Enterprise Risk Management: From Incentives to Controls

You bought Jorion, Pearson, and Hull; you slammed headfirst into the quantitative quagmire of risk management, and you may even have passed the Financial Risk Manager exam, sponsored by the Global Association of Risk Professionals, but are you prepared to become your company's "Risk Champion?" Can you explain to laymen why loss distributions are not normal? Can you illustrate the "sweet spot" in the profit/risk tradeoff? If you aren't quite there yet, pick up James Lam's new book, Enterprise Risk Management, From Incentives to Controls. It's a book you can read on the five hour flight from New York to Los Angeles, and its melodies will linger in your memory. This book has changed the way I communicate with people both in and outside the risk management profession. Read it with a highlighter in your hand, and keep the book within easy reach.

The book has a very basic and elementary level. Probably this is due to the great array of topics it includes. It is a very high level overview of risk management concepts. Good reading for the weekend.

This book by James Lam provides an excellent insight into this current business strategic problem. In view of all the corporate governance coming from Sarbannes-Oxley legislation and Basel II capital pronouncements, this book provides the user with the building blocks in terms of explaining how credit, market, and operational risk all tie into the big picture of enterprise risk. The author enables one to understand these risks without getting bogged down in mathematical details. He effectively brings these risks together in terms of portfolio management and then presents the reader with some risk mitigation techniques. He goes beyond other books which just concentrate on financial institutions by bringing in energy firms and nonfinancial corporations in his concluding chapters. Lam's book is a must read for anyone considering a career in risk management.Gerald G. Wisz, Ph.D.Adjunct Associate Professor of FinancePolytechnic University, Brooklyn NYIndependent Risk Management Consultant

A little under ten years ago I reviewed "Enterprise Risk Management: From Incentives to Controls" by James Lam in Risk Professionals, the flagship magazine of the Global Association of Risk Professionals (GARP). In the book, Lam made ten predictions for the future of risk management. Ten years later, it is interesting to revisit his predictions and ask how many have come to pass.Here are the predictions with my comments:1. Enterprise Risk Management (ERM) will become the industry standard for risk management.Not just yet, but it's on its way. Among the key findings in a recent Accenture 2011 Global Risk Management Study was, "More than 80 percent of the survey respondents overall have a ERM program in place or plan to have one in the next two years."The study was based on a survey of C- level executives from 397 companies across ten industries in Europe, North America, Latin America and Asia. Similar studies confirm the same trend. There is not enough space, here, to name them all.2. The CRO will become prevalent in risk intensive businesses.As Lam states in his book, "The rise of the CRO goes hand-in-hand with the trend toward ERM". Again from the same study above, "Companies are establishing C-level oversight of the risk management function."About two thirds of all survey respondents have a Chief Risk Officer operating with that title. Another 20 percent have an executive in the role fulfilling those responsibilities. Thus the criticality of risk management is being recognized by the way the function is staffed and led. That said, there is still a chasm between the traditional risk management model and ERM. A comprehensive, enterprise wide focus on managing risk is an ongoing struggle for most organizations because of the behavioral changes to overcome the conventional management of risk in silos, which companies have had in place for a long time. For that reason, ERM has been pursued by visionary companies rather than by the mainstream of companies. In short, ERM is prevalent in all the major banks across the globe. The hedge fund community in particular is increasingly implementing an ERM model in light of increasing regulation and the broker-dealer market continues to define and establish the ERM model as well.3. Audit committees will evolve into risk committees.In January 2012, the committee of Sponsoring Organizations of the Treadway Commission (COSO) issued its draft ERM - Integrated Framework to be finalized later this year. The new Framework will play a key role in the internal audit function. The Institute of Internal auditors (IIA) says internal auditors should assist both management and the audit committee in their risk management responsibilities and oversight roles by examining, evaluating, reporting, and recommending improvements on the adequacy and effectiveness of management's risk processes. However, the IIA has taken a stand on what roles internal auditing should not undertake: setting the risk appetite, imposing risk management processes, management assurance on risks, taking decisions on risk responses, implementing risk responses on management's behalf, accountability for risk management. These activities should be direct from the top of the organization. Audit committees have evolved and continue to evolve into risk committees.4. Economic capital will be in; VaR will be out.With the advent of the recent economic downturn, the government bailout that injected TARP money into the banking system, and consequent regulation such as Dodd-Frank and Basel III, economic capital is certainly in and VaR is certainly out.5. Risk transfer will be executed at the enterprise level.Partially, this prediction was already realized "as far as hedging and insurance strategies were concerned" when Lam's book went to press. Today, management of risk transfers through assessments, systems and other tools is at the enterprise level.6. Advanced technology will have a profound impact on risk management.With the rise of risk systems reflecting state of the art applications that encompass regulatory requirements and beyond, this has certainly come to pass. For example, look to the latest automated risk enhancement of Credit Valuation Adjustments which ensures limits are met on a market basis.7. A measurement standard will emerge for operational risk.This operational metric has been formulated for reporting purposes as reported each month in regulatory reports and continues to evolve internally from an operational perspective.8. Mark to market accounting will be the basis for financial reporting.Remember, loans and securities make up the bulk of a bank's assets. Thus, the method you use to establish values for these securities when preparing your financial statements affects shareholders' equity and, in turn, has an effect on a bank's profit and loss statement. In light of the 2008 financial crisis, fair value accounting under FASB 157 returned to center stage with supporters and detractors of the rule. There is also a conflict between the way the U.S. regulators approach mark to market accounting and the approach of international standards under the IFRS. In effect, rules vs. principles. For our purpose here, suffice it to say that FASB and IFRS are exploring changes to the reporting and measurement of financial instruments. In effect, the jury is still out on this prediction.9. Risk education will be a part of corporate training and college finance programs.If you are in risk and haven't seen every major university offering a graduate degree in risk management (not to mention risk training and certification from associations such as PRMIA and GARP), then you are not from this planet.10. The salary gap among risk professionals will continue to widen.Depending on what specialty skill you bring to the table (CRO and all the waterfall functions that work alongside with, or support, that office, legal, compliance, quantifiable risk, subject matter risk expertise within project management, etc.), compensation has risen significantly across the risk landscape to attract and retain talent.In short, nine out of ten predictions have come to pass. Not bad from the perspective of a ten year horizon. Well done! I hope we hear from Mr. Lam soon on his predictions for the next ten years.

A well-written guide to enterprise risk management from somebody who knows it first hand. The book covers all of the relevant topics within ERM: concepts and processes, governance, risk transfer, analytics, risk types, and applications to the business (lessons learned, case studies, etc.).The book is tilted towards banking and energy and could use an update on how ERM has become vogue among corporations in almost every other sector. It could also include more information on operational risk and Sarbanes-Oxley requirements, as well as more recent info on the topic from leading risk organizations and projects (COSO and others). It is not a one stop shop on the subject - hence just four stars.If you have a chance to work with risk managers and/or risk consultants, see the latest dashboard tools, or sit in on risk assessment and ranking exercises, I believe you'll get much more from the book. There is a lot of "dot-connecting" that needs to go on with ERM.And a special endorsement...I once received a very attractive offer from a leading Fortune 500 company for an enterprise risk manager position. I had just a little experience with ERM, but I used material from this book to get me through six probing interviews. Very few books can help a candidate quite the way this one helped me.

The book written by James Lam takes the reader into interesting areas of contemporary debate, including risk concepts, corporate governance, risk transfer, data and technology, and industry trends relating to the topic of enterprise risk management. The book is written with great clarity and authority, and successfully navigates through emerging strategic contours and professional discussions about risk. The author combines fresh thinking about the evolving terrain of enterprise risk management with new questions about incentives and responses to it, whilst grounding his ideas and reasoning upon his professional experience. This is a very good resource aimed at security and risk practitioners.

This is basically new. At least i didnt find any marks on the book in the first quick glsnce. Its greatBut this does offer a lot less than second edition