Keeping danger at bay
The role of risk managers is expanding at many companies

by Joan Tupponce
for Virginia Business
May 2007

The $4.9 billion dollar deal was just a few days from closing in August 2005 when Hurricane Katrina barreled through New Orleans, hometown of Hibernia Bank.

Credit card giant Capital One Financial Corp. was looking to diversify its holdings by adding the bank to its fold. The company, with the help of its Enterprise Risk Management (ERM) group, swung into action to help the ailing bank after the catastrophe.

The hurricane devastated homes and businesses throughout the Gulf Coast, where more than 100 of Hibernia’s 321 branches were hit by the storm. Capital One’s mission was twofold: It had to figure out whether to continue with the acquisition and what steps to put in place to assist Hibernia employees, so they could continue doing business. “We assisted them with getting backup systems in place, and we brought in computer equipment,” says Scott Green, Capital One’s managing vice president of ERM. “We helped them secure real estate and helped them move their operations.”

Despite the devas­tation to Hibernia’s region, the deal closed that November. Things went smoothly because Capital One’s ERM group was ready for a catastrophic event such as Katrina. The group handles the corporation’s overall approach to managing risk. “It drives Capital One’s capability to balance risk and reward and to minimize surprises,” explains Green.

As part of its risk management strategy, the company has a Business Continuity Management program that studies the effects of catastrophic events such as hurricanes. “Part of the program involves scenario analysis,” says Green. “We conduct exercises internally to see how it will play out. We monitor the impact and identify potential scenarios.”

Capital One’s approach is one example of the changing and broadening role of risk management. Today, companies try to plan for an array of risks that could affect their well-being, everything from catastrophes to cyber threats and accounting scandals.

The trend represents a departure from past practices. Originally, risk managers oversaw safety and insurance issues. “The traditional risk manager would provide loss control and loss prevention techniques and would conduct cost/benefits analysis to justify buying the loss control tools and insurance,” says Etti G. Baranoff, associate professor of insurance and finance at Virginia Commonwealth University. Moreover, the position would be entrenched under the treasurer or chief financial officer. “It would be responsible for buying insurance or providing alternative risk financing, if a risk was not insurable or the coverage was too expensive,” adds Baranoff.

Now the job is as diverse as the risks that threaten a company, physically and financially. “The field has grown increasingly complex,” says Marc Lipson, associate professor of finance at the University of Virginia’s Darden School of Business. “The scope of things you can insure has increased. It takes tremendous expertise and understanding.”

Risks that keep these professionals up at night range from global pandemic to breakdowns in the supply chain. There also are financial risks, which can include market and interest-rate shifts to regulatory and operational risks. But risks can have positive outcomes as well negative ones. “The old model of isolated pure risk [of only loss and no gain] has given way to the paradigm of enterprise risk” (gains as well as losses), Baranoff says.

Seven years ago the role of risk manger at Capital One was narrowly focused. The company had employees who specialized in credit risk, others who specialized in managing liquidity (funding to support the business) and still others who specialized in buying insurance as protection. “We think more broadly and more strategically about risks we take as an organization,” Green says.

The line that delineates a risk man­ager from an enterprise risk manager is hazy because some of the responsibilities overlap. “A risk manager tends to focus on insurable risks of the organization,” explains Tom Heim, managing director of casualty and risk management practice at Hilb Rogal & Hobbs. “Enterprise risk managers are more holistic in their scope.”

In 2002 when Capital One went to the ERM model (many large companies have adopted a similar model) the company defined eight risk categories — operational, credit, compliance, strategic, reputation, legal, marketing and liquidity — and began looking across the company to formulate a risk profile. “We make sure the business managers and division heads are making the business decisions with the right degree of rigor,” explains Green.

Five years ago, the company also added a chief enterprise officer, now chief risk officer, who reports to the company’s CEO. (Capital One’s chief risk officer is Peter Schnall.) “We were expanding products as well as the scope and size of the organization,” says Green. “External expectations among rating agencies, regulators and analysts were rising. There were a lot of forces driving us to invest more into risk management.”

Because of their in­creasing responsibilities, risk managers often have a broad view of a company’s operations. Take Wendy Tate, for example. The vice president of insurance services and risk management for Southern States Cooperative, Tate is responsible for everything from the company’s corporate insurance program to its executive risk and fiduciary coverage. She also works with different divisions to develop policies, procedures and reporting structures. As a result of her wide connections in the company, Tate often helps departments communicate with one another. “I get to bring in new thought processes from different operating groups,” she says. “That’s the fun and challenging part of the job.”

Another responsibility is complying with requirements of the Sarbanes-Oxley Act of 2002, which regulates corporate governance and finance practices. “The Sarbanes-Oxley Act and the Enron case opened up a whole new idea of liability,” she says. “Although Southern States Cooperative isn’t a public company, we have adopted all the Sarbanes-Oxley requirements that are economically feasible to our organization because we do strive to fulfill the same level of fiduciary responsibility that stock/public companies do.”

Enterprise risk managers must be planners, says Heim. “You have to create a template to define the risks of the company and create a glossary of risk terminology,” he says.

Not all risks are equal. For example, a merger and acquisition deal that would pay off in millions of dollars could be a financial plus if it succeeds or a huge risk if it fails. “An enterprise risk manager steps in and helps to evaluate some of those things,” Heim says.

Because the country is more litigious than ever before, enterprise risk managers may have to address concerns about punitive damages. “Right now errors and omissions, professional liability, and directors and officers [insurance] coverage are in the forefront when it comes to risks, as are identify theft, cyber risks and brand protection,” says Matthew McDavid, assistant vice president of business development at Marsh and McLennan Cos. “Look at companies like Enron and WorldCom who have had hiccups. It hurts the brand. You want to address risks and control them the best you can to protect your brand.”

That adds just another item to the list of things risk managers worry about.