM with the velocity of risk. As a continuous process, ERM can provide business leaders with timely information and predictive analytics on their sensitivity to key business drivers, including:

  1. Macroeconomic environment: In an interconnected world, regional, national, and global economic trends can impact the financial performance of any company. A continuous ERM process monitors leading economic indicators for interest rates, energy prices, manufacturing activities, economic growth, business investment, and capital flows. Management can compare these new economic data sets with the assumptions used in the business plan to support timely decisions regarding spending and capital investments.
  2. Business processes and operations: On a daily basis, changes in the business and operating environment can have a significant impact on a company's risk profile. For example, management must respond immediately if there is a supply chain disruption. It may need to take mitigation actions if a key investment falls below expectations or a risk exposure exceeds appetite. Conversely, the company may want to increase risk if the market presents attractive risk-adjusted return opportunities.
  3. Employee support and oversight: Employees represent the lifeblood of any organization. A continuous ERM process supports front-line employees in their day-to-day work, including decisions on risk acceptance or avoidance, product pricing, risk-transfer strategies, and risk escalation and communication protocols. Employee behavior can also have a material impact on a company's operational and reputational risk. Continuous ERM supports management oversight with respect to employee performance and feedback, compliance with policies and regulations, workplace safety, and risk-mitigation strategies.
  4. Customer service: In order for an individual customer to be profitable, his or her lifetime value must exceed the cost of acquisition. It stands to reason, then, that even small improvements in customer retention can have a large impact on a company's profitability. In fact, a classic study by Bain & Co. indicated that reducing customer defections by 5% boosts profits 25% to 85%.6 Given the importance of customer service and retention, business managers should continuously monitor customer service levels, customer complaints and time to resolution, and customer-retention metrics against risk tolerance levels.
  5. Counterparties and business partners: Companies increasingly rely on third parties to support their business and financial operations, including suppliers and vendors, business and outsourcing partners, and financial counterparties. The performance and creditworthiness of these third parties can have an immediate and long-term effect on a company's business model. A continuous ERM process monitors vendor performance against service-level agreements, counterparty stock prices and credit spreads, and problem-resolution rates.
  6. Environmental and social impacts: Long-term sustainability, relative to environmental standards and social expectations, has become a top corporate priority. This includes how a company impacts its environment as well as how the environment impacts the company. The former requires a continuous monitoring of environment and social performance indicators, daily press coverage, and social-media posts. The latter requires monitoring extreme weather patterns, natural-resource constraints, and business contingency readiness.
  7. IT infrastructure and cybersecurity: Companies rely increasingly on their IT infrastructures. With the advent of cloud computing, big data, predictive analytics, and the Internet of Things (IoT), IT performance and cybersecurity requirements have become a top concern for most organizations. A continuous ERM process monitors IT availability and performance as well as cybersecurity metrics such as patch management, incident rate, and time to detection and recovery.

Attribute #2: Strategic Risk Management

Strategy and risk are two sides of the same coin. Strategic planning and ERM should be integrated to support the development, implementation, and performance monitoring of corporate and business-unit strategies. Companies ignore strategic risks at their peril. Independent studies of the largest public companies have shown time and again that strategic risks account for approximately 60 percent of major declines in market capitalization, followed by operational risks (about 30 percent) and financial risks (about 10 percent).7 Yet, in practice, many ERM programs downplay strategic risks or ignore them entirely.

Strategic risk can arise throughout the strategy development and implementation processes. The integration of strategy and ERM, or strategic risk management, can add long-term shareholder value in a number of important ways. Strategic risk management helps companies make more informed decisions when they:

  • Choose between alternative corporate strategies—e.g., organic growth, acquisition, stock buyback—based on their impact on enterprise intrinsic value.8
  • Ensure that corporate strategies are well-aligned with the company's core mission and values, business-unit strategies, and operating budgets.
  • Assess the strategic and resultant risks from the implementation of corporate strategies, including the utilization of risk appetite and risk capacity.9
  • Support the implementation of corporate strategies to achieve key organizational objectives.
  • Monitor the actual performance of corporate strategies against management assumptions and expectations, and make timely adjustments as appropriate.

To support strategic risk management decisions, the company's performance management system must integrate key performance indicators (KPIs) and key risk indicators (KRIs). An integrated performance and risk monitoring process would include the following steps:

  1. Define the business strategy through a set of measurable strategic objectives.
  2. Establish KPIs and targets based on expected performance for those strategic objectives.
  3. Identify strategic risks that can drive variability in actual performance, for better or worse, through risk assessments.
  4. Establish KRIs and risk tolerance levels for those critical risks.
  5. Provide integrated reporting and monitoring in support of strategic risk management.

Unfortunately, many companies perform these actions in two distinct silos. As part of strategic planning they perform steps 1 and 2 and report the results to the executive committee and full board. Separately, as part of risk management they perform steps 3 and 4 and report the results to the risk and audit committees. In order to effectively manage strategic risks, these steps must be fully integrated.

Attribute #3: Dynamic Risk Appetite

An integral part of continuous ERM is the development of key risk metrics, exposure limits, and governance and oversight processes to ensure that enterprise-wide risks remain within acceptable and manageable levels. A best-practice approach to addressing these requirements is to implement a formal risk appetite statement (RAS). Yet corporate directors, who are ultimately responsible for overseeing their companies' risk management, report that this practice is not fully developed: according to a National Association of Corporate Directors (NACD) survey, only 26 percent of companies have a defined risk appetite statement.10

An RAS is a board-approved policy that defines the types and aggregate levels of risk that an organization is willing to accept in pursuit of business objectives. In determining the appropriate risk appetite, an organization should also consider its risk capacity (also known as risk-bearing capacity), which represents a company's overall ability to manage the risk and absorb potential losses. Companies can measure risk capacity in terms of liquidity and capital reserves, as well as management capabilities and track record in managing the specific risks.

A dynamic RAS would include the following components:

  1. Qualitative statements and guidelines, as well as quantitative metrics and risk tolerance levels for all key risks.
  2. A cascading structure of risk tolerance levels with drill-down capability from the board (Level 1) to executive management (Level 2) to business units (Level 3).
  3. Continuously updated RAS dashboard reports, including commentaries and expert analysis.
  4. Risk-mitigation strategies and exception reporting in the event risk exposures are above tolerance levels.
  5. Dynamic adjustments to tolerance levels to reflect risk-return opportunities. For example, if the market provides attractive return opportunities and the company has excess risk capacity, the risk tolerances may be increased accordingly.

The following example breaks down a strategic RAS into its three primary components:

  • Qualitative statement: “To ensure strategic alignment, we will limit business activities that are not consistent with our overall strategy and core competencies.”
  • Metric: Non-core investment capital ÷ total capital (the non-core capital ratio).
  • Risk tolerance level: “Non-core capital ratio will not exceed 10 percent.”

Attribute #4: Risk Optimization

The risk bell curve is a graphical depiction of risk with respect to probabilities and outcomes, including expected value (the mean of the bell curve) as well as the potential upside and potential downside (the tails). The objective of ERM is to assess, quantify, and optimize the shape of the bell curve for all of the key risks on an ongoing basis.

Although all key risks take the form of a bell curve, not all bell curves are alike. Figure 3.2 shows how the bell curve can be used to capture various risks.


FIGURE 3.2 Bell Curve Shapes

For example, credit risk has more downside risk (potential loss of principal) than upside gain (interest income). Market risk (including interest rate risk) follows an essentially symmetrical curve, as market prices (and interest rates) have an equal chance of moving favorably or unfavorably. At the other end of the spectrum, operational risk has a limited upside but a lot of potential downside. After all, not having any IT, compliance, or legal issues simply means business as usual. But a major negative event, such as a cybersecurity breach, IT downtime, or regulatory issue, can have tremendous consequences.

If managed well, strategic risk (not shown) is unique in that its downside can be limited while its upside can be unlimited. For example, the maximum loss of a new investment is 100 percent of the investment, but a new business venture can produce multiples of the investment. An asymmetrical bell curve with significant upside risk can describe any new product or business opportunity, whether that opportunity is part of a corporation's growth strategy or a venture capital firm's new investment.

Consider a decision tree that maps the probabilities and consequences of different decision paths.11 This map not only provides a better picture of the risks and rewards involved, but also helps identify trigger points for action if the initiative lags behind expectations. Viewed this way, the optimum strategic risk profile resembles a call option: limited downside exposure with unlimited upside potential. A company can also limit downside risk by “failing faster.” The sooner a company recognizes an initiative is in trouble, the sooner it can take corrective action—such as getting the initiative back on track, deploying risk mitigation strategies, or shutting it down.

Minimizing downside risk and increasing the upside is the objective of “real option theory.” A real option is the right, but not the obligation, to undertake a business investment or change any aspect of that investment at various points in time, given updated information. The beneficial asymmetry between the right and the obligation to invest under these conditions is what generates the option's value.

Venture capital (VC) firms take advantage of this asymmetry as part of their business model. According to research by Shikhar Ghosh, a senior lecturer at Harvard Business School, about 75 percent of venture-backed investments in the United States do not return investors' capital, 20 percent achieve subpar returns, and only 5 percent achieve or exceed the projected return on investment.12 To maintain an ideal risk profile, VCs carefully stagger funding rounds in order to reap outsized returns on the 5 percent of firms that are successful while exiting or minimizing their investments in the other 95 percent. This risk/return profile is why VC firms are always concerned about the size of the market. They don't hit often, but when they do, they need to hit big!

Pharmaceutical companies take a similar portfolio approach. They invest in drug development internally or acquire promising patents or entire drug companies. They can then continue to make limited, iterative investments in successful ventures and bow out of those that fail to achieve expected performance levels.

However, the enterprise-wide risk profile shown in Figure 3.2 is more indicative of a bank, for which the upside is limited to net interest income (about 2–3% of average assets) plus fee income while the downside can include large loan losses. This is also known as “fat-tail” risk. The ideal risk profile would be skewed to the right, which is more indicative of venture capital and pharmaceutical firms, which have more upside than downside. Regardless of the industry, companies must make the appropriate business decisions to optimize the shape of their risk bell curves.

Attribute #5: ERM-Based Decision Support

In order to add value, companies must integrate the continuous ERM process into their strategic, financial, and operational decisions. Generally speaking, organizations have the following options available to them in response to risk:

  1. Risk acceptance or avoidance: The organization can decide to increase or decrease a specific risk exposure through its core business, mergers and acquisitions (M&A), or financial transactions. This includes new product development, market expansion, acquisitions and divestitures, capital budgeting, and investment and financing activities.
  2. Risk mitigation: An organization can establish risk-control processes and strategies in order to manage a specific risk within a defined tolerance. This includes constructing a risk appetite statement with explicit risk tolerance levels, corporate risk policies, risk measurement and monitoring systems, and risk-control strategies and contingency plans.
  3. Risk-based pricing: All firms take risks in order to be in business, but there is only one point at which they receive compensation for the risks that they take. That is in the pricing of their products and/or services. A product's price must always incorporate its share of the cost of risk. Similarly, companies should fully account for the cost of risk to measure the risk-adjusted profitability of business units.
  4. Risk transfer: An organization can decide to implement risk-transfer strategies through the insurance or capital markets if risk exposures are excessive and/or if the cost of risk transfer is lower than the cost of risk retention. Risk-transfer strategies include hedging; corporate insurance and captive insurance strategies; and securitization programs.
  5. Resource allocation: An organization can allocate human and financial resources to business activities that produce the highest risk-adjusted returns in order to maximize firm value. This includes rationalizing the allocation of staff resources, economic capital, and financial budgets based on projected risk-adjusted performance.

It is important to understand the general categories of choice described above, but in practice each business or risk decision falls to a specific committee, function, or individual. These decision makers can be members of the board, corporate management, or business and functional units. Here is a summary of key risk management decisions based on the “three lines of defense” model:

  • Business units and support functions represent the first line of defense. The first line is ultimately accountable for measuring and managing the risks inherent in their own businesses and operations. Since they must assume some level of risk to achieve their business objectives, the goal is to take intelligent risks. Key business and risk management decisions include accepting or avoiding risks in day-to-day business activities and operations; including the cost of risk in product pricing; managing customer relationships; and implementing risk-mitigation strategies and contingency plans in response to risk events.
  • Corporate management, supported by the ERM and compliance functions, represents the second line of defense. Management is responsible for establishing and implementing risk and compliance programs, including risk policies and standards, appetite and tolerances, and reporting processes for the board and management. The second line of defense is accountable for ongoing risk monitoring and oversight. This level's key business and risk management decisions include allocating financial and human capital resources to business activities that produce the highest risk-adjusted profitability; implementing organic and/or acquisition-based growth strategies; and devising risk-transfer strategies to reduce excessive or uneconomic risk exposures.
  • The board of directors, with the support of internal audit, represents the third line of defense. The board is responsible for establishing the company's risk governance structure and oversight processes; reviewing, challenging, and approving risk policies; and overseeing strategy execution, risk management, and executive compensation programs. The third line of defense is also accountable for the periodic review to assure risk management effectiveness. Key business and risk management decisions include establishing the statement of risk appetite and risk-tolerance levels; reviewing and approving management recommendations with respect to capital structure, dividend policy, and target debt ratings; and reviewing and approving strategic risk management decisions, including major investments and M&A transactions.

Attribute #6: Collaborative Dashboard Reporting

One of the key objectives of continuous ERM is to promote risk transparency with enhanced reporting. The old adage “what gets measured gets managed” certainly holds true in risk management, and business leaders appear to be getting the message. In a 2011 Deloitte study of approximately 1,500 executives across various industries, 86 percent identified “risk information reporting” as a high or moderate priority, making it the most highly prioritized of 13 risk initiative options.13 What's more, this priority was followed closely by “risk data quality and management” (76 percent) and “operational risk measurement system” (69 percent). Clearly, management understands that establishing a robust risk measurement and reporting system is critical to ERM success.

The ideal way to achieve this objective is with a real-time collaborative dashboard reporting system. This system would produce role-based reports designed to support the decision-making requirements of each recipient. When designing a role-based dashboard report, it is useful to determine the key questions each recipient needs to address. For example, the ERM dashboard for the board and senior management may address the following five basic questions:

  1. Are any of our business objectives at risk? As discussed, a company's RAS defines risks according to their effects on primary business objectives. The ERM dashboard should similarly organize risk information (e.g., quantitative metrics, qualitative risk assessments, early warning indicators) within the context of key strategic and business objectives. For each objective, the dashboard report might show green, yellow, or red indicators to signal that its achievement is on-track, threatened, or off-track, respectively. For objectives with yellow or red indicators, the board and management should be able to drill down to underlying analyses and data.
  2. Are we in compliance with policies, regulations, and laws? The ERM dashboard should indicate at a glance the company's compliance status in regard to key policies, regulations, and laws. Again, traffic-light signals would highlight whether the company is in full compliance (green), approaching violation (yellow), or in violation (red). Drill-down capabilities would support further analysis with respect to more detailed legal analyses, compliance metrics, and regulatory reports.
  3. What risk incidents have been escalated? The ERM dashboard should be able to escalate critical risk incidents to the appropriate board members, executives, or managers in real time. This capability would require a system to capture incidents throughout the company that meet a defined threshold (e.g., customer or reputational impact, financial exposure, etc.). Moreover, the ERM dashboard needs an embedded algorithm that prioritizes risk incidents and escalates them to the proper individuals. The most critical incidents should prompt alerts via email, text, or other system for immediate response.
  4. What key performance indicators (KPIs), key risk indicators (KRIs), or early warning indicators require attention? A key goal of an ERM dashboard is to highlight potential problems before they become critical. For that reason, the dashboard should include early warning indicators that help foreshadow such issues. A well-designed ERM dashboard would provide KPIs and KRIs that are most relevant to the decision-making needs of each user, whether at the board, management, or business-unit level. To provide context, each metric should include performance thresholds and/or risk tolerance levels to provide benchmarks for evaluation.
  5. What risk assessments must we review? Risk assessment is an ongoing process, with top-down risk assessments, bottom-up risk-control self-assessments (RCSAs), regulatory examinations, and audit reports taking place on a regular basis. Given that these assessments include mainly qualitative information, the dashboard need only provide a summary of key findings and analyses. Each such summary should indicate whether it meets board and management expectations (green), is near those expectations (yellow), or falls short (red). When more detailed review is necessary, the actual risk assessments and reports would be available via linked files.

In addition to the above components of dashboard reporting, new features are surfacing that are becoming part of the emerging reporting standards. An established dashboard system should incorporate the following elements for streamlined reporting:

  1. Single-source publishing: Software that publishes the same data in multiple places at once across a platform effectively eliminates duplicate content and version-control issues. Single-source publishing not only makes reporting more accurate, it also increases efficiency and frees up time for making important business decisions instead of managing data. The same technology can also produce dynamic charts that respond to data as it changes.
  2. Collaborative real-time editing: Advanced software platforms, often cloud-based, permit multiple users to work on a single document at the same time, with changes displayed in real time. Such functionality permits each user to have the latest data as soon as it is available. This technology is becoming increasingly powerful and simpler to deploy across the organization, making it essential to support continuous ERM reporting.
  3. Data visualization: Many dashboard applications can now generate graphs or presentations directly from the underlying data, making that data far more impactful and actionable. Consider the impact and clarity of a pie chart or bar graph compared to a dense table of numbers. Whether the user is a chief risk officer or an IT manager, being able to clearly visualize risk data can dramatically improve risk monitoring and decision-making.
  4. Interactive data displays: The best data presentation is dynamic, allowing users to see summaries but giving them the ability to drill down into the underlying details. The next step in interactivity, however, will allow users to have a “conversation” with the data, by asking human-readable questions of the database and receiving answers pertinent to business objectives. While this is still a mostly experimental feature of dashboards, the advances in artificial intelligence should make such features available in the coming years.

Attribute #7: ERM Performance Feedback Loops

Performance feedback loops support self-correction and continuous improvement by adjusting a process according to the variances between actual and desired performance. As a foundational component of the scientific method, the feedback loop has long been an essential tool used to support advances in many fields, including economics, engineering, and medicine. More recently, the innovative use of feedback loops has been reported in the hedge fund industry14 and the effective altruism movement.15 It would be difficult to evaluate and improve any process efficiently without a performance feedback loop. Risk management is no exception.

In order to establish a performance feedback loop for ERM, companies must first define its objective in measurable terms. I believe that the primary objective of ERM is to minimize unexpected earnings variance. See Chapter 19 for a full discussion on feedback loops and an example that illustrates the use of earnings volatility analysis as the basis of a performance feedback loop to do exactly that.

Perhaps the best way to illustrate how these seven attributes work together in a corporate environment is with a story. The following account is fictional, but the situations I describe are ones that real-life companies are likely to face.

CASE STUDY: LEGACY TECHNOLOGY

Elizabeth Heath is the CRO of Legacy Technology, a large, well-established tech company. Recently, Legacy determined that the best way to extend its reach into emerging cloud technologies would be to acquire a company with the capabilities and markets it sought. Legacy found such a company in Galactic Cloud Magic, whose product line and expertise made it well positioned to meet Legacy's strategic needs. Thanks to the backing of her CEO and board, Elizabeth was an integral member of the team that vetted acquisition candidates and ultimately negotiated a deal with Galactic. As we'll see, the process ran into some unexpected issues that might well have torpedoed the deal, but Elizabeth and her team were able to apply all seven attributes of evidence-based continuous ERM to find a solution. Here's how:

Managing Strategic Risk (Attribute #2)

As part of an integrated strategic-planning and ERM process, Elizabeth and her team were fully engaged in the M&A analysis and due-diligence process. After thoroughly reviewing Galactic's risk profile, they calculated a cost of risk of $10 per share based on the severity and likelihood of numerous risks. They also determined the level of economic capital Legacy would have to maintain in order to safely absorb these risks post-merger. As a result, the risk team concluded that a properly priced acquisition of Galactic would optimize Legacy's risk profile and add value for its shareholders. The acquisition team, seeking a RAROC of about 12%, agreed on an offer of $100 per share, which Galactic accepted.

The deal was set to close in a couple of weeks when Elizabeth received an early morning call from Legacy's CEO. He had just learned that Galactic had suffered a massive cyberattack overnight that may have exposed private customer data. The CEO called together the acquisition team to review their options.

The COO and CIO both argued that Legacy should call off the deal: Galactic's reputation was likely to be irreparably damaged by the breach, and the company was facing multiple potential lawsuits from its customers. Elizabeth argued, however, that it was premature to pull the plug, and urged the group to wait for more information.

A Robust and Continuous Process (Attribute #1)

As it turns out, Galactic was well prepared for a potential breach. As soon as the attack was detected, the system went into automatic lockdown, and customers were notified and required to reset their login credentials and enable two-factor authentication. A previously created “SWAT team” of technicians, attorneys, security experts, and communications experts was called into action to determine root causes and solutions, assess the damage, minimize impact, and report progress to all stakeholders. Elizabeth's team was equally prepared. They tapped into Galactic's team to receive continuous updates on the situation. They then used this information, as well as governmental data and analyses of similar attacks, to analyze the event's potential strategic, financial, and reputational impact on the acquisition.

Relevant Data, Informed Decisions (Attribute #4)

As information became available, the risk team updated its assessment and models based on the new risks related to the cyberattack. They also updated their original heat map to indicate a higher level of risk due to the dramatically increased likelihood of consequences such as lawsuits and reputation damage. Finally, they revised their calculation of the cost of risk in the acquisition, which increased from $10 to $25. As a result of this analysis, Elizabeth and her team proposed incorporating this increased cost into a reduced acquisition offer, from $100 to $85.

Mitigating Risk to Create Opportunity (Attribute #5)

Executives at Galactic balked at the lower acquisition price, and it looked as though the deal was all but dead. But Elizabeth had an idea. She reached out to Legacy's corporate insurance provider to obtain a quote on a risk-transfer strategy that would cover losses resulting from the cyberattack above a certain level. It was a buyer's market in cyberinsurance, so the premium was economical. In other words, the cost of risk transfer was lower than the cost of risk retention. The overall reduction in risk cost allowed Legacy to raise its offer to $90. At the same time, it lowered projected earnings from the acquisition somewhat. This transaction optimized the risk profile for the company given the new risks, risk-transfer costs, and business requirements. Overall, it meant that Legacy was able to offer a price acceptable to Galactic while still achieving its desired return on investment.

Engaging the Three Lines of Defense (Attribute #6)

Throughout the process, Elizabeth and her team took care to inform and engage the three lines of defense: operating units, management, and the board.

The first line of defense, which consists of the company's business and operating units, as well as its support functions, gathered ongoing data. In particular, the IT function kept the board and management apprised of the situation as it unfolded. IT provided the risk and deal teams with expert interpretation of the information coming in from Galactic, analyzing it against known scenarios to project likely outcomes.

The CRO and ERM function, along with corporate management, provided the second line of defense. This group was tasked with reevaluating the risk level of the situation as it developed. Elizabeth's team updated assessment and quantification models to recalculate the cost of risk, and formulated the risk-transfer strategy. Other members of the management team evaluated these results and offered additional input to fine-tune the ERM team's conclusions. The CEO maintained communication with Galactic, worked with the deal team to build consensus around a revised proposal, and obtained approvals from the board.

Finally, the third line of defense—the board—conducted calls and meetings on an as-needed basis to monitor the situation, challenge management's risk assessment, and approve the risk transfer strategy and new acquisition price.

Although it was a coordinated effort, Elizabeth and her risk team were instrumental in saving the day. The deal, once thought to be dead in the water, was consummated just a month behind schedule.

Reevaluating Risk Appetite (Attribute #3)

After a short celebration, the CRO and risk team went back to work to tackle the post-merger integration risks. These risks included continued fallout from the cyberattack (lawsuits, technology updates), performance of the risk-transfer strategy, and integration of management teams, customers, and technology platforms. They also added new metrics and risk-tolerance levels to Legacy's risk appetite statement to reflect these changes.

Supporting Ongoing Collaboration (Attribute #7)

The successful acquisition paid Elizabeth an additional benefit. Her contribution won over a number of her peers in the C-suite and beyond who had questioned the value of Legacy's continuous ERM program. These former doubters were impressed that the program could escalate and address a new threat on a timely basis. And they were swayed by Elizabeth's ability to quantify and illustrate pre- and post-merger risk profiles, which led to informed decisions about the cost of risk, risk-transfer strategy, and updated acquisition price and expected return.

What's more, they, along with other internal stakeholders, were engaged in the process as it unfolded on the customized risk dashboards that the ERM team had created for them. Even after the deal was signed, these dashboards continued to assist the integration team, senior management, and the board in monitoring and oversight.

For Legacy, ERM was a game-changer. What's more, Elizabeth put to rest the common misperception that ERM's role is to put the brakes on a company's ambitions. Far from impeding a strategically important deal, risk management actually provided a path forward.

The global economy and business world have evolved significantly over the past three decades, and so has the practice of ERM. As companies have faced great financial and reputational damage from derivatives losses, unauthorized trading, accounting fraud, global recession, and cybersecurity threats, the scope and focus of ERM have expanded to include strategic risk, financial risk, operational risk, regulatory-compliance risk, reputational risk, and cybersecurity risk.

Given the increase in macroeconomic and business uncertainties, regulatory standards, and risk velocity, ERM must continue to evolve. In the following chapters, we'll turn our attention to ERM at the organizational level, starting with the many stakeholders whose requirements must be addressed.

NOTES
