There seems little doubt that enterprise risk management (ERM) is here to stay. The amount of discussion, writing and resources devoted to its development has multiplied dramatically in recent years. So has the number of chief risk officers appointed to implement ERM programs at companies of all kinds.

But what does ERM - also known as enterprise-wide, or firm-wide, risk management, and closely related to integrated risk management - actually involve? And why is it better grounded than other "flavour-of-the-month" management fads that have come and gone in the past? The easiest way to answer these questions is to go back to first principles.

Risk and reward are equally integral parts of every decision. This is just as true in business as in the rest of our lives. When we cross the road, we must consider - and manage - the risk of being run over by a car as well as the reward for making the crossing safely. When we make an investment - in a stock, an asset or a strategy, say - we are exposing ourselves to the risk as well as return. The investment may not work out as well as we hope it will.

Even the decision not to make the investment generates risk and return: it may be a wise decision, but it exposes us to the risk that we will not achieve our objectives - whether to double our money, retain control over the means of production, or stay ahead of the competition. We cannot escape risk; we can only try to strike an appropriate balance between the risks and returns associated with a particular decision or course of action.

As soon as we try to do this, we are managing our risk. We could equally say that we are managing our returns, but people naturally tend to place more emphasis on potential rewards. That we would want to manage the rewards of an activity largely goes without saying; deciding that we would want to manage its risks involves a little more thought. It would be most accurate to say that we are managing our risk/return, but this is too much of a mouthful. So we talk about risk management.

People have always given some thought to the potential for disaster and taken precautions against it. There is plenty of evidence that this kind of risk management has been practised since antiquity, sometimes in surprisingly sophisticated ways: there is evidence that both derivative instruments and insurance contracts were used to protect against risk thousands of years ago.

But people have not always explicitly recognised that risk management is really risk/return management. Outside liquid markets, risk management continued to mean protecting against disaster right up until the late 1980s. Typically, this involved setting conservative limits on the extent of any risky activity, thus preventing any adverse consequences from escalating beyond a certain point. The limits were based on relatively simple estimates of the risk, usually considered case-by-case for every business decision in isolation. For example, a lender might only extend a certain amount of credit to a particular borrower. Where risks could not be limited internally, any excess was transferred to a third party such as an insurer.

The goal of this kind of transactional risk management was largely to prevent the company running into potentially disastrous trouble. It is still the approach typically taken when dealing with individuals and small or traditionally minded companies, and the approach taken by these groups when managing their risks.

Expert Witness - Bob Mark

However, larger and more progressive companies found themselves with additional goals for risk management after the 1980s. The increasing importance of shareholders meant that companies had to worry about more than just staying in business. They now had to worry about appearances and, above all, performance. The implications of integrated risk management, and risk adjusted pricing and performance measures, are already proving profound in the banking industry as our next Expert Witness explains.

Shareholder value, volatility and diversification
In theory, shareholders do not necessarily care about risk, much less risk management. Modern portfolio theory - the branch of economics which, since the late 1950s, has explored how investors manage risk and return - suggests that companies come with two types of risk. Diversifiable risks are those risks unique to a particular company, whereas undiversifiable risks are the risks that are common to all firms operating under the same economic regime. According to simplistic versions of the theory, shareholders can get rid of the effects of diversifiable risk by investing in a large, well-diversified group of stocks, and can do nothing about undiversifiable risk. They therefore don't care about risk.

In real life, however, there are a number of reasons why shareholders do care about risk. For one thing, shareholders - who tend not to pay much attention to rational economists - do not always hold large, well-diversified portfolios. They frequently invest in particular companies because they believe the management of those companies to be particularly expert at managing both the specific returns and the specific risks of certain activities.

And because today's markets are far from perfect (from a theoretical perspective), there are a host of issues - ranging from tax to regulation to the ability to diversify away risks like bankruptcy - that make risk management a potentially valuable activity.

Any corporate management that tried to argue its right to take any risk that it wants to because its shareholders should be well diversified is one that would be given short shrift by today's legions of professional and amateur investors. Risk management, in this respect, is all about accountability. Shareholders expect companies to manage their funds as efficiently as possible - and that includes risk management.

Lack of accountability, or the perception of it, is a good way for shareholders to lose faith in a company's management - clearly a bad thing for the company. One of the fastest ways for this to happen is for the company to announce an unpleasant surprise - an extraordinary loss, for example. Such volatility of earnings can be much more damaging in terms of its impact on shareholder confidence than in its immediate effect on the bottom line. And the effects extend beyond shareholders - a lack of confidence on the part of other stakeholders, such as customers, employees and business partners, can be equally devastating in terms of the operating costs run by a company. Retrospective crisis management is much more difficult and expensive than prospective risk management.

Consequently, the role of risk management has changed since shareholders became key players in corporate management during the late 1980s. It has continued to evolve during the 1990s, as other stakeholders began to exert increasing influence: for example, the rise of the environmental and ethical lobbies and of "free agents" in the workplace. Risk management increasingly addresses the management of uncertainty and the prevention of unpleasant surprises.

The key tool used to achieve these goals is diversification - relying on pleasant surprises in one area to balance unpleasant surprises elsewhere. The effect of diversification is that the net risk of a group (or portfolio) of individual risks is less volatile, and lower, than the simple sum of those risks. Companies began to concentrate on managing the risks of portfolios of business; providers of risk protection, for their parts, began to develop products that matched these portfolio risks.

Portfolio risk management, which added the key concepts of diversification, volatility and correlation to those of limit and default management, also had benefits in terms of business performance. Reducing the likelihood of default and managing the level of volatility means increasing stakeholder confidence, which translates into cheaper and more manageable transaction costs in a host of areas, ranging from supplier invoices to debt financing. It also makes it easier to manage the long-running conflict of interest between bond-holders and share-holders - the so-called "agency problem".

The other side of the coin is that companies which recognise the benefits of diversification can build these benefits into the pricing of their goods, services and risk transfer strategies. Rather than simply adding up all the risks in isolation, they can take advantage of overlaps and offsets in their portfolio risks, enabling them to use capital more productively and price more keenly. Risk/return management then reaches a new, more sophisticated level: the risk-adjusted return of a business provides a meaningful measure of performance that allows companies to make more rational allocations of resources to business.
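As an added illustration of the diversification and risk-adjusted return argument above (example code, not from the original article), the block below takes three constructed business lines with stand-alone volatilities and a constructed correlation matrix, compares the silo total (simple sum of stand-alone risks) with the diversified portfolio volatility, and allocates the portfolio risk back to each line so that return per unit of risk can be compared stand-alone and after diversification. All line names, figures and correlations are assumptions made up for the example.

```python
import math

# Constructed sample: three business lines, each with an expected return and a
# stand-alone result volatility (both in the same currency units, e.g. $m).
LINES = ["retail_lending", "rate_derivatives", "commodity_trading"]
EXPECTED_RETURN = {"retail_lending": 12.0, "rate_derivatives": 9.0, "commodity_trading": 8.0}
STANDALONE_VOL = {"retail_lending": 40.0, "rate_derivatives": 30.0, "commodity_trading": 25.0}

# Constructed correlations between the lines' results (symmetric, unit diagonal).
CORRELATION = {
    ("retail_lending", "rate_derivatives"): 0.6,
    ("retail_lending", "commodity_trading"): 0.1,
    ("rate_derivatives", "commodity_trading"): 0.2,
}


def corr(a, b):
    """Correlation between two lines, looking up either ordering of the pair."""
    if a == b:
        return 1.0
    return CORRELATION.get((a, b), CORRELATION.get((b, a)))


def covariance(a, b):
    return corr(a, b) * STANDALONE_VOL[a] * STANDALONE_VOL[b]


def silo_volatility(lines=LINES):
    """What a silo approach books as total risk: the simple sum of stand-alone risks."""
    return sum(STANDALONE_VOL[l] for l in lines)


def portfolio_volatility(lines=LINES):
    """Volatility of the combined book, taking overlaps and offsets into account."""
    variance = sum(covariance(a, b) for a in lines for b in lines)
    return math.sqrt(variance)


def diversification_benefit(lines=LINES):
    """Risk (and hence capital) freed up by managing the lines as one portfolio."""
    return silo_volatility(lines) - portfolio_volatility(lines)


def risk_contributions(lines=LINES):
    """Euler allocation: each line's marginal contribution to portfolio volatility.

    The contributions sum exactly to the portfolio volatility, so they can be used
    to charge each line only for the risk it adds to the book.
    """
    total = portfolio_volatility(lines)
    return {a: sum(covariance(a, b) for b in lines) / total for a in lines}


def risk_adjusted_return(lines=LINES):
    """Expected return per unit of risk, stand-alone versus after diversification."""
    contribution = risk_contributions(lines)
    return {
        l: {
            "standalone": EXPECTED_RETURN[l] / STANDALONE_VOL[l],
            "diversified": EXPECTED_RETURN[l] / contribution[l],
        }
        for l in lines
    }


if __name__ == "__main__":
    print(f"silo total risk:       {silo_volatility():.1f}")
    print(f"portfolio risk:        {portfolio_volatility():.1f}")
    print(f"diversification gain:  {diversification_benefit():.1f}")
    for line, r in risk_adjusted_return().items():
        print(f"{line:18s} stand-alone {r['standalone']:.2f}  diversified {r['diversified']:.2f}")
```

With these constructed numbers the lowly correlated commodity line looks only marginally better than the others stand-alone but clearly best once its small contribution to the combined book is recognised, which is the reallocation effect the text describes.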

So compelling has this way of doing business become that many financial companies now routinely consider transactions in terms of the diversification benefits they bring to a book of business, rather than stand-alone profitability - thinking about the residual risk and return of a portfolio of retail loans, for example, rather than the simple sum of the individual lending risks. And the risk-adjusted return is used as a key indicator of which businesses are really doing well and which are doing poorly.

However, some pioneers have gone further, and begun to think about diversification across multiple lines of business: interest rate derivatives and retail lending, for example, or commodity trading and real-estate finance. This recognises the relationships between the risks of each of these business lines and exploits whatever diversification benefits these relationships may bring. Exploiting the benefits of this approach, however, requires a different approach to risk management: integrated risk management (IRM), in which the various risk types that can affect a company are considered holistically, rather than independently. We'll look at IRM in the next section.

Intertwined risks and integrated risk management
Expert Witness - Doug Hoffman

As we saw in the previous section, integrating the management of risks both within and across business lines allows companies to take advantage of diversification. We'll see in this section, however, that it is also a much more realistic way to think about the actual risks of business lines and companies than the traditional approach, in which risks are managed in "silos". That's something that our next Expert Witness underlines in his comments on risk interaction and the development of risk management methodologies.

Broadly speaking, there are four basic types of risk: credit risk, operational risk, market risk and business risk. Each of these has a precise definition (sometimes more than one!), which is explored in more detail in other pieces of the Risk Jigsaw. However, it can be more useful, when beginning to think about ERM, to consider more general definitions:

  • Credit risk is the risk that a promise will not be kept;
  • Operational risk is the risk that something will go wrong;
  • Market risk is the risk that something cannot be afforded; and
  • Business risk is the risk that plans have not been made correctly.

These are somewhat analogous to the classical elements of earth, air, fire and water. Just as "earth" includes everything from rock to steel, so this definition of credit risk includes everything from a supply chain failure to a debt going bad. And just as the classical elements can be combined to make up new substances - earth and water to make mud, for example - so these elemental risks can be intermingled to form new ones. For example, the apparently minor operational risk of a slight time disjunction between settlement systems, or a temporary failure in one of the systems, can combine with credit risk exposure to create massive settlement risks.

Under the silo approach to risk management, different risks are managed by different specialists within a business line (or company) - and mostly, it is not elemental risks that are managed, but subsidiary and mixed risks. There are various reasons for this, but the main one is the division of risk specialists into bankers, insurers, trading houses and investment managers, largely for reasons of historical accident. The subsequent evolution of these industries meant the development of sophisticated, but narrow markets, for each of the risks involved.

This division was mirrored in the internal structure of companies. Credit and financial officers were responsible for credit risk; insurance managers and actuaries managed operational risks; buyers and traders were responsible for market risk; and senior managers for business risk. Various other groups - legal, audit and compliance units, for example - provided additional (and sometimes overlapping) oversight of other risks. Each of these functions grew more sophisticated, until finally they could hardly communicate with each other.

The problem with this approach is that it doesn't work - at least, not efficiently. Not many real businesses are exposed to these risks in ways that are easy to separate out and manage independently. Rather, they are intertwined, with a change in the level of one type of risk triggering changes in the levels of others, and perhaps in the total level of risk run by the company. Managing them independently means these correlations between levels of risk are not recognised.

The industry that gets closest to taking on isolated and entirely independent risks is the financial services industry - fairly obviously, since according to the argument above, the structure of risk management and transfer is a product of the traditional structure of the financial services industry. But, ironically, it's also a result of the fact that financial services are specialists in risk management - most financial services can actually be defined as activities in which one party is compensated for taking a particular kind of risk.

For example, lenders take credit risk: they lend money to people or companies who may not ultimately be willing or able to repay their debts. The lender charges interest to account for this possibility. Similarly, insurers write policies against operational risks - ranging from lawsuits to hurricanes - in exchange for premiums. Trading houses engage in a variety of activities that involve taking on market risk, from underwriting initial public offerings (IPOs) to making secondary markets in securities. Investment managers, meanwhile, earn fees for managing business risks - such as planning for retirement or saving for college funds - on behalf of their clients.

Even in financial services, however, the business is usually exposed to risks other than the obvious one. A lender may also be exposed to the market risk that interest rates will change, for example. If interest rates drop, borrowers may refinance their debts, leaving the lender unable to maintain the same level of profitability. If interest rates rise, borrowers may not be able to continue making repayments, increasing the default rate. Either way, the result is a business risk for the lender.

So the efficient management of "lending risk" is not just a question of efficient credit risk management, or even of efficient credit risk management and market risk management. It is dependent on the integrated management of credit and market risk - the kind of integration that is unlikely to run smoothly within a fragmented organisational framework. The same kind of argument can be applied for almost all other companies and businesses, both within the financial services and beyond.

Even in the unlikely event that a company's risks actually can be pigeonholed in terms of risk types behaving completely independently, this will likely be obvious only in retrospect. Companies can only be confident that they are not compounding risks by anticipating the likelihood of any number of risk events occurring and mapping out their interconnections. As we'll see in the next section, it is perfectly possible for large, or even catastrophic, risks to grow like weeds between the cracks.

Avoiding catastrophe

We've seen that silo risk management doesn't really address the risks typically run by a business. The other side of the coin is that a silo approach makes it difficult for senior management to understand the risks to which their organisation is really exposed. Faced with risk reports based on qualitatively different measures, calculated using different models and different assumptions - and then written up using different definitions and technical language - senior management may find it difficult to piece together the complete, enterprise-wide picture of risk with which they are ultimately concerned.

Experience has demonstrated that this holistic view of risk is a necessary part of management. Not only are risks intimately interconnected, but companies that are brilliant at managing one kind of risk may still be tripped up by a basic error in managing another kind, as many of the case studies included in our Wheel of Misfortune testify. Bankers Trust's skill at managing complex market risks, for example, didn't help it to alleviate the operational risks that arose from problems with customer management.

Managing a variety of risks in an integrated framework is a large and important part of ERM. However, it's more intuitively obvious, and sometimes technically simpler, to see how some risk types should be integrated than others. It is fairly obvious, for example, that the market risk and credit risk associated with an instrument traded in the capital markets can be integrated to come up with a measure of "price risk" which is likely to be more meaningful to a company holding that asset than either its market risk or credit risk alone.

And tracing and quantifying the connections between the market and credit risks involved in, say, trading fixed-income securities, is one of the easier (although by no means simple) tasks facing risk analysts. Over the past few years, for example, volatility-based portfolio risk measures such as value-at-risk (VaR) and return on risk-adjusted capital (RAROC) have been applied to measure many types of market risk. More recently, similar models have been applied alongside default and portfolio management models, to provide summary measures of credit risk. So there is a common basis for the integration of market and credit risk.

Correlations between other risks are much harder to discern, much less quantify. Organisations looking for these must expend considerable time and effort in "mapping" the risks of their various business lines and developing compatible methods for assessing and comparing those risks. Many financial institutions, for example, are currently trying to express their operational risks in terms of loss distributions that are at least qualitatively similar to those distributions used to quantify market and credit risks.

It's unlikely, however, that all risks - or even many operational risks - can be effectively handled this way. Risk management has to go further than reporting, quantification and risk transfer (the realistic limits of integrated risk management) - to address risks that cannot be as readily quantified (reputational risk or legal risks, for example) and which are primarily managed not through risk transfer, but through organisational control and reporting frameworks.

Rather than plunge into the continuing controversy over which risks can and cannot be meaningfully quantified, let's explore this through an illustrative example - that of Barings Bank, which collapsed in February 1995 after Nick Leeson, a Singapore-based trader, racked up more than a billion dollars of trading losses. Leeson's losses originated with an earthquake in Kobe, Japan which shook confidence in the country's economy, triggering a steep fall in the stock market. Barings was unable to make good on its obligations in the futures market, and forced to declare bankruptcy.

Barings' exposure to a market event shock might have been much more obvious if Barings had been working within an integrated risk management system - the chance of a major market collapse could have been assessed along with Barings' credit exposure in the event of such a collapse. But the real problem was that Leeson's trading losses had grown like Topsy because he had been able to conceal them. This in turn was thanks to a gross failure of line management and process integrity - Leeson was responsible both for accounting for and executing trades on behalf of both the bank and its customers.

Beyond that, there was the problem of accountability. Before the losses emerged, Barings' senior management had feted the young trader as a star and extended him huge lines of credit, apparently in the belief that he was operating some kind of infallible money machine. That this went unquestioned suggests a failure of corporate governance, which ultimately led to the bank being heavily censured by regulators and sued by its own debt-holders. By that time, however, Britain's oldest merchant bank had already disappeared, snapped up by the Dutch bank ING for just one pound sterling.

The case of Barings is only the most spectacular of a large number of similar tales. Quantitative risk management may eventually put all risks on a common footing. But many companies will still be enormously vulnerable to "soft" risks until then. That calls for a new approach to risk management - one that addresses the risk aspects of all decisions, control frameworks and business processes within an organisation. This is enterprise risk management.

ERM has many components, and means different things to different people. We'll discuss this in more detail in the next section.

Defining ERM
ERM should not be thought of as a centralised corporate function - as risk management has traditionally been practised - but rather as a holistic approach that fully integrates risk management into the way that a company conducts its business, as well as the way that it communicates with stakeholders.

It's perhaps no surprise that the boundaries of a discipline as broad as ERM are sometimes hard to make out. ERM shares common elements with some other management disciplines, such as change and quality management, and its critics claim that it is little more than a reinvention of these. There is some truth in this. ERM does borrow some of their techniques - knowledge management, process re-engineering and "six-sigma" quality standards among them.

Where it differs is in integrating these various factors, tying them to business performance, and taking account of extreme risks. That, however, is not very useful as a working definition - different organisations will place different priorities on accounting, operations, quality and change management and want to integrate them into business performance in different ways. One useful starting point in coming up with a better definition is to say that ERM is whatever the chief risk officer does - a definition that self-adjusts to fit every organisation and encompass whatever mixture of disciplines is necessary.

But that then begs the question: who is the CRO? Not all organisations feel the need for a full-time CRO or want to create an explicit position for one in the senior management team. Many already have a head of risk management somewhat further down in the organisation. It might seem natural to have that person drive the ERM process.

However, as we'll see in the next section, it is critical that companies elevate this person, or identify or create a senior manager responsible for risk - and not just because it provides a quick, company-specific starting point for a definition of the ERM initiative. Risk management is likely to meet with more resistance than most management initiatives, and it is unlikely that the benefits of ERM will be realized if it is not driven by a figure of real authority within the firm.

There will in many cases already be an individual, or group, who ultimately heads up risk management at the executive level, even if they do not have day-to-day involvement. That might be:

  • The chief executive officer;
  • The chief financial officer (in a financial services concern, for example);
  • The chief information officer (in an intellectual property business);
  • The chief operating officer (in a manufacturing business); or
  • Any combination of these roles and more.

This person is well placed to act as the CRO. One shortcut in identifying the CRO is to resort to a popular nickname: the "chief worry officer". At a prosaic level, the chief risk officer is whoever worries most about the organisation; and ERM is whatever he or she does about those worries. If the CRO is to do a good job, he or she will have to meet a number of basic requirements.

The first, and most basic, of these is that the CRO must know the business. This may seem obvious, but is actually overlooked surprisingly often. Clearly, a CRO needs to worry about things that might actually affect the business, not about irrelevant or inconsequential factors. Conversely, a CRO who does not know the business will probably not spot things that are really worth worrying about.

Another key requirement is that the CRO must ensure that an organisation's activities remain in balance. Most obviously, a chief risk officer is charged with ensuring that a balance is struck between the risks and rewards of the company's activities and investments, and that the risks of its portfolio are well balanced (i.e., well-diversified). But the CRO must also ensure that corporate decision-making is well balanced in a more general sense. There are two aspects to this. First, the company's risk-taking should not be set unilaterally by a single individual or group - even at the senior management level. Second, the organisation should make sure that decisions are made in a way that reflects its own performance benchmarks.

The first step in meeting both of these conditions is to work out exactly what those performance benchmarks are, or what they should be. For example, is the company looking for a short-term surge in profits, or a sustained improvement in long-term profitability? Is business volume more important than profit? Is customer satisfaction more important than volume? Having decided the answers to these kinds of questions - perhaps by constructing a "balanced scorecard" - the company has set a performance standard by which all activities and decisions can be judged.

If this standard is well balanced, it becomes much more difficult for an individual or group to win excessive power over the organisation's risk-taking. In order to be recognised as successful compared with the performance standard, groups within the organisation will have to co-operate with each other - the diversification of goals built into the performance standard will lead to a diversification of the people and processes by which decisions are made. If the standard is also reflected in the compensation and incentives offered to the decision-makers, they will be much less motivated to diverge from it. That reduces the chance that people are either willing or able to take excessive, non-core risks.

This is only likely to be true, however, if the decision-makers are sufficiently well-informed about risk to make good decisions, feel able to discuss risk with others in the firm, and are aware that non-compliance with the firm's risk management principles will not be accepted. This is a third balance that the CRO must maintain: between the "soft" aspects of risk management - risk education, communication and culture - and the "hard" aspects such as risk quantification, reporting, pricing and risk transfer. We'll see why the soft side is so important in the next section.

Risk awareness
Traditionally, risk management was developed and administered by one or more small, centralised teams, working closely with a few areas of the business, such as trading desks or underwriting teams, where risk was considered to be of paramount importance. The team would work to implement the three stages that make up the risk management process - awareness, measurement and control - for the particular risks involved, drawing what information was necessary from the business line.

This approach does not work under ERM, whose guiding principle is that risk is ubiquitous and exists at all levels of an organisation, and therefore needs to be managed accordingly. In fact, ERM can only address the huge volume and diversity of risks involved if all of the employees of a firm are enlisted into the cause of risk management.

While there may still be a relatively small team of risk specialists in an ERM framework, its role will be more one of risk education and consultancy. Rather than managing risks themselves, the members of this team will help the organization's business units and staff functions to recognise their risks and establish processes for managing them.

This is not a one-off activity. Although it is possible to document the risks affecting an activity and the procedures and techniques for managing them, both the procedures for gathering the information and the information itself need to be updated continually to reflect changes in the way that the activity is conducted. Many notorious risk management disasters have occurred at least partially because of organisational failures to recognise the new risks engendered by change. Barings, for example, failed to adapt the "clubby" London-centred control framework of its merchant banking days to the demands of trading in highly leveraged derivative instruments through international outposts.

The first step in managing risk is to ensure that managers and employees think about risk when making decisions. This is mostly a matter of education and training - both of which have historically been sorely lacking in the risk management arena. As we saw in the first section, the emphasis has historically been on the management of returns, with risk controlled (if at all) by capping it at some more or less arbitrary level. The result is that many employees have never really needed to grapple with risk, and thus have a very poor understanding of it.

Risk management is still seen by many as an activity that does little more than frustrate efforts to build businesses, and is associated with the embarrassment of having to own up to mistakes.

Overcoming this perception requires some evangelism. Risk management needs to be built up as something that has tangible benefits and helps, rather than hinders. Staff need to be convinced that risk management has an important, proactive role to play in ensuring that their businesses will not "blow up"; that proper risk management thinking can facilitate business activities, not just veto them; and that striking a balance between risk and return can help to ensure long-term profitability rather than unsustainable short-term gain. Only if people buy into these ideas will they take the initiative in identifying, managing and communicating risks.

One of the best ways to encourage such buy-in is for senior management to endorse risk management - and to enforce compliance. This is one of the reasons that it can be useful to appoint a CRO, or at least identify a de facto CRO. Tying compensation to a risk-adjusted benchmark is one way of sending a clear signal to the organisation. Asking pointed questions about risk is another.

It is critically important that no-one is allowed to ignore the rules of good risk management - including senior managers themselves. One of the fastest ways to undermine a risk management initiative is to permit certain staff or businesses to escape its dictates - a particular danger with high-performers, who can exploit "star" status to bend the rules.

One last "soft" element of ERM is communication. Just as many employees do not have much understanding of risk and risk management, so they may struggle to express what they do know - particularly if they are emerging from a silo-based environment and have to express risks to other groups who may use radically different language and definitions. One valuable exercise is to establish a "common language of risk", perhaps narrowing down the elemental risks described above into a list of definitions of the risks specific to a given company. That way, the organisation can be sure that when its people talk about risk, they are talking about the same thing.

Risk management and control
Assuming that the value of risk management has been accepted by the organisation, the next step is to identify and assess the risks associated with some new or changed activity.

We talked in the previous section about the importance of empowering and requiring people to think and talk about risk. The first application of this empowerment is to try to assess which risks seem manageable and which do not. Given how diverse the risks covered by an ERM program can be, there is no single easy formula by which this kind of risk assessment can be conducted. However, there are a number of factors that can be considered in qualitative terms in order to evaluate risks: exposure, volatility, probability, severity, timeliness, correlation and capital.

These criteria will give some indication of whether the risk seems like one that the organisation can manage, or whether it is best left alone. If it seems like a risk that the organisation can handle, the business and risk managers can move on to the next step in the risk management process: measurement and reporting.

It's been said that you cannot manage what you cannot measure. This is certainly true of risk, which is largely measured in terms of probabilities, and human beings are very bad at estimating probabilities. People tend to be poor judges of risk, and intuition is often a poor basis for risk management, although experience and judgment do have their parts to play, particularly in market and credit risk. That makes it particularly important to have measures of risk that can be reported to key decision-makers in a clear, unambiguous way.

One such measure would be the summary information about the size and number of losses actually suffered by an organisation, along with any trends in the type of event that produced them, or how losses compare with business volumes or revenues. Incidents that do not result in financial loss, but are nonetheless considered serious - policy violation, systems failures or fraud, for example - can also be reported.

Clearly, quantitative measures such as value-at-risk and RAROC are also useful for market and credit risks. It is usually possible to come up with simple measures of other, softer risks such as customer dissatisfaction - the number of complaints, for example - and even if these cannot be used for integrated risk management, they are still useful for ERM. Bearing in mind the balance of soft and hard risk management, it is also useful to have qualitative assessments of risks. These should include descriptions of the most important current and emerging risks, problems with the risk management infrastructure and general concerns about risk.

Reports need not be exhaustively comprehensive, as long as they accurately reflect changes in the nature of the organisation's business environment and risk exposures. Screening criteria should be used to ensure that senior management are only alerted to specific incidents if they are serious enough to merit attention: the development of such criteria, and of procedures for escalating communication over a certain risk or incident, is likely to be a substantial part of the work of the risk management team.

Once risks have been identified and some form of measurement introduced, the risk management theory can be translated into risk management action using various control mechanisms.

Other parts of the Risk Jigsaw explore the application of what might be called a three-stage risk management process - awareness, measurement and control - to various risks. The three-stage process also applies to ERM, but in a somewhat different way from its application in credit risk management, say, or operational risk management. The awareness, measurement and control required by ERM are not so much about processes, as they are at the single-risk level, but about infrastructure and organisational structure. We'll look at this in more detail in the next section.

Components of ERM
In earlier sections, we identified a number of key components of ERM. These components correspond to various parts of the risk management process of awareness, measurement and control. The need for effective risk awareness is encapsulated by the issues of corporate governance and stakeholder management; risk measurement, by risk analytics and reporting systems; and risk control by line management, portfolio management and risk transfer. Let's now look at these in more detail.

Risk awareness is largely a matter of corporate culture and education. We've seen that this needs to be implemented from the top of the organisation if it is to take hold in the way necessary for efficient ERM. Corporate governance is the practice that ensures that the board of directors and management have established the appropriate organizational processes and corporate controls to measure and manage risk across the company. This is increasingly required by regulatory standards and voluntary codes of conduct around the world.

While corporate governance serves to increase awareness of risks internally, stakeholder management serves to ensure that this awareness is communicated efficiently. There are many parties, both internal and external to a firm, that need to know about risk. The board of directors, for example, needs periodic reports and updates on the major risks faced by the organization, as well as to review and approve policies for controlling those risks. Regulators need to be assured that sound business practices are in place, and that business operations are in compliance with regulatory requirements. Shareholders, equity analysts and rating agencies need risk information to help add balance to their investment and credit opinions.

Companies need to invest in both risk analytics and risk technology if they are to be able to deliver on the risk measurement part of the risk management process. Risk analytics includes the risk measurement, analysis and reporting tools used to quantify the company's risk exposures, as well as to track the external drivers of those risks. The development of sophisticated risk analytics has in recent years fuelled a revolution in the way that credit, market, and operational risks are managed. Not only does this allow the risks of a business to be properly understood, but it also means that the costs of bearing or transferring risk are more obvious, and can be accounted for in the pricing of the organisation's own products and services, or in the costs of risk transfer provided to it.

Perhaps the greater part of the problem, however, is assembling the data necessary to feed those analytics, a task that frequently requires a comprehensive overhaul of an organisation's information systems. In the case of transactional businesses - most financial firms - one of the greatest challenges for enterprise risk management is the aggregation of portfolio and market data. Portfolio data includes the information on the company's positions needed to calculate its exposures; market data includes information about the external factors that will affect them. In the majority of companies, the systems that gather these pieces of information are unconnected and incompatible, and the data itself is frequently unreliable. There is usually no way to get around this but to make a major investment in upgrading processes, systems and technology.

Organisations have three alternatives when it comes to risk control. The first is to control risk at the front line - the origination end of the business. This amounts to the inclusion of risk in line management. The second is to manage the risks that make up the organisation's integrated risk portfolio - much of what we have talked about so far in this piece of the Risk Jigsaw. The third is to transfer those risks which it doesn't make sense for the company to assume, to a third party.

The integration of risk management into the revenue-generating activities of the company, including business development, product and relationship management, and pricing, is crucial. It is these activities that most immediately generate risks, and so a great deal of the efficiency of risk management is tied to the inclusion of risk as a factor in everyday decision-making. Managers need to ensure that their businesses comply with the overall corporate policy on risk, that risks are considered in the pricing of existing businesses and the development of new ones, and that unusual or large risks are referred to the appropriate authority for approval.

Effective line risk management can ensure that no individual business racks up inordinate or inappropriate risks, but it cannot prevent risks from building up at the corporate level, since, as we have seen, risks often overlap and compound each other. That means that an organisation cannot simply allow its overall risk portfolio to just fall together. There needs to be a level of control which monitors the overall portfolio for potentially worrying (or beneficial) combinations of risks, and strives to optimise the risk/return relationship of the entire portfolio.

This portfolio management function needs to think like a fund manager, accepting only those risks that make sense and are profitable in the context of the overall portfolio. Some unwanted risks can be negotiated away by imposing limits on line management and charging explicitly for any excess. Diversification can reduce others. However, there will often remain other risks that simply do not fit in or are too expensive to hold. These risks will have to be transferred out to a third party in a rational manner - through derivatives, securitisation, insurance or the emerging market in hybrid "alternative risk transfer" instruments.

This brings us back to the chief risk officer - or "worry officer", as we called him or her. We worry about the risks that we can identify but have difficulty assessing and managing. But the encouraging message of enterprise risk management - fed by all sorts of structural changes in the management of individual risks discussed in the other pieces of the Risk Jigsaw - is that it is becoming easier to take rational action to manage enterprisewide risks.

And as companies take action - purchase novel insurance policies, use derivative instruments to reshape credit exposures, use stress scenarios to assess the risk of major market events - the risks themselves become ever more clearly defined, priced and costed. In market, credit and now operational risk management sectors, risk management practices and markets are evolving in a virtuous cycle that seems to be spinning ever faster. It's not dissimilar to the progression at company level that we identified earlier - awareness, measurement and control. Except that, in this case, it's powered by industry-level risk and compliance officers (regulators), risk/reward mechanisms (market prices), best-practices (published standards) and so on.

So let's finish with a question, rather than a message. Wouldn't it be strange if the management of individual risks evolved to a higher plane, but the practices of companies in managing portfolios of these disparate risks remained as they are today?

Featuring Expert Witnesses from

Bob Mark - CIBC

Doug Hoffman - ORA

Timeline: ERM's decade of development: 1992 - 2002

1992 and after - Launch of DPCs/SPVs

1993 - Landmark G-30 risk report

1993 - CRO title born

1995 - Barings Bank collapses

Mid 1990s - RAROC principles accepted in banking

Mid 1990s - Corporate governance goes ERM

1997 - Honeywell blended risks insurance programme

1998 - Near collapse of Long-Term Capital Management

Mid 1990s onwards - Risk transfer tools and markets develop

Late 1990s onwards - ERM put into practice

July 1999 - US Federal Reserve issues SR Letter 99-18

1999 - Gramm-Leach-Bliley bill

2000-2002 - Basle II bank rules are developed

©2008 Sungard. All rights reserved.