T&R:  At a systemic level, how well have the global financial markets evolved to avoid future financial crises?

Max Rudolph:  Horribly. I'm working on a research project on the low-interest-rate environment, and although I don't see problems that are as obvious as the problems in the residential mortgage market back in 2007, I do see four bubble risks in the global economy. One is another systemic bubble around excessive leverage. U.S. government subsidies continue to drive down interest rates, so companies are taking on more leverage than they would if rates were higher. That's a given. The problem is that we don't always see where the excessive leverage is until either interest rates go back up or an asset class starts to blow up.

The second is a bubble in farmland prices, which have jumped a lot over the past few years. The third is a bubble in the high-yield credit risk market. That's not as bad as we've seen in the past, so that one might continue to grow for a while before it bursts.

And then the fourth bubble is in the movement back to making loans easier on the borrower. Some of the Dodd-Frank regulatory changes have gotten quite watered down, and we're seeing companies taking on some of the same risks they were taking on before the financial crisis, using 'covenant-lite' loans and similar vehicles. I thought those lessons were learned five years ago, but apparently they weren't.

T&R:  How should knowledge of these bubbles impact the day-to-day financial and operational decisions of individual companies?

MR:  Well, the systemic leverage and covenant risks certainly cascade down to individual businesses. If you're given the chance to borrow at 2 percent, you can come up with all kinds of opportunities that meet that threshold but wouldn't pass muster with a 6 percent threshold. It's critical to have somebody on staff looking at financial risks from a what-if, stress-test perspective. What if interest rates go to 10 percent? How big of a deal would that be? You can avoid a lot of problems with scenario analyses.

One of the most interesting changes that I've seen in enterprise risk management since the financial crisis is a heightened interest by the board and other stakeholders. Practices are often driven by the interest of the board; as soon as the board starts asking questions, senior management is going to take ERM more seriously. And we've seen corporate boards, and rating agencies as well, increasingly asking questions like 'What keeps you up at night?' They're trying to supplement the economic capital models. The models are important, but as the saying goes: Every model has benefits, but every model is wrong as well.

In the Emerging Risk Survey, we ask, 'Are you, as a risk manager, being asked to predict the future?' Respondents have said, 'We're not being asked to predict a specific future, but we're being asked to present a range of futures.' That's exactly what I hoped to hear, and that response has become more prevalent over time. More and more risk managers are being asked to look at what-if scenarios and different stress tests.

T&R:  What types of risks are companies using scenario planning to evaluate?

MR:  It depends on the company. If you're talking about a bank or an insurance company, the financial risks tend to be the primary exposures that they have, so that's what they spend the most time on. Obviously a manufacturing or services company is going to spend more time looking at operational risks. But financial, operational, and other risks can be closely intertwined. For example, look at the Deepwater Horizon accident at BP. That's had a huge financial impact, but the underlying drivers of the accident were operational, not financial. If BP had spent more time looking at their risks and the potential downside of those risks, they might have avoided at least some of the problems resulting from that accident.

T&R:  Are you seeing significant changes in how companies manage their financial risks?

MR:  Since Hurricanes Katrina and Sandy, a lot of companies have been spending more time on things like supplier and vendor risks. They are reducing their reliance on suppliers concentrated in one geographic area. Unfortunately, with regard to other financial risks, companies would rather herd with everybody else than be the outlier. They would rather go over the cliff doing the same practice that everybody else is doing than to step out and say, 'This practice doesn't make any sense.' That's been a real disappointment to me.

T&R:  Does that mentality generally come from the board?

MR:  For public companies, it's hard. If you don't meet your quarterly targets, you'll have an activist investor after you, and you won't stay in charge very long if you aren't using practices that are common in the industry. It's a little easier for a private firm or a family-owned firm to make those tough decisions.

T&R:  Since the financial crisis, have companies begun taking a more holistic approach to risk management?

MR:  Yes. More and more companies are trying to overcome their internal silos when it comes to risk management. So, for example, suppose a company has currency risk in three different geographic regions; say its business is segmented into operations in North America, South America, and Europe. Each of those three units has always had currency risk, but in a lot of companies there's now more of a proactive attempt to manage the risks from a corporate perspective. So the company might have more internal currency trading going on, as opposed to the business units going outside to a third party to hedge their foreign exchange risk. I see a lot of companies managing risk much more holistically than they did in the past.

T&R:  So, what's the key to implementing best practices in ERM?

MR:  The key to successful enterprise risk management is for companies to think of it as a process and not a project. A lot of companies will bring in a consultant and say, 'We want to implement ERM.' But as soon as the consultant leaves, the ERM initiative goes up on the shelf. The company may pull it out if a ratings agency asks for it, but it's not actually embedded in the risk culture of the firm.

One of the most important ways to achieve best practices in risk management is to make sure it's not just top-down—not just the CEO saying, 'We need to be doing this'—but also bottom-up. The lowest-level person should be thinking about risk when they're doing their job. They should perpetually be saying, 'Does this make sense, or does this not make sense?' Companies should have a risk culture in which people are encouraged to speak up if they see something that doesn't pass a test of common sense.

In the insurance industry, there are some great stories where an employee who is right out of high school is hired to process new policies and notices something that looks odd. Maybe 10 policies in a row from the same agent all look really similar. When people like that have the wherewithal, the confidence, and the encouragement to say something, they can uncover fraud.

T&R:  Where do you think corporate risk management practices are currently lacking?

MR:  Right now—at big companies, especially—many chief risk officers are not as contrarian or as skeptical as I think they should be. The culture at big companies tends to be a little bureaucratic, so risk managers often get to the top by avoiding situations that would make waves. But the best CROs are the ones who are comfortable challenging the status quo and asking questions.

That comes back to the risk culture, which is usually driven by the CEO. Companies always need to keep pushing to encourage skeptical practices, to not just have one view of the world but to have multiple perspectives. It's very important to risk management to have people playing devil's advocate, not just accepting whatever the CEO says as right. None of us is perfect.

T&R:  That would require a big cultural change in a lot of companies, wouldn't it?

MR:  Yes, it would be a major undertaking. It's not common practice today—and in my mind, that decision-making risk is one of the biggest concentration risks companies have. A small number of people are making all the decisions, which reduces a company's likelihood of having normal results. That could be either a positive or a negative. When decision-making is in the hands of just a few people, the company has a higher probability of having better-than-average results, but also a higher probability of having worse-than-average results.

One other problem with current risk management practices that I've found in my research on emerging risks is that the time horizon many companies use to evaluate risks is far too short. A lot of organizations have trouble getting beyond one year, and very few are comfortable going beyond the end of their business plan, which is three—or, at most, five—years out. But companies really need to look at emerging risks from a long-term perspective. Sometimes something that seems like a positive may have negative consequences, or vice versa. Think about what would happen if medical researchers found a cure for cancer. That would be great for individuals, but if it involved a recurring cost every year, like the HIV solution does, then health insurers would take a big hit. This very positive event would have an unintended negative consequence for health insurance companies.

Corporate risk managers need to think through all kinds of scenarios over multiple time periods. They need to get past the mind-set of 'Let's look at this over a three-year period because that's the length of our incentive compensation plans.'

T&R:  How can a company determine what sorts of scenarios to analyze if its time horizon is 20 or 30 years in the future? How should risk managers narrow down all the millions of different things that could possibly happen that would affect their business in some way?

MR:  It's incredibly hard. The first step is to make sure the risk management team is not taking an insular perspective. They should talk to people who are experts in scenario planning, maybe follow some outside sources in the areas that they're looking at. The World Economic Forum and our Emerging Risk Survey do some good work on emerging risks. Talking to a third party can help companies think about things in a different way that may not come naturally to most people.

T&R:  Is it also important for risk managers to make sure they're getting out and about within the company, that they're engaging people in operations, finance, and other areas in conversations about risks the organization may face?

MR:  Yes, that's incredibly important. One thing I've always suggested to people is that when you're right out of college and you have the opportunity to join the company's softball league or bowling league, you should. Twenty years later, when you're the chief risk officer, you're going to find that the operations managers you've known since they were 22 are much more comfortable talking to you about risk scenarios than they would be if they'd never met you before.

T&R:  In companies that are doing a good job with ERM, what does staffing look like on the risk management team?

MR:  A risk team needs to include people with different backgrounds. If your chief risk officer is an accountant, you'll want to also include people who have worked in operations, in investments. And one thing that's critical in ERM is to develop and share a glossary, a common set of terms. When I was working in a corporate environment, part of my job was to be what I called an interpreter. I'd sit in a meeting with our chief investment officer, chief financial officer, chief actuary, and CEO, and sometimes one of them would say something and one of the others would turn to me and say, 'OK, now say the same thing using words that I know.' It's interesting how quickly enterprise risk management can get stuck when people aren't speaking the same language.