When ERM first emerged on the scene in the mid-1990s, pundits predicted a new world order in managing risk. Financial services companies and deregulated energy suppliers latched onto the approach, pressured by government regulators and anxious boards of directors to pinpoint, articulate and govern the underlying risks to shareholder capital. Suddenly, the chief risk officer became a must in top-tier management in these industries. Gradually, a few companies outside these two industries, like Ford, also began to see the logic of ERM.

The Long Road to ERM

Then, they were forced to implement it. The strategy is demanding, costly and time-consuming. Each risk is measured for potential frequency and financial severity, quantified in such a way as to allow comparison with other risks. Some may offset others, thus reducing overall risk, while others may compound aggregate risk. Finally, a determination must be made on how to transfer risks deemed outside the company's core competency, either through insurance, a derivative financial instrument or a contract with a third party (like a vendor), in which that party absorbs the risk.

For example, a company building a plant in Mexico to sell widgets locally will want to measure the risks of fire, asset expropriation, market introduction, currency exchange, employment and commodity prices–in a multitude of different "what if" risk scenarios. These risk exposures require the involvement of all the organization's risk managers–which is why an ERM team is critical and elusive. "You can't talk about financial risks without the HR people there or vice versa," says Jeffrey Cole, a vice president at McNeary Insurance Consulting, a Charlotte, N.C.-based risk-management firm.

Then, there are the costs. The technology to perform the various risk-modeling exercises is not inexpensive–upwards of $500,000. In the late 1990s, that was lunch money, but not these days. "With insurance costs skyrocketing and revenues down generally because of the recession, even the most conscientious companies are putting their ERM plans on hold," Cole says. "Frankly, the subject doesn't really come up as much in conversation now, and when we bring it up, it stops the conversation. There are other more important fish to fry."

Many companies outside financial services and energy are sticking to more traditional risk management, says James Lam, founder and vice chairman of ERisk Holdings LLC, a New York-based risk technology and consulting firm. "Energy and finance firms face higher levels of market risk and credit risk, and have heightened requirements for earnings stability–hence the need for an integrated approach to managing risk," Lam explains. "But if you're in an industry that deals primarily with operational risk issues, the traditional audit and compliance controls may be sufficient to manage risk, as opposed to a full ERM strategy. It boils down to whether or not risk management is a core competency of the company and a part of business strategy."

ERM also may unearth risk exposures that are better left in the dark. "Many companies believe this is not the time to dig below the surface," Cole says. "They want to showcase their strengths to make them more insurable at the least cost–not uncover and introduce risks that may cause insurability problems."

Others believe the value of ERM has been overstated by its proponents. "In order for the diversification advantage to be present, the correlation between different risk types would need to be perfect," says Deborah J. Pretty, an economist and principal at Oxford Metrica, an Oxford, England-based independent strategic advisor specializing in corporate risk. "I am slightly dubious as to the potential."

Not surprisingly, ERM malaise is affecting the growth rate in the number of CROs. "Our database indicates the number of CRO appointments has slowed in the last two years," says ERisk's Lam. "Only 10% of the 200 CROs we have tracked are outside financial services and energy."

CROs vs. CFOs

Lam should know: He is a poster executive for ERM, pioneering the strategy in the mid-1990s at Fidelity Investments, where he had the distinction of being the first CRO in history, a title he actually coined. But in financial services, ERM has lived up to its promise.

Turf issues also may play a role in diminished CRO postings, with many traditional executives leery of a perceived interloper. "The CRO position has created a power play within organizations, challenging the conventional executive structure that has existed for decades," says Art D'Elia, managing director and head of the risk management search practice at executive search firm Korn/Ferry International. "Treasurers and CFOs are concerned about losing their power. Many won't admit to this, but it is a reality." D'Elia has secured CROs for several corporate clients, including Wood at Ford.

Some observers say a CRO is a redundant executive. "The CRO should be the CFO," says Robert Arvanitis, president and CEO of Risk Finance Advisors, a Westport, Conn.-based risk-advisory firm. "Isn't enterprise risk management the CFO's job in the first place? Aren't companies structured into different risk management departments in order to help the CFO manage the organization's risks?"

Even CRO pioneer Lam has misgivings. "I haven't drunk the Kool-Aid and said every company should appoint a CRO or pursue ERM," he says. "But that doesn't mean many shouldn't. I still believe there is a lot of value in ERM to the strategic planning process."

Certainly, many companies engaged in ERM agree it is the right and real thing, despite the time and expense involved. Wood has been at it for two years now, and he admits the journey is not yet concluded. It took a full year just to assemble an integrated risk management team and another year to measure Ford's discrete risks and overall risk tolerance. Wood, formerly with investment bank BNP Paribas, is just now beginning to apply these metrics to Ford's strategic decisions. "For example, by knowing our tolerance for risk, we can work backwards from there to determine the risk limits we take in, say, a counter-party default risk, a currency risk or an insurance risk," he explains. "Our key objective is simply to integrate risk management as a strategic part of the business decision-making process on an ongoing basis, so that when a business unit leader is trying to determine strategy, either I or a member of my risk management team is sitting in on it."

One plus, for instance: Prior to Wood's appointment, Ford's various risk overseers did not share risk information via a centralized reporting structure. Individual units managed the risks of foreign exchange, commodities, interest rates and insurance risks with very little, if any, interplay. Given the costs of the Firestone tire-recall debacle, which can be measured as an aggregation of different risk exposures–legal risk, customer-relations risk, brand risk, product-liability risk, supply-chain risk, etc–a comprehensive approach to managing these exposures makes sense. "My job was to bring together these different risk managers into a global organization that could look at our various risks in a more consistent and comprehensive way," says Wood.

By examining Ford's diverse risks through a single lens, Wood hopes to identify excessive risk concentrations, correlations and non-correlations to calculate the accumulated impact on earnings. "A business unit leader could then work with us to modify that unit's risk profile in order to reduce the earnings impact," he explains.

RBC Financial Group (formerly Royal Bank of Canada) had similar objectives when it jumped on the ERM bandwagon four years ago. "We wanted to align our risk appetite to our business strategy," says Suzanne Labarge, vice chairwoman and CRO at RBC, a Toronto-based bank with a market capitalization of $21 billion. To do that, Labarge erected a risk pyramid that identifies all the risks that "could stop this organization from being what it wants to be," she says. RBC lays the pyramid like a template on each business decision. Before, "no one was quite sure how much risk was being taken on in one area or another, since risk management was so decentralized," Labarge says. "Now we've got transparency."

Due for a Revival?

At the bottom of the pyramid are those risks that RBC has greatest control over, such as credit, market, insurance, liquidity and operational exposures. The next level up is reputational risk, then strategic, then competitive, regulatory and legal risks, and finally systemic risk. "That's the one we have virtually no control over, the tidal wave of risk that central banks fret about, where something happens in one market and has a ripple effect that topples other markets–basically a complete economic collapse," Labarge says.

No doubt, some of the apathy toward ERM stems from the recession: Clearly it is expendable. But a survey by insurance broker Aon Risk Services indicates the strategy is on many agendas. "We found that while only 1% of respondents [500 U.S. and European companies in diverse industries] have fully integrated risk management strategies in place today, 39% said they would within three years," says Randy Nornes, managing director at Chicago-based Aon. He himself is working with several companies in the pharmaceutical and consumer-products industries interested in undertaking the strategy. So a couple of years from now, Freeman Wood may be glad he was willing to carry the ERM banner through its roughest patch.