
Time to Move Climate Risk Center-Stage

Insurers are not big polluters in their own right. Nor do they typically have lots of physical assets at risk, except indirectly through investment portfolios either now or in the future when economic transition raises the possibility of stranded assets.

Yet the impacts of climate on insurance operations are only too evident. Losses from more frequent flood events and other climate-related events, such as the wildfires that have ravaged parts of the U.S. and Australia in recent months; changing attitudes toward insuring and investing in high carbon industries; burgeoning regulation and moves toward mandatory climate risk disclosure; and external ESG (environmental, social, governance) ratings that increasingly reflect assessments of climate risk management – are all changing insurers’ risk landscapes.

With the PRA letter to U.K. insurers also setting the expectation that “firms should have fully embedded their approaches to managing climate-related financial risks by the end of 2021,” it’s relatively unsurprising then that climate change has been rising rapidly up the rankings of the perceived most dangerous risks to an insurance enterprise. In the most recent Willis Towers Watson Dangerous Risks Survey, for example, climate change rose from 53rd position in 2019 to 9th in 2020.

On the other hand, the up-side should not be ignored: Climate risk also brings new insurable opportunities and insurance can often be an enabler of innovation, allowing new technologies to be developed as risks are shared. Insurers that are taking steps now to better understand the risks and opportunities and planning for changes in their mid- to long-term strategies will be better placed to deal with them. These insurers will have built up a body of data, tools, analytical capabilities, processes and frameworks, with experience of learning and refinement, to avoid having to play catch up with the rapidly evolving regulatory environment as our collective knowledge of climate impacts grows.

Climate risk is truly multi-dimensional

Much as loss events grab the headlines, climate risk for insurers is truly multi-dimensional (see Figure 1). Potential ramifications that may not be grabbing the headlines yet could have potentially devastating consequences in years to come, such as sea level rise or threats that destabilize fragile states. Equally, new pathways for mitigating climate risk and resilience that don’t exist now could offer respite from threats and open up business opportunities.

Figure 1. The multi-dimensionality of climate risk

The need for a multi-dimensional risk approach simply reflects this expanding diversity of climate risk drivers.

Even if we confine those to the current day, from one angle there are market factors, such as regulation and investors’ lengthening ESG agendas. From another angle, there is the societal pressure to consume less and reduce environmental impact. Then there is the role of science and advances in climate understanding and adaptation, together with mitigation technologies and what these tell us about the need to adapt collective behavior. Notably, many of the world’s central banks and supervisors, through the Network for Greening the Financial System (NGFS), have already upgraded their view on the financial risks from climate change. The risks from climate change are now increasingly seen as having “distinct characteristics,” which means these risks need to be “considered and managed differently.”

The potential impacts on operations are similarly diverse, not least whether factors such as public policy and regulation may affect the insurability of certain segments. Add in underwriting issues (risk assessment, pricing sufficiency/competitiveness), regulatory compliance (including solvency impact), capital considerations (risk accumulation, for example) and emerging risks (and opportunities), and you have a veritable cocktail of risk dimensions to consider.

ERM implications

In many ways, however, these risks are not new per se; they map onto existing categories of financial and non-financial risk such as credit, market, business, operation and legal risks that insurers have been managing for many years. But taking into account the vagaries of climate, the risks do present new challenges.

Specifically for ERM programs, they raise issues and questions that require explicit consideration:

  • Governance, including the board’s role in providing oversight of climate risk responses and defining management responsibility for climate risk and ESG integration.
  • Risk identification, identifying the key channels through which climate risks can affect the company and how these are articulated and monitored on a continuing basis.
  • Risk appetite, including forming a view as to whether climate risk should be considered as a separate element or part of aggregate risk and how this will be implemented in practice.
  • Risk measurement and reporting, including how to incorporate climate risk into financial risk models and reports and deciding on relevant metrics for decision making, a key element of the Task Force on Climate-related Financial Disclosures (TCFD) recommendations, for example.
  • Investment – how does the investment approach meet ESG objectives and respond to investor pressure to reduce or eliminate funding of high-carbon industries, for example?
  • Reputation risk, including identifying public communications needs and a strategy for communicating a firm’s climate and ESG response.

And because all in turn feed through to strategic business considerations such as earnings, product development, long-term direction and acquisitions and divestments, having a solid understanding within the business of the connections between physical, transition and liability risks is increasingly essential. This also means that the risk and governance frameworks need to be holistic and that each aspect cannot be treated in isolation.

See also: An Early Taste of Climate Change Disrupting Insurance

Devil is in the details

Conceptually, this all probably makes sense. Where it starts to get trickier is getting into the weeds of risk impact and mitigation. For that, quantification is key.

This requires proven analytics tools and methods that are constantly being refreshed to reflect the latest science and predictive climate change scenario datasets and the expertise to provide the context of how business decisions can affect potential futures. Typically, quantification will also entail a collective, systematic and open data collection initiative to capture appropriate data to represent the key risk-related attributes of assets and, equally importantly, to include the valuations needed to feed through into balance sheet and other decision-making views.

Examples of the types of outputs needed will include hazard and climate risk scoring and mapping, determination of hazard- and climate-adjusted financial losses and advanced modeling of current and future climate risks. And beyond the numbers, transparency of models, scenarios and parameters is also key to the credibility and flexibility of the approach.

Our view is that there are some key analytical building blocks for building an understanding of climate risk. Even if the full set represents a kind of analytical nirvana at the moment, principally because of the lack of data, there are options. The parallel is with emerging cyber risk, where many insurers relied on scenario analysis and a form of risk disclosure statement not only to quantify the risks but also to set risk appetite metrics. The building blocks are:

  1. Identify hazards – review of the existing portfolio for exposure to climate and natural catastrophe perils to establish the hazard levels.
  2. Quantify current climate risk for key perils – modeling of the current portfolio of risks, taking into account the vulnerability of assets and the level of hazard with reference to past events.
  3. Quantify future climate risk for key perils – modeling of future portfolios of risks for key perils at different times (e.g. 2030, 2050) and climate development scenarios. This should also consider the connections between perils – compounding and cascading risks are difficult to model, but they are the real world.
  4. Identify opportunities to mitigate climate risk – identification and assessment of loss drivers and mitigation opportunities to help reduce the financial loss potential of climate change.
  5. Determine transition risk and opportunities – evaluation of potential transition routes in line with modeling and taking steps to embed them within the risk framework.
  6. Quantify transition risks – through breakdown of the top transition risks by region/climate scenarios.

As they become armed with this sort of information, insurers should be able to identify the regions and perils that are driving climate risk now and how this distribution could change. Critically, this capability will help to quantify and reduce the cost of climate risk and enable insurers to feed the results into reviewing and updating the risk appetite and management frameworks on a regular basis.

Given the evolving investment focus on the “social contract” and sustainable returns, the capability will also be increasingly important for being able to inform potential investors of both the impact of climate change on an organization and steps being taken by the business to reduce its climate impact.

This need has been accelerated by recent regulatory moves focused around reporting and disclosure, including proposals and consultations in some countries to make TCFD reporting mandatory sooner rather than later. Add to this the idea that COVID-19 may accelerate the broader appetite for ESG as financial markets look to build resilience to systemic risks, and there is an even stronger case for enhancing understanding and response.

The upside is that the positive reputational impacts of disclosure, enforced or otherwise, are likely to be more far-reaching than just compliance – working through this process provides a holistic stress test of strategic decision making and company direction.

Eye to the future

So where might the gaps lie? To be truly strategic, thinking about climate risk needs to properly address current climate risks and project five, 10 and 20 years into the future, at least. That means developing the climate trajectory scenarios and metrics (the areas incidentally where insurers say they expect to need most help, according to our TCFD survey) that are increasingly being demanded by various stakeholders to assess a company’s climate transition plans and contribution.

See also: COVID-19 Is No Black Swan

Not all companies will be equally affected, but it’s apparent that, in relatively quick time, climate will have to be a central component of ERM and strategic direction. Those running ERM programs at insurers are uniquely placed to ensure their companies are prepared to meet those rising and multi-faceted expectations of investors, regulators, employees, customers and other stakeholders.

Embedding climate risk into existing frameworks and ensuring boards are taking a strategic approach to the changes that are already happening, and those to come, will put companies in a position to deal more effectively with the threats and embrace the opportunities of a future low-carbon economy.

ERM Shows Its Worth in Pandemic

Although some say COVID-19 is a black swan event, it really is not. Pandemics have occurred in the recent as well as the remote past. A clearly articulated description of pandemic risk can be found in the World Economic Forum's The Global Risks Report 2019. "The spread of infectious disease" was among the top 10 risks listed, based on impact. There are estimates of the cost of a pandemic in one of the special chapters in the report, though these may look small compared with what COVID-19 might actually cost.

In The Global Risks Report 2020, "infectious diseases" is again among the top 10 risks. That report describes the readiness of countries to deal with an epidemic or pandemic and cites a Nuclear Threat Initiative study that concluded that "no country is fully prepared to handle an epidemic or pandemic."

The World Economic Forum’s (WEF) annual meeting in Davos, Switzerland is attended by government, business, scientific and other leaders from a plethora of countries. The ideas and data developed by its staff and contributors are widely distributed and well communicated. 

The WEF is not the only organization or individual to warn about pandemics. Bill Gates gave an excellent TED talk about pandemics in 2015 that has now gone viral on the internet. Health organizations, think tanks focused on health and other types of organizations have put out the warning, as well.

In the face of these warnings, it is puzzling why there has been the lack of preparation witnessed in some sectors. On the other hand, many major corporations reacted speedily and effectively to the challenges presented by the pandemic, even if they had not had it among their list of top risks. The reason they were able to do so rests, in large measure, on these companies' adoption and implementation of enterprise risk management (ERM).

ERM’s Premise

ERM is a process that addresses both operational and strategic risk across all facets of an organization by identifying, prioritizing, mitigating and monitoring risk to ensure that the mission and strategy of the organization can be assured. Below are the numerous ways ERM has proven its worth in ameliorating the potential adverse effects of the pandemic, whether the risk was fully recognized or not.

See also: How Risk Managers Must Adapt to COVID

How ERM Has Mitigated Pandemic Risk Among Practicing Companies 

A robust ERM implementation includes having both a business continuity and a disaster recovery plan. These plans enable companies to 1) assemble key decision makers immediately to approve responsive actions, 2) communicate to employees quickly and 3) move to “work at home” conditions without too many glitches. Many companies have indeed moved to a “digital only” environment with employees working at home. When this was not possible, companies rapidly put guidelines in place to create social distancing and other modes of worker protection.

ERM places a heavy emphasis on information technology security. Thus, as companies migrated to more work at home, employees already had cyber training. IT staff have implemented strong controls on aspects such as accessing systems and cloud security. Further, cyber insurance products have been purchased. 

ERM also includes having a solid handle on supply chain risks, meaning that supply chains are well-documented and diversified and that supply alternatives are lined up. A number of ERM practitioners moderate the parameters of their just-in-time production and ordering to allow for a certain amount of inventory to be available in the event of a catastrophe. Even a company following ERM best practices can experience supply difficulties and losses when a pandemic is truly global and lingering, but less so than others.

In addition, ERM-managed companies tend to have very solid financial underpinnings in terms of capital levels, credit lines, investment portfolio diversification, etc. The “however” in this case is that many small businesses are unable to have as substantial a financial foundation as larger ones, and even large companies with solid financials cannot sustain a severe drop in revenues for consecutive months. Nevertheless, to the extent that practicing ERM resulted in stronger financials, companies were better-positioned to withstand the financial impact of the pandemic.

Further, ERM fosters keen focus on reputation risk. Companies with dynamic ERM practices understand the need to aggressively protect corporate reputation. As such, many of such companies widely communicated what they were doing to protect all stakeholders from the effects of the pandemic, modified their advertising to take a more sober and caring tone and introduced a new level of caution in all they did.

See also: COVID: How Carriers Can Recover

An Example for Others

Governments and healthcare institutions could have benefited from ERM or more robust ERM. The list of mitigations that could have been in place is legion. For example, stockpiles of personal protective equipment and respirators could have been greater, the number of ICU beds could have been higher, protocols for where to treat patients who contract the virus could have been drafted in advance and treaties among co-operating countries that address warnings and the closing of borders in the event of an outbreak could have been drawn up in advance.

It is hard to dispute that companies with sound ERM practices were better-positioned to deal with the pandemic than those with less sound or no ERM. The benefit in dollars and cents may not be able to be determined accurately, but the benefit is real.

Key Indicators of Weak ERM Programs

Almost every insurer has an official list of risks, often referred to as a risk register. Maintaining a risk register is a basic step in managing risks, following risk identification, prioritization, assignment of risk owners and creation of mitigation plans. 

One problem with many risk registers is that they are filled with generic risks. Although these risks may be real ones for the company, their lack of specificity does not contribute to a true understanding of them in the necessary detail or to planning targeted mitigations for them. 

For example, a risk register might show a risk such as “premium receivables may be late, resulting in ‘over 90s’ or uncollectable premiums,” a risk that every insurer has to some degree. However, for the company in question the real risk is “underwriters may have too much discretion to change premium collection terms and conditions leading to ‘over 90s’ or uncollectable premium.” The generic version does not indicate the root cause of the risk and can lead to ineffective mitigation strategies.

Or, a risk register may show a risk as “difficulty in attracting talent for open positions” when the real risk is “social media and internet sites may not present the company in a good light, making it hard to attract talent.” By stating a generic risk, management does not have to admit what it may not want to acknowledge.

Yet another example is a risk register that has stated an IT risk as "too many legacy systems still exist, creating data and service issues," when the actual risk is "the XYZ underwriting system is not adequately integrated with other systems to create accurate data, seamless processing or a competitive customer experience." Not naming the culprit system(s) omits the source and scope of the risk, and not qualifying the effects of the risk omits the true nature of what is at stake if the risk is not addressed.

The more nebulously a risk is characterized, the less clear who should be the risk owner. Without a clear and appropriate risk owner, the greater the chance that the risk will not be adequately addressed.

Regardless of the category of risk, without specifics the entries in many risk registers seem more for external consumption than internal action. If the same list of risks could be adopted by any other insurer of the same size, age and business mix, then it is not fit for purpose for the insurer whose risks it is supposed to represent. It may be fine for an externally published list of risks to lack detail that could be considered proprietary, so long as it meets certain thresholds, but it is not fine for a list intended for internal use.

See also: Risks, Opportunities in the Next Wave  

Another big problem with risk registers is that many do not include the strategic risks the company needs to be concerned about. Strategic risks tend to stem from the vision, mission and goals of the company. A strategic risk might concern the lines of business written, the customer segments targeted or the geographic footprint. For example, a risk for a workers' compensation (WC) monoline insurer might be "premium volume may shrink significantly in the next five years due to robotics and AI reducing the size of the workforce." A risk for an "internet only" insurer might be "there may be difficulty reaching sufficient scale because of the lack of barriers to entry by identical competitors and because some buyers will never buy over the internet." Such an insurer will also have a talent risk because of competition for IT talent across all insurers and industries.

Or, a risk for an insurer that has high concentrations in Cat-prone states might be: “Without further geographic expansion, the lack of diversification may hurt profitability significantly.”  

It is simply not common to see these types of strategic risks listed in the risk register. Yet strategic risks tend to be the most existential of all risks. In the past, some large insurer failures stemmed from strategic risks not being addressed appropriately or at all. For example, the risks associated with undisciplined growth or a delayed reaction to underperforming books of business, both strategic risks, have gone unrecognized by insurers, and those insurers have paid a steep price for that lack of recognition.

An additional problem with risk registers is the mediocrity of the planned mitigations. A good risk register should minimally show: 1) the risk, 2) its ranking as to impact and likelihood, 3) the risk owner, 4) the planned mitigation and 5) the status of the mitigation efforts at each update of the register.

Undoubtedly, it is key to identify the risks, but identifying and recording them does nothing to help the organization unless there is adequate mitigation. Mitigation can take many forms: avoiding, transferring, minimizing or accepting the risk, albeit with a contingency. A planned mitigation that is too weak, too expensive relative to the risk or impossible to implement will not benefit the organization. Worse yet, an inadequate mitigation may allow the risk to grow while the board or senior management thinks it is being reduced.

The mitigations in the register should not be just a recounting of current controls or existing risk-reducing practices; they should be innovative and robust tactics for attacking the risks.

Boards, senior management and chief risk officers should evaluate their risk registers based on these questions:

  • To what extent are risks stated clearly and specifically?
  • Are there risks included that are unique to the company?
  • Based on how the risk is stated, is it clear who the risk owner should be?
  • Based on how the risk is stated, does it help to pinpoint what type of mitigations are needed?
  • To what extent are strategic risks included?
  • Are there current or emerging strategic risks that are not included?
  • Are the planned mitigations equal to the seriousness of the risks; i.e. are they sufficiently robust? 
  • Is the cost of the planned mitigation in balance with the potential impact of the risk?   
  • Are the planned mitigations attainable, implementable?
  • Is the mitigation plan implementation on track?
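The checklist above can be turned into a mechanical first pass over a register before the board reads it. The following is an added example, not code from the article or its author: a small linter that takes register rows with the five minimum fields (risk, impact/likelihood ranking, owner, planned mitigation, status) and flags entries that fail the specificity, ownership, mitigation-strength, cost-balance and progress questions. The field names, the 1-5 scales, the stock-phrase list used to spot generic wording and the sample rows (modelled on the article's own examples) are all assumptions constructed for illustration; the heuristics are a starting point a CRO would tune, not a substitute for reading the entries.

```python
"""Lint a risk register against the board checklist (added example; rows,
field names, scales and keyword heuristics are illustrative assumptions)."""
from __future__ import annotations

from dataclasses import dataclass

# Stock phrases that could appear in any insurer's register (assumed list).
GENERIC_PHRASES = (
    "premium receivables may be late",
    "difficulty in attracting talent",
    "too many legacy systems",
)
# Owner values that name nobody accountable.
PLACEHOLDER_OWNERS = {"", "tbd", "management", "various", "all"}
# Words suggesting the mitigation merely restates controls already in place.
CURRENT_CONTROL_WORDS = ("existing", "current", "continue", "ongoing", "as today")
# Words that signal a root cause or mechanism is being named.
CAUSE_WORDS = ("because", "due to", "leading to", "lack of", "too much", "not adequately")
PRIORITY_THRESHOLD = 12  # impact x likelihood at or above this = high priority (assumption)


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    impact: int            # 1 (negligible) .. 5 (existential)
    likelihood: int        # 1 (remote) .. 5 (near certain)
    owner: str
    mitigation: str
    mitigation_cost: int   # 1 .. 5, same scale as impact (assumption)
    status: str            # "not started" | "in progress" | "complete"
    strategic: bool = False

    @property
    def priority(self) -> int:
        return self.impact * self.likelihood


def is_generic(description: str) -> bool:
    """The 'could this be any insurer's risk?' test: a known stock phrase, or
    a statement that names neither a cause nor a concrete subject (a
    capitalised name such as a system or business unit)."""
    text = description.lower()
    if any(p in text for p in GENERIC_PHRASES):
        return True
    names_cause = any(w in text for w in CAUSE_WORDS)
    names_subject = any(tok[:1].isupper() for tok in description.split()[1:])
    return not (names_cause or names_subject)


def entry_findings(e: RiskEntry) -> list[str]:
    """Apply the per-entry checklist questions; an empty list means it passes."""
    out: list[str] = []
    if is_generic(e.description):
        out.append("generic: statement could belong to any insurer; name the root cause or system")
    if e.owner.strip().lower() in PLACEHOLDER_OWNERS:
        out.append("owner: no accountable individual or role")
    m = e.mitigation.strip().lower()
    if not m:
        out.append("mitigation: none planned")
    elif any(w in m for w in CURRENT_CONTROL_WORDS):
        out.append("mitigation: restates current controls rather than a new tactic")
    if e.mitigation_cost > e.impact:
        out.append("cost: mitigation cost exceeds the impact it addresses")
    if e.priority >= PRIORITY_THRESHOLD and e.status.strip().lower() == "not started":
        out.append("status: high-priority risk with mitigation not started")
    return out


def register_findings(entries: list[RiskEntry]) -> list[str]:
    """Register-level questions: are strategic risks present, are ids unique?"""
    out: list[str] = []
    if not any(e.strategic for e in entries):
        out.append("register contains no strategic risks")
    ids = [e.risk_id for e in entries]
    if len(ids) != len(set(ids)):
        out.append("duplicate risk ids")
    return out


def lint(entries: list[RiskEntry]) -> dict[str, list[str]]:
    report = {e.risk_id: entry_findings(e) for e in entries}
    report["_register"] = register_findings(entries)
    return report


# Constructed sample register, echoing the generic/specific pairs in the text.
SAMPLE_REGISTER = [
    RiskEntry("R1", "Premium receivables may be late, resulting in 'over 90s' or uncollectable premiums",
              3, 4, "Management", "Continue existing monthly collections review", 1, "in progress"),
    RiskEntry("R2", "Underwriters may have too much discretion to change premium collection terms, "
                    "leading to 'over 90s' or uncollectable premium",
              3, 4, "Chief Underwriting Officer",
              "Limit term changes to delegated authority levels; exceptions approved by finance", 2, "in progress"),
    RiskEntry("R3", "Too many legacy systems still exist, creating data and service issues",
              4, 4, "CIO", "", 5, "not started"),
    RiskEntry("R4", "Premium volume may shrink significantly in the next five years due to robotics "
                    "and AI reducing the size of the workforce",
              5, 3, "CEO", "Diversify into non-WC commercial lines; annual review of workforce trend data",
              3, "in progress", strategic=True),
]

if __name__ == "__main__":
    for rid, findings in lint(SAMPLE_REGISTER).items():
        print(rid, "OK" if not findings else "; ".join(findings))
```

Run stand-alone, R1 and R3 (the generic statements) are flagged on wording, ownership, mitigation and cost, while R2 and R4 (the specific restatements) pass; the register as a whole passes only because R4 is marked strategic.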

Bottom line, a poorly constructed risk register points to a failure of the entire ERM process and practice. As an essential tool for managing risk across the enterprise, it reveals a lot about how well risk is being managed. Thus, the register can be a good indicator of the overall state of ERM in the organization.

A Renewed Focus on EERM Practices

With third-party risks on the rise, there is renewed focus on maturing extended enterprise risk management (EERM) practices within most organizations. This focus appears to be driven by a recognition of underinvestment in EERM, coupled with mistrust of the wider uncertain economic environment.

To understand the broader risk environment and provide organizations with the insights needed to effectively assess their risk and adapt processes accordingly, Deloitte recently conducted the EERM Risk Management Survey 2019, obtaining perspectives from more than 1,000 respondents across 19 countries covering all the major industry segments. Results shed light on crucial considerations surrounding economic and operating environments; investment; leadership; operating models; technology; and affiliate and subcontractor risk. More specifically:

Economic and operating environment: Economic uncertainty continues to drive a focus on cost reduction and talent investment in EERM. The main drivers for investing in third-party risk management are: cost reduction, at 62%; reduction of third-party-related incidents, at 50%; regulatory scrutiny, at 49%; and internal compliance, at 45%. Organizations urgently want to be more coordinated and consistent in extended enterprise risk management across their organization, as well as to improve their processes, technologies and real-time management information across all significant risks.

Investment: Piecemeal investment has impaired EERM maturity, left certain risks neglected and hurt core basic tasks. Only 1% of organizations say they address all important EERM issues, and only a further 20% say they address most EERM issues. One of the main reasons for this maturity stall is that organizations are taking a piecemeal approach to investment – they are mostly making tactical improvements rather than investing in strategic, long-term solutions. This piecemeal approach has led to certain areas – such as exit planning and geopolitical and concentration risk – being neglected, and some organizations not doing core basic tasks well, such as understanding the nature of third-party relationships and related contractual terms.

See also: The Globalization of Risk Management  

Leadership: Boards and senior executives are championing an inside-out approach to EERM, which includes better engagement and coordination and smarter use of data. The survey reveals that boards and executive leadership continue to retain ultimate responsibility for EERM in the majority of organizations. Better engagement and coordination across internal EERM stakeholders is a top priority for boards and senior leaders. Boards are moving away from using periodically generated data to more succinct and real-time, actionable intelligence, generated online. But who has ultimate responsibility for third-party risk management? According to the survey results, 24% indicated the chief risk officer, 19% indicated other board members and 17% indicated the CEO.

Operating models: Federated structures are the most dominant operating model for EERM, underpinned by centers of excellence and shared services. More than two-thirds, 69%, of respondent organizations say they adopt a federated model, and only 11% of organizations are now highly centralized, which is down from 17% last year. Investments in shared assessments and utilities, and managed services models, are also increasing. Furthermore, co-ownership of EERM budgets is also emerging as a trend. Robust central oversight, policies, standards, services and technologies, combined with accountability by business unit and geographical leaders, is a pragmatic way to proceed.

Technology: Organizations are streamlining and standardizing EERM technology across diverse operating units. The survey confirms Deloitte’s prediction last year that a three-tiered approach for third-party risk management will continue. Smartly coordinated investments in third-party risk management technology across three tiers can drive efficiency, reduce costs, improve service levels, increase return on equity and create a more sustainable operating model. More specifically, 59% of the respondents adopted tier one, 75% adopted tier two and tier three continues to grow.

Affiliate and subcontractor risk: Organizations have poor oversight of the risks posed by their third parties’ subcontractors and affiliates. The lack of appropriate oversight of subcontractors is making it difficult for organizations to determine their strategy and approach to the management of subcontractor risk. Only 2% of survey respondents identify and monitor all subcontractors engaged by their third parties. And a further 8% only do so for their most critical relationships. Leading organizations are starting to address these blind spots through “illumination” initiatives to discover and understand these “networks within networks.” Less than 32% of organizations evaluate and monitor affiliate risks with the same rigor as they do other third parties. As affiliates are typically part of the same group, organizations are likely to have a higher level of risk intelligence on them than other third parties.

See also: Is There No Such Thing as a Bad Risk?  


Risk Culture Revisited: A Case In Point

True, a great deal has been written about the importance of inculcating a positive risk culture if an organization is serious about managing its enterprise risk. Yet, when it comes to discussions about organizational culture, many executives’ eyes glaze over because the topic is too nebulous or because they have no idea how to influence or develop a particular type of culture. Underwriters, considering an application from a commercial customer, generally do not look too deeply into the company’s risk culture. Given that risk is growing in magnitude and variety and with increasing speed of onset, it behooves leaders to take concrete actions to establish a sound risk culture or to maintain one if it already exists. And underwriters should also be interested in the risk culture of accounts they write for the same reasons.

Often, I am inspired to write about something because of some news I hear or read about. In this case, something on the law360 website caught my attention: A woman slipped and fell near a collapsed “wet floor” sign at a casino. This person, Ms. Sadowski, suffered serious injuries and was awarded $3 million by an Ohio jury.

“The sign lay flat on the floor that day in September 2016, and a Jack Cincinnati Casino employee even walked around it but did not pick it up,” Sadowski’s attorney, Matt Nakajima, said, according to the Cincinnati Enquirer. He said that, moments later, Sadowski tripped over it and broke one of her knee caps. There were no safety measures in place for floor inspections or fall prevention, he said, and the employee who walked around the collapsed sign was not reprimanded. So, despite the use of “wet floor” signs, other aspects of risk management were purportedly absent.

It seems the jury believed Nakajima’s description. If the description is accurate, the part about an employee walking around a collapsed “wet floor” sign is very troubling, as is the fact that there were no consequences for the employee. These kinds of actions point to a lack of a risk aware culture at various levels.

See also: Building a Risk Culture Is Simple–Really  

So, how do leaders build a risk culture, and how do underwriters probe to see what kind of risk culture exists in their prospective insureds' organizations?

Three Basic Steps to Build Risk Culture

  • Articulate the organization’s position on managing risk at key communication junctures and through different media with employees: 1) hiring interview, 2) orientation, 3) staff meetings, 4) webcasts, newsletters, bulletin boards.
  • Include a risk culture criterion in all performance reviews; e.g., does the employee perform duties safely and address or report hazards/risks when they are identified? Evaluate positively or negatively, as warranted. Celebrate exemplary cases of risk awareness or risk mitigation.
  • Ensure that policies, procedures and work instructions all describe what is expected in terms of safety, precaution and risk reporting.

Three Basic Data Points for Underwriters to Ascertain

  • Does the organization have any losses in the loss history that show an egregious lack of risk awareness?
  • Does the organization practice ERM or, at least, have policies around required safety measures, risk/hazard reporting, training on avoiding cyber and other risks, etc.?
  • Does the organization discuss or evaluate risk awareness as part of normal performance management?

At a time when every insurer is streamlining the information it requests from potential insureds, adding more requests for data seems antithetical. However, in light of the thousands of ways that employees can create, increase or decrease risk in an organization, the culture they embrace is very important. For example, an HR staffer who delays entering an employee termination into the appropriate systems can create huge data and physical security risks, because the departed employee's access remains live. Likewise, a factory worker who leaves equipment running while going on break, when it should be turned off, can create safety and property risk. Or, consider a finance employee who thinks a spoofed email is actually from the CEO and sends a payroll payment to the attacker's account because there was no secondary verification control, or the control was not followed. The questions above will help underwriters get a glimpse of the risk culture at the company they are evaluating.

See also: Thinking Differently: Building a Risk Culture  

A risk aware culture plays a role regardless of the category of risk: financial, operational, legal, cyber, human resource, strategic, etc. Everyone from the top to the bottom of the organization needs to have an automatic and quickfire gut check regarding their actions – am I creating a risk by taking this action; have I recognized the risks in the situation that is leading me to action; do I need to vet a recognized risk with others? When an organization reaches the point where this type of thinking is natural, and almost universal, then it can be said that a positive risk culture has been embedded.

Her latest book, “Enterprise Risk Management: Straight Talk for Nonprofits,” can be found here.