
Basic Enterprise Risk Management Concepts for Organizations Not Currently Employing a
Comprehensive Risk Management Framework

W. Michael Scott
David A. Walton
Beirne, Maynard & Parsons, LLP
1300 Post Oak Blvd., Suite 2500
Houston, Texas 77056
(713) 623-0887

Federation of Defense and Corporate Counsel


7th Annual Corporate Counsel Symposium
Hyatt at the Bellevue, Philadelphia, PA
September 21-23, 2010

BIOGRAPHICAL INFORMATION
W. Michael Scott. Mr. Scott received a Bachelor of Business Administration in 1983 from
Texas A&M University and obtained his law degree from the University of Houston Law Center
in 1987. Mr. Scott is Board Certified in Personal Injury Trial Law by the Texas Board of Legal
Specialization and AV Rated by Martindale Hubbell. He is a partner in the Houston office of
Beirne Maynard & Parsons, LLP, focusing his practice on complex civil litigation, including
commercial disputes and the defense of negligence and product liability actions. In addition to
the Federation of Defense and Corporate Counsel, Mr. Scott is a member of the State Bar of
Texas, the Defense Research Institute, the Houston Bar Foundation, and the Texas Bar
Foundation.
David A. Walton. Mr. Walton received a Bachelor of Science in Geology in 1998 from The
University of Alabama and obtained his law degree from St. Mary's University School of Law in
2003. Prior to private practice, Mr. Walton was the law clerk to the Honorable Hayden W. Head,
Jr., Chief U.S. District Judge, Southern District of Texas, and the late Honorable Filemon B.
Vela, Sr., Senior U.S. District Judge, Southern District of Texas. He is a senior litigation
associate in the Houston office of Beirne Maynard & Parsons, LLP, focusing on complex
commercial civil litigation in state and federal courts throughout the U.S. Mr. Walton is a
member of the State Bar of Texas. He is a Fellow of the Texas and Houston Bar Foundations, a
Life Fellow and Chairman of Trustees in the Houston Young Lawyers Foundation, and a
Director of the Houston Young Lawyers Association.

TABLE OF CONTENTS
1. Enterprise Risk Management
2. Types Of Risk Subject To Enterprise Risk Management
3. Legal Risk And Compliance
4. Risk Management Processes
5. Enterprise Risk Mitigation Models
6. Conclusion

1. Enterprise Risk Management

Risk, let's get this straight up front, is good. The point of risk
management isn't to eliminate it; that would eliminate reward. The
point is to manage it, that is, to choose where to place bets, and
where to avoid betting altogether.
Thomas A. Stewart, Managing Risk in the 21st Century, FORTUNE,
Feb. 7, 2000, at 202.

Although not formally practiced until the 20th Century, risk management is not a novel
concept and has been implemented, in some manner, since the 17th Century. It is only in recent
history, at least in the past three decades, that various changes, i.e., instabilities, in hazard and
financial risks led to the development of enterprise risk management by the financial and
insurance industries. The Casualty Actuarial Society defines enterprise risk management as:

the discipline by which an organization in any industry assesses,
controls, exploits, finances, and monitors risks from all sources for
the purpose of increasing the organization's short- and long-term
value to its stakeholders.

OVERVIEW OF ENTERPRISE RISK MANAGEMENT (Casualty Actuarial Society, Enterprise Risk
Management Committee, May 2003), at 8. In sum, enterprise risk management allowed these
industries to shift the management of uncertainties that stand in the way of achieving their
strategic, operational, and financial objectives by integrating the risk across the organization.
THOMAS L. BARTON, WILLIAM G. SHENKIR & PAUL L. WALKER, MAKING ENTERPRISE RISK
MANAGEMENT PAY OFF: HOW LEADING COMPANIES IMPLEMENT RISK MANAGEMENT (Financial
Times/Prentice Hall PTR 2002), at 11. This shift included prioritizing and allocating resources
against various risks that underpin the sustainability of the industry, that is, to maintain value by
planning for risks. CAROL A. FOX & MICHAEL S. EPSTEIN, WHY IS ENTERPRISE RISK
MANAGEMENT IMPORTANT FOR PREPAREDNESS? (The Risk and Insurance Management Society,
Inc. 2010), at 5.


Enterprise risk management, in today's environment, is no longer viewed as an option by
most companies, big or small; instead, it is a necessity. Despite this acknowledgement,
companies continue to struggle with developing and implementing an effective enterprise risk
management program to address their specific needs. TIM MAHANEY, TERRY FLEMING & MARY
ROTH, EXCELLENCE IN RISK MANAGEMENT VII: ELEVATING THE PRACTICE OF STRATEGIC RISK
MANAGEMENT (Marsh, Inc. 2010), at 2. For example, in a February 2010 study of hundreds of
companies concerning risk management, only 28% (compared to 4% in 2004) had a formal
enterprise risk management program, and 53% (compared to 27% in 2004) did not have any
enterprise risk management programs at all. ID., at 8. From this same study, the challenges faced
in implementing enterprise risk management varied by the company's size:

| Rank | $1B and above | $50M to $1B | $50M and below |
|------|---------------|-------------|----------------|
| 1. | Other areas have greater priority | Lack of personnel resources | Other areas have greater priority |
| 2. | Lack of personnel resources | Lack of financial resources | Senior management commitment |
| 3. | Demonstrate return on investment | Other areas have greater priority | Demonstrate return on investment |

Top 3 Challenges by Company Size (revenue). ID, at 5.


2. Types Of Risk Subject To Enterprise Risk Management

Enterprise risk management is designed to address, at a minimum, four types of risk, as
described by the Casualty Actuarial Society: (a) hazard risk, (b) financial risk, (c) operational
risk, and (d) strategic risk. The risks that were traditionally handled by insurers, e.g., fire, theft,
windstorm, liability, business interruption, pollution, health, and pensions, are hazard risks.
STEPHEN P. D'ARCY, ENTERPRISE RISK MANAGEMENT (University of Illinois at
Urbana-Champaign, May 30, 2001), at 2. Financial risks involve the company's resources, e.g., return on
investments, losses due to changes in the financial markets, interest rates, foreign exchange rates,
commodity prices, liquidity risks, and credit risks. ID. Next, the risks involving the people,
processes and technology of the company are operational risks, including customer satisfaction,
product development, product failure, trademark protection, corporate leadership, information
technology, management fraud and information risk. ID. Finally, the company's overall
objectives are encompassed in strategic risks, e.g., competition, customer preferences,
technological innovation and regulatory or political impediments. ID.

Under the typical fragmented approach of risk management, generally, hazard risks were
addressed by the company's risk management department, financial risks were addressed by the
accounting department, operational risks were handled by the human resources or information
technology departments, and strategic risks were the concern of the marketing department.
OVERVIEW OF ENTERPRISE RISK MANAGEMENT, at 32. Enterprise risk management attempts to
manage these risks in the aggregate, rather than independently. D'ARCY, ENTERPRISE RISK
MANAGEMENT, at 3.

3. Legal Risk And Compliance

The dynamic condition of today's corporate world has moved the legal department's role
from the traditional legal risks, i.e., contractual, regulatory, and employment risks, to an
expanded role concerning other legal risks involving compliance and corporate governance. In
fact, a 2009 survey conducted by the Practical Law Company revealed a current trend that the
recent financial crisis has fundamentally altered the legal risk environment for most companies.
CAROLINE FRIEND & MARIANA TEIXEIRA, PRACTICAL LAW COMPANY, BENCHMARKING SURVEY:
LEGAL RISK AND COMPLIANCE (Legal & Commercial Publishing Limited 2009).

The survey, as it relates to this trend, made several observations: the perceived causes of
the crisis are likely to lead to new legislation and regulation, particularly in banking and financial
services; many companies in financial difficulty may be forced to consider a range of
restructuring strategies, which may bring their own risks; customers and suppliers are more
likely to get into financial difficulty, e.g., increasing the need for contractual protection; the
global turmoil has led to increased litigation, particularly in the United States; and following
some major scandals, there is an increased focus on fraud and corruption. ID., at 2. Along with
this trend, the PLC survey identified ten other trends, some of which are: key areas of legal risk
varied from sector to sector, but operational/contractual issues, general compliance, and
fraud/money-laundering have moved up the agenda for most legal departments; fewer companies
saw a rise in the budget for legal risk management; however, an increasing proportion predicts a
rise in budgets over the next two years; general counsel find the task of monitoring and enforcing
compliance programs considerably easier, compared to last year; however, developing a
compliance culture remains an area of concern; nearly all general counsel report directly to the
CEO or chair of the company; and despite the pressures brought to bear by the current climate,
general counsel remain reasonably confident in their legal management processes. ID., at 3-9.

4. Risk Management Processes

[Figure: ERM Framework. Source: MCCARTHY & FLYNN, RISK FROM THE CEO AND BOARD
PERSPECTIVE, p. 257.]

The Australia/New Zealand Risk Management Standard is a set of risk management
standards issued in 1995 that call for a formalized system of risk management and for reporting
to the organization's management on the performance of the risk management system, creating
a benchmark for enterprise risk management programs. OVERVIEW OF ENTERPRISE RISK
MANAGEMENT, at 35. These standards describe enterprise risk management as:

establishing an appropriate infrastructure and culture and applying
a logical and systematic method of establishing the context,
identifying, analyzing, evaluating, treating, monitoring and
communicating risks associated with any activity, function or
process in a way that will enable organizations to minimize losses
and maximize gains.

Australian and New Zealand Standard on Risk Management, AS/NZS 4360 (2004).

Enterprise risk management is separated into several stages, as originally detailed in the
above definition and since adjusted through the years by risk management experts. First, to be
able to recognize a risk it is necessary to know what is at risk. DALE F. COOPER, TUTORIAL
NOTES: THE AUSTRALIAN AND NEW ZEALAND STANDARD ON RISK MANAGEMENT, AS/NZS
4360:2004 (Broadleaf Capital International Pty Ltd. 2007), at 2. This stage, known as
establishing the context, includes external (defining the relationship of the company with its
environment), internal (understanding the overall objectives of the company), and risk
management contexts (identifying the risk categories of relevance to the company). OVERVIEW
OF ENTERPRISE RISK MANAGEMENT, at 11. The next stage, identifying the risks, involves
documenting the conditions and events that represent material threats to the company's
achievement of its objectives or represent areas to exploit for competitive advantage.
Brainstorming by the decision makers in the company with experience and knowledge in risk
management is the preferred approach to identifying the risks. COOPER, TUTORIAL NOTES: THE
AUSTRALIAN AND NEW ZEALAND STANDARD, at 3.

The next stage generally involves three steps: analyzing, integrating and prioritizing the
risks. The analysis and/or evaluation stage assigns each risk a significance rating, taking into
account any existing factors which will operate to control the risk, to develop an initial view of
the significance of the identified risks. ID., at 4; OVERVIEW OF ENTERPRISE RISK MANAGEMENT,
at 12-13. Then, the company must treat the risks, that is, determine whether to avoid, retain,
reduce, transfer, or exploit the identified risks. OVERVIEW OF ENTERPRISE RISK MANAGEMENT, at
13. The risk management process next goes through the monitoring and reviewing stage to
continually gauge the risk environment and the performance of the risk management strategies. ID.,
at 13. Finally comes the consultation and communication stage; that is, successful risk management
relies on achieving a high level of creative input and focused communications involving all
decision makers. COOPER, TUTORIAL NOTES: THE AUSTRALIAN AND NEW ZEALAND STANDARD,
at 5.

5. Enterprise Risk Mitigation Models

[Figure: Strategic Risk Management Model. Source: MCCARTHY & FLYNN, RISK FROM THE CEO
AND BOARD PERSPECTIVE, p. 19.]

Enterprise risk management programs will vary from company to company; however,
each is essential (in any form) for the consideration and recognition of risks throughout the
company. BARTON, MAKING ENTERPRISE RISK MANAGEMENT PAY OFF: HOW LEADING
COMPANIES IMPLEMENT RISK MANAGEMENT, at 30. The chief executive officer is the company's
chief risk management officer; however, a unique individual, e.g., a chief risk officer, may be
necessary to spearhead the effort to manage the company's risks. This chief risk officer would be
responsible for executing and communicating the initiatives taken to assess, shape, optimize, and
monitor risk impacting the company to the chief executive officer and the Board. Regardless, it
is important in every enterprise risk management program that decision makers at all levels
consider risk management an active part of their job, and not simply an afterthought. ID., at 13.

6. Conclusion

Enterprise risk management is a discipline that must be more than a mere suggestion to
be successful. At a minimum, a successful enterprise risk management program must develop an
aggregate approach to handle or address risk broadly across the company. Indeed, whether it
succeeds will depend on the commitment made by the company, i.e., the senior management and
board of directors, to make risk management a priority.


BIBLIOGRAPHY
THOMAS L. BARTON, WILLIAM G. SHENKIR & PAUL L. WALKER, MAKING ENTERPRISE RISK
MANAGEMENT PAY OFF: HOW LEADING COMPANIES IMPLEMENT RISK MANAGEMENT (Financial
Times/Prentice Hall PTR 2002).
DALE F. COOPER, TUTORIAL NOTES: THE AUSTRALIAN AND NEW ZEALAND STANDARD ON RISK
MANAGEMENT, AS/NZS 4360:2004 (Broadleaf Capital International Pty Ltd. 2007).
MICHAEL CROUHY, DAN GALAI & ROBERT MARK, THE ESSENTIALS OF RISK MANAGEMENT (The
McGraw-Hill Companies, Inc. 2006).
STEPHEN P. D'ARCY, ENTERPRISE RISK MANAGEMENT (University of Illinois at
Urbana-Champaign, May 30, 2001).
AL DECKER & DONNA GALER, GETTING THE FOCUS ON ENTERPRISE RISK MANAGEMENT RIGHT
(The Risk and Insurance Management Society, Inc. 2010).
CAROL A. FOX & MICHAEL S. EPSTEIN, WHY IS ENTERPRISE RISK MANAGEMENT IMPORTANT FOR
PREPAREDNESS? (The Risk and Insurance Management Society, Inc. 2010).
CAROLINE FRIEND & MARIANA TEIXEIRA, PRACTICAL LAW COMPANY, BENCHMARKING SURVEY:
LEGAL RISK AND COMPLIANCE (Legal & Commercial Publishing Limited 2009).
DAVID HECHLER, CORPORATE COUNSEL, HAVE WE LEARNED ANYTHING? (ALM Media
Properties, LLC, 2010).
TIM MAHANEY, TERRY FLEMING & MARY ROTH, EXCELLENCE IN RISK MANAGEMENT VII:
ELEVATING THE PRACTICE OF STRATEGIC RISK MANAGEMENT (Marsh, Inc. 2010).
MARY PAT MCCARTHY & TIMOTHY P. FLYNN, RISK FROM THE CEO AND BOARD PERSPECTIVE
(The McGraw-Hill Companies, Inc. 2004).
OVERVIEW OF ENTERPRISE RISK MANAGEMENT (Casualty Actuarial Society, Enterprise Risk
Management Committee, May 2003).
RICHARD W. SARNIE, ERM: DO YOU KNOW WHAT IT MEANS? (The Risk and Insurance
Management Society, Inc. 2010).
PAUL L. WALKER, WILLIAM G. SHENKIR & THOMAS L. BARTON, ENTERPRISE RISK
MANAGEMENT: PULLING IT ALL TOGETHER (The Institute of Internal Auditors Research
Foundation 2002).
