V olume 1 9 | N umber 4 | Fall 2 0 0 7

Journal of
APPLIED COR PORATE FINANCE
A MO RG A N S TA N L E Y P U B L I C AT I O N

In This Issue:  Managing Financial Trouble

A Message from the Editor 2

Executive Summaries 4

Toward a New Corporate Reorganization Paradigm 8

Donald S. Bernstein, Davis Polk & Wardwell

Morgan Stanley Roundtable on Managing Financial Trouble 16

Panelists: Edward Altman, NYU; Douglas Baird, University of Chicago; Donald Bernstein,
Davis Polk & Wardwell; Steve Gidumal, Resurgence Asset Management;
Gary Hindes, Deltec Asset Management; and Max Holmes, Plainfield Asset Management.
Moderated by Don Chew, Morgan Stanley

Private Equity: Boom and Bust? 44

Viral V. Acharya, Julian Franks, and Henri Servaes, London Business School, CEPR, and ECGI

Statement of the Financial Economists Roundtable on 54

the International Competitiveness of U.S. Capital Markets
Franklin Edwards, Columbia University, and Kenneth Scott, Stanford University

What Companies Need to Know About International Cross-Listing 60

Michael R. King, Bank of Canada, and Usha R. Mittoo, University of Manitoba

Ten Common Misconceptions About Enterprise Risk Management 75

John R. S. Fraser, Hydro One, and Betty J. Simkins, Oklahoma State University

Choices and Best Practice in Corporate Risk Management Disclosure 82

Ekaterina E. Emm, Seattle University, Gerald D. Gay, Georgia State University,
and Chen-Miao Lin, Clark Atlanta University

How Banks Price Loans to Public-Private Partnerships: Evidence from European Markets 94
Frederic Blanc-Brude and Roger Strange, King’s College London

Euro Membership as a Real Option Trigger: An Empirical Study of EU15 Manufacturing Firms 107
Tom Aabo, University of Aarhus, and Christos Pantzalis, College of
Business Administration, University of South Florida

Lessons from the Financial Crisis of 1907 115

Robert Bruner and Sean Carr, University of Virginia
Ten Common Misconceptions About Enterprise Risk Management
by John R. S. Fraser, Hydro One, and Betty J. Simkins, Oklahoma State University
hile most large corporations have expressed
W
B interest in enterprise-wide risk management
(ERM) programs, only about 10% of the firms
that responded to recent surveys claim to have
achieved successful implementations of ERM.1 And based
on our own conversations with executives and participation
in conferences on the subject, we feel that even these modest
claims overstate the degree of corporate progress in establish-
ing truly enterprise-wide systems.
Why has it taken so long to get ERM up and running?
There are a large number of common misconceptions about
both the approach and the process that have become obstacles
to successful implementation. As Jason Toledano, Vice President
of Risk Management at Bell Aliant Regional Communications
in Canada, told us in a recent conversation, “Some companies
fool themselves into believing they are doing ERM by running
a few workshops and looking just at business risk. In so doing,
they are really ignoring important risks.”2
This article aims to correct what we believe to be the ten
most common corporate misconceptions that now stand in
the way of successful applications of ERM. Most of these
errors of thinking or execution stem from a common source:
the failure to recognize that ERM is in fact an easier, simpler,
and more logical undertaking than most people realize. The
result has been needless complications that have in turn bred
misunderstandings and frustration among implementers and
senior management, along with doubts about the contribu-
tion of ERM to the firm’s major objectives. As we argue in
the pages that follow, a well-designed and carefully executed
ERM program can add value by reducing a company’s cost of
capital. It does so by strengthening the confidence of investors
in management’s ability to carry out the firm’s business plan,
while at the same time reassuring the rating agencies of the firm’s
ability to service debt, under most foreseeable circumstances.
Mistake #1: Inherent Risk is a Workable Basis for ERM.
One major source of confusion is a concept called “inher-
ent risk.” Defined as a state that exists in the absence of
1. See S. Gates, “Incorporating Strategic Risk into Enterprise Risk Management: A
Survey of Current Corporate Practice,” Journal of Applied Corporate Finance, (Fall
2006), 81-90 and K. Schoening-Thiessen, Enterprise Risk Management: Inside and
Out, The Conference Board of Canada (2005).
Journal of Applied Corporate Finance • Volume 19 Number 4 A Morgan Stanley Publication • Fall 2007
any controls or mitigants, this idea is often held up by risk
management consultants—as well as influential publications
like COSO—as a useful starting point for ERM implemen-
tations.3 But, as Todd Perkins, Director of Enterprise Risk
at the Southern Company, has commented, “In many cases,
the concept of ‘inherent risk’ is impossible to measure or even
define. The idea of looking at risk absent all hard controls,
soft controls, or mitigations, provides little or no useful infor-
mation in most cases.”
To illustrate the problem, try to imagine the “inherent” risk
of a plane in flight. Such a plane would have no fuel, no pilot,
no aerodynamics—in other words, without human influence
or controls of any kind. The main effect of this approach is the
proliferation of risks to the point where a corporate-wide risk
management approach becomes impossible to contemplate.
For most business managers, moreover, the concept is void of
practical meaning and likely to destroy credibility.
A far more practical way of achieving the desired assess-
ment is to use as a starting point a definition of “largest
credible risk.” Such a term could be translated as follows:
“What is the worst that could happen if several controls fail?”
This formulation is readily understood and often used by
business managers.
The major focus of ERM, then, should be not inherent
risk, but rather what is sometimes called “residual risk”—
that is, the risk that remains after management has used all
operational measures to limit the business and financial risks
of the firm. As Jason Toledano says, “ERM is really about
managing residual risk—that is, things that could happen.
That’s what senior management needs to know.”
Mistake #2: Risk Management is an
End unto Itself, Independent of Business Objectives.
We have seen articles and presentations that recommend
immediate identification of hundreds of risks at the outset
without reference to key business objectives. As a result,
many corporate risk managers who are starting out facilitate
risk workshops or assess risk without first clearly defining
2. Telephone conversation with Jason Toledano on August 9, 2007.
3. The COSO Enterprise Risk Management Integrated Framework (September 2004)
defines Inherent Risk as follows: “Inherent risk is the risk to an entity in the absence of
any actions management might take to alter either the risk’s likelihood or impact.” See
page 49 of the Executive Summary.
75
the business objectives of the organization and the expected
contribution of ERM to those goals.
To implement ERM effectively, all participants in the
program must clearly understand what the organization is
trying to achieve and how ERM will help bring it about.
And COSO agrees with us: “Within the context of an entity’s
established mission or vision, management establishes strategic
objectives, selects strategy, and sets aligned objectives cascad-
ing through the enterprise. This enterprise risk management
framework is geared to achieving an entity’s objectives.”4
With the help of such a shared understanding, companies
can avoid the excessively long and impractical cataloguing
of corporate risks—often without distinguishing degrees of
importance—that can result from a failure to pay attention
to objectives. In simple terms, managers should not attempt
to define risks or risk tolerances in a vacuum. Establishing the
objectives first will greatly increase the clarity of any further
discussions.
For example, when ERM was started at Hydro One in
2000, one of the organization’s major objectives was to grow
the business by acquisition, and management was asked to
identify the main risks to such growth and to formulate the
tolerances associated with such risks. Years later, when this
growth objective was dropped, so were the risks and risk
tolerances associated with this objective. Simply stated, no
objectives means no risk. In other words, if management
identifies a risk that it feels requires managing, it needs to be
clearly articulated which corporate objective(s) is threatened
by such risk. If no objective can be identified, the risk may
not merit attention—or, alternatively, the objectives may need
to be restated.
Some companies, to be sure, may face risks to business
objectives that are not explicitly stated but implied. For example,
the company may not explicitly identify maintaining a good
public image as a business objective. However, in implementing
ERM and developing risk tolerances, such an objective may well
need to be stated as a key objective. In such cases, the ERM
process can help articulate and prioritize such goals, thereby
contributing to the business planning process.5
Mistake #3: Risk Tolerance is the Same as
Risk Appetite.6
Somewhat surprisingly, given the amount of discussion and
literature on this topic, there is still considerable confusion
about the concepts of “risk tolerance” and “risk appetite,”
with definitions often seeming to shift on a daily basis. Some-
times the terms are regarded as synonymous, and in some
cases one or both are expressed in terms of trading or credit
4. See page 3 of “Enterprise Risk Management – Integrated Framework: Executive
Summary”, Committee of Sponsoring Organizations of the Treadway Commission (COSO)
(September 2004).
5. For a more comprehensive discussion on developing business objectives, see T.
Aabo, J. Fraser, and B. Simkins, “The Rise and Evolution of the Chief Risk Officer: Enter-
prise Risk Management at Hydro One, Journal of Applied Corporate Finance, Vol. 17,
76 Journal of Applied Corporate Finance • Volume 19 Number 4 A Morgan Stanley Publication • Fall 2007
“limits.” Risk tolerances should define outcomes or effects on
the business that are viewed as acceptable. The purpose of
establishing risk tolerances is simple: to ensure that the board,
the management team, and line managers and staff have a
clear understanding of what outcomes are acceptable to the
business, what outcomes are not, and any shades between.
Because such limits are so important to an organization,
the risk tolerances should be “owned” by senior manage-
ment. Just as senior management defines objectives and
expectations, it should also define acceptable and unaccept-
able outcomes. Without such definitions it is impossible to
facilitate a meaningful discussion or workshop on risks. For
example, staff are sometimes asked to decide whether given
risks are “high or “low.” To make an informed decision,
however, participants need clear definitions of what is consid-
ered “high” versus “low.”
One of the most effective ways of quantifying and gaining
agreement on risk tolerances has been to establish defini-
tions on a five-point (or similar) scale that can be discussed
and agreed to by all parties in advance. At Hydro One, for
example, the Management Team and Audit & Finance
Committee review these tolerances annually in prepara-
tion for the business planning process. To illustrate, Figure
1 shows some typical risk tolerances for three categories of
risk at Hydro One: Financial (Creditworthiness), Business
Efficiency and Effectiveness (Productivity), and Safety and
Environment (Environmental Performance). The tolerances
define the range of possible impacts from Minor (rating of 1)
to Worst Case (rating of 5) of the specific risks on business
objectives. For example, Hydro One has a financial objective
related to creditworthiness of limiting the change in financial
ratios or credit risk. A “moderate” risk tolerance (rating of
2) would be to have their credit rating placed on “watch”
whereas a “severe” risk tolerance (rating of 4) would be a
credit rating downgrade to below investment grade.
Mistake #4: Risk Management Can Be Decentralized
and Done Piecemeal.
Many organizations that claim to have implemented ERM
continue to manage major risks independently of one another.
In such cases, managers of credit risk, or market risk, or oper-
ational risk may be quite vigilant in monitoring their different
risks, but often only within their limited sphere of influence,
and with no real understanding of their effects on the total
risk of the firm. By instead taking a holistic approach, a
true ERM system ensures that one type of risk does not get
excessive attention and resources at the expense of less well
understood risks.
No. 3 (Summer 2005), 62-75.
6. The terms “risk tolerances” and “risk appetite” are defined separately by COSO, the
main difference seemingly that tolerances are measurable “acceptable variations” from
objectives whereas risk appetite is defined as the “broad-based” amount of risk that a
company is willing to accept in pursuit of its mission (or vision).
Figure 1 Definition of Risk Tolerances
(1) Minor: Noticeable disruption to results; manageable; (2) Moderate: Material deterioration in results;
a concern; may not be acceptable; management response would be considered; (3) Major: Significant deterioration
in results; not acceptable; management response required; (4) Severe: Fundamental threat to operating results;
immediate senior management attention; (5) Worst Case: Results threaten survival of company in current form,
potentially full-time senior management response until resolved.

Objective Attribute Event 5 4 3 2 1

Worst Case Severe Major Moderate Minor

FINANCIAL Credit Worthiness Change in Event of Default; Credit rating Credit rating Company put on Credit Rating
financial ratios or Unable to raise downgrade to downgrade that credit “watch” agencies and
risk any capital due below impacts costs in bondholders
to credit rating “investment a major way or express concern
grade;” Unable borrowing
to raise full capability.
amount of
required capital

BUSINESS Productivity Failure to Reduce Unit labour Costs Unit labor Costs Unit labor Costs Unit labor Costs Unit labor costs
EFFICIENCY AND Unit Costs (incl. increase by increase by increase by increase by not reduced
EFFECTIVENESS overhead & non- >15% 10% - 15% 5% - 10% 3% - 5%
billable time)

SAFETY AND Environmental Adverse Widespread Multiple local Significant local Minor local Minor impact on
ENVIRONMENT Performance Environment offsite impacts offsite impacts offsite impact offsite impact. Hydro One Inc.
Impact from oil (eg. Regional or (eg. Multiple (eg. a public Significant spill/ property only
or chemical spill Municipal water residential thoroughfare) release with
supply) properties or impact on
private water company
supplies) property only

In many organizations, management reacts to surprises
rather than trying to be ahead of the curve. For example,
banks focused primarily on credit risk until the 1990s, when
they discovered and began to manage their exposures to
market risk. Then, with a nudge from BASEL II, attention
shifted to operational risk. But the ERM systems of the future
will anticipate all major sources of risk, effectively assigning
each their place within a unified, coordinated system.
A 2004 study by Deloitte & Touche LLP of 100 compa-
nies with the largest losses in equity value from 1994 to 2003
found that 80% of the companies that suffered the greatest
losses were exposed to more than one type of major risk.
Furthermore, many of these firms failed to recognize and
manage the relationships among different types of risks. A
striking example is the experience in 2002 of energy trading
companies and energy firms with large trading operations.
A number of these companies that claimed to have ERM
programs in place drastically underestimated the credit risk
exposure of their trading operations. During that year, all
three of the leading credit rating agencies updated their
approaches to energy trading firms, refining their assess-
ments of market risk, credit risk, and liquidity risk. And
with the resulting “raising of the bar,” 7 a number of large
energy trading companies, including Dynegy, Aquila Energy,
Mirant, and The Williams Companies, were downgraded to
below investment grade, a “kiss of death” for most trading
operations.
Mistake #5: One Skill Set is Enough.
Yet another widespread misconception is the assumption
that ERM can be implemented by executives with a single
skill set. One clear trait of successful ERM programs has
been their effectiveness in drawing on and making use of
expertise from all parts of an organization. Currently, there
is no single professional group or association that is seen
as a clear leader in ERM. The reason is straightforward:
whereas professions are usually organized around a single
skill set, such as insurance, accounting, actuarial science,
or valuation, ERM requires extensive ongoing input from
all these disciplines and from marketing and operations as
well. As risk management is practiced in many companies
today, insurance specialists restrict their view of ERM to
those risks that can be insured, market risk managers to
portfolio risk of securities, actuaries to risks that require

7. “Ratings Agencies Raise the Bar,” Energy Power and Risk Management (now En-
ergy Risk), Vol. 7 No. 4 (July 2002).

Journal of Applied Corporate Finance • Volume 19 Number 4 A Morgan Stanley Publication • Fall 2007 77
Figure 2 Control Voting Scale for Hydro One

Full Controls,
Highly Prescriptive, 5
Board Oversight

Full Controls,
Prescriptive, 4
Senior Management
Oversight
Full Controls
3

Partial Controls
Established 2

Few Controls
Established 1

precise quantitative analysis, and so on.8 In the absence of an
integrated approach, the consequence is a “Tower of Babble”
in which numerous “risk languages” are spoken and confu-
sion reigns.9
In sum, no profession or specialty currently appears to be
totally suited to the needs of ERM, which requires a wide range
of technical and interpersonal skills. And while some predomi-
nantly financial approaches to ERM are clearly too divorced
from operations, other corporate programs are run by people
with operational backgrounds in areas like health and safety.
Although extremely well versed in specific operating risks, such
risk managers are likely to lack the financial background neces-
sary to evaluate these operating risks in the broader context of
the firm’s business and financial strategy.10
Mistake #6: ERM is a Low-level
Treasury or Finance Project.
Related to the last misconception, many companies view
ERM as a set of separate, largely independent departmental
undertakings. To be effective, ERM must be a major manage-
ment initiative at the highest levels of the organization and a
critical part of overall planning.
8. For example, the Society of Actuaries’ redefines ERM to correspond with their skill
set in their paper: S. Wang and R. Faber, “Enterprise Risk Management for Property-
Casualty Insurance Companies”, (August 1, 2006), a research project sponsored by the
Casualty Actuarial Society, the ERM Institute International and the Joint SOA/CAS Risk
Management Section.
9. Likewise, a similar trend can be observed in academia where researchers focus
primarily on the specific risks most closely related to their specialty when discussing
ERM.
As already suggested, there are two main reasons for imple-
menting ERM. One is to reduce the chances of surprises in
the future; the other is to allocate valuable resources accord-
ing to risk priorities. The two goals are complementary and
mutually reinforcing in the sense that efforts to reduce uncer-
tainty also increase management’s confidence in carrying out a
major capital investment program. And as a result of this effect
on strategy, effective ERM programs must be designed and
carried out in the context of the overall strategic and business
planning activities of the organization.
There are many other reasons given for implementing
ERM that detract from these essentials. Sometimes compa-
nies rush into the creation of resource-intensive activities
for ERM without a clear vision of what is needed to give
the most effective return on ERM-related investments. For
example, some firms set up extensive loss databases that can
be very expensive and time consuming to build and maintain,
but of limited value unless the risks they help to quantify
and manage are expected to materialize with considerable
frequency in the future.
The critical change in this regard is to require business
plans and budgets to articulate and address specific risks to
10. Many of their techniques echo the assessment and mitigation techniques refer-
enced in ERM handbooks. A brief history of the evolution of ERM is described in S.
D’Arcy, “Enterprise Risk Management,” Journal of Risk Management of Korea (2001).
As noted by the author, each risk management specialty has its own different terminolo-
gies and methodologies. Vital to the success of ERM is the ability for the firm to develop
an integrated approach across all specialties.

78 Journal of Applied Corporate Finance • Volume 19 Number 4 A Morgan Stanley Publication • Fall 2007
Figure 3 Risk vs Control Map
High Risk, Low Control
High
More control
needed
Medium
Zone of Balanced
Risks and Controls
Low levels of risk
Risk Score
would merit a
lower level of control
Low
1 2 3 4 5
Control Requirements
the business objectives. What’s more, the design of ERM
helps ensure that managers will disclose the risks they face.
If the managers fail to disclose such risks, corporate efforts
to manage such risks will not be funded; that is, “no risks”
means “no funds needed” to meet objectives. This addresses
the problem faced by many ERM implementers who tell us
that managers are often reluctant to admit to having any
significant risks in their functions.
Mistake #7: All Risks are Equally Important.
Many companies, when starting to implement ERM, fail to
distinguish clearly enough between greater and lesser risks.
As a consequence, “process-driven” ERM systems can result
in high scores assigned, and excessive attention paid, to areas
of relatively low risk.
In the case of Hydro One, management was forced to
learn that “High Control” scores can be justified only in
cases where risk threatens the organization’s ability to carry
out its business plan and not for merely routine activities.
Hydro One now defines its ultimate control-level risks as
those requiring the involvement of the board, the CEO, and
senior management—that is, areas of critical risk, such as
Y2K or a serious electricity outage.
We illustrate this concept in Figure 2, which shows the
11. For example, Hydro One has identified the following two (among many) risks:
possible harm from electromagnetic fields and failure of a major computer system
conversion. Because electromagnetic fields from transmission lines have not been proven
harmful to people, this is a low-probability, but potentially high-impact risk; hence the
board and management spend little time on it. At the same time, Hydro One has a mas-
Journal of Applied Corporate Finance • Volume 19 Number 4 A Morgan Stanley Publication • Fall 2007
High risk merits executive
or even board member
involvement, e.g. crisis
Control may be excessive for
amount of risk
Low Risk, High Control
different control voting levels at Hydro One along with a brief
description of how each level is defined. Classifying risk in this
way forced the company to recognize that high risks should be
defined as only those areas where the board and CEO might
need to get involved if conditions warrant—that is, risks involv-
ing high impact and material probability of occurring.11
Figure 3 provides a basic illustration of how levels of
control need to be consistent with the level of risks. In the
typical organization, without a clear understanding of what
constitutes high levels of control, low and moderate levels of
risk are likely to receive more control than they warrant (that
is, in terms of Figure 3, they might show up in the bottom
right quadrant rather than in the balanced zone). When this
happens, the expenditure of corporate resources is dispropor-
tionate to the problem being managed.
Mistake #8: Managing Upside Risk is a Routine
Focus of ERM.
Much of the strategic risk literature that addresses upside risks
gives the impression that everyone in the company should
be constantly thinking of upside opportunities as well as
downside risks. But if the concept of upside risk is useful
and important in some circumstances, it is irrelevant and a
distraction in others.
sive computer conversion under way, which (like most computer conversions) has both-
large potential consequences and a significant probability of failure unless well managed.
As a result, this project has been accorded our highest rating of controls, including
monitoring by a board committee.
79
Figure 4 ERM Basics
Annual Strategic Planning (or major Re-set)
Mission, Vision,
Values Risks,
Opportunites
Annual
Strategic Business Risk
Planning (or Objectives Tolerances
major Re-set)
Evaluate Upside
and Downside
Risks Here
During Normal Operations – Stick to the Plan Using ERM Methodologies
As Figure 4 is meant to suggest, the time for weighing
the upside versus the downside potential in the ERM process
is during the initial strategic planning phase, not at every
twist and turn in daily business. Unlike many observers,
we believe that the upside of risk should be dealt with only
periodically, during periodic strategic planning exercises or
following a major crisis or extreme change in circumstances.
In such cases, a review and possible revision of the existing
strategic plan should take account of the upside as well as the
downside, leading to a possible change in business objectives
and KPIs as well as risk tolerances and hedging policies.
But when a company’s strategy is in place, ERM method-
ologies should be focused on their main task of limiting
downside risk. By keeping shifts in strategy and discussions
of the upside apart from normal operations, companies avoid
having their management and staff distracted by every whim
or misunderstood opportunity.
As Todd Perkins of Southern Company puts it, “At
Southern Company, ERM is integrated in many ways
with strategic planning, which considers both upside and
12. For additional discussion of ERM and its effect on credit ratings, see “Morgan
Stanley Roundtable on Enterprise Risk Management and Corporate Strategy,” Journal of
Applied Corporate Finance, Vol 17. No. 3 (Summer 2005), 32-61.
13. In analyzing the ERM programs of financial institutions, S&P looks at business
risk, risk management, risk governance, operational risk, credit risk, reputational risk,
and the quality of management itself. As S&P states, “Excellent ERM practices are likely
to have a positive impact on an institution’s ratings.” See P. Samanta, R. Barnes, and M.
Puccia, “Accessing Enterprise Risk Management Practices of Financial Institutions,”
Standard and Poor’s Ratings Direct (September 22, 2005).
In the case of insurance companies, S&P states: “We analyze nine financial and op-
80 Journal of Applied Corporate Finance • Volume 19 Number 4 A Morgan Stanley Publication • Fall 2007
Risk Mitigants Business
Identification Success
TIME
downside. However, upside risks or opportunities must be
considered in the context of strategic planning, at critical
decisions points, and when considering earnings guidance.
Ongoing risk management activities clearly primarily focus
on the downside risks.”
Mistake #9: ERM Has no Discernible
Effect on Financial Markets or Firm Value.
Another common misconception is that an ERM program
has no obvious or immediate effect on a company’s value.
The benefits of such a program are realized only if and when
the risks being managed actually materialize and the expen-
ditures on ERM are vindicated.
The reality, however, is that the reduction in risk accom-
plished by an effective ERM can help a company maintain
or improve its credit rating.12 In recent years, credit rating
agencies such as Moody’s and Standard & Poor’s have placed
increasing weight on the existence and quality of a company’s
ERM program in their ratings process.13 And to the extent
that a higher credit rating means greater access to and a lower
erations aspects to determine a rating. They are: industry risk, competitive position,
management and strategy, enterprise risk management (ERM), operating performance,
investments, liquidity, capitalization, and financial flexibility. These aspects are all ana-
lytically interconnected, and their weight in the rating process depends on company-
specific circumstances.” S&P classifies ERM programs at insurance companies into four
categories: excellent, strong, adequate, and weak. The assessment takes into account an
analysis of several components of the ERM program: risk management culture, risk
controls, emerging-risk management, risk and economic capital modeling, and strategic
risk management. See “Credit RAQ: The Updated Insurance Capital Model – An Over-
view,” Standard and Poor’s Ratings Direct (November 14, 2006).
cost of debt, ERM can be seen as reducing a company’s overall
cost of capital and increasing its value.
As one example, Hydro One achieved a lower than
expected interest cost on a $1 billion debt issue that was
heavily oversubscribed. The credit analysts from Moody’s
and S&P who rated the issue cited the firm’s ERM program
as a factor in the ratings process.14
Todd Perkins reinforces this view in describing the South-
ern Company as “an A rated company and viewed as having a
conservative risk management program. A secondary objective
of our ERM program is documenting and communicating
our ERM efforts to demonstrate to rating agencies and other
external parties that we are doing the right things.”
But the most forceful statement comes from Andrew
Sunderman, Chief Risk Officer of The Williams Compa-
nies, who summarized the importance of ERM and credit
ratings in helping the firm navigate financial distress: “for
a company trying to continuously improve shareholder
value and strengthen its credit standing, a continuing focus
on managing our commodity price risk is critical for us to
achieve these goals… an effective risk management program
can help a distressed company lower its cost of capital.” 15
Mistake #10: ERM is Primarily a
Response to Sarbanes Oxley.
Numerous articles have identified Section 404 of the
Sarbanes-Oxley (SOX) Act as a primary corporate motive
for implementing ERM.16 The reality, however, is that these
two processes are fundamentally different in both their main
impetus and their approach. ERM is forward looking and
concerned with major risks to corporate profitability and
value, while SOX is backward looking and focused on compli-
ance with financial reporting requirements. And because
of these fundamental differences, attempts to link the two
processes appear to be misguided and destined to fail.
The attempt is being driven by the thought that both of
these new processes are intended to improve organizations
through better controls. Our experience, along with the
14. Refer to T. Aabo, J. Fraser, and B. Simkins (2005), cited earlier.
15. See “Morgan Stanley Roundtable on Enterprise Risk Management and Corporate
Strategy”, previously cited.
16. Examples of articles attempting to link SOX and ERM include T. Neff, “Proof that
Cos. Can Go From SOX to ERM”, Compliance Week (August 7, 2007); J. Roth and P.
Journal of Applied Corporate Finance • Volume 19 Number 4 A Morgan Stanley Publication • Fall 2007
observations of many companies, suggests that the effort and
costs of linking them will far outweigh any potential savings
and that such effort would be better directed to making these
very separate conceptual processes successful in their own
way. Greg Woodall, Director of Business Transformation and
Control of a subsidiary of the Canadian bank CIBC, put it
well when he said, “Overlaying the requirements of SOX on
top of an ERM program that is already in place weakens
the ERM approach rather than improves it. SOX may help
a company that has nothing in the area of ERM. But if you
already have an ERM system in place, trying to link SOX
with the ERM function will pull you backward.”
Conclusion
This article describes ten common misconceptions about
enterprise risk management that we have encountered during
the past five or so years of talking to executives and attending
conferences on the subject. Our hope is that highlighting
some of the misconceptions will reduce the effort and frustra-
tion experienced by those many organizations starting down
this road. The shortest, most reliable path to a successful
implementation is to get executive management and board-
level buy-in while reaching agreement on business objectives
and establishment of risk tolerances. The next step is to
allocate resources through the business planning process to
mitigate identified risks from all sources that could affect
those objectives. In other words, get agreement on the broad
concepts and, on that foundation, begin to build the more
detailed analysis and structure that must come from all parts
and levels of the organization.
john fraser is Chief Risk Officer and Vice President Internal Audit at
Hydro One, which implemented an enterprise risk management (ERM)
system in 2000.
betty simkins is The Williams Companies Professor of Business at
Oklahoma State University.
Sobel, “Four Approaches to Enterprise Risk Management…and Opportunities in Sar-
banes-Oxley Compliance” IIA Research Foundation (2007); W. Spinard, “Turning Lem-
ons into Lemonade: Leveraging Sarbanes-Oxley to Evaluate Enterprise-Wide Risk”,
Marsh (2004); J. Sammer, “Companies Migrating From SOX ‘Myopia’ to ERM”, Compli-
ance Week (October 24, 2004).
81
Journal of Applied Corporate Finance (ISSN 1078-1196 [print], ISSN
1745-6622 [online]) is published quarterly, on behalf of Morgan Stanley by
Blackwell Publishing, with offices at 350 Main Street, Malden, MA 02148,
USA, and PO Box 1354, 9600 Garsington Road, Oxford OX4 2XG, UK. Call
US: (800) 835-6770, UK: +44 1865 778315; fax US: (781) 388-8232,
UK: +44 1865 471775.
Information for Subscribers For new orders, renewals, sample copy requests,
claims, changes of address, and all other subscription correspondence,
please contact the Customer Service Department at your nearest Blackwell
office (see above) or e-mail customerservices@blackwellpublishing.com.
Subscription Rates for Volume 19 (four issues) Institutional Premium Rate*
The Americas† $377, Rest of World £231; Commercial Company Premium
Rate, The Americas $504, Rest of World £307; Individual Rate, The Ameri-
cas $100, Rest of World £56, €84‡; Students** The Americas $35, Rest of
World £20, €30.
*The Premium institutional price includes online access to current content
and all online back files to January 1st 1997, where available.
†
Customers in Canada should add 6% GST or provide evidence of entitlement
to exemption.
‡
Customers in the UK should add VAT at 6%; customers in the EU should
also add VAT at 6%, or provide a VAT registration number or evidence of
entitlement to exemption.
**Students must present a copy of their student ID card to receive this rate.
For more information about Blackwell Publishing journals, including online
access information, terms and conditions, and other pricing options, please
visit www.blackwellpublishing.com or contact your nearest Customer Service
Department.
Back Issues Back issues are available from the publisher at the current single-
issue rate.
Mailing Journal of Applied Corporate Finance is mailed Standard Rate. Mail-
ing to rest of world by DHL Smart & Global Mail. Canadian mail is sent
by Canadian publications mail agreement number 40573520. Postmaster
Send all address changes to Journal of Applied Corporate Finance, Blackwell
Publishing Inc., Journals Subscription Department, 350 Main St., Malden,
MA 02148-5020.
Journal of Applied Corporate Finance is available online through Synergy,
Blackwell’s online journal service, which allows you to:
• Browse tables of contents and abstracts from over 290 professional,
science, social science, and medical journals
• Create your own Personal Homepage from which you can access your
personal subscriptions, set up e-mail table of contents alerts, and run
saved searches
• Perform detailed searches across our database of titles and save the
search criteria for future use
• Link to and from bibliographic databases such as ISI.
Sign up for free today at http://www.blackwell-synergy.com.
Disclaimer The Publisher, Morgan Stanley, its affiliates, and the Editor cannot
be held responsible for errors or any consequences arising from the use of in-
formation contained in this journal. The views and opinions expressed in this
journal do not necessarily represent those of the Publisher, Morgan Stanley,
its affiliates, and Editor, neither does the publication of advertisements con-
stitute any endorsement by the Publisher, Morgan Stanley, its affiliates, and
Editor of the products advertised. No person should purchase or sell any
security or asset in reliance on any information in this journal.
Morgan Stanley is a full service financial services company active in the
securities, investment management, and credit services businesses. Morgan
Stanley may have and may seek to have business relationships with any
person or company named in this journal.
Copyright © 2007 Morgan Stanley. All rights reserved. No part of this publi-
cation may be reproduced, stored, or transmitted in whole or part in any form
or by any means without the prior permission in writing from the copyright
holder. Authorization to photocopy items for internal or personal use or for
the internal or personal use of specific clients is granted by the copyright
holder for libraries and other users of the Copyright Clearance Center (CCC),
222 Rosewood Drive, Danvers, MA 01923, USA (www.copyright.com), pro-
vided the appropriate fee is paid directly to the CCC. This consent does not
extend to other kinds of copying, such as copying for general distribution
for advertising or promotional purposes, for creating new collective works,
or for resale. Institutions with a paid subscription to this journal may make
photocopies for teaching purposes and academic course-packs free of charge
provided such copies are not resold. Special requests should be addressed to
Blackwell Publishing at: journalsrights@oxon.blackwellpublishing.com.