17. James Lam on the new world of risk management and oversight for companies and boards

James Lam is a globally recognized risk expert, an early advocate of Enterprise Risk Management and the first-ever Chief Risk Officer. He has served as a director and chair of the risk oversight and audit committees of both public and private companies. James was a commissioner for the NACD Blue Ribbon Commission on board oversight of disruptive risk. In this episode he shares his most current thinking on the evolving state of risk management and the challenges and opportunities ahead.


Links

https://en.wikipedia.org/wiki/James_Lam

https://jameslam.com

NACD Cover Story: Animal Kingdom of Disruptive Risks

NACD Directorship: The View of ERM from E*Trade’s Risk Chair

Quotes

I think taking a proactive approach to risk management is one of the key responsibilities for the CRO. So, think about yourself in the first line of defense. You’re running a business. You’re running the IT function. You’re really focused on the day-to-day, and you might be responding to risk incidents or minor crises, but a Chief Risk Officer is much more forward-looking, much more proactive, looking at things outside in, looking at things much more long term… the Chief Risk Officer really provides the expertise, the time, the attention and focus on the most critical things that are going to drive performance in the future. So being proactive, being forward looking at key trends outside in, are really important things.

I think it is important that the board provides input in terms of the kind of risk management reporting that they want to see, the kind of metrics, and also guidance on the risk appetite statement and the integration between risk and strategy.

The Risk Committee and the Audit Committee wear different hats. They have very different scopes and mandates. The Audit Committee is paid to think inside the box: SEC requirements, financial disclosure, Sarbanes Oxley, FASB, etc. You don’t want to be creative in your accounting. You really want to make sure you’re in compliance with all the laws, regulations and standards.

Whereas the risk committee is paid to think outside the box. What are the uncertainties, what are the external drivers that could impact our earnings, our cash flows, our value? How do we expect the unexpected? How do we think around corners? So, you’re really paid to think outside the box, and I think that is a very compelling way of contrasting the scope and mandate of the Audit versus the Risk Committee.

Big Ideas/Thoughts

Even companies with risk committees might say appropriately that strategic risk, and reputational risk ought to be a full board agenda item. There are different ways of doing it, but I think the most important thing is to make sure that the risk agenda is well represented in terms of board and committee time.

What are the things that we should look at in determining whether, and to what extent, a board bears the responsibility for the catastrophic problem that might derail a company?

I think your listeners could benefit from looking at the Blue Bell Ice Cream case (Blue Bell case commentary) and the Clovis Oncology case (Clovis case commentary), both of which I think have really elevated the standards for duties of care and duties of loyalty in terms of risk management and compliance, and that it is important for the Board of Directors in exercising those two standards to make sure that there is a risk management and compliance system in place, and that system is working effectively and that the board is getting the right metrics, the right reporting and red flags in terms of risks, and that they hold management accountable.

Chief Risk Officer

The Chief Risk Officer is really tasked with making sure that there’s a robust and effective ERM program, that risk management policies, risk assessment and analytics, risk management strategies, and executive and board reporting are appropriate.

I would say the CRO is responsible to help the board and senior management to imagine the unimaginable. To expect the unexpected and be able to prepare for any scenario. I worked with one Board of Directors and the company had a very strong ERM program. In 2018, the board approved a pandemic management plan. Last year they stress tested that plan and then when the pandemic hit early this year, they had a playbook. The playbook didn’t anticipate everything, but it had a curve with different stages of a pandemic, it had social distancing, PPE, you know, working remotely and so forth. We probably had 70 to 80% of the eventualities and that really helped the company be prepared for this scenario. I would say that company probably wouldn’t have this plan in place if they hadn’t already addressed some of their core risks in their ERM program.

A lot of companies get stuck in risk identification. So the way many companies do risk assessments and heat maps, they generally get people in the room, they say, what are the risks facing the company? They might come up with 20, 30 different risks and they would assess the probability one to five and then severity one to five and they’ll multiply the two scores to get an overall risk rating.

I believe this approach is fundamentally flawed. Let me give you a very specific example. What’s the probability and severity of a Cyber Security attack that’s happening to the company right now? Your firewall and your controls are able to protect against it. Probability is high. One to five, it has to be at five, it’s happening. Hundreds and thousands of times. What’s the severity? It’s low. The lowest you can be. It’s a one. So, five times one is a five. What’s the probability and severity of a major data breach? The probability is low. It’s a one. Severity is high. It’s a five, one times five, it’s five. So, you end up with the same score for two very different situations. The math behind probability times severity gives you expected loss, but your risk is not driven by expected loss, it’s driven by stress loss or unexpected loss.

In determining how to assess risk, I like to start with the key strategic, business, and operational objectives of the company. What’s your strategy? What are the KPIs – Key Performance Indicators – that would indicate whether you’re achieving that strategy? Then you say, what are the risks that could drive variability in those KPIs? What are the key risk indicators and risk tolerances for those risks? So, start with the business objectives of the company and let that drive your risk assessment and quantification.

Transcript

Joe: [00:00:00]  Hello and welcome to On Boards – a deep look at driving business success. I’m Joe Ayoub and I’m here with my co-host Raza Shaikh. On Boards is about Boards of Directors and Advisors and all aspects of board governance. Twice a month, this is the place to learn about one of the most critically important aspects of any company or organization, its Board of Directors or Advisors.

Raza: [00:00:32] Joe and I speak with a wide range of guests and we talk about what makes great boards great, what makes a board unsuccessful, what it takes to be a valuable member, and how to make your board one of the most valuable assets of your company.

Joe: [00:00:50] Our guest today is James Lam. James is a globally recognized risk expert, an early advocate of Enterprise Risk Management, and the [00:01:00] first ever company Chief Risk Officer. He is the President of James Lam and Associates; a highly regarded risk management consulting firm. He has served as the director of both public and private companies and served as commissioner for the National Association of Corporate Directors, Blue Ribbon Commission on Board Oversight of Disruptive Risks.

Raza: [00:01:24] His bestselling books on Enterprise Risk Management have been translated into many languages and have been adopted by top college degree and professional certification programs. James has been published and quoted in over 200 articles, including the Wall Street Journal, Harvard Business Review, The Economist, NACD Directorship, Forbes, Financial Times, and CFO Magazine.

Joe: [00:01:50] Welcome James. It’s great to have you today as our guest on On Boards.

James: [00:01:54] Thank you. It’s great to be here with you, Joe and Raza.

Joe: [00:01:59] So James, you are one of the most widely-recognized risk experts in the world, and as I mentioned in my introduction, the first ever Chief Risk Officer for a company. How did assessment and management of risk become your professional passion?

James: [00:02:16] Well, if I go back to the beginning, I got my undergraduate degree in finance, and so I was always very interested in financial management and statistics. Risk management is my passion and I’m very fortunate to find a career where I could practice something that I truly believe in; something that leverages off my finance degree and learnings, so that’s quite good, and I’ve had the opportunity to practice risk management in three different ways.

One as a practitioner working inside a company, two, as a consultant [00:03:00] working with different companies and different industries and different stages of risk management, and thirdly, as a director, providing risk governance and oversight, in terms of risk management and leadership.

Joe: [00:03:16] Can you talk a little about what you do for the companies with which you work, to help improve the effectiveness of their Enterprise Risk Management programs?

James: [00:03:27] So I’ve worked with over 75 ERM or Enterprise Risk Management engagements, different companies, different industries, and typically, I would go into a company and assess their current risk management processes and then come up with a set of recommendations in terms of how they could enhance those processes. But what’s really important is to understand: What are their [00:04:00] business needs? What’s the size, complexity, business model and strategy for the company? So you could customize the Enterprise Risk Management program for their needs, and one thing that’s distinguished about what I do, given that I’ve been a practitioner when I do work with companies, I help them with implementation. You know the classic joke where the consultants tell you what to do, but they don’t help you do it? Well, I try to overcome that. So I do help my clients with implementation. I have templates, examples, case studies, so they could implement much more efficiently.

Joe: [00:04:41] Do you typically work with management, with the board, with both? How does that interaction take place?

James: [00:04:47] Yeah, usually both, and what I found to be a critical success factor is the commitment and engagement of the CEO. So if I could have one thing in each [00:05:00] engagement and I could tell you of the engagements that were highly successful, there’s a hundred percent correlation to how engaged and committed the CEO is, and then having board involvement, board input, I think is critical. If there’s a Chief Risk Officer, having a capable Chief Risk Officer and the alignment with other senior executives, I think all of those are critical things. So it’s not about getting the data model or even the analytics; it’s really about getting management buy-in and shaping the culture of the company.

Joe: [00:05:40] So I’ve always been intrigued by the fact that you were the very first Chief Risk Officer for a company. How did that come about and what did that role mean exactly?

James: [00:05:52] Well, this was in 1993. I joined GE Capital Market Services and I [00:06:00] had the responsibility for the middle and back office. So in the middle office, I had market risk and credit risk and back in ’93, there was no such thing as Operational Risk Management – it was just Operations. So, one day I walked into my boss’s office, the President of the company. I said, ‘Hey, Rick, I’m ordering some business cards. What’s my title?’ And he goes ‘Well, I didn’t come up with one for you. Why don’t you come up with one that fits your responsibilities?’ And at that point, the title of CIO – Chief Information Officer – was becoming very popular: having a senior level executive, a C-suite executive that’s going to integrate your mainframe, your client server, your PC and internet technologies, in support of the company’s strategy. And so why not risk? Why not have a C-level [00:07:00] executive that’s going to integrate financial risk, operational risk and strategic risks and elevate it to a C-level agenda item, and so I thought, well, Chief Risk Officer sounds pretty good to me.

Joe: [00:07:14] That is good. So you kinda just made it up, put it on your card and it was born right there and then.

James: [00:07:21] Yeah. And over time, now I think there are thousands and thousands of Chief Risk Officers across many industries in the world, and I think it’s a good movement. I think companies have benefited from that role.

Joe: [00:07:37] So in the past, companies have had people called Chief Security Officers, or they’ve had Chief Information Security Officers. What is it that brings a company to kind of adopt the idea of having a Chief Risk Officer? What gets them there and what is the advantage that that brings to a company?

James: [00:08:00] Yeah. So for most companies, the role of the Chief Risk Officer or Chief Compliance Officer is considered the second line of defense. Right? So the first line of defense are the business units, the operational units, so your business leaders, your CIO and your CTO are considered your first line of defense. They own the risk.

The Chief Risk Officer is the second line of defense. They provide policy, they provide oversight and best practices in support of the CEO and the executive team, to oversee risk management within the whole company, and the third line of defense, I would say, is the Board of Directors with the support of the internal audit function.

Joe: [00:08:51] So, you’re posing it as a line of defense, but I’ve read some of your articles, and I really got the impression [00:09:00] that it’s more almost of a proactive position that a Chief Risk Officer is taking, rather than when you think of a line of defense, you almost think of a defensive position. So is it fair to say that a Chief Risk Officer and we’ll talk a bit also about a Risk Committee, makes it more proactive in addressing risk and thinking about risk. Is that a fair way to look at it?

James: [00:09:23] That’s exactly right, Joe. I think taking a proactive approach to risk management is one of the key responsibilities for the CRO. So, think about yourself in the first line of defense. You’re running a business. You’re running the IT function. You’re really focused on the day-to-day, and you might be responding to risk incidents or minor crises, but a Chief Risk Officer is much more forward-looking, much more proactive, looking at things outside in, looking at things much more long [00:10:00] term. Defining policy, defining risk appetite, thinking about risk in a much broader context and how it may impact the company. These are not things that you would expect from the first line of defense, and it’s probably not something that the executive management team spends a lot of its energy and time on, so having that role of a Chief Risk Officer really provides the expertise, the time, the attention and focus on the most critical things that are going to drive performance in the future. So being proactive, being forward looking at key trends outside in, are really important things.

Joe: [00:10:47] So in kind of following that, I know that you’ve recommended that the companies have Risk Committees on their boards and a number of companies have in fact adopted that practice, but many have [00:11:00] not. Why do you recommend a separate Risk Committee? Why can’t, for example, the audit committee, which typically is tasked with that function, why can’t they handle it, and doesn’t it to some degree depend on the level of risk that a company faces? So maybe a company that sells groceries, has a different kind of risk than a high-tech company, for example.

James: [00:11:25] I think the business models, complexity are important factors. But let me talk about why a company should at least consider setting up a Risk Committee from two dimensions. One is in terms of scope and mandate, and the other is just in terms of function. So in terms of scope and mandate, I’ll relate to you a conversation that I had with a board member from a large energy firm. So I want to give credit where it’s due, and she was a member of the Risk Committee [00:12:00] and the Audit Committee and that company was considering combining the two, and she was a strong advocate of keeping both the risk and audit committee. And she said to me, ‘James, the risk committee and the audit committee wear different hats. We have very different scope and mandates. The Audit Committee is paid to think inside the box. Your SEC requirements, your financial disclosure, Sarbanes Oxley, FASB, et cetera. You don’t want to be creative in your accounting.

Joe: [00:12:40] Right.

James: [00:12:40] You really want to check the box, make sure you’re in compliance with all these laws, regulations and standards, whereas the risk committee is paid to think outside the box. What are the uncertainties, what are the external drivers that could impact [00:13:00] our earnings, our cash flows, our value? How do we expect the unexpected? How do we think around corners? So you’re really paid to think outside the box’, and I thought that was a very compelling way of contrasting the scope and mandate of the audit versus the risk committee, and I’ve chaired both. I’ve chaired a risk committee for E*Trade, I chaired an audit committee for RiskLens, and I would say the functioning of those two committees is very different. You look at the agenda items, you look at the reporting and you look at the oversight and decision making. They’re very distinct. Now, I’m not going to say that every company needs a risk committee. If you’re going to have it as part of the audit committee, you just have to make sure you have the right directors, the right skills, and that you spend enough time in that committee [00:14:00] on risk management issues, or it could be a part of the full board. Even companies with risk committees might say appropriately that strategic risk and reputational risk ought to be a full board agenda item. So there are different ways of doing it, but I think the most important thing is to make sure that the risk agenda is well represented in terms of board and committee time.

Joe: [00:14:29] So, if you were populating a risk committee versus an audit committee, what are the skills and expertise you’d be looking for on the risk committee that might be different from the folks you would be appointing to the audit committee?

James: [00:14:45] Yeah. So for the audit committee, you want financial experts, right? People who come from a CFO, auditing, regulatory type of background, right? [00:15:00] For the risk committee, you want risk experts. You want Cybersecurity professionals. You want business people who could translate risk in terms of strategy and operations, you know, operational people would be very good. So I think the skill sets are very different, because the work is different.

Joe: [00:15:23] Okay.

James: [00:15:23] There’s some overlap, right? So I think it’s important for example, that the audit committee sits on the risk committee, and the audit chair sits on the risk committee and the risk chair sits on the audit committee when you have those two committees.

Joe: [00:15:40] That makes a lot of sense.

When you serve as a board member, what role have you typically filled and how have you worked with management in that role?

James: [00:15:52] Yeah. So I think we’ve all heard of the principle of “nose in and fingers out.”

Joe: [00:15:59] Right. [00:16:00] Yep.

James: [00:16:00] And I respect that principle. I also think that there’s a middle ground. So if a company is in a situation where they really need to up their game in risk management, and if there’s a director who has deep risk management or Cybersecurity expertise, I think the middle ground is providing a guiding hand. So it’s not ‘nose in and fingers out’, but you could provide some guidance in terms of your expectations and your standards.

So I think it is important that the board provides some input in terms of the kind of reporting that they want to see, the kind of metrics, that they provide input and guidance on the risk appetite statement and the integration between risk and strategy, and I’ve also found at a [00:17:00] practical level that having informal working groups, management and board members, could be very helpful. So you’re sitting outside of a formal board meeting, because during a board meeting, if you provide critique or guidance, management might take it as being defensive, in terms of you criticizing the work that they’ve done, but if you do it in an informal working group, then you could bounce around ideas, brainstorming, draft things, and do it in a very constructive and non-threatening manner.

Joe: [00:17:38] Yeah, that’s a great idea. That really makes a lot of sense to me, especially with something like risk where it seems like you really need a more open conversation than you might in some other areas. So let me ask you this. So when something really bad happens at the corporate level, from whether it was Enron to [00:18:00] WeWork to Wirecard, the question is asked, “where was the board?” Why did this happen on their watch?

What are the things that we should look at in determining whether, and to what extent, a board bears the responsibility for the catastrophic problem that might derail a company?

James: [00:18:22] Yeah, I think boards need to go back to the basics in terms of fiduciary responsibilities, our duties of care, duties of loyalty, but put that in the context of risk management and oversight. Besides the corporate scandals that you’ve just mentioned, I think your listeners could benefit from looking at the Blue Bell Ice Cream case and the Clovis Oncology case, both of which I think have really [00:19:00] elevated the standards for duties of care and duties of loyalty in terms of risk management and compliance, and that it is important for the Board of Directors in exercising those two standards to make sure that there is a risk management and compliance system in place, and that system is working effectively and that the board is getting the right metrics, the reporting and red flags, in terms of risks, and that they hold management accountable. So for any board, I think those are standards that we need to consider and make sure that we fulfill those duties of care and loyalty.

Joe: [00:19:52] That’s great. That’s helpful.

Raza: [00:19:53] James. You know, you alluded to multiple levels of [00:20:00] managing risk or looking at risk. Some people would argue that at the end of the day, the CEO of the company is really the real Chief Risk Officer. How does the Chief Risk Officer in a company have a real impact if the risks that they are tasked at managing blow up? This is like asking, is the risk management job even real without skin in the game?

James: [00:20:26] Yeah, I think that’s a great question. In terms of the CEO, you could always argue the CEO is also ultimately the CFO, the CMO, and ‘C’ anything else – because ultimately that person is responsible for the performance of the company, and the reason why the CEO needs a C-suite of specialists is really to support him in managing the company, operating the company, executing against the [00:21:00] strategy.

I think the Chief Risk Officer is really tasked with making sure that there’s a robust and effective ERM program that the policies and the risk assessment analytics, the risk management strategies, the reporting are appropriate. If the CEO wants to do that, great! It should be explicit that the CEO is also the Chief Risk Officer. It should be explicit, not implicit. For example, if you look at Steve Jobs at Apple, he was the CEO, but you would argue he was also the Chief Product Officer, because that’s his expertise. So if you have a CEO, that’s also very risk-skilled, then that would be fine, but I don’t think you find that in too many organizations.

Raza: [00:21:56] We’ve heard about use of heat maps [00:22:00] and other quantification methods that look at risk at a glance. Can you give us an overview of what risk quantification solutions have evolved and how companies like RiskLens provide such tools? Are they suitable for boards or mostly for management?

James: [00:22:19] Yeah. Thank you for asking that. So I’m on the board of RiskLens and RiskLens is a Cyber Risk quantification company, and I chair our audit committee. But beyond Cyber Risk, if you go back to financial risks, so market risk in the nineties was a real challenge, believe it or not, but if you go back, people would say, ‘oh, it’s really hard to measure value’, whereas it’s hard to measure mortgage prepayment and getting a lot of data and models together. We solved that, right? We do market risk monitoring real time, [00:23:00] 24/7 now, and then it was credit risk. Oh, it’s really hard to aggregate all of our lending and counterparty exposures across an organization. Well, we solved that. Then it was Operational Risk, now Cyber. So if you go back to the nineties, even eighties, the past 30 plus years, we had challenges in risk quantification measurement, but we’ve overcome that, and I think we will overcome that with Cyber and any other types of risks. We manage what we measure and for us to get to good risk management, I think we need to get to good risk quantification. Many companies I see use risk assessments that are qualitative and heat maps that lay out these risk types in terms of probability range and the severity [00:24:00] range. And the directors and senior executives I talk to don’t find these processes or reports useful or actionable.

Raza: [00:24:13] It may become white noise.

James: [00:24:16] It is, and I think a lot of companies get stuck in risk identification, as opposed to true risk assessments and reporting. I’ll give you an example of that.

So the way companies do risk assessments and heat maps, they generally get people in the room. They say, what are the risks facing the company? They might come up with 20, 30 different risks and they would assess the probability one to five and then severity one to five and they’ll multiply the two scores to get an overall risk rating, [00:25:00] and let me tell you that I think we all strive in our business life and also our personal life, in terms of achieving some simplicity. Simplicity, it’s a great thing, but I would also distinguish something that’s simplistic and superficial versus something that’s really robust and analytical that you simplify. So I love simplification. I don’t love simplicity. I don’t love things that are superficial, and going back to that one to five rating,

Raza: [00:25:39] Yeah.

James: [00:25:40] I’ll give you a very specific example. What’s the probability and severity of a Cyber Security attack that’s happening to the company right now? Your firewall and your protections are able to protect it. Probability’s high. One to five, it [00:26:00] has to be at five it’s happening.

Raza: [00:26:01] Yeah.

James: [00:26:02] Hundreds and thousands of times. What’s the severity? It’s low. The lowest you can be. It’s a one. So five times one is a five. What’s the probability and severity of a major data breach? The probability is low. It’s a one. Severity is high. It’s a five, one times five, it’s five. So you end up with the same score for two very different…

Raza: [00:26:30] I think my example would be averages. So you may have heard, would you ever cross a river that’s told to be four feet deep on the average? Like the average loses a lot of information in the guise of simplicity, but oversimplification just doesn’t remain useful. So if somebody said the river is on the average [00:27:00] four feet deep, would you cross it?

James: [00:27:02] Yeah. And that’s exactly right. And the math behind probability times severity gives you your expected loss.

Raza: [00:27:11] Yes.

James: [00:27:13] Your risk is not driven by expected loss. It’s driven by stress loss or unexpected loss.

Joe: [00:27:21] Right. Great.

Raza: [00:27:22] Reversing that, the broader question James would be like, so what is a better or best practice way that management should be reporting risk to boards? What is a good way of seeing it? What is a good way of talking about it, from a reporting perspective to the board?

James: [00:27:42] Well, you’ll be surprised, and my clients are surprised with my answer to that, and that is don’t start with the risk. So a lot of times companies say, they start with, what are our risks?

Raza: [00:27:56] What are our risks.

James: [00:27:57] Yeah. That’s the first question, and I like to [00:28:00] start with the key strategic, business and operational objectives of the company, so start with your strategy. What’s your strategy? What are the KPIs – Key Performance Indicators – that would indicate whether you’re achieving that strategy? Then you say, what are the risks that could drive variability in those KPIs? And then you could say, what are the key risk indicators and risk tolerances for those risks? All right. So in terms of metrics and KRIs and risk appetite, but don’t start with the risks. Start with the business objectives of the company and let that drive your risk assessment and quantification, and also what are the most important outcomes for the company in terms of earnings, market value, cash flows, [00:29:00] and even for non-profit organizations and government entities, what’s our mandate, how do we measure the achievement of that mandate in terms of metrics, and start with that, and design the risk management program and reporting around those…

Raza: [00:29:18] James, you talk about the risk zoo, as I’ll call it. Tell us about black swans, white elephants, and gray rhinos.

James: [00:29:27] Well, this is some of the work that I did with the NACD in the 2018 Blue Ribbon Commission report on board oversight of disruptive risk. So one of the recommendations of that Blue Ribbon Commission Report is that you should make sure a robust ERM program’s in place, in terms of your strategic, financial, operational, regulatory, reputational risk. And once you have that [00:30:00] core foundation, then you really need to think about doing scenario analysis, and think about these disruptive risks, things like AI, Cyber Security, climate change, pandemics, and I group them into three animal categories. It was the black swans and gray rhinos – two books written by other authors that I think very highly of – and black swans are improbable, but very severe events like September 11th, like the invention of the internet. Gray rhinos are macro events that are charging at you, that you really see coming, like artificial intelligence. Now it’s like changing a lot of things and changing the world [00:31:00] in the business that we see, but Artificial Intelligence was invented in the 1990s, just North of here in Dartmouth, right? Where computer scientists taught computers how to play chess better than the average human, and now it’s becoming much more important. I would also say climate change, Cyber Security, are also gray rhinos, and white elephants are like the combination of a risk event and the elephant in the room. Things that, it’s here, right. It could be a dysfunctional CEO. It could be a money-losing business that a senior business executive is really invested in. We can’t get out of it. It could be an adverse culture of the company that we [00:32:00] all know is here. We should do something about it, but we don’t talk about it, and we try to avoid the topic.

All of these disruptive risks, black swans, gray rhinos, and white elephants could have a severe impact on an organization, but for various reasons, cognitive biases, loyalties, emotional issues, we have a hard time dealing with them, and so the BRC report and my article really say that in addition to the risks that we traditionally look at, if you look at the world we live in today in 2020, it’s just an amazing example of that. We need to think about disruptive trends in this as well.

Joe: [00:32:47] So if a company had a Chief Risk Officer, that person would be charged with making sure the company and the board were looking at black swans and facing the white [00:33:00] elephant in the room, etc. I mean, that would be a compelling argument for “why have a Chief Risk Officer.”

James: [00:33:06] Yeah. And I would say that person is responsible for helping the board and senior management to imagine the unimaginable. To expect the unexpected and be able to prepare for any scenario. I think being prepared is really important. So I worked with one Board of Directors and the company had a very strong ERM program. And two years ago, in 2018, the board approved a pandemic management plan. Last year they stress-tested that plan, and then when the pandemic hit early this year, they had a playbook. The playbook didn’t anticipate everything, but it had a [00:34:00] curve and it had different stages; it had social distancing, PPE, you know, working remotely and so forth. We probably had 70 to 80% of the eventualities, and that really helped the company be prepared for this scenario. But I would also say that company probably wouldn’t have had this plan in place if they hadn’t already addressed some of their core risks in their ERM program.

Joe: [00:34:27] Great example. Thank you.

Raza: [00:34:28] James, to use Donald Rumsfeld’s analogy of the unknown unknowns, some of these things, as you mentioned, require you to imagine the unimaginable. What are some of the best things and best ways for boards, or whoever is tasked at the board level with governing risk, to deal with that?

James: [00:34:56] Yeah. The key challenge with black swans or [00:35:00] unknown unknowns is you can’t predict them. So some people would argue that the pandemic was a gray rhino because we’ve had pandemics before, we will have them in the future, but it’s really hard to predict when it’s going to happen, how severe it’s going to be. And there are going to be unknown unknowns that we will face in the future. What I think is really important for any company to have is a system and a feedback loop through which they can identify and isolate unexpected variance in performance. So when there are things happening in the company or in its marketplace that are driving unexpected performance variance, whether that’s earnings or stock price value, you pick it up, and you pick it up really quickly and say, okay, are there things happening with our customers or [00:36:00] technologies and markets that we were not aware of? And if you pick it up more quickly, then you could see the black swans coming while they’re still gray swans. So things don’t happen all at once. These things happen over time. And so I think having those kinds of early warning indicators, and being able to have those feedback loops, are very important.

Joe: [00:36:28] That’s great. James, your book, Enterprise Risk Management from Incentives to Controls, came out in the early 2000s and then was fully revised and published in 2015. What had you observed and learned between the time the book was first published and the 2015 edition, and what have you learned since then that would [00:37:00] colour the advice that you would give to a company?

James: [00:37:04] Yeah. So I just want to say that my latest book came out in 2017 and it was about implementation. So the first book and the second edition were on: What are the best practices in risk management? What are some of the industry requirements? The second book, or the most recent book in 2017, is on implementation, and it’s really on how. How do you implement, how do you create value? But even since those two books, I’ve learned, especially with the pandemic, that health and safety is going to be a critical element of everyone’s risk management program going forward. I’ve learned that we really need to be much more forward looking, in looking at macro trends. [00:38:00] There was a McKinsey study that shows 70% of board time and reporting is backward looking. And since that time I participated in the Blue Ribbon Commission panel, and that reinforced my belief that you need to have a robust ERM program that goes beyond risk assessments and heat maps, and you need to leverage that to look at some of the disruptive risks that we face. But I think ultimately this pandemic and the economic crisis that we’re going through really put risk management on the front burner in terms of management and board attention, and I look forward to the lessons learned and the ways we need to adjust our risk management programs going forward.

Joe: [00:38:56] Great, James. It’s been great speaking with you today. [00:39:00] Thanks for joining us. I hope you and your family will continue to be well and stay safe.

James: [00:39:05] Thank you. Same to you, Joe. And thank you, Raza. It’s been a pleasure speaking with you.

Joe: [00:39:12] And thank you all for listening today to On Boards with our special guest James Lam. Please take care of yourselves, your families, and your communities, as best you can. Raza, you take care. I hope you and your family continue to be well and are staying safe.

Raza: [00:39:28] Yes, Joe, we’re staying safe and well. I hope the same for your family as well.

Joe: [00:39:33] Thanks so much.

James: [00:39:34] All the best.