P1.T1.506. Enterprise risk management (ERM, James Lam)

David Harper CFA FRM

Learning outcomes: Describe enterprise risk management (ERM) and compare and contrast differing definitions of ERM. Compare the benefits and costs of ERM and describe the motivations for a firm to adopt an ERM initiative. Describe the role and responsibilities of a chief risk officer (CRO) and assess how the CRO should interact with other senior management. Distinguish between components of an ERM program.


506.1. James Lam considers different, valid definitions for enterprise risk management (ERM) by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the International Organization for Standardization (ISO) but settles on his own definition: "Risk is a variable that can cause deviation from an expected outcome. ERM is a comprehensive and integrated framework for managing key risks in order to achieve business objectives, minimize unexpected earnings volatility, and maximize firm value." He claims that ERM offers the potential to confer three major benefits: increased organizational effectiveness, better risk reporting, and improved business performance. However, achieving successful ERM is not easy. (Source: James Lam, Enterprise Risk Management: From Incentives to Controls, 2nd Edition (Hoboken, NJ: John Wiley & Sons, 2014))

According to Lam, there are requirements, or prerequisites, to the achievement of successful ERM. Each of the following is a prerequisite to successful ERM EXCEPT which is not?

a. The integration of internal and external communications (including investor and public relations) that support a successful ERM launch date; the timing of the switch to ERM should be coordinated on a specific date as this avoids a long project with overruns and encourages accountability
b. The integration of risk transfer strategies which takes a portfolio view of all types of risk within a company and rationalizes the use of derivatives, insurance, and alternative risk transfer products to hedge only the residual risk deemed undesirable by management.
c. An integrated risk organization which probably implies a centralized risk management unit (RMU) reporting to the Chief Executive Officer (CEO) and a Chief Risk Officer (CRO) who is responsible for overseeing all aspects of risk within the organization
d. The integration of risk management into the business processes of a company which enables a shift from defensive or control-oriented approaches to managing downside risk (or earnings volatility) in favor of risk as "an offensive weapon for management"
(Source: James Lam, Enterprise Risk Management: From Incentives to Controls, 2nd Edition (Hoboken, NJ: John Wiley & Sons, 2014))

506.2. The role of Chief Risk Officer (CRO) is clearly gaining in prominence. According to James Lam, the CRO is responsible for:
  • Providing the overall leadership, vision, and direction for enterprise risk management;
  • Establishing an integrated risk management framework for all aspects of risks across the organization;
  • Developing risk management policies, including the quantification of the firm's risk appetite through specific risk limits;
  • Implementing a set of risk indicators and reports, including losses and incidents, key risk exposures, and early warning indicators;
  • Allocating economic capital to business activities based on risk, and optimizing the company's risk portfolio through business activities and risk transfer strategies;
  • Communicating the company's risk profile to key stakeholders such as the board of directors, regulators, stock analysts, rating agencies, and business partners; and
  • Developing the analytical, systems, and data management
Given these responsibilities, Lam says an ideal CRO would have superb skills in five areas ("While it is unlikely that any single individual would possess all of these skills, it is important that these competencies exist either in the CRO or elsewhere within his or her organization."). Those five skills are (Source: James Lam, Enterprise Risk Management: From Incentives to Controls, 2nd Edition (Hoboken, NJ: John Wiley & Sons, 2014))
  • Leadership skills to hire and retain talented risk professionals and establish the overall vision for ERM
  • Evangelical skills to convert skeptics into believers, particularly when it comes to overcoming natural resistance from the business units
  • Stewardship to safeguard the company's financial and reputational assets
  • Technical skills in big data analytics which requires some background in programming code preferably with R and/or python
  • Consulting skills in educating the board and senior management, as well as helping business units implement risk management at the enterprise level
However, which of the above skills is inaccurately specified (defined)?

a. Leadership
b. Evangelical
c. Stewardship
d. Technical

506.3. According to James Lam, a successful enterprise risk management (ERM) program can be broken down into seven key components (Source: James Lam, Enterprise Risk Management: From Incentives to Controls, 2nd Edition (Hoboken, NJ: John Wiley & Sons, 2014)):

In particular, he says it is important that "expected losses and the cost of risk capital should be included in the pricing of a product or the required return of an investment project. In business development, risk acceptance criteria should be established to ensure that risk management issues are considered in new product and market opportunities. Transaction and business review processes should be developed to ensure the appropriate due diligence. Efficient and transparent review processes will allow managers to develop a better understanding of those risks that they can accept independently and those that require corporate approval or management." (Source: James Lam, Enterprise Risk Management: From Incentives to Controls, 2nd Edition (Hoboken, NJ: John Wiley & Sons, 2014))

To which component does this key activity (i.e., pricing of risk at its inception) primarily refer?

a. Corporate Governance
b. Line Management
c. Portfolio Management
d. Risk Transfer