“The New Risk Paradigm for Corporate Governance: Seven Essential Questions Every Board Must

Consider.” by Leo M. Tilman and David Martin

I choose this article to reflect upon the latest economic crisis and the opportunities which were lost

to mediate the eventual downfall of many a company. The article identifies the problem as an “urgent

need for the new kind of corporate governance. A strategy grounded in risk management.“ This article

states that many businesses “Failed due to inadequate risk management expertise, lack of adequate

support, and outdated tools.” This article outlines a framework for risk thinking and development of a

risk oriented culture. Prior to the recent failure of our economy most companies were fortunate to

enjoy a long and continual trend of expansion. While enjoying the easy successes of a strong business

environment attention to risks were often ignored. Companies should have been asking

themselves.,“Are we putting ourselves at risk.” The failure to take appropriate actions to identify and

react to risk is a major contributor to poor corporate performance especially during turbulent times.

These failures demonstrate a lack of focus and a failure to execute a proper risk strategy.

Due to the increasing complexity of today's business world the board of directors can easily be

distracted from even the most basic issues. In today's economy a multitude of data is generated and

presented to the board. Due to the number of competing priorities it is easy to lose focus on something

as important as a well developed risk strategy. The established way of risk identification and mitigation

fails to fully address risks within functional areas. A better way of drafting plans to mediate those risks

is sorely needed. The latest crisis has made it clear that we cannot operate in a business-as-usual state

of mind.

The first question of risk strategy asks, “Do we fully understand our institution's risk exposures?”

The first step towards understanding the risk facing the organization is the identification and

quantification of the risk. Risk identification is probably most effective when developed by the

business unit where the risks can readily be identified. It is essential that the presentation of the risks be
properly presented to ensure focus is spent on those issues with the most importance. Execution of a

well defined action plan will be the result when board-level executives are able to see through the

clutter.

The second risk strategy question addresses, “Are our risk exposures appropriate relative to earnings

objectives, risk appetite, capital levels, and desire for long-term sustainability?” The interrelationships

between both risk and business opportunities must be recognized for proper mitigation strategies to be

formed. The formation of these strategies must be include long-term changes in the market which they

operate and take into account outliers such as that of a disruptive technology. The drive to increase

shareholder value must be tempered within an equivalent risk and reward portfolio. During times of

crisis opportunities from this portfolio must be approached in an entirely different fashion. Obviously

that approach is driven by the preservation of capital and investments which correspond to reduction of

risk throughout the enterprise. Companies may well choose to invest capital into strategies that alter the

long-term structure of the company. Examples include the exiting of certain markets and the shuttering

of operations deemed non-strategic in order to focus on the primary business activity.

The third risk strategy asks, “Is our organization adequately dynamic from the viewpoint of risk

management?” Tilman and Martin state that a “Lack of organizational dynamism..was one of the main

characteristics of failed companies during the recent financial crisis.” This can be related to early

identification of risks and other changes and drafting responses to those elements identified. This

cannot just be the development of a report that goes into a filing drawer but must be continually

monitored by the board of directors. Tilman/Martin give an example of British Petroleum's lack of

organizational dynamism. I believe this demonstrates that large corporations often miss the important

issue as their attention spans over a multitude of events occurring simultaneously. BP's ability to react

to the crisis may have been better managed had their been a better system of risk reporting.

The fourth strategy question asks, “How do risk and uncertainty factor into our strategic decisions?”
Tilman/Martin give an example of Wachovia and the deeply-held belief that "growing deposits is

perhaps the most profitable thing that a retail and small business bank can do." Wachovia's strategic

opportunities were driven by this philosophy and resulted in a merger with an entity whose risk ran

deep. Wachovia's failure to fully identify risks within the merger lead to their failure. As a company

identifies where to compete they must also take into account the downside of each decision. As with

Wachovia plans are sometimes drafted without enough diligence paid to each option. With each

opportunity the corresponding cost of risk needs to calculated into the equation. If each business case is

developed with a quantified risk component choices may become a little clearer.

The fifth strategy asks “Is there is an integrated firm-wide risk management policy?” Tilman/Martin

outline the important questions that an organizational risk management strategy must entail:

"comprehensive risk reporting, governance policies and limits, escalation procedures, action triggers,

and dynamic and integrated firm-wide process." They go on to identify the prerequisites necessary for

the above policies to be in place. "an analytical system capable of properly: identifying, measuring and

aggregating all risk on the enterprise-wide level." A board will become easily overwhelmed without a

proper system that is capable of both the collection and dissemination of risk information throughout

the enterprise. A key here is the aggregation of this information. Although it is important for risks to be

reported from the bottom up, it is equally essential to see the overall trends emerging from each

operating unit. The board may see trends across business units and have the chance to act accordingly.

Tilman and Martin’ sixth identified question of empowerment: “Are all professionals at all levels

empowered to manage risk?” Tilman/Martin identify the important components necessary for the

company to instill a culture where all professionals are charged with risk management: common risk

language must be established throughout the organization - along with clearly delegated responsibilities

for managing risk at all levels; the risk management function must be genuinely empowered, with

senior risk officers gaining not only the "seat" but also a "voice" at the table where important decisions

are made; last, leadership and management structures must be correctly aligned with the firm's business
model from a risk perspective, and that the right balance must be established between competing

priorities and constituencies.

The last risk issue to address is whether there is an appropriate risk management culture.

Developing a common definition of risk throughout the organization facilitates the collaboration of

both risk professionals and functional management. It becomes critical at the time of aggregation of

risk data. Without common metrics it would be hard to evaluate or quantify risks throughout each

business unit and without a common reporting system risk truly becomes unmanageable. A common

risk strategy must include common operating procedures between units to ensure that the risk message

has been both received and dutifully implemented. The board must demonstrate their willingness to

listen and assimilate the issues outlined by the companies risk professionals to legitimize the

importance of the companies risk management function. Without empowering the risk professional the

risk function will not be taken seriously. Executives must continually demonstrate their 'buy in' for the

company into risk strategy for the company to benefit.

I learned the importance of a properly implemented risk culture. Tilman and Martin alluded to the

fact that risk is a system of values and behaviors that need to apply to everyone as they conduct

business. Each individual must go beyond just the understanding of risk. Each manager must

understand their company’s beliefs that police risk. The rules of risk and how they apply to everyday

operations must remain through a risk framework which clearly sets out policies and standards to

consistently follow. Employees must know where the company stands. A strong risk culture can be

built over time but it must be inspired.

I also took away the relevance of the proper communication related to the companies risk strategy. A

risk strategy will not be successful without a context in how to apply risk principles, therefore,

communication is the key to it’s success.. The tone must be set by the companies C-level leaders and

represent the real driver of change throughout the organization. The organization will follow the actions

of their leaders so they must go beyond nearly recognizing the importance and actually put the strategy
into everyday practice.

Another area where I can apply material is with the actual application of risk strategy thought the

enterprise. There must be a consistent and repeatable approach to risk; otherwise, there will be

differences between business units. Implementing risk policy in a common fashion allows for the

upward reporting and allows for trend analysis. A proper risk environment may also need to take into

account things such as hiring practices and be a part of real performance reviews and rewards for

applying the companies risk strategy.

There are two areas where this article failed to focus: proper training of the organization in risk;

ethical considerations of risk strategy. Without proper educational opportunities employees will not

make the most use of risk strategy. Placing a priority on risk education will reinforce the importance of

the risk mitigation throughout the enterprise. It is not sufficient to demonstrate risk behavior,

disseminate the risk message and develop risks and rewards for risk behavior. Education is a very large

piece of the risk equation and in order to effectively implement the strategy there must be a

corresponding investment. Understanding risk management and learning how to apply that knowledge

is a crucial part the corporate risk strategy. The second area I felt could have been explored was the

association of risk with ethics. A company's risk culture should clearly outline the behaviors and

practices to which employees are expected to adhere to on a daily basis. A constant, clear message is

key to enforce the policies and procedures needed for compliance. There is a strong value correlation

between those companies which choose to develop a risk culture and then enforce it's compliance and

those who choose to simply communicate and lead through example. There must be a personal buy-in

from employees as they will be the key to implementing the risk strategy on a daily basis.