New skills for new challenges: Risk managers have to start now to develop the skills they will need to face the challenges of tomorrow

New skills for new challenges: Risk managers have to start now to develop the skills they will need to face the challenges of tomorrow – Cover Story

Maura C. Ciccarelli

What a difference six months makes. Last year, Enron was lauded for its model enterprise risk management program led by a smart and progressive chief risk officer. In February, CRO Richard Buy was fired by the company’s board and taken to task by pundits and the media for reaping financial benefits from stock sales. People asked, if the risk managers weren’t minding the store, who was?

In 2001, Kmart was struggling but working toward a retail turnaround. This year, the company filed for a bankruptcy said to be hastened by two factors: it was heavily self-insured for workers’ compensation and some liability coverage, and then the sagging economy and the Enron scandal caused huge losses in the surety-bond market, which Kmart used to help finance its self-insurance. Had routine risk management decisions now become bad choices?

In early September, most risk managers were worried about how their upcoming renewal negotiations would go, in light of a hardening insurance market. After September 11th they not only had to worry about losing coverage and negotiating new and more creative deals with their insurers, but they also had to figure out how to add terrorist attacks to their lists of potential hazards. How can you plan for the inconceivable?

Some of these risk management challenges have, of course, been evolving over the last five years, but the pace, scope, and urgency has picked up in the last six months, fueled by a declining economy, tightening risk transfer options, increased public scrutiny on the risk management field, and, of course, the terrorist attack.

Chris Duncan, newly named CRO of Delta Airlines in Atlanta, has been on the front lines of the changes, in an industry particularly caught in the nexus of tougher economic times and terrorist attacks.

“Pre-9/11, risk managers were very much focused on insurance issues,” Duncan says. “After 9/l1, the size and scope of risk we were involved in managing was gargantuan. You had to be able to flex your world view to go from narrow issues to broad issues at a moment’s notice. The day before, I was wondering how my captive would operate and after, I was trying to figure out how I was going to keep my planes in the air.”

Industry watchers and risk managers like Duncan are seeing new issues faced by top risk managers, ranging from a renewed focus on corporate governance, new concerns about executive liability and security issues, to increased pressure on workers’ comp, and declining coverage and increasing costs. To be ready, they’ll need abilities that are focused on financial modeling and analysis, as well as a deeper understanding of alternative risk transfer programs such as captives and risk retention groups, and, increasingly, management, sales, and people skills necessary to be effective.

Risk managers such as Duncan, as well as Cindy Stevens of AT&T Broadband and Jim Presmanes of furniture retailer Haverty’s, are putting into action today the skills needed for tomorrow’s challenges.

Cold Sweat

It’s no news that the airline industry had its world rocked by the crashes of four airplanes last September into the Pentagon, the World Trade Center Towers, and a western Pennsylvania field. Hundreds of personnel and passengers were among the thousands of victims of the terrorist attacks. Politicians in Washington called for greater security in airports and, even while helping out the airline industry, were asking for more effective risk management approaches such as bolstering security with passenger screening and improving cockpit safety.

“Unless you got some nerve, it’s a little tough,” Duncan says. “I went home in a cold sweat many nights, wondering what I had done that day.”

Duncan says the experience required him to muster up his skills as a financial analyst as well as a public speaker and political lobbyist. “I’ve been in Washington (briefing members of Congress and meeting with government officials) more in the last nine months than I was in my entire career,” he reports. As an outspoken proponent of risk management techniques for the industry, Duncan has adopted a public role, a role that requires a skill set many risk managers had never considered.

Martin C. Leinweber, the new managing director of Georgia State University’s Center for Enterprise Risk Management and Assurance Services (CERMAS), says the personality trait of political adroitness is increasingly required of risk managers.

“As we see increasing complexity in the profession, being responsible to the board, and playing a reviewing role regarding the business units, risk managers need a level of sophistication and political savvy not seen before,” says Leinweber, who formerly was with Accenture consulting. “This is not just the guy who bought your insurance in the past.”

In fact, adds Duncan, risk managers “are a notoriously risk-averse bunch. We’re missing some chromosome and that causes us to be risk averse.”

“After September 11th, for the first time, any company’s senior leadership saw in action the value of good risk management or a narrowly averted crisis because of poor risk management,” he says.

And, with the tough renewal processes that followed the attacks, insurance costs have become issues of the board of directors, requiring the same skills as top executives.

Duncan, who began his risk management career at Pepsico, was named CRO of Delta in January, part of the company’s developing enterprise risk management (ERM) program. Now, he has responsibility for internal audit, risk management, and claims.

Like many other companies, Delta is hoping its ERM program will prepare the airline to respond to a variety of crises, both foreseen and unforeseen. To prepare for such an approach, Duncan adds that risk managers should have skills in both finance and technology.

“I came into the industry in the mid-1980s, when the big thing was to be able to use Lotus,” he says. “We went from ruler and paper to computers. Now, just minimal entry into the game is to be a good Lotus or Excel user. Now, you also have to understand statistical modeling, quantitative analysis, capital markets, investment theory, game theory. It’s hopelessly more complex than it was five to 10 years ago. You really have to have an in-depth understanding of how organizational finance works.”

That said, Duncan says his view of what a risk manager needs in his or her background is not a popular one: “I think the best risk managers of the future will not be people with an insurance background, but people from an operational and financial background. An effective RM is about changing behavior, not just about insurance. I’m convinced that over the long-term, the best risk managers will be the ones with a broad background. Going to Pepsico was one of the best things I could have done as they provided me opportunities to do things other than traditional risk management. I admire (risk managers with a nontraditional risk management background) for going into this weird and wonderful field.”

CFO In Training

Cindy Stevens is one of those nontraditional risk management types. Currently manager of strategic information for AT&T Broadband, she came to risk management three years ago after a 17-year career on the finance side as a credit manager and treasury manager for BP Amoco and a French oil concern. “Broadband was just a pipeline of another nature,” she says. She wanted to fill a gap in her resume on her career path to becoming a chief financial officer.

“Enterprisewide risk management is an initiative we’ve been doing over the last nine months,” says Stevens, who is based in Englewood, Colo. “It’s an emerging process where we’ve interviewed people within the organization in various levels of business background and expertise on how we want to go forward.”

Her group has mapped high level risks in four major categories–financial, strategic, operational, and hazard. Network security also falls into the integrated risk management operation.

For Stevens, her background in using technology such as Risk Lab’s various strategic modeling modules, as well as financial analysis and strategic planning skills, has served her career well.

That financial skill set will be valuable in the future, says Rich Phillips, an associate professor of Georgia State and founding faculty member of the CERMAS center. For example, if risk managers have a holistic view, they can see that an operation in Mexico might be well served to tie its workers’ compensation program to foreign exchange rates.

“They can make deductibles vary with the exchange rate,” says Phillips. “That limits the size of that profit loading and applies risk management techniques in a much more focused way. For terrorism insurance, you might pinpoint double triggers, building a trigger for your retention of terrorism exposure related to overall corporate profits.”

On the technical side, Stevens suggests proficiency in using database programs such as Access, spreadsheet programs such as Excel, and even Visual Basic software development to manage a data set. And, understanding a portfolio of claims and challenges from inflation, rising costs, and even knowledge of counter party risk are helpful to tell the risk management story internally and at the board level.

“I enjoy risk management, as long as it’s not just insurance and claims,” says Stevens, who added that her parent company, AT&T, handles the risk transfer management. “If it’s the big picture, the integrated role of enterprise risk, that’s what I find interesting. It’s really just another way of protecting the revenue stream.’

Because of her finance and project assessment background, Stevens believes risk management should be a part of any evaluation for every project that a company does. That type of a risk manager can ask, ” ‘Have you looked at risks of counter parties or suppliers?’ Then you apply probability, and the expected value of a firm is driven by this profile.

“It’s hard to get projects approved in today’s world,” she says. “You have to show your return.”

At the time of this interview, AT&T Broadband was in merger conversations with Comcast, and her operation was geared up to move data. “Data portability is very important to us,” she says. “Because we’ve grown up with mergers and acquisitions over time and always had data portability with Risk Labs.”

Ice Savvy

With the increased focus on financial and technical skills, what is a dyed-in-the-wool risk manager to do?

Jim Presmanes, assistant vice president, risk management for Haverty’s, a 116-year-old Atlanta-based furniture retailer with 104 retail locations in the Southeast and Midwest, has been with his company for 10 years and has managed corporate risk for about 15 years.

“You have to skate where the puck is going,” he says, quoting hockey great Wayne Gretzky. To get there in his risk management career, he went back to school.

After earning an MBA in 1990, Presmanes followed up with additional managerial leadership training at University of Pennsylvania’s Wharton School of Business. He took one course–understanding economic issues and financial markets–twice because he found the approach so valuable and deep. “I learned a lot and grew a lot through that process. That combined with the MBA took me to one level. I then had to become an expert in the area of finance.”

Now, he’s enrolled at Georgia State’s risk management certificate program. In the past, most MBA programs offered little exposure to issues such as derivatives. “Georgia State’s program is tailored specifically for people like me who’ve been in the business for a while and have a business degree already, so you don’t have to spend time gearing up and you can hit the ground running. It’s presumed you understand corporate finance when you come into the program.”

Presmanes is using the knowledge learned from this training to develop an enterprise risk management program for his company.

“Looking forward, risk management will be more about the continuous mapping of corporate risks across the enterprise and determining the degree to which these risks, either by themselves or in correlation with other risks, block the organizations’ effort to achieve strategic objectives,” Presmanes says.

Robert E. Hoyt, University of Georgia professor and head of the Terry College of Business’s Risk Management & Insurance Program, based in Athens, says that corporate America has been increasingly interested in the role of risk in strategic operations of their organizations. “I think we’ve seen that trend line over the last four to five years at least. The concept of ERM has really emerged in an environment where companies are contemplating whether they are managing risk in the proper way.”

The additional financial training has been helpful, says Presmanes. “A person with an MBA from few years ago would have a difficult time interpreting insurance programs with things like put options. That is just around the corner.”

Echoing Duncan’s view of the increasingly visible role of the risk manager in an organization, he concludes: “A risk manager can be smart as a whip and technically proficient as can be, but unless you can influence high ranking managers with your ideas, then it’s all for naught.”

Maura C. Ciccarelli can be reached at

RELATED ARTICLE: The Reputation Question: Are CROs and ERM Programs Tainted?

Now that everyone in American has learned through Enron’s media coverage about the details of one of the biggest corporate downfalls in history, the question arises: what will be the reputation of the chief risk officer position and enterprise risk management programs since neither were able to forestall the collapse?

“Although it’s clear that Enron’s activities were touted as the advantages of risk management across an organization,” says Robert Hoyt of the University of Georgia, “it’s important to add that, at this point, it looks like a lot of people were trying to pull the wool over people’s eyes. There are no management techniques to prevent organizations from widespread deception. If you’re going to lie to people, it doesn’t matter whether you coordinate communication or not.”

Adds Chris Duncan, CRO of Delta: “I think there’s been so much marketing hype around ERM that we’re doing ourselves a disservice to throw the baby out with the bath water because (the approach) is in it’s infancy.”

And, ERM is not a one-size-fits-all program; it’s particular to each company. Duncan says that companies should do ERM in a smart and appropriate way to the extent necessary in their own company.

Martin Leinweber of Georgia State’s CERMAS says the Enron debacle will focus more attention on governance issues. “They appointed a CRO, gave him independence. He reported to the board (of directors). They dedicated a great deal of investment into this–50 people were devoted to this issue.

He said the picture that’s been emerging is that former Enron CRO Richard Buy, who was fired in early February by the company’s board, “tended to ignore the recommendation of these talented people. Congress is going to tell us and the media is going to tell us that Buy made a significant amount of money through this-around $4 million. That will raise issues of how you compensate top executives to get around conflict of interest.”

Richard Phillips, associate professor of risk management at Georgia State, adds that the public’s perception of the CRO role will depend on why the CRO position didn’t work. He agrees with Senator John Dingle that the situation might boil down to: it was criminally stupid people and/or stupidly criminal people.

“I agree with Dingle’s point of view that it is the case, rather than that the CRO is a flawed concept,” he says.

The CRO Defined

According to a survey results released last fall by the Conference Board of Canada, the University of Georgia’s Center for Enterprise Risk Management, and Tillinghast-Towers Perrin:

* 85 percent of CROs exist in two industry sectors: energy/utilities, and insurance/banking/financial services.

* 50 percent of responding organizations had CRO positions for less than two years; 20 percent said three years and only 1 percent said five years.

* Why was the position created? Three themes emerged: centralization and coordination of all risk management activities; introduction and development of an enterprise (or integrated) risk management framework; and improvement of risk communication to management, the board and others.

* Most important training/experience and skills of the CRO: Communication (18 percent); managerial (8 percent); accounting (15 percent); finance (22 percent); math/quantitative skills (24 percent); and risk management (13 percent).

* 45 percent of CROs reported directly to the CEO; 35 percent to the CFO and 20 percent to “other.”

* Where is the CRO position heading: fading into the CFO (26 percent); stagnation (5 percent); decline (16 percent); and continued growth (53 percent).

* What types of organizations are likely to create a CRO/risk executive position in the future? Financial and energy industries will continue to do so, but respondents anticipated growth in trading and telecommunications organizations, as well as in large multinational organizations from within other industry groups. A few respondents said there is a “need for enterprisewide, coordinated focus on risk” in most organizations, regardless of size or industry. Within these organizations, they anticipate the adoption of a broader focus on risk, with the responsibility falling to an existing executive.

COPYRIGHT 2002 Axon Group

COPYRIGHT 2002 Gale Group