risks that are changing at an ever faster speed (e.g. cybersecurity, emerging technologies). As part of this discussion, seven specific attributes for this new ERM model are provided.
• In addition to the board and management, other stakeholders such as regulators, institutional investors, and rating agencies are increasingly focused on ERM. Chapter 4 discusses their requirements and expectations.
ERM is a multi-year effort that requires significant attention and resources. As such, Part Two focuses on ERM program implementation:
• Chapter 5 lays out the scope and objectives of an ERM project, including the need to set a clear vision, obtain buy-in, and develop a roadmap. This chapter also provides an ERM Maturity Model and an illustrative 24-month implementation plan.
• One of the key success factors in ERM is addressing change management and risk culture. Chapter 6 describes risk culture success factors and the cognitive biases and behavior obstacles that risk professionals must overcome.
• Given the wide range and complexity of risks, having a structured and organizing ERM framework is essential. Chapter 7 provides an overview of several published frameworks and an ERM framework that I've developed to support performance-based continuous ERM.
The next four parts provide deep dives into the key components of the ERM framework. Part Three focuses on risk governance and policies:
• Chapter 8 discusses two versions of the “three lines of defense” model: the conventional model and a modified model that I've developed to better reflect the role of the board.
• Chapter 9 goes further into the important role of the board in ERM, including regulatory requirements and expectations, current board practices, and three key levers for effective risk oversight.
• Chapter 10 describes my first-hand experience as an independent director and risk committee chair at E*TRADE Financial. This case study discusses our turnaround journey, the implementation of ERM best practices, and the tangible benefits that we've realized to date.
• As expected, the rise of the chief risk officer (CRO) is correlated to the adoption of ERM. Chapter 11 discusses the evolution in the role of the CRO, including key responsibilities, required skills, and desired attributes. The chapter also provides professional profiles of six prominent current or former CROs.
• Chapter 12 focuses on one of the most important risk policies: the risk appetite statement. This chapter provides practical steps and key requirements for developing an effective risk appetite statement.
Risk analytics provide useful input to business and risk leaders. Risk assessment and quantification are the focus of Part Four:
• Chapter 13 discusses the implementation requirements, common pitfalls, and practical solutions for developing a risk-control self-assessment process.
• What gets measured gets managed, so it is not enough only to identify and assess risks. Chapter 14 provides a high-level review of risk quantification models, including those designed to measure market risk, credit risk, and operational risk.
ERM can create significant value only if it supports management strategies, decisions, and actions. Part Five focuses on risk management strategies that will optimize an organization's risk profile:
• The integration of strategy and ERM, also known as strategic risk management, is covered in Chapter 15. The chapter outlines the processes and tools to measure and manage strategic risk, including M&A analysis and risk-based pricing. Case studies and examples of strategic risk models are also provided.
• Chapter 16 goes further into risk-based performance management and discusses other strategies to add value through ERM, such as capital management and risk transfer.
Board members and business leaders need good metrics, reports, and feedback loops to monitor risks and ERM effectiveness. Part Six focuses on risk monitoring and reporting:
• Chapter 17 discusses the integration of key performance and risk indicators, including the sources and characteristics of effective metrics.
• Once these metrics are developed, they must be delivered to the right people, at the right time, and in the right way. Chapter 18 provides the key questions, best-practice standards, and implementation requirements of ERM dashboard reporting.
• Once an ERM program is up and running, how do we know if it is working effectively? Chapter 19 answers this critical question by establishing a quantifiable performance objective and feedback loop for the overall ERM program. An example of a feedback loop based on earnings-at-risk analysis is also discussed.
Chapter 20 in Part Seven provides additional ERM templates and outlines to help readers accelerate their ERM initiatives.
Throughout this book, specific step-by-step implementation guidance, examples, and outlines are provided to support risk practitioners in implementing ERM. They are highlighted below:
• Example of a reputational risk policy (Chapter 4, Appendix A)
• ERM Maturity Model and benchmarks (Chapter 5, Appendix A)
• Practical 24-month plan for ERM program implementation (Chapter 5, Appendix B)
• 10-step process for developing a risk appetite statement, including examples of risk metrics and tolerance levels (Chapter 12)
• Implementation of the RCSA process, including common pitfalls and best practices (Chapter 13)
• Example of a strategic risk assessment (Chapter 20)
• Structure and outline of a CRO report to the risk committee (Chapter 20)
• Example of a cybersecurity risk appetite statement and metrics (Chapter 20)
• Example of a model risk policy (Chapter 20)
• Example of a risk escalation policy (Chapter 20)
SUGGESTED CHAPTERS BY AUDIENCE
Given its focus on ERM implementation, this book does not necessarily need to be read in its entirety or in sequence. Readers should select the relevant chapters based on the implementation phase and ERM maturity at their organizations. In general, I would suggest the following chapters by the seniority