17. James Lam on the new world of risk management and oversight for companies and boards
James Lam is a globally recognized risk expert, an early advocate of Enterprise Risk Management and the first-ever Chief Risk Officer. He has served as a director and chair of the risk oversight and audit committees of both public and private companies. James was a commissioner for the NACD Blue Ribbon Commission on board oversight of disruptive risk. In this episode he shares his most current thinking on the evolving state of risk management and the challenges and opportunities ahead.
Thanks for listening!
We love our listeners! Drop us a line or give us guest suggestions here.
Links
https://en.wikipedia.org/wiki/James_Lam
https://jameslam.com
Quotes
I think taking a proactive approach to risk management is one of the key responsibilities for the CRO. So, think about yourself in the first line of defense. You're running a business. You're running the IT function. You're really focused on the day-to-day, and you might be responding to risk incidents or minor crises, but a Chief Risk Officer is much more forward-looking, much more proactive, looking at things outside in, looking at things much more long term… the Chief Risk Officer really provides the expertise, the time, the attention and focus on the most critical things that are going to drive performance in the future. So being proactive, being forward-looking at key trends outside in, are really important things.
I think it is important that the board provides input in terms of the kind of risk management reporting that they want to see, the kind of metrics, and also guidance on the risk appetite statement and the integration between risk and strategy.
The Risk Committee and the Audit Committee wear different hats. They have very different scopes and mandates. The Audit Committee is paid to think inside the box: SEC requirements, financial disclosure, Sarbanes-Oxley, FASB, etc. You don't want to be creative in your accounting. You really want to make sure you're in compliance with all the laws, regulations and standards.
Whereas the risk committee is paid to think outside the box. What are the uncertainties, what are the external drivers that could impact our earnings, our cash flows, our value? How do we expect the unexpected? How do we think around corners? So, you're really paid to think outside the box, and I think that is a very compelling way of contrasting the scope and mandate of the Audit versus the Risk Committee.
Big Ideas/Thoughts
Even companies with risk committees might say appropriately that strategic risk, and reputational risk ought to be a full board agenda item. There are different ways of doing it, but I think the most important thing is to make sure that the risk agenda is well represented in terms of board and committee time.
What are the things that we should look at in determining whether, and to what extent, a board bears the responsibility for the catastrophic problem that might derail a company?
I think your listeners could benefit from looking at the Blue Bell Ice Cream case (link) and the Clovis Oncology case (link), both of which I think have really elevated the standards for duties of care and duties of loyalty in terms of risk management and compliance. It is important for the Board of Directors, in exercising those two standards, to make sure that there is a risk management and compliance system in place, that the system is working effectively, that the board is getting the right metrics, the right reporting and red flags in terms of risks, and that they hold management accountable.
https://scholar.google.com/scholar_case?case=11357134939420858969&q=Marchand+v.+Barnhill.&hl=en&as_sdt=6,30&as_vis=1 (Blue Bell case)
Delaware Supreme Court Ruling in Fatal Blue Bell Listeria Shareholder Suit (natlawreview.com) (Blue Bell case commentary)
2019-ca-2017-0222-jrs.pdf (justia.com) (Clovis Oncology case)
Another Reminder From Delaware About the Duty of Oversight | WilmerHale (Clovis Oncology case commentary)
Chief Risk Officer
The Chief Risk Officer is really tasked with making sure that there's a robust and effective ERM program, that risk management policies, risk assessment and analytics, risk management strategies, and executive and board reporting are appropriate.
I would say the CRO is responsible for helping the board and senior management to imagine the unimaginable. To expect the unexpected and be able to prepare for any scenario. I worked with one Board of Directors and the company had a very strong ERM program. In 2018, the board approved a pandemic management plan. Last year they stress-tested that plan, and then when the pandemic hit early this year, they had a playbook. The playbook didn't anticipate everything, but it had a curve with different stages of a pandemic, it had social distancing, PPE, you know, working remotely and so forth. We probably had 70 to 80% of the eventualities, and that really helped the company be prepared for this scenario. I would say that company probably wouldn't have had this plan in place if they hadn't already addressed some of their core risks in their ERM program.
A lot of companies get stuck in risk identification. So, the way many companies do risk assessments and heat maps, they generally get people in a room and say, what are the risks facing the company? They might come up with 20 or 30 different risks, and they would assess the probability one to five and the severity one to five, and they'll multiply the two scores to get an overall risk rating.
I believe this approach is fundamentally flawed. Let me give you a very specific example. What's the probability and severity of a cybersecurity attack that's happening to the company right now? Your firewall and your controls are able to protect against it. Probability is high. One to five, it has to be a five: it's happening hundreds and thousands of times. What's the severity? It's low. The lowest you can be. It's a one. So, five times one is a five. What's the probability and severity of a major data breach? The probability is low. It's a one. Severity is high. It's a five. One times five is five. So, you end up with the same score for two very different situations. The math behind probability times severity gives you expected loss, but your risk is not driven by expected loss, it's driven by stress loss or unexpected loss.
In determining how to assess risk, I like to start with the key strategic, business, and operational objectives of the company. What's your strategy? What are the KPIs - Key Performance Indicators - that would indicate whether you're achieving that strategy? Then you say, what are the risks that could drive variability in those KPIs. What are the key risk indicators and risk tolerances for those risks? So, start with the business objectives of the company and let that drive your risk assessment and quantification.
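The two-risk comparison above, put into numbers as an added example (this is not code from the episode or from James Lam): the constant stream of blocked attacks and the rare major breach are each modeled as a compound Poisson annual loss. The event rates and per-event costs are assumed for illustration only. Both risks are tuned to the same expected annual loss, which is exactly what probability times severity measures; the 99th-percentile annual loss (a stress or Value-at-Risk figure) is what separates them, and the gap between that quantile and the expected loss is the unexpected loss the quote refers to.

```python
"""Expected loss versus unexpected (stress) loss for two risks that a
probability-times-severity heat map would score identically.

Added illustration; rates and per-event costs below are assumptions.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    events_per_year: float  # Poisson rate of loss events (assumed)
    loss_per_event: float   # cost of one event, same currency unit (assumed)


# Constructed risks. Both have expected annual loss = 50,000.
NOISE = Risk("blocked attacks, triage cost only", events_per_year=1000.0, loss_per_event=50.0)
BREACH = Risk("major data breach", events_per_year=0.02, loss_per_event=2_500_000.0)


def poisson_pmf(k: int, lam: float) -> float:
    """P(N = k) for N ~ Poisson(lam), computed in log space so large rates
    (thousands of events a year) do not overflow the factorial."""
    if lam == 0.0:
        return 1.0 if k == 0 else 0.0
    return math.exp(k * math.log(lam) - lam - math.lgamma(k + 1))


def expected_loss(r: Risk) -> float:
    """Probability-times-severity in continuous form: E[annual loss] = rate * cost."""
    return r.events_per_year * r.loss_per_event


def annual_loss_quantile(r: Risk, q: float) -> float:
    """Smallest annual loss X with P(annual loss <= X) >= q (Value-at-Risk).

    Walks the Poisson CDF over the event count; annual loss = count * cost.
    """
    if not 0.0 < q < 1.0:
        raise ValueError("quantile must be strictly between 0 and 1")
    cdf = 0.0
    k = 0
    while cdf < q:
        cdf += poisson_pmf(k, r.events_per_year)
        if cdf >= q:
            return k * r.loss_per_event
        k += 1
    return 0.0  # unreachable: the CDF crosses q for q < 1


def unexpected_loss(r: Risk, q: float = 0.99) -> float:
    """Stress loss above the expectation: VaR_q minus expected loss.
    This, not the expected loss, is what capital and playbooks must cover."""
    return annual_loss_quantile(r, q) - expected_loss(r)


def compare(risks, q: float = 0.99) -> dict:
    """Side-by-side view showing equal expected loss but very different tails."""
    return {
        r.name: {
            "expected_loss": expected_loss(r),
            f"var_{int(q * 100)}": annual_loss_quantile(r, q),
            "unexpected_loss": unexpected_loss(r, q),
        }
        for r in risks
    }


if __name__ == "__main__":
    for name, row in compare([NOISE, BREACH]).items():
        print(name)
        for key, value in row.items():
            print(f"  {key:>16}: {value:>14,.0f}")
```

Run as a script it prints both risks at an expected loss of 50,000; the blocked-attack stream sits within a few thousand of that at the 99th percentile, while the breach's 99th-percentile loss is the full 2,500,000, so its unexpected loss is roughly three orders of magnitude larger than the noise risk's despite the identical heat-map score.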