ERM: embracing a total risk model; Enterprise risk management (ERM) is fast joining the business lexicon for more and more companies as increasing regulatory, legislative or stock exchange rules demand that senior executives and corporate boards certify their knowledge of current and future risks and the programs in place for managing those risks.

• Author: Quinn, Lawrence Richter
• Position: Enterprise risk management - Cover Story

Don't tell Mike Gardner that enterprise risk management (ERM) shouldn't be a major "do-or-die," board-sanctioned effort at corporations worldwide. Vice president of Audit Services at Providence, R.I.-based Textron Corp., Gardner had already structured a major ERM effort at his former employer, Hillebrand Industries Inc. in Indiana. When he subsequently was hired by Textron as Vice President of Internal Audit and it became more interested in ERM, he was asked to evaluate the applicability of ERM for Textron as well. He advises other companies to follow suit--as quickly as possible.

[ILLUSTRATION OMITTED]

Never mind that the evolution of ERM, in both theory and practice, is in its infancy--with nay-sayers who believe there's no need for it, and many senior executives and board members who still believe effective risk management need be nothing more than what it has been traditionally: keeping hazard and financial risks under control.

Never mind, too, that there are plenty of executives who would simply think no more about risk management under any name or title--now that they've dealt with the Section 404 compliance requirements of The Sarbanes-Oxley Act of 2002.

A Global Sprint Toward ERM

Gardner is not alone in his keen interest in ERM. Fueled by new exchange rules, regulatory initiatives around the globe and a bevy of reports that link good corporate governance with effective risk management, attention is turning to ERM. Some are entering the ERM arena reluctantly, while others view it as something of a "second coming"--much like the total quality programs of yesteryear--that will save companies from any number of current and future ills while providing significant competitive advantages along the way.

No hard numbers exist for all industries, but Rick Funston, a managing director at Deloitte, estimates that somewhere between a third and half of the Fortune 500 companies are looking at or have launched ERM initiatives. Not surprisingly, financial services firms have long led the way, and it's not just investment and commercial banks; the insurance industry, too, is widely and increasingly embracing ERM, according to successive annual reports from Tillinghast Towers-Perrin. Abroad, Australian, Canadian and British companies have led the way.

"Already everybody feels safer," says Craig Raymond, who was appointed chief risk officer (CRO) for The Hartford Financial Services Group last October to promote a more holistic approach to managing risk across its three operating units, which include the life side (Hartford Life), Hartford Fire, the property and casualty (P & C) side and the business and investment management company, Hartford Investment Management. At the same time Raymond was hired, the company created new CRO positions for each of those units.

"As we started looking at things from more of an enterprise level, we realized that they needed to be rolled up together," Raymond explains. "In contrast, prior to 9/11, we viewed the life and P & C risks as independent."

Board members are demonstrating interest as well. Says Barbara Colwell, a member of the audit committee at Mutual Trust Life Insurance Co. and on the audit and compensation committees at Publishers Clearing House: "ERM is a good concept, and I think all intelligent risk managers and board members should concern themselves with it."

Why Be Concerned with ERM?

At its most basic, ERM is a means of determining all the risks a company faces, both currently and in the near and long-term future--regardless of whether those exposures have been historically insurable or able to be hedged through the financial markets.

That description may sound too "mid-management" and technical to attract the interest and attention of boards and senior management, but nothing is further from the truth. Companies should and must care about ERM, for a variety of reasons.

First, increasingly, regulatory and legislative requirements, as well as a boatload of rules being issued by stock exchanges globally, require or strongly suggest that corporate boards and senior executives certify publicly that they are aware of all of their current and future risks, and that they have effective programs in place for managing those risks. Indeed, Sarbanes-Oxley asks a variation of this, as do new NYSE rules now coming into effect.

Among the countries pressing companies to "tell all" about their risk management strategies--due either to legislation or exchange rules--are Canada, the United Kingdom, Germany, the Netherlands, Australia and New Zealand. In some cases, requirements have been legislated; in others, like Australia and New Zealand, they are simply recommended.

Requirements aside, corporate executive...