
Excerpt from

FUNDAMENTALS OF

Enterprise
Risk Management
How Top Companies Assess Risk, Manage
Exposure, and Seize Opportunity

Second Edition

John J. Hampton

American Management Association


New York Atlanta Brussels Chicago Mexico City San Francisco
Shanghai Tokyo Toronto Washington, D.C.


CONTENTS
(full table of contents)

Introduction

Part One. Essentials of Enterprise Risk Management

1. Hazard and Enterprise Risk Management
Hurricane Andrew. Definitions of Risk. Hazard Risk. Insurable
Risk. Traditional Risk Management. Severity and Frequency.
Enterprise Risk. Operational Risk. Strategic Risk. Financial Risk.
Conclusion.
Appendix 1. Russian Frozen Chicken

2. Enterprise Risk Management
ERM Defined. The Need for ERM. Conclusion.
Appendix 2. GM, Ford, and the Chrysler Bailout

3. Contributions of ERM
Contribution 1: Recognize the Upside of Risk. Contribution 2:
Assign Risk Owners. Contribution 3: Align Risk Accountability.
Contribution 4: Create a Central Risk Function. Contribution 5:
Install a High-Tech Electronic Platform (HTEP). AIG's View of Risk.
Contribution 6: Involve the Board of Directors. Contribution 7:
Employ a Standard Risk Evaluation Process. Conclusion.
Appendix 3. Home Depot

4. Challenge of the Black Swan
2014 Atlanta Ice Storm. What Is a Black Swan? Blockbuster. Risk
Experts. The Failure of Experts. The Perceived Level of Risk.
Silent Evidence. Conclusion.

5. The 2008 Financial Crisis
Speculative Frenzies. History of the Crisis. Scanning for
Exposures. Visible Signs of Danger. Aftermath. Parallel with the
Great Depression. Dodd-Frank Act. Conclusion.


6. Implementing ERM
COSO Framework. COSO Structure. COSO Components. COSO
Definitions. Approaches to ERM. Risk Management Areas.
Strategies and Situations in Risk Management. Expanding the
Scope of ERM. Benefits of ERM. Making ERM More Effective.
Leadership Risk. ERM Premises. How Do We Start? High-Tech
Electronic Platform (HTEP). Conclusion.
Appendix 6. ISO 31000 Framework

Part Two. Risk Management Technology

7. Risk Clusters
Cluster Risk Structure. Sophisticated Risk Mapping. Clusters
Versus Spreadsheets. Hierarchy of Subrisks. Interactions.
Conclusion.

8. Risk Technology in 2008
Rejection of Spreadsheets. High-Tech Electronic Platform (HTEP).
Riskonnect HTEP. User Features. Design Features. Relationships.
Risk Dashboards. Heat Map. CP&L ERM Implementation. Next
Steps. Conclusion.

9. New Technology in 2014
New York University HTEP. Mobile Devices. HTEP Links.
Earthquake Notification. Southwest Airlines HTEP. Collaboration
with Chatter. Real-Time Links to the World. Word Translation and
Currency Translation. Data Resources. Managing a Disability
Claim. Conclusion.

10. HTEP Applications
Airbus A380 Jumbo Jet. HTEP Opportunity with Bananas. Tropical
Storm Disruption. BP Oil Explosion. Ford Supply Chain. Dell
Supply Chain. Chilean Mine Rescue. Conclusion.

11. Product Launch Application
Market Risk. Product Risk. Capital Risk. Intellectual Property
Risk. Risk Profile. Expanding the View. Conclusion.

Part Three. Risks Without Risk Owners

12. Strategic Risk
FedEx. Strategic Risk Management. Strategic Risk and
Knowledge. Pursuit of Knowledge. Historical Perspective of
Strategic Risk. Strategic Risk and Synergy. Strategic Risk and
Tools of Knowledge. Strategic Risk and Opportunity Since 1980.
Scanning Post-2014. Energy All by Itself. Boeing Versus Airbus.
The Fax Machine and Strategic Risk. Conclusion.

13. Subculture Risk
Ford-Toyota Rowing Contest. Subculture Risk. Bureaucracy as a
Structure. Understanding Subculture Risk. Charles Handy on
Culture. Bureaucracy Culture. Spider's Web Culture. Team
Culture. Individual Culture. Cultural Control and Effectiveness.
Recognizing the Subculture. Conclusion.
Appendix 13a. Characteristics to Identify Subcultures
Appendix 13b. Subculture Risk in High School

14. Leadership Risk
Behavioral Risk. Strategic and Situational Leadership. Situational
Leadership Styles. Competence and Commitment. How Leaders
Decide. IKEA Best Practices. High-Performance Leadership.

15. Life Cycle Risk
Organizational Life Cycle. Sharing Life Cycle Information. Life
Cycle Goals. Life Cycle Tactical Focus. Planning Horizons. Growth
as a Risk Factor. Risks with Change. GM and Toyota Life Cycle
Risk. ERM Implementation and Life Cycles. Funding for ERM.
Priority for ERM. Politics of ERM. Conclusion.

16. IBM, Microsoft, and Apple
IBM at Its Peak. IBM in Decline. IBM Resurgence. Microsoft
Growth. Microsoft Peak. Microsoft Decline. Apple Rise. Apple
Decline. Apple Rebound. Conclusion.

Part Four. Special Topics

17. Cyber Risk Management
Cyber Risk. Malicious Software. Loss Assessment. Managing
Cyber Risks. Buying Cyber Risk Insurance. Incident Response
Plan. Mafiaboy Attack. Sony PlayStation Attack. Hacker Language.
WikiLeaks 2010 Leak. Authorized User Exposure. Hackers and
Cyber Risk. Anonymous. Arab Spring. Bay Area Rapid Transit
(BART). Megaupload. Responding to Anonymous Threats.
Conclusion.


18. Collaboration for Effective Risk Management
Collaboration. Grocery Acquisition. Wikipedia Accuracy. Swarm
Theory. GoldCorp Collaboration.

19. Cerberus, JPMorgan, and Lehman
Cerberus and Chrysler. JPMorgan Chase and Derivatives. Lehman
Toxic Assets.

20. Rise of Modern Risk Management
Risk Management Supersedes Insurance. Formation of Captives
to Retain Risks. Risk Management Addresses Liability. Decline of
Historical Data. Performance Risk Augments Hazard Risk. ERM
and Cyber Risk. War Risk. Outlaw Environments. Environmental
Risks. Conclusion.

21. Evolving ERM
Four Problems for ERM. Black Swan. Long-Term Capital
Management. Speeding Up the Implementation of ERM. The
Future of ERM. Conclusion.

22. Modern Risk Managers
Risk Manager Roles. Risk Manager Levels. Profiles of Risk
Managers. Areas of Attention. Chief Risk Officer. Chief Strategy
Officer (CSO). CRO and CSO Areas of Focus. Paul Buckley, Tyco
Risk Manager. Chris Mandel, USAA Risk Manager. Lance Ewing,
Harrah's Risk Manager. George Niwa, Panasonic Risk Manager.
Susan Meltzer, Aviva Risk Manager. Central Risk Management
Committee.

Denouement
Index


INTRODUCTION
Risk Quote: "Keep your friends close, and your enemies closer."
Sun-Tzu, Chinese general and military strategist, around 400 b.c.e.

Risk Quote: "This was my father's study. He taught me a lot of
things in this room. He taught me to keep my friends close and
my enemies closer."
Michael Corleone in The Godfather (1976)


Welcome to the world of enterprise risk management (ERM), one of
the most popular and misunderstood of today's important business
topics. It is not very complex. It is not very expensive. It does
add value. We just have to get it right. Until recently, businesses
have been getting it wrong.

The first edition of this book carried us into the heart of risk
management. It was mostly about how to do a better job of risk
identification. If we define the problem correctly, we reduce
surprises, not eliminate them, mind you, but get many of them
under control.

This book continues our journey with massive updates. Risk
management has changed dramatically since the 2008 financial
crisis. Recent developments in technology and communications
demand new approaches to manage risk and seize opportunity.
They still build on the basic structure of ERM.

- Upside of Risk. Most people discuss risk as the possibility of
  loss. This is totally insufficient because risk has an upside. A
  lost opportunity is just as much a financial loss as is damage
  to people and property. This is a key insight. Ask Sun-Tzu or
  Michael Corleone.
- Alignment with the Business Model. Within a framework for
  achieving goals, a single manager can supervise directly only a
  limited span of subordinates. Similarly, one person can oversee
  a limited number of risks. ERM encourages us to create a
  hierarchy of risk categories aligned with the business model.
- Risk Owners. A single person should be responsible for every
  category of risk. When questions arise, we go directly to the
  risk owner. We will see an exception to this guideline in Part
  Three, where we address risks with no single risk owner.
- Central Risk Function. Although risks cannot be managed
  centrally, a central risk function acknowledges that some risks
  cross units and responsibilities. The function influences risk
  decisions by scanning for changing conditions from a central
  vantage point and sharing findings. This book argues that a
  central risk function should not, itself, have responsibility for
  management decisions. Risk goes with the risk owners.
- High-Tech Electronic Platform (HTEP). ERM encourages the
  use of new technologies. This book describes a cutting-edge
  technology and a revolutionary way to use it. The results are
  amazing.

The book is organized in four parts:
1. Part One. Essentials of Enterprise Risk Management. What is
ERM? What is not ERM? What are its key components? Why do
we need a central risk function, risk identification, a high-tech
platform? We address risk management successes and failures
and cover lessons learned since the original publication of this
book.
2. Part Two. Risk Management Technology. This is big. In the
first edition, we examined visualized risk relationships and
backed up the view with supporting detail. You will not believe
the developments since 2008. Building on the success of
Riskonnect, we describe the High-Tech Electronic Platform
(HTEP) that serves so many companies today. If we thought
technology was big six years ago, and it was, it is amazing
today.
3. Part Three. Risks Without Risk Owners. Some risks depend
on collaboration, crossing, as they do, the silos of organizations. With a central risk function and modern technology, we
update strategic risk, subculture risk, leadership risk, and life
cycle risk. We examine how weak management practices
endanger success and how the absence of a clear and achievable
vision can be destructive. Included are incisive stories about
IBM, Microsoft, and Apple and their rise, decline, and efforts to
rebound.
4. Part Four. Special Topics. Here we fill in the picture of risk
management. Cyber risk management deserves a chapter of its
own. The importance of collaboration is demonstrated with
examples. The struggles of Cerberus, JPMorgan, and Lehman
are documented. Three chapters build our understanding of
modern risk managers.
Our journey covers a mixture of concepts, tools, and stories that
add richness and depth to managing enterprise risk. Modern risk
management is both popular and misunderstood, but, as we will
see, it is not overly complex. Nor is it expensive. It does add value.
We just have to get it right. Is risk management a science? An art?
A mystery? Or is it plain old common sense? In the following
pages, we update answers to these questions.

Contributors
In the first edition, we acknowledged many people who contributed to this book. Chris Mandel and Lance Ewing, former presidents of the Risk and Insurance Management Society (RIMS),
continue to encourage me to understand risk from a holistic viewpoint. Valery Vyatkin, my Russian partner, contributed ideas from
a Russian perspective. Finally, thanks to Bob Nirkind from
AMACOM books. His insight and wisdom kept this project on
course.
Let's also remember my administrative assistant, Mary Sullivan of Saint Peter's University, who was once again invaluable in
creating the final product. My bride, Doreen, a book author in her
own right, tells me regularly, "Jack, don't talk about risk management. Nobody cares." She is also the person who gives me the
most support for projects such as this book.
Updating this list is a single acknowledgment. Thanks to the
people at Riskonnect, particularly Bob Morrell, Kelly Barton, Elizabeth Morrell, and Russell McGuire. They started the journey and
built the HTEP described in this book. An amazing job. Just ask
any of their clients.
J. Hampton
Litchfield, Connecticut
March 2014


This publication is designed to provide accurate and authoritative
information in regard to the subject matter covered. It is sold with
the understanding that the publisher is not engaged in rendering
legal, accounting, or other professional service. If legal advice or
other expert assistance is required, the services of a competent
professional person should be sought.
Library of Congress Cataloging-in-Publication Data
Hampton, John J.
Fundamentals of enterprise risk management : how top companies assess risk,
manage exposure, and seize opportunity / John J. Hampton. Second edition.
pages cm
Includes bibliographical references and index.
ISBN-13: 978-0-8144-4903-5 (alk. paper)
ISBN-10: 0-8144-4903-4 (alk. paper)
ISBN-13: 978-0-8144-4904-2 (ebook)
ISBN-10: 0-8144-4904-2 (ebook)
1. Corporations--Finance. 2. Risk assessment. 3. Risk management. I. Title.
HG4026.H274 2015
658.155--dc23
2014009521
© 2015 John J. Hampton.
All rights reserved.
Printed in the United States of America.
This publication may not be reproduced, stored in a retrieval system, or transmitted
in whole or in part, in any form or by any means, electronic, mechanical,
photocopying, recording, or otherwise, without the prior written permission of
AMACOM, a division of American Management Association, 1601 Broadway, New York,
NY 10019.
The scanning, uploading, or distribution of this book via the Internet or any other
means without the express permission of the publisher is illegal and punishable by law.
Please purchase only authorized electronic editions of this work and do not participate
in or encourage piracy of copyrighted materials, electronically or otherwise. Your
support of the author's rights is appreciated.
About AMA
American Management Association (www.amanet.org) is a world leader in talent
development, advancing the skills of individuals to drive business success. Our mission
is to support the goals of individuals and organizations through a complete range of
products and services, including classroom and virtual seminars, webcasts, webinars,
podcasts, conferences, corporate and government solutions, business books and
research. AMA's approach to improving performance combines experiential
learning, learning through doing, with opportunities for ongoing professional
growth at every step of one's career journey.
Printing number
10 9 8 7 6 5 4 3 2 1
