Enterprise Risk Management
January 14-15, 2004
National Academy of Sciences Building
2100 C Street, NW
The objectives of the workshop are to:
- Explore the frontiers of the ERM discipline. We need to examine best practices, current issues and emerging ideas on as many aspects of ERM as possible.
- Exchange best thinking between the public and private sectors. We should be challenging the IRS and other public sector agencies as well as private sector experts to explain what they do, how they are organized to do it, how they have approached risk management up to now, what enterprise risks worry them most, and how they hope to see their ERM evolve. As a workshop, it is important this is not a one-way street.
- Provide participants with useful perspectives and insights. Participants should leave with new ideas which will improve their understanding of enterprise risks and lead them to manage them differently going forward. The take away of the Workshop may not be an action plan for ERM, but it should have practical implications.
- Provide participants with an extended network. Participants should leave knowing new people in the ERM discipline, an extended network with which to work to improve their ERM going forward.
Charles Taylor, Director Operational Risk, Risk Management Association, chair
Mary Davis, Director, Strategy & Finance, IRS
Mark Gillen, Director, Office of Program Evaluation & Risk Analysis, IRS
Louise Gray, Strategic Planning, Large & Mid-Size Businesses, IRS
Mike Haubenstock, Director, Risk Management, Capital One
Andrew Hilton, Center for the Study of Financial Innovation, London
Paul Kleindorfer, The Wharton School, University of Pennsylvania
Arjen Lenstra, Citigroup Information Security Office
Chuck Lucas, Head of Global Market Risk, AIG Corp.
Don McPartland, Large & Mid-Size Businesses, IRS
Karlene Roberts, Haas School of Business, UC Berkeley
Frank Spiegelberg, Senior Advisor, Wage & Investment, IRS
Richard Teed, Director, Strategy, Research and Program Planning, IRS
Dorene Viglione, Wage & Investment, IRS
Chris G. Whipple, Principal, Environ, Inc.
Wednesday, January 14
8:00 a.m. Registration and continental breakfast. C Street Lobby.
8:45 a.m. Welcome and overview of goals. Auditorium
Remarks from Charles Taylor, Risk Management Association
8:50 a.m. IRS welcome. Auditorium
9:00 a.m. Framing the Challenges (plenary panel discussion). Auditorium.
This will be a level-setting and thought-provoking session discussing the relevance and definition of enterprise risk management, the challenges faced by enterprise risk managers, and where the science of risk management is heading. This session will establish a common framework and language for ERM to facilitate discussions among workshop participants. Each speaker will address the sorts of risk they deal with, when and how they began moving to an ERM framework, measurement and aggregation methods they have tried, cultural impediments they’ve faced, what remains to be done, etc. Speakers will be prepped to draw connections between their own experience/domain and that of other segments of the audience. Participants will walk away with an essential understanding of ERM (including an introduction to its concepts and trends), how ERM works in the real world, and where the science of ERM is heading. This will set the stage for subsequent sessions.
Lucian Leape, Harvard University School of Public Health
Irv Rosenthal, President’s Chemical Safety Board (ret.)
Carol Stender-Larkin, IRS
Charles Taylor, Risk Management Association
10:30 a.m. Break
10:45 a.m. Measuring Risk (plenary panel discussion). Auditorium.
This session will give a high-level view of the state-of-the-art of risk measurement techniques, both quantitative and non-quantitative, to help participants understand what is and is not feasible and to stimulate discussion of how far measurement can and should be pushed. The session will cover the benefits and limitations of measurement techniques, and the appropriate use of these techniques within various decision-making contexts. The discussion will address the following questions, with examples: Why measure risk? What are some of the challenges to measuring risk? How can challenges be overcome? How much data is enough for decision making? What’s the connection between organizational performance and risk indicators/measures? Participants will leave this session with a basic understanding of what risk measurement is, what qualitative and quantitative techniques are available, how to combine quantitative and non-quantitative risk estimates, and which are more appropriate for different decision-making needs. The session will also cover estimating and managing government-specific risks, such as political risks and risks from OMB, GAO, or other oversight bodies, and the management of risks to the physical plant when self-insured. This session will be supplemented by Break-out Session A that delves deeper into specific measurement challenges.
Christine Cumming, Federal Reserve Bank of New York
Kathryn Dick, Office of the Comptroller of the Currency
John Kindinger, Los Alamos National Laboratory
Andrew Hilton, Center for the Study of Financial Innovation
12:15 p.m. Lunch. Great Hall
1:30 p.m. Parallel breakout sessions
Session A - Data for operational risks (Room 150)
This panel discussion will cover how risks encountered by support functions impact line organizations. It also should include how to articulate/estimate/quantify risks in terms of meaningful business impacts.
- Can better estimates be realized in practice through pooled data?
- Technical challenges in anonymizing and combining sources
- Experience from the trenches (experience dealing with real data, commercial compilations, their imperfections and how to overcome same)
- How to conduct an effective small-scale survey
Claude Greengard, IBM
Lloyd Hardin, FitchRisk
Eric Rosengren, Federal Reserve Bank of Boston (will also moderate)
Session B – Reporting and operational risks (Room 180)
Operational risks of various stripes make up a significant portion of the overall portfolio of risks to be managed under ERM. This session will present results of recent research and practice concerning the challenges of reporting information to be used in the identification and management of operational risks. We will address the following questions. How does an organization frame the problem of operational risk reporting and what are some models for organizing for operational risk reporting? How can an organization aggregate and prioritize reports from audits and near-miss management systems that are useful and understandable in triggering mitigation and risk transfer activities in the resulting ERM process intended to manage these risks? What special problems are there in public sector organizations like the IRS in gathering and processing reports on operational risks?
Daniel Galik, IRS
Paul Kleindorfer, The Wharton School (will also moderate)
Tim Shepheard Walwyn, Lightfoot Solutions
Session C - Training and personnel issues (Room 250)
This panel discussion will cover topics such as how to train staff to understand probabilities and risks; how to develop a common understanding of risks across a diverse organization; how to create incentives for controlling risks.
James Bagian, Veterans Health Administration
John Schmidt, U.S. Navy
David Walker, ABS Consulting (will also moderate)
Session D – Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management Framework (Room 280)
COSO will provide an overview of its project to develop a conceptually sound framework providing integrated principles, common terminology and practical implementation guidance supporting entities' programs to develop or benchmark their enterprise risk management processes.
Donald Christian, COSO
Melissa Glynn, COSO
Andrew Hilton, Center for the Study of Financial Innovation
3:15 p.m. Break
3:40 p.m. Organizing Enterprise Risk Management: Structures, responsibilities, and risk ownership in different organizational settings (plenary panel discussion). Auditorium
Panelists will present case study examples of how organizations and industry sectors have come to embrace enterprise risk management. Panelists will seek to help workshop attendees clarify the organizational aspects of enterprise risk by addressing the following questions. How do organizations identify and manage their portfolio of risks, including understanding the aggregate impacts and interplay among risks? How do they ensure a decision-making and governance process that adequately ensures that risks are identified and communicated to the right level, and the portfolio of risks is satisfactorily considered in its entirety?
Mark Gillen, IRS (for Todd Grams)
Leslie Rahl, Capital Market Risk Advisors
Paul Kleindorfer, The Wharton School
Alden Toevs, First Manhattan Consulting Group
5:15 p.m. Reception. Members’ Room and Rotunda
6:00 p.m. Dinner. Great Hall. Welcoming Remarks from Wm. A. Wulf, President, National Academy of Engineering
7:30 p.m. After-dinner speaker: Richard Meserve, President, Carnegie Institute of Washington; former Chairman, Nuclear Regulatory Commission
Thursday, January 15
8:00 a.m. Continental breakfast. Great Hall
9:00 a.m. Compliance (plenary panel discussion). Auditorium
Representatives from several organizations will present their perspectives on assessing risks of compliance with standards in their respective "industries."
Don McPartland, IRS
Dennis O’Leary, Joint Commission on the Accreditation of Healthcare Organizations
Shelley Parratt, SEC
Mark Mazur, IRS
10:15 a.m. Break
10:45 a.m. Organizational Culture (plenary panel discussion). Auditorium
This session will discuss the challenges and benefits of developing a healthy risk management culture within organizations, one that is open and communicative, with distributed decision making, and that takes measured and appropriate risks. The session will discuss how ERM affects and is affected by organizational culture. Drawing on case studies and basic research, speakers will address incentives, habits, leadership and measurement and management of organizational factors. Questions answered in this session include: Can ERM help change culture? How can risk management take hold in risk-averse organizations? What can organizations and their constituencies do to mitigate risk and improve reliable performance? Participants will walk away from this session with a realistic understanding of the challenges that organizational culture can place on effective ERM.
Tony Ciavarelli, U.S. Naval Postgraduate School
Linda Connell, NASA
Chris Hart, Federal Aviation Administration
Karlene Roberts, University of California at Berkeley (will also moderate)
12:15 p.m. Lunch
1:15 p.m. Aggregation (plenary panel discussion). Auditorium
This session will include some visual examples of how risks have been or could be aggregated. It also will include discussion on the utility of scorecards/dashboards – What are their strengths/limitations? Where have they been used effectively?
Chuck Lucas, AIG Corporation (will also moderate)
Shaun Wang, SCOR Group
2:30 p.m. Parallel breakout sessions
Session E - IT security (Room 280)
Panel discussion which includes experts who will talk about risks that are emerging or not yet well addressed. This session includes a discussion of data integrity, as well.
Kevin Behr, IP Services, Inc.
Colleen Murphy, IRS
John McHugh, Carnegie Mellon University (will also moderate)
Session F - Using estimates of contextual risks (Room 250)
Panel discussion of, for instance, how to choose external data; what to believe and not believe in estimates of credit and interest risks; how to properly account for the uncertainties in macroeconomic models.
Charles Fishkin, Fidelity Investments
Larry Jacobs, IRS
Chris Hess, IRS
Session G - Modeling heavy-tail events (Room 150)
Panel discussion to share experience in estimating the rare events that can have very serious, even catastrophic, impact. The goal is for participants to develop a better understanding of how much to trust risk estimates for such events.
Patrick Brockett, University of Texas at Austin (will also moderate)
Kevin Holian, Internal Revenue Service
John Nolan, American University
Nathan Siu, Nuclear Regulatory Commission
Session H - How to create and nurture a federal network for ERM (Room 180)
Open discussion among self-selected federal participants. Will include a short talk about NSF’s capabilities and interests in risk management and decision analysis, as a resource for other government agencies. It will also include a discussion of shared challenges and common concerns.
Earl Carnes, Department of Energy
Roger Frey, IRS
Melanie Herman, Nonprofit Risk Management Center
Scott Weidman, National Academies
Harriet Riofrio, Department of Defense
4:00 p.m. Break
4:15 p.m. Reports from all seven breakout groups, giving the high points of their discussions and take-home messages. 6 minutes per group. Auditorium
Charles Taylor, Risk Management Association
5:00 p.m. Adjourn