Enterprise Risk Management: From Incentives to Controls




Successful risk management requires balance—of risk and reward, controls and culture, art and science. In the fully revised and updated Enterprise Risk Management: From Incentives to Controls, Second Edition, James Lam leads you on a thorough exploration of ERM from the unique perspective of one of the world’s foremost authorities on risk and business management. With an abundance of first-hand experience, Mr. Lam provides practical guidance from his work as a chief risk officer, a trusted board advisor and management consultant, and a public company director. Throughout the book, he provides case studies and real-world examples—every aspect of risk management is distilled and discussed—from the perspective of highly effective and proven corporate leadership.

Business executives and risk management professionals are tasked with identifying and taking intelligent risks. In this book, Mr. Lam explains how an over-reliance on quantitative risk measurement has directly contributed to some of the high-profile risk management failures of recent years. Most risk models are simply incapable of accurately predicting the complex scenarios that could lead to financial disaster, which is why Enterprise Risk Management: From Incentives to Controls, Second Edition posits that your company’s risk profile—and ultimately the success or failure of its risk management strategy—is driven by the decisions and actions of its leadership and employees.

Based on direct experience with more than 50 ERM programs, Mr. Lam explains how to establish best practices and overcome common barriers. In this updated Second Edition, a new section dedicated entirely to ERM Implementation articulates the importance of effective board risk oversight, risk assessment, risk-based decision making, and risk dashboard reporting in a way that is accessible for board members, business executives, risk professionals as well as their employees and stakeholders. Enterprise Risk Management: From Incentives to Controls, Second Edition takes you far beyond quantitative risk measurement and predictive modeling to a comprehensive understanding of how to build and nurture a corporate culture that encourages successful enterprise risk management.


Product Details

  • ISBN-13: 9781118413616
  • Publisher: Wiley
  • Publication date: 2/17/2014
  • Series: Wiley Finance Series
  • Edition number: 2
  • Pages: 496
  • Sales rank: 662,643
  • Product dimensions: 6.20 (w) x 9.10 (h) x 1.80 (d)

Meet the Author

JAMES LAM is widely recognized as the first ever Chief Risk Officer and a pioneer in the field of enterprise risk management. In a Euromoney survey, Mr. Lam was nominated by clients and peers as one of the world’s leading risk consultants. He currently serves as President of James Lam & Associates and Director and Chairman, Risk Oversight Committee of E*TRADE Financial. Previously, he held positions including Partner of Oliver Wyman, Founder and President of ERisk, Chief Risk Officer of Fidelity Investments, and Chief Risk Officer of GE Capital Markets Services, Inc. In 1997, Mr. Lam received the inaugural Risk Manager of the Year Award from the Global Association of Risk Professionals. Treasury & Risk magazine named him one of the “100 Most Influential People in Finance” in 2005, 2006, and 2008.

Read an Excerpt

Enterprise Risk Management

From Incentives to Controls

John Wiley & Sons, Inc.

Copyright © 2003 James Lam
All rights reserved.

ISBN: 0-471-43000-5


One evening in the autumn of 1995, I flew into Boston to have dinner with Denis McCarthy, then the chief financial officer of Fidelity Investments. McCarthy was the person to whom I would report if I accepted an offer to become the first chief risk officer for the corporation. I asked him what the main objective would be for this new position. His reply: "We want to operate in an environment in control, not a controlled environment."

I took that job with the understanding that Fidelity wanted to improve its risk management practices, but not at the price of destroying the entrepreneurial spirit and product innovation that had made it the largest mutual fund company in the United States.

Fidelity was not alone then and is not alone now. Every business faces the parallel challenges of growing earnings and managing risks. A thriving business must identify and meet customer needs with quality services and products; recruit and retain talented people; and correctly make business and investment decisions that will lead to future profit opportunities. However, the pursuit of new profit opportunities means that a business must take on a variety of risks. All of these risks must be effectively measured and managed across the business enterprise.

Otherwise, today's promising business ventures may end up being tomorrow's financial disasters. As I am fond of telling audiences when speaking on the importance of risk management, over the longer term, the only alternative to risk management is crisis management - and crisis management is much more expensive, time consuming, and embarrassing. The majority of such audiences have experienced one or more crises in their time, so this is a message that rings true.

Every business decision involves an element of risk. There are risks involved in making investments, hedging with derivatives, or extending credit to a retail customer or business entity. There are also risks involved when developing and pricing new products, hiring and training new employees, aligning performance measurement and incentives with business objectives, and establishing a culture that balances revenue growth and risk management.

Over time, individual business decisions and risks collectively build up into a company's overall risk portfolio, which will have a unique risk profile. This risk profile will determine the company's earnings - and earnings volatility - over the business cycle. Some decisions will be winners and some will be losers. Some risks will offset each other, some risks will be unrelated to each other, and some will compound each other. In order to manage risk effectively, a business must address not only its underlying risks, but also the interrelationships between them.

As we will see from the numerous case studies discussed in this book, ineffective risk management can lead to reduced earnings or even bankruptcy. However, risk management means different things to different people. In this book, risk management is defined in its broadest business sense. Risk management is not just about using derivatives to manage interest rate and foreign exchange exposures - it is about using a portfolio approach to manage the full range of risks faced by an enterprise. Nor is risk management only about establishing the right control systems and processes - it is also about having the right people and risk culture. And although the term has come to bear some negative connotations, risk management is not only about reducing downside potential or the probability of pain, but also about increasing upside opportunity or the prospects for gain.

Individual investors managing their investments must be careful when it comes to the amount of risk that they take on. If they take on too much risk, perhaps by making aggressive investments, the losses could exceed their risk tolerance, or be too uncertain for comfort. On the other hand, if they fail to take on enough risk, by making conservative investments, they may earn returns that are stable, but inadequate for achieving the investor's financial objectives.

Striking an optimal balance between risk and return is not only important to the individual investor, it is also an imperative for business management. The concept of "no risk, no return" is widely accepted in the business world. A corollary to that concept is "higher risk, higher return," a positive relationship illustrated in Figure 1.1. This is how many people think about the trade-off between risk and return, and it has the virtue of simplicity. However, it is certainly not valid if risk is put into its proper perspective.

A better way to think about risk and return is illustrated in Figure 1.2. The focus is no longer on the relationship between risk and absolute return, but about the relative or risk-adjusted return. A company in zone 1 is not taking enough risk, and its capital is being underutilized. This company would be better off increasing risk through a growth or acquisition strategy, or reducing capital through higher dividends. In zone 3, however, the company is taking too much risk. This company's risk level is above and beyond its risk absorption capability in terms of capital, and/or its risk management capability in terms of people and systems.

In zone 2, the company has found the "sweet spot" that optimizes its risk/return profile. The problem is that most companies do not even have good information on enterprise-wide risk exposures (which is to say, where they are on the horizontal axis), let alone where they are on the risk-adjusted return curve. To make matters worse, the net present value and economic value-added models frequently used in strategic planning naturally favor higher-risk investments unless proper adjustments are made to account for risk. Over time, investments guided by these unadjusted models may inadvertently lead a company to drift into zone 3.

A principal message of this book is that a company should develop an integrated approach to measuring and managing all of its risks in order to optimize its risk/return profile. A key management requirement for risk/return optimization is to integrate risk management in the business processes of the company.

We've seen, then, that risk is an inescapable part of doing business and argued that a business should strive toward its optimal risk/return profile. However, there is another question that deserves examination: why manage risk? Indeed, why read this book?

A company could conceivably agree that it bears risks but feels it inappropriate to manage them, rather than simply live with them. Risk management may seem to be irrelevant, too costly, or not in accordance with the interests of the company's stakeholders. Some academics have argued positions close to these, as we will see. Certainly, before a company invests money and other valuable resources into risk management (and before the reader spends any more time reading this book), the "value proposition" of risk management needs to be clearly established.

Perhaps the best way to answer the question "why manage risk?" is to borrow a popular technique used by diet and other self-improvement programs. That simple but effective technique is to paint a clear picture of the gain of action along with an equally clear picture of the pain of inaction. In the next section, we'll paint the happy picture: the benefits of effective risk management in terms of the expected benefits and gains. In the section thereafter, we'll paint the dire picture of the severe negative consequences - the pain - that may be suffered if effective risk management is not in place.


Numerous academic papers have established the theoretical basis for managing risk, arguing that it can reduce taxes, reduce transaction costs, and improve investment decisions. However, beyond the theory there are at least four practical reasons why risk management should be of paramount importance to the management of a firm. In this practical context, risk management should be defined more broadly, to include internal controls as well as hedging.

Let's now take a look at these four reasons in turn.

Reason #1. Managing risk is management's job. One notion in modern finance theory is that managing risk, or more specifically hedging, is not necessary because an investor can reduce risk through a diversified investment portfolio. Regardless of what some theoreticians may argue, you will never in the real world hear a fund manager or individual investor tell a company's management, "Don't worry about managing risk or bankrupting the company - I have a large diversified portfolio."

Managing the risks of a business enterprise is the direct responsibility of its management, not of its shareholders. While modern portfolio theory is a major contributor to the theory and practice of finance and risk management today, the argument that the investor can better manage or diversify risks does not ring true in the real world. The average individual investor probably spends more time buying a new car than addressing the risks of his or her investment portfolio. Even the professional fund manager is several degrees away from the "insider knowledge" required for effective risk management, which includes:

* Historical data on risk/return results, volatilities, and correlations

* Current risk exposures and concentrations in the business

* Future business and investment plans that may alter the firm's risk profile

Given the complexity of the above information, as well as the lack of full transparency to outsiders, the shareholder cannot be expected to make optimal risk/return decisions. Measuring and managing enterprise-wide risks is a great challenge even for the enterprise's management, which has superior access to information and support from risk management professionals. The most that shareholders can do is to elect an independent and risk-astute board that will represent their interests, and walk away with their investment dollars if they are not happy with management's performance. In the meantime, it remains management's job to ensure that the company achieves its business objectives and is not exposed to excessive risks.

Reason #2. Managing risk can reduce earnings volatility. One of the key objectives of risk management is to reduce the sensitivity of a firm's earnings and market value to external variables. For example, the stock prices of companies that are more active in, say, market risk management should exhibit lower sensitivity to market prices. This is borne out by the empirical evidence. For example, a study published in 1998 by Peter Tufano of the Harvard Business School ranked gold producers in terms of the intensity of their hedging activities. The conclusion was that the stock prices of those in the top quartile were about 23 percent less sensitive to gold price changes than those of the bottom quartile. Companies exposed to interest rates, foreign exchange rates, energy prices, and other market variables can better manage earnings volatility through risk management. Managing earnings volatility today is more important than ever given that the stock market severely punishes stocks that fail to meet earnings expectations. At the same time, the Securities and Exchange Commission (SEC) and other regulatory bodies are cracking down on "earnings management" practices that use accounting techniques to smooth out earnings. In this business environment, management must pay more attention to managing the underlying risks of the business.

Reason #3. Managing risk can maximize shareholder value. In addition to managing earnings volatility, risk management can help a business enterprise to achieve its business objectives and maximize shareholder value. Companies that undertake a risk-based program for shareholder value management typically identify opportunities for risk management and business optimization that can add 20 to 30 percent or more to shareholder value. Such improvements can be achieved by ensuring that:

* Target investment returns and product pricing are established at levels that reflect the underlying risks.

* Capital is allocated to projects and businesses with the most attractive risk-adjusted returns, and risk-transfer strategies are executed to optimize portfolio risk and return.

* The company has the appropriate skills to manage all of its risks, in order to protect against large financial losses or damage to its reputation or brand.

* Performance metrics and incentives, at both the individual and business unit levels, are in congruence with the enterprise's business and risk objectives.

* Key management decisions, such as mergers and acquisitions and business planning, explicitly incorporate the element of risk.

Strategies for achieving these objectives, and case studies of how they work in practice, will be discussed in the main sections of the book.

A 1998 study by George Allayannis and James Weston of the University of Virginia has supported the notion that active risk management contributes to shareholder value. Allayannis and Weston compared the ratio of market value to book value for companies that were more or less active in market risk management between 1990 and 1995, as measured by their hedging activities. They found that the more active companies were rewarded with an average increase of 20 percent in market value. Risk management adds value not only to individual companies, but also supports overall economic growth by lowering the cost of capital and reducing the uncertainty of commercial activities.

Reason #4. Risk management promotes job and financial security. On an individual level, perhaps the most compelling benefit of risk management is that it promotes job and financial security, especially for senior managers. In the aftermath of the fall 1998 turmoil in financial markets, a significant number of chief executive officers (CEOs), chief operating officers, chief risk officers, and business group heads of financial institutions lost their jobs because of poor risk management performance. Senior executives in other industries have faced a similar fate in the wake of risk management problems. More recently, senior executives involved in corporate frauds and accounting scandals have appeared on national television being led away in handcuffs and face the potential of severe criminal sentences.

In addition to "career risks," senior executives with a significant portion of their wealth tied up in company stocks and options have a direct financial interest in the success and survival of the firm. These incentives, if structured appropriately, work to put the "skin in the game" for managers, resulting in a strong alignment between management and shareholder interests.


Excerpted from Enterprise Risk Management by JAMES LAM Copyright © 2003 by James Lam. Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.


Table of Contents

Preface

Acknowledgments

Section One Risk Management in Context

Chapter 1 Introduction

The Benefits of Risk Management

Integration Adds Value

Cautionary Tales

Chapter 2 Lessons Learned

Lesson #1: Know Your Business

Lesson #2: Establish Checks and Balances

Lesson #3: Set Limits and Boundaries

Lesson #4: Keep Your Eye on the Cash

Lesson #5: Use the Right Yardstick

Lesson #6: Pay for the Performance You Want

Lesson #7: Balance the Yin and the Yang

Chapter 3 Concepts and Processes

Risk Concepts

Risk Processes

Risk Awareness

Risk Measurement

Risk Control

Risk Is a Bell Curve

Chapter 4 What Is ERM?

ERM Definitions

The Benefits of ERM

The Chief Risk Officer

Components of ERM

Section Two The Enterprise Risk Management Framework

Chapter 5 Corporate Governance

Codes of Conduct

Best Practices

Linking Corporate Governance and ERM

Chapter 6 Line Management

The Relationship Between Line and Risk Functions

Key Challenges

Best Practices

Chapter 7 Portfolio Management

The Theory of Active Portfolio Management

Benefits of Active Portfolio Management

Practical Applications of Portfolio Management

Chapter 8 Risk Transfer

A Brief History of ART

Advantages of ART

Pitfalls of ART

A Look to the Future

Case Study: Honeywell

Case Study: Barclays

Chapter 9 Risk Analytics

Risk Control Analytics

Risk Optimization Analytics

Market Risk Analytics

Credit Risk Analytics

Credit Portfolio Models

Operational Risk Analytics

GRC Systems

Chapter 10 Data and Technology

Early Systems

Data Management

Interface Building

Middleware

Distributed Architectures

Key Factors for a Successful Implementation

Chapter 11 Stakeholder Management

Employees

Customers

Regulators

Rating Agencies

Shareholder Service Providers

Business Partners

Section Three Risk Management Applications

Chapter 12 Credit Risk Management

Key Credit Risk Concepts

The Credit Risk Management Process

Basel Requirements

Best Practices in Credit Risk Management

Case Study: Export Development Corporation (EDC)

Chapter 13 Market Risk Management

Types of Market Risk

Market Risk Measurement

Market Risk Management

Best Practices in Market Risk Management

Case Study: Market Risk Management at Chase

Chapter 14 Operational Risk Management

Operational Risk—Definition and Scope

The Operational Risk Management Process

Best Practice in Operational Risk Management

Emerging IT Risks

Case Study: Heller Financial

Chapter 15 Business Applications

Stage I: Minimizing the Downside

Stage II: Managing Uncertainty

Stage III: Performance Optimization

The Further Evolution of Risk Management

Chapter 16 Financial Institutions

Industry Trends

Risk Management Requirements

Systemic Risk

A Look to the Future

Case Study: CIBC

Chapter 17 Energy Firms

Industry Trends

Risk Management Requirements

A Look to the Future

Lessons Learned from Enron

Lessons Learned from the BP Oil Spill

Chapter 18 Non-Financial Corporations

Risk Management Requirements

Best Practices in Corporate Risk Management

Case Study: Microsoft

Case Study: Ford

Case Study: Airbus and Boeing

Section Four A Look to the Future

Chapter 19 Predictions

The Profession of Risk Management

Technology and the Convergence of Risk Management

Ten Predictions

2013 Looking Back

Chapter 20 Everlast Financial

Section Five ERM Implementation

Chapter 21 ERM Implementation

Benefits of Corporate Governance and ERM Practices

ERM Implementation Requirements

ERM Maturity Model

Other ERM Maturity Models

Risk Culture

Chapter 22 Role of the Board

Board Oversight Requirements

Current Board Practices

Case Study: JP Morgan Chase

The Last Line of Defense

Chapter 23 Risk Assessment

Risk Assessment Methodology

Best Practice Case Studies in Risk Assessment

Appendix: Risk Assessment Self-Evaluation Checklist

Chapter 24 Risk-Based Decision Making

ERM Decisions and Actions

Creating Value through ERM

Case Study: Duke Energy

Chapter 25 Dashboard Reporting

Traditional versus Dashboard Reporting

General Dashboard Applications

ERM Dashboard Implementation

Evolving Best Practices

Notes

Index
