Risk management, once the redheaded stepchild of corporate governance, is coming in from the cold—and coming with it is a newly empowered executive class of chief risk officers (CROs), vice-presidents of risk and other assorted risk-related personnel.
Who better to attest to this shift than the international search firms whose job it is to find people to fill these roles? “We’re absolutely seeing an uptick in the number of companies looking to fill risk management positions,” says Toronto-based Mark Letourneau, senior client partner with the Canadian division of Korn/Ferry International, the world’s largest executive search firm. “Organizations feel they need a broader and deeper understanding of the new types of risk they’re facing, and they’re looking for people with specific risk-related skill sets.”
Business is brisk enough, in fact, that Korn/Ferry is in the process of creating a specialized division dedicated exclusively to staffing risk management positions. And you know they’re not alone.
Why the sudden interest in risk, and especially so-called enterprise risk management, or ERM, which consolidates risk from throughout an organization and manages it as a single, dynamic portfolio? Many factors—competitive, legal, environmental, social—are at play, but Mark Aiello, risk strategies consultant with Marsh Canada Ltd., singles out economic uncertainty and fallout from the global banking meltdown of 2008 for having caused companies—as well as regulators and shareholders—to become acutely aware of risk and the need for risk mitigation and management strategies. “If the best risk management plans are invisible, the failures are anything but,” says Aiello. “Over the last few years we’ve seen countless examples of what happens when effective risk management isn’t in place. You just have to open the newspaper.”
No surprise, then, that the financial services industry in particular has turned to ERM as a way of dealing not only with regulatory fallout from the banking crisis, but also to ensure it’s sufficiently prepared and protected should such an event repeat itself. Toronto-Dominion Bank (TSX:TD), for one, only created its ERM group two-and-a-half years ago, led by 18-year TD veteran Bruce Schouten.
“The activities my group is responsible for used to be distributed across the organization, and it made sense to bring them all under one umbrella,” says Schouten, 50, who now carries the title of senior vice-president, ERM. “It’s my role to make sure we’re in compliance with regulatory regimes, to annually review risk appetite with the most senior management committees at the bank, and to ensure our technology is robust enough to monitor, model and manage risk.”
It’s not just compliance driving the ERM train, though. Aiello acknowledges that shareholders and boards are also becoming more attuned to risk and the potential pitfalls of not having effective risk management strategies in place. “From a governance perspective, it’s the board’s responsibility to oversee risk. The board shouldn’t be doing the plan, but should have an understanding of what the top risks are and make sure they’re being adequately addressed.”
Perhaps most profoundly, ways of thinking about risk are changing. Whereas at one time risk management was viewed only from a downside perspective—a cost silo primarily focussed on regulatory compliance and preserving assets—ERM is increasingly being seen as an integral part of good corporate governance and strategic planning, supporting management decision-making and growing shareholder value.
It’s also being applied proactively, building risk resiliency into organizations, instead of merely reactively in terms of risk mitigation and recovery. “Organizations are now looking at risk not simply in terms of fixing the mess they just made, but preventing it in the first place,” says Aiello.
Finally, ERM helps companies identify and quantify what Aiello calls “impact pathways,” not just the immediate consequences of a risk event taking place, but the full range of delayed, follow-on and long-term consequences.
The well-documented travails of Calgary-based energy giant Enbridge Inc. (TSX:ENB) serve to illustrate. Two years ago, in July of 2010, one of Enbridge’s pipelines ruptured, spilling 20,000 barrels of oil into Michigan’s Kalamazoo River. The resulting $800-million clean-up bill made Kalamazoo the most costly on-shore oil spill in U.S. history.
That, needless to say, came as unwelcome news to Enbridge shareholders, who could reasonably have expected the company to be prepared for such an eventuality: after all, in its disclosure filings the company specifically identifies pipeline leaks as “an inherent risk of operations.” Moreover, Enbridge had a well-articulated risk management plan in place for dealing with leaks, including “predictive and detective in-line inspection tools,” scheduled maintenance to ensure compromised pipe was replaced or repaired in a timely manner, and procedures that shut down pipelines within minutes once a leak was detected.
As a recently concluded investigation by the U.S. National Transportation Safety Board makes clear, however, Enbridge’s risk management plan failed at multiple levels: pipeline corrosion cracks were indeed detected, and yet years went by without the affected pipe being repaired or replaced; and when the rupture did occur, the pipeline was allowed to continue spilling oil for a whopping 17 hours before being shut down.
If this were the end of the story, it could be put down to a valuable, albeit costly, learning experience, a wake-up call for Enbridge to re-evaluate its risk management policies and practices. But the impact pathways were just getting started. Environmental and financial risk quickly morphed into political and opportunity risk, as negative publicity generated by the Michigan spill began to impinge upon Enbridge’s plans to build a multibillion-dollar pipeline from the tar sands to British Columbia—the so-called Northern Gateway pipeline. Within days of the U.S. National Transportation Safety Board’s scathing indictment of the handling of the Kalamazoo spill, Enbridge announced it would invest another $500 million to thicken pipeline walls at Northern Gateway river crossings and to hire more inspectors.
Thus, the direct and indirect costs of the risk management failure at Kalamazoo escalated from $800 million to $1.3 billion, not counting additional lobbying and PR expenses necessary to counter negative press. And if the $6-billion project is ultimately scuttled due to public and political opposition over perceived environmental risk, the opportunity cost to Enbridge will have been massive.
At Vancouver-based telecommunications giant Telus Corp. (TSX:T), meanwhile, Kasey Reese, the company’s vice-president of risk management and chief internal auditor, knows all about impact pathways. That’s because any risk that could cause even a temporary service interruption carries two inherent costs: the immediate cost of fixing the problem, and the long-term cost of having to replace lost business, as customers invariably flee to competitors when their smart phones, satellite TVs or Internet connections go black.
“Ice, snow, sabotage, labour disputes, the seventh game of the Stanley Cup in Vancouver, we look at anything and everything that could impact our business continuity,” says Reese, who was hired by Telus a little over a decade ago, shortly after the company was formed through the merger of Telus (Alberta) and BC Tel.
“And you don’t always get the event you plan for,” he continues. “In 2002-2003 we were preparing for a potential work stoppage, but instead of a strike we got the Sapphire computer virus, the outbreak of SARS in [Toronto], which is where our wireless division is headquartered, forest fires in Kamloops, another computer virus, and the largest cable cut in B.C. history.”
Because of that volatility, Telus reviews its risk profile annually, quarterly and granularly in real time. “The execs who own the risk do the granular risk assessment in their particular domains,” says Reese. “They model very specific what-if scenarios, with the result that we’ll typically post updates to our risk assessment five or six times a year, as the temperature of various risks changes over time.”
In order to help quantify and rank different risks, Reese helped devise an extensive electronic survey that captures perceptions of risk from both Telus’s executive ranks and frontline managers. “The survey is delivered to 850 executive VPs and VPs, and then there’s another 1,200 Telus managers who participate, selected at random,” Reese explains. “We then go through the results, synthesize them, identify the high and medium-high risks facing the company and devise plans to make sure we’re adequately prepared to tackle them.”
Two years ago, Telus expanded its risk survey to include board members for the first time. “We want to see if the views of the board are aligned with those of the executive suite. The acid test is, does the board know what the top five risks are?” says Reese. “It’s all about enhancing risk governance, and linking it to good corporate governance.”
Perhaps no industry is fraught with more potential risk than mining, and no mining sector more risky than uranium mining. In its corporate filings, Saskatoon-based Cameco Corp. (TSX:CCO), one of the world’s largest uranium producers, lists supply risks (the company being unable to locate additional mineral reserves), political and regulatory risks (failure to win permits and approvals from domestic or foreign governments), market risks (price of uranium falls, making new development uneconomical), social risks (blockades or other acts of protest by environmentalists or indigenous peoples) and health and safety risks (mine-related accidents, flooding, radiation contamination).
This last risk played out in dramatic fashion in April 2003, when the company’s McArthur River mine in northern Saskatchewan caved in and flooded with radioactive water, causing the world’s largest uranium mine to cease production for three months. As with the Enbridge oil leak, a subsequent review—this time by the Canadian Nuclear Safety Commission—determined that Cameco’s risk management processes were seriously flawed. Despite previous consultant reports warning of the possibility of a cave-in and a major “inflow” of contaminated water, the mine’s pumping capacity was grossly inadequate and there was no contingency plan in place: steel emergency doors that had been previously fabricated and could have sealed off the mine were left in storage and never installed.
Since then, however, the company’s operating record—especially with regard to worker safety and satisfaction—has seen a marked improvement, to the extent that Cameco was last year named one of the Top 10 Best Companies to Work For in Canada by the Financial Post. In October 2011, the company turned to Katharine Palmer, formerly of Atomic Energy of Canada Ltd., to fill its new vice-president, risk and internal audit position—an inspired choice given AECL’s expertise in nuclear safety and regulatory compliance, and Palmer’s 20-plus years of experience in internal audit and related risk management activities.
Her duties include running the company’s ERM group. “It provides me with the opportunity to ensure everyone has a good understanding of our risk profile and risk treatment plans,” says Palmer. “Risk management has to be aligned with, and support, the overall corporate strategy, and I help the organization see the relationship between our growth strategy and risk management.”
As with Kasey Reese at Telus, Palmer oversees a formal collection and analysis of information, after which risks are identified and ranked. “It’s not a one-time exercise,” she says. “Scores can shift over time, so risks have to be continuously monitored and evaluated. The highest-ranked are raised with the senior management team and the board on a regular basis.”
One of the keys to a successful risk management regime, she says, is creating an environment where employees are comfortable reporting risks and potential problems, instead of ignoring them or, worse, covering them up. “If people are afraid to report problems, it goes back to the corporate culture. At Cameco, we think about risk every day, company-wide. It’s what we do. It’s very much part of our corporate culture.”
When a strong, top-down risk management culture is absent, or has been corrupted, bad things can follow. In an unusually frank videotaped interview with the Conference Board of Canada, Siemens Canada’s regional compliance officer, Hentie Dirker, explained what happened back in 2006 when the German industrial titan was found to have engaged in a variety of illegal and unethical business practices, including the use of bribes and unauthorized payouts to win business in developing countries.
During the ensuing review—which included interviews with almost 2,000 employees and the examination of millions of internal documents and bank records—Siemens discovered that while it had corruption risk management rules in place designed to enforce ethical behaviour, they were all too frequently being ignored or subverted. “There were no clear disciplinary consequences for employees who violated policies and procedures,” Dirker explained. “A kind of wink and nod culture had developed, where it was easy for people to hide bribery and corruption.”
The fix involved nothing short of a wholesale housecleaning and reboot of the company’s corporate culture. “We changed the CEO, general counsel, chief audit officer and chief compliance officer. None of the 11 members of the Siemens management board as it was constituted in 2006 remained in December of 2008.” A corruption risk assessment process was established along with a corporate disciplinary committee, the compliance regime was tripled to 600 officers worldwide, and within a year 180,000 employees had been trained on the company’s new “zero tolerance” policies and procedures regarding corruption.
As to whether Siemens’ new “no more bribes” policy won’t end up costing the company billions in lost—if sketchy—business, Dirker was optimistic. “I think it’s more of an opportunity for us. We at Siemens can now use compliance and ethical business as a competitive advantage. If [customers] use Siemens anywhere in the world they’ve got one less supplier to worry about in terms of ethics and compliance to law.”
Back at TD Bank, Bruce Schouten at least doesn’t have to worry about corporate culture: chief executive Ed Clark is notoriously risk averse, once famously stating that the bank wouldn’t sell to customers financial products that were too complicated or abstruse to sell to his mother-in-law. “That’s a pretty easy concept for everyone at TD to grasp,” says Schouten.
It’s also a concept that likely saved the bank billions, as TD was the only Canadian chartered bank to avoid write-downs related to third-party asset-backed paper—aka repackaged sub-prime mortgages—during the mortgage crisis of 2008 or the subsequent banking crisis. As head of the ERM group, however, Schouten does have to deal with the regulatory fallout from all those financial institutions that did end up on the wrong side of the risk/reward equation. The most challenging of those regulations is what’s known as the Volcker Rule, a section of the Dodd-Frank Wall Street Reform and Consumer Protection Act that prohibits banks from engaging in proprietary trading—in other words using deposits to trade on the bank’s own accounts. “We support the principles that underlie that rule, but the challenge is to get the implementation part right,” says Schouten. “How do you interpret the guidelines and rules correctly?”
Well, you start by creating yet another group, a regulatory relationship management unit that liaises between the bank and the regulator, interpreting, simplifying and communicating the rule to TD’s Dodd-Frank implementation steering committee. The steering committee, meanwhile, comprises managers from every area of the bank that might be impacted by the regulations, including certain funds the bank sponsors and advises in its asset management business, as well as private equity investment and TD Securities.
Sitting at the centre of all this is Schouten and the ERM group. “I participate in all those committees as a member, and work to make sure the right person is chairing the right committee, and the right people are participating to ensure we have full coverage. That’s one of the things I enjoy about risk management, you get that enterprise view of what’s going on. It’s a lot of communication, a lot of influencing, a lot of partnering with other control functions to ensure the bank is well situated.”
So what makes someone good at risk management and ERM? It comes down to common sense and communications, says Schouten. “It’s great to have a technical background in terms of understanding credit risk, market risk or operational risk, but you need to be able to figure out the impact of those risks on the organization, and then be able to explain to others why they’re important, and why the organization needs to respond to them.”
Photos: Evan Dion (Bruce Schouten); David Stobbe (Katharine Palmer)