3 Reasons Why Risks Are Mismanaged

ERM can bring great benefits. By managing risk, it helps to minimize loss as well as maximize strategic profitability, optimize opportunities and enhance culture and reputation. Thus, when a loss occurs in a company that has been practicing ERM, the reaction is to be disappointed in ERM as a practice or to blame the ERM leader for faulty execution. It would be unwise, however, to react without further analysis and greater understanding.

No process or person is perfect; there will be times when ERM may fail to live up to expectations. Even with excellent execution, there will be times when a risk is too opaque or too complicated to be identified or managed effectively.

All ERM practitioners must determine how much they can rely on what their colleagues in other functions or business units say about a business situation and how much risk it holds, because there are at least three circumstances that might cause a business leader or “expert” to overlook or underestimate a risk. They are:

  1. Reluctance to expose or report a risk, for whatever reason.
  2. Lack of sufficient expertise or experience to recognize a risk or determine its size.
  3. Reliance on imprecise or inadequate standards and models that fail to signal a risk.

Reluctance to Expose or Report a Risk

It is really not such a mystery why a business leader or staff member might be reluctant to identify a risk. Among the reasons are:

  • Fear of being labeled a naysayer,
  • Fear of derailing an initiative that has favor in the C-Suite, thus becoming persona non grata,
  • Concern that identifying a risk might hurt personal compensation, at least in the short term.

An environment that is rife with these cultural stimuli will never produce transparency in risk identification and mitigation. Factors that can give rise to such an environment include:

  • Senior management who cannot distinguish between a naysayer and someone who is risk-aware and committed,
  • Senior management who have shown themselves to be closed-minded or have “shot the messenger” when presented with an issue,
  • Staff at any level who are not able or willing to consider the long-term health of the organization.

An environment where risk is openly discussed is a prerequisite to being able to manage risk well, but producing such an atmosphere takes time and effort. Much has been written about ERM and culture, and this literature holds great advice about how to build a risk-aware culture. Among the collected wisdom is:

  • The board and CEO must continuously champion ERM,
  • Risk must be represented in strategy discussions, organizational performance management, various employee communications and individual performance plans,
  • ERM must be given effective resources,
  • The ERM process should be robust and repeatable,
  • Mitigation plans should be closely monitored,
  • Rewards or lack thereof should be determined on the basis of how well risk is managed per plans.

Lack of Expertise

Less sinister but no less dangerous a situation exists when the presumed experts do not have the knowledge or skill to identify risks within their spheres of responsibility. The person involved could be a business unit leader, a plant manager, a department/function head or a member of the C-Suite.

Consider the testimony given by Jamie Dimon, chairman and CEO of JPMorgan Chase, about the bank’s chief investment office (CIO). His bank lost billions of dollars from a large accumulation of synthetic derivatives tied to credit default swaps that crashed in value. These investments were handled by staff based in London, in a debacle nicknamed “The London Whale.” The following is an excerpt of that testimony before the Committee on Banking, Housing, and Urban Affairs in the U.S. Senate on June 13, 2012:

  • “CIO’s strategy for reducing the synthetic credit portfolio was poorly conceived and vetted. The strategy was not carefully analyzed or subjected to rigorous stress testing within CIO and was not reviewed outside CIO.

  • “In hindsight, CIO’s traders did not have the requisite understanding of the risks they took. When the positions began to experience losses in March and early April, they incorrectly concluded that those losses were the result of anomalous and temporary market movements, and therefore were likely to reverse themselves.

  • “The risk limits for the synthetic credit portfolio should have been specific to the portfolio and much more granular, i.e., only allowing lower limits on each specific risk being taken.

  • “Personnel in key control roles in CIO were in transition, and risk control functions were generally ineffective in challenging the judgment of CIO’s trading personnel. Risk committee structures and processes in CIO were not as formal or robust as they should have been.

  • “CIO, particularly the synthetic credit portfolio, should have gotten more scrutiny from both senior management and the firmwide risk control function.”

This is truly a wake-up call to all organizations. It is an example of consciously adopted risk that produced billions of dollars of loss. The reason for its having reached the proportions that it did is described by the CEO as a lack of expertise, whether it be in terms of market knowledge, management controls and processes or something else.

To help ensure appropriate levels of expertise, an organization should ask these questions and act when the answer is negative:

  • Do the leaders of significant areas of the organization have deep knowledge of their operations?
  • Do the leaders of significant areas of the organization understand the importance of managing risk?
  • Do the leaders of significant areas of the organization have critical thinking capabilities and the communication skills to articulate what the risk profile of their operation looks like?
  • Do the leaders of significant areas of the organization ask for input from others who may be expert about risk?
  • Are those who facilitate the risk management process adequately knowledgeable and given sufficient resources?
  • Are there specialized risk management professionals in place in key areas, e.g., a chief information security officer (CISO) for information technology, as needed? Alternatively, is this role competently outsourced?

Inadequate Standards or Models

Organizations of all sizes rely on standards or models, either self-designed or designed by an expert group (governmental or professional), which indicate when some aspect of the business is exceeding a safe level of operation. Insurers use loss-modeling tools; banks use “value at risk” models; manufacturers use all sorts of gauges, such as air safety levels and equipment safe usage levels. There are also standards of safety applied to all manner of things both public and private, from buildings to transportation to infrastructure such as bridges, power grids and so on. These are routinely inspected to ascertain performance against pre-established standards of acceptability.

As can be readily appreciated, if the standard or model is faulty, then the business leader, staff or risk professional is placed at a disadvantage in identifying or evaluating the likelihood or the size of a risk.

Consider that the models used by many banks and investment houses before the financial crisis of 2008 did not help them avoid major losses. The testimony quoted above shows issues with the model used to monitor the synthetic credit portfolio at JPMorgan Chase.

Consider that, according to the Associated Press in 2013, “Of 607,380 bridges, the most recent Federal Bridge Inventory showed that 65,605 were classified as structurally deficient and 20,808 as fracture critical. . . . Officials say the bridges are safe.” How can a state or city risk manager know how to handle risk associated with the bridges when the standard of safety is so confusing? Not surprisingly, there have been some major bridge failures in the recent past.

Organizations need to vet their standards and models. For example, they could:

  • Get second opinions on the model of choice,
  • Use multiple models, not just one,
  • Stress test the model at regular intervals,
  • Establish contingency plans in case the model fails.

No organization will eliminate all uncertainty. However, with the right risk culture, knowledgeable leaders and robust models, an organization can minimize exposure to unanticipated and unmitigated risk.

What Insurers Can Teach Others on ERM

The risk management practices of insurance companies have been scrutinized by rating agencies, regulators, analysts and others for years because insurers are financial institutions that deal with high levels of risk that, improperly managed, could not only hurt their creditworthiness but damage the financial well-being of their customers. As a result of this scrutiny, insurers have developed robust and comprehensive risk management processes, increasingly known as enterprise risk management (ERM). The ERM process covers the entire company, from strategy setting to core business operations and even relationships with external stakeholders. The maturity of insurers’ models means that there are some best practices worthy of emulation or adaptation by other industries.

A selection of these is presented in this article: aggregation of risk, correlation of risk and opportunity risk management.

Aggregation of risks

Within the ERM process step of “risk identification,” insurers pay special attention to aggregation of risk. How much of the same risk can be prudently taken, and how much risk is represented by one catastrophic event?

A simple example would relate to how much property insurance is being written in Florida, which is prone to hurricane losses. Or, how much workers’ compensation is being written for one industry group that could be affected by a pervasive occupational health hazard such as mesothelioma.

A proper assessment requires: 1) knowledge of what business is being written (sold), 2) fine-tuned understanding of that business (e.g., not all property in the state of Florida is subject to the same degree of hurricane loss), 3) recognition of what could be a potential risk issue within a book of business (e.g., workers in industries that still handle asbestos or operate in older buildings that have not been remediated).

Having taken account of accumulations, insurers proceed to reduce their exposure to them. This can take many forms, including: 1) writing less business within the geography, customer segment or type of coverage making up the accumulation, 2) adding exclusions or sub-limits into the insurance policy to eliminate or reduce what is covered if the risk produces a loss, 3) requiring/helping customers to make themselves less vulnerable to the risk and 4) developing rapid responses to minimize the extent of loss after the risk has created a loss.

Moving outside the insurance company realm, any company can be subject to a variety of types of aggregations that can be above a normal, acceptable range of risk. Some examples might include:

• Shopping center management companies with many centers in neighborhoods with poor economic outlooks
• Banks with loan portfolios too heavily balanced toward governments or businesses in countries with low ratings for economic or political stability
• OEM manufacturers that supply parts to only one industry — one that may be in the process of technological obsolescence or some other life cycle dip
• Consumer goods manufacturers with narrow product lines that are tied to one demographic group that is fickle or is becoming economically pinched

Consider a large company with many silos, one that is not very good at sharing information and not tightly managed. What would happen if: 1) one unit of that company placed its call center in one of the BRIC countries (Brazil, Russia, India and China), 2) another unit opened a major manufacturing plant in that country, 3) another unit outsourced its IT code development to that country and 4) the finance unit invested in bonds from that same country — and that country suddenly had a debilitating natural catastrophe, the government or currency collapsed or a nationwide problem developed? The point is that the company in the example should be aware that it is creating an aggregated risk potential by having so many ties to that country with varying exposures.

Any significant concentration of geography, market segmentation or product offering can pose a risk to a business.

What makes ERM so powerful is that all important risks get identified, whether insurable or not, especially strategic risks, and that these risks get addressed through mitigation action plans. It is surprising how often companies do not see the magnitude or variations of risks they are facing; an effective ERM process should prevent that blindness.

Having identified an aggregation risk, companies can create mitigation plans for managing the risk. Mitigation tactics for aggregation risks in non-insurance businesses could include:

• Diversification in geographic spread
• Diversification in product portfolio
• Diversification in customer segmentation
• Innovation around uses of current products
• Innovation around ways to be more profitable with current products such that margins could increase while sales decrease
• Growth limits in risky areas; growth goals in less risky areas

Correlation of risks

Insurers have also become adept at identifying correlated risks. These are risks that may not appear to be connected but could be realized as part of the same event. Or they could be risks that have a cause and effect relationship on each other — a domino effect.

Correlated risks could dramatically strain an insurer’s ability to pay claims or remain fiscally viable. A hurricane, for example, might not only trigger covered property damage but also business interruption, supply chain losses, losses from canceled events and so on. Unless the insurer understands the totality of correlated losses, it cannot determine how much business it should write in any single hurricane-prone territory. Also correlated to the hurricane is an increase in the cost of repairing and rebuilding property because of what is termed “storm surge” — when goods or services are in greater demand after a major event. So, the insurer is not only paying out on claims from different policies (or lines of business) but may also be paying more than usual because of inflated costs.

The concept of correlated risk is not very prevalent in non-insurance companies but could be just as serious an exposure. Consider an electrical power company. It knows that its dependence on an adequate supply of water leads to a risk that drought could affect its output capabilities and its customer satisfaction. The utility may not be fully cognizant of the correlated risks. Therefore, its risk mitigation and contingency planning may not include those risks. These might include: 1) the risk that government subsidies or support could be cut as the government attends to other issues arising from drought; 2) the risk that the cost of water or expense for routing the water supply will increase because of low water levels; 3) the risk that malfunctions will occur with power plant equipment because of lower or inconsistent water supply feeds, or 4) the risk that business customers that do not get sufficient water for their operations may sue the supplier. Without a robust ERM process to help identify both insurable and non-insurable risks, these risks may go unrecognized and unmitigated and without an effective response plan.

In fact, all companies fear that “perfect storm” where many risks materialize at once that could damage and destabilize the business. Yet, some correlations might have been identifiable and action taken to ameliorate the risks, had an effective ERM strategy been in place.

Opportunity risks

There is risk in both taking and missing a potential opportunity. It may be too much to ask businesses to identify the risks and calculate the cost of not taking every opportunity that management decides against for strategic, risk-related or other reasons. However, it is expected, within an ERM-oriented business, that the risks of taking or avoiding an opportunity are considered and addressed.

When an insurer offers a new type of coverage for exposures such as supply chain, cyber or reputation for the first time, the risk is great. That is because there is often no historical loss data upon which to estimate losses and price the product. For initial losses, there is no historical data to use in setting up an adequate reserve. Additionally, there is no guarantee that enough business will be written to create a large enough pool of policyholders (law of large numbers) to spread the odds of loss enough to produce favorable outcomes.

The ERM process that insurers employ compels them to look for opportunity risks and to devise ways to ameliorate the risks. How do insurers do this? They build their risk mitigation action plans using expertise across their many functions.

For new product risk, insurers might start out by: 1) offering low limits, 2) requiring higher deductibles or self-insured retentions, 3) buying more reinsurance or partnering with a reinsurer on the new book of business, or 4) charging prices that may appear to be high but that take into account the risk-adjusted cost of capital.

In other industries, new products also pose opportunity risks. Key questions to ask include: Will the new product reach the required ROI set for it within the timeframe set? Will the new product cannibalize some existing product or products? Will the new product create issues related to product recall, patent infringement or other lawsuits?

Through the application of a robust ERM process, all or most of the risks can be identified and mitigation action plans developed. This creates a safety net for the company and makes it more likely that it will get more comfortable and proficient at product innovation. There are so many types of opportunity risk beyond new products. ERM can help with each of them.

ITL Introduces a Channel for ERM

With the traction that InsuranceThoughtLeadership.com (ITL) is now seeing in the marketplace, a consensus developed among the principals that it was time for the addition of a new channel of expertise to further flesh out the rapidly evolving practice of risk management and help influence its course and impact on the success of organizations.

This description of risk management’s potential is resonating more and more with both practitioners and senior leaders, including board members. Yet risk management is morphing under several different rubrics, including enterprise risk management (ERM), strategic risk management (SRM), governance, risk and compliance (GRC) and older terms like holistic or integrated risk management that do not seem to have gained much traction. Confusion is increasing among practitioners and leaders as the semantics shift. For various reasons, some good and some not so good, the emphasis on risk management is shifting, as well.

One could easily argue that names and acronyms shouldn’t matter, but they do, if only to gain recognition and acceptance for the discipline among a remaining, and not insignificant, group of observers. There are meaningful differences between ERM, SRM and GRC that relate to the focal point of each practice. In addition, there are practitioners who use these terms/acronyms in different ways.

I might, as I often do, like to say that it’s all just “risk management” or at least should have been had we not pursued these tangential efforts that have not served a portion of the user community well. You might note the irony in this statement because my reputed expertise is in ERM, for which I have had direct connections as a practitioner and consultant, as an author and as simply an advocate for a more robust approach to managing risk for over 13 years. Nevertheless, for the more astute, these nuances in risk management have often been beneficial. They have allowed advanced practitioners to evolve their profession further by narrowing their focus to the more material and significant aspects of the discipline, as they relate to their specific environment, culture and situation.

Confused yet?

Well, don’t be. But realize that a key pillar of great risk management is doing it in a way that is most germane to your organization and its needs and priorities. Customization is the order of the day for managing risk well. That means that, while some organizations may want to deploy a comprehensive approach, others will want to pick and choose those components that are meaningful and will have the most impact. Customization also means that certain risk stakeholders will have greater stakes in the outcomes than others. Each organization’s risk stakeholder group will be unique in its make-up, and this drives other aspects of customization that enable alignment among all players.

But the key question now for this launch of a new topic channel for ITL is how it fits into the ITL “conversation” strategy, which is focused on driving change in the broader insurance industry space. We have decided to take the “risk management” channel that has existed since the beginning and rename it as ERM.

Risk management, since the inception of its use as a term of art, has overwhelmingly meant the management of hazardous or insurable risks; strictly construed — a subset of operational risk. Traditional risk management is no doubt an important discipline in its own right, but companies need to broaden their thinking and include risks that are not insurable (e.g. financial and strategic). I love to say, “Enterprise risk management is what risk management should have always been.” So while we will always need what I consider “traditional” risk management to address insurable risks, an enterprise-wide approach to managing risks must ultimately be employed, regardless of the label or name given to the activity. This will improve the chances of survival in an increasingly challenging world and ultimately success – even if it comes at the expense of those who ignore this truth.

Regardless of the choices people make, what really matters is managing risk with excellence and ensuring that, no matter who is involved, all significant risks are addressed. Why? Because effective risk management is directly tied to organizational success. I like to say, “A risk is not a risk unless it either threatens or facilitates an objective.” If this foundational principle is true (and why would I lie?), then the effective management of all significant risks must become a mandate for leadership and a top priority for the board.

We can say this has always been a truism for organizations, but evidence suggests otherwise. The landscape is littered with extinct companies that failed in this regard. And while it is true that effective risk management is simply a part of good management, so are many other components that fail regularly.

So the question then becomes, how will businesses achieve this fundamental (though lofty for some) goal to increase the chances of both short- and long-term success? Answering that question is what this ITL channel will make its mission. We will do so by providing you content from some of the best ERM thought leaders and successful practitioners who have achieved or are well on their way to achieving this goal. To that end, I am happy to introduce today the first group of contributors who will work with me to bring you the best new ideas in ERM, including tools, advice for avoiding pitfalls, techniques, strategies, tactics and success stories. This group will include:

  • Russell McGuire, director of ERM/GRC practice, Riskonnect (U.S.)
  • Grace Crickett, senior vice president and chief risk officer, AAA of Northern California, Nevada and Utah (U.S.)
  • Marc Dominus, ERM practice leader, Crowe Horwath (U.S.)
  • Dave Ingram, executive vice president, Willis Re (formerly S&P’s ERM leader) (U.S.)
  • Donna Galer, chief administrative officer, Zurich (retired) (U.S.)
  • Rick Machold, chief audit executive, Total Systems Services (U.S.)
  • Mark Stephens, managing director, Milliman Risk Advisory Services (U.S.)
  • Peador Duffy, chairman, Risk Management International (UK)
  • Horst Simon, director, risk management, Horwath MAK (Dubai)
  • Gary Bierc, CEO and founder of rPM3 Solutions (U.S.)
  • Norman Marks, vice president and chief audit executive, SAP (retired) (U.S.)

While you may not know all of these names, I assure you they are big thinkers, have accomplished much and will stimulate new thinking for this discipline and help you, our readers, reach new heights of ERM success.

So, stay tuned and come back frequently. What you’ll see here will always be fresh and insightful.
Contributor Biographies

Marc Dominus

Marc is the enterprise risk management (ERM) solution leader for Crowe. His responsibilities include coordinating the design and delivery of Crowe’s ERM services and directing innovation initiatives in this area. His experience includes more than 20 years of providing risk management consulting services. Marc’s areas of expertise include ERM framework specification and implementation, enterprise risk assessment (ERA), professional training, executive strategic workshop facilitation, risk culture enablement and change management. He has performed consulting engagements and delivered training programs for significant and complex private and government organizations for major corporate and public entities across the world. He frequently writes, presents and delivers professional training on topics related to ERM.

Donna Galer

Donna is a consultant, author and lecturer. Her top-selling book, Enterprise Risk Management – Straight to the Point, with co-author Al Decker, was published in 2013.

She served as the chairwoman of the Spencer Educational Foundation from 2006-2010, following retirement from Zurich Insurance. This foundation awards scholarships to students studying risk management and insurance. She held a number of positions in her 17 years at Zurich from 1989 to 2006. Her last position at the company was chief administrative officer for Zurich’s world-wide general insurance business ($36 billion gross written premium, or GWP), with responsibility for strategic planning among other areas.

She began her insurance career at Crum & Forster Insurance after a brief time at JPMorgan Chase (Chase Manhattan).

She has served on numerous industry and academic boards, published many articles on ERM and strategy and was named among the Top 100 Insurance Women by Business Insurance in 2000.

Horst Simon

Horst is the director of risk management at Horwath MAK (a member firm of Crowe Horwath International) in the Dubai International Financial Centre. He has held positions with Mashreq Bank, Emirates NBD, Barclays Bank and Standard Bank Group of South Africa. He has lived in four countries and worked in more than 20.

He worked as an associate with a number of renowned global firms in banking, professional services, training and business process outsourcing and has been in the banking and consulting industries for more than 34 years. Supported by the UK-based consultancy Genius Methods, he developed and launched the risk culture maturity monitor, an online tool that accurately measures the level of maturity of an organization’s risk culture.

His special interest is in the field of people risk, and he is a regular speaker at international conferences, a trainer in operational risk and enterprise risk culture in the Middle East, Asia and Africa and a blogger on www.Zawya.com.

He supported the capacity building program of the Macroeconomic and Financial Management Institute of Eastern and Southern Africa (MEFMI); he is the co-regional director of the Global Association of Risk Professionals (GARP), Dubai, UAE chapter, and a member of the Professional Risk Managers’ International Association (PRMIA).

Grace Crickett

Grace’s career has been diverse, involving a variety of industries, ranging from equipment rental to healthcare and from not-for-profit to a Fortune 500, covering the U.S., Canada, Mexico and Singapore. The scope of her work has included self-administration of claims, safety and loss prevention, internal audit, benefits administration, continuity planning, emergency management, captive management and IT and physical security. As senior vice president of risk services and chief risk and compliance officer with AAA NCNU, she is charged with implementing ERM with her compliance, risk management and internal audit team.

Grace was chosen in 2011 as one of Business Insurance’s Women to Watch. Grace was also selected by Business Insurance magazine for its 2011 Risk Management Honor Roll. Also in 2011, Treasury and Risk magazine named Grace as one of the “100 Most Influential People in Finance.” She received the Information Security Executive (ISE) of the Decade Award in 2012 and West and North America Awards in 2011. She is actively engaged with various professional organizations, including RIMS, as a member of the ERM committee and president of the Golden Gate Chapter.

Peador Duffy

As founder and chairman of Risk Management International (RMI), a successful and growing risk management practice for the past 20 years, Peador has been at the leading edge of risk professionalism and assisting companies to manage strategic risks to their business model. A former officer with the Irish Defence Forces, he has taken first-hand military experience to the boardroom in helping businesses develop superior risk analysis and in conducting crisis scenarios with senior management teams in major corporations and businesses of critical national interest. He provides thought leadership and a pragmatic approach as a strategic overlay to risk traditionalists and has seen risk management grow from board room buy-in, as a compliance imperative, to board room traction as a competitive countermeasure after the global financial crisis.

Dave Ingram

Dave is a member of Willis Re’s analytics team based in New York, offering insurers a practical way to use ERM to identify specific actions and strategies that will enhance the risk-adjusted value of the firm. He assists clients with developing their first ORSA, presenting their ERM programs to rating agencies, developing and enhancing ERM programs and developing and using economic capital models.

In 2012, Dave was named one of the 100 most influential people in finance by Treasury and Risk Magazine.

With more than 30 years of actuarial and general management experience in the insurance industry, Dave has served as corporate actuary, business unit head and planning officer for a major U.S. insurance company. He was previously the senior director, ERM, in the insurance ratings group of Standard & Poor’s (S&P). In that position, he spearheaded the initiative to incorporate ERM as one of the primary insurance ratings criteria and the development of the framework for reviewing economic capital models. He also was a consulting actuary providing advice on risk management and risk analysis to banks, investors and insurers with Milliman.

In addition to writing some 100 published articles relating to ERM, Dave has spoken on ERM at more than 100 events in North America, Asia, Europe, Middle East, Africa, Australia and South America. He was the first chair of the 2,500-member Joint SOA/CAS/CIA Risk Management Section. Dave is now the chair of the International Actuarial Association’s enterprise and financial risks committee and chair of the Actuarial Standards Board ERM committee.

Dave is a graduate of Lehigh University and has an enterprise risk analyst charter from the SOA, financial risk manager certification from GARP and professional risk manager certification from the PRMIA.

Rick Machold

Rick has more than 28 years' experience across multiple industries and disciplines, including business risk management, process design and improvement, change facilitation, forensic accounting and strategic planning. He was most recently head of enterprise risk at Invesco and had global responsibility for the company's enterprise risk management efforts. As administrative coordinator and member of Invesco's corporate risk management committee, he oversaw the continuing development of the company's ERM framework, tools and practices.

His background is primarily in management consulting and public accounting, having served as a partner in PricewaterhouseCoopers' global risk management solutions practice in both St. Louis and Atlanta. His clients have included the Centers for Disease Control and Prevention (CDC), the New York Yankees Partnership, Wyeth-Ayerst, Ryder System, Dell and many others. For several years before joining Invesco in January 2007, Rick was an independent consultant in enterprise risk management to First Data, based in Denver. He subsequently served as senior vice president and chief risk officer for Certegy, a transaction processing provider based in Atlanta.

Rick serves on the board of City of Refuge in downtown Atlanta and is an active member of the Institute of Internal Auditors and the Risk Management Research Council. He is a frequent speaker on enterprise risk management and has written several articles on enterprise risk management and internal control. Rick is a regular guest lecturer on ERM for the University of Georgia’s EMBA program and most recently for Kennesaw State University.

Mark Stephens

Mark manages the Milliman Risk Advisory Services practice group. The practice delivers a portfolio of risk consulting services, such as enterprise risk design, test and build projects, operational risk assessments, ERM education and training and ERM technology evaluation. The ERM practice uses diagnostic consulting strategies to understand an organization’s enterprise risk goals and challenges and then customizes solutions to deliver required business results.

In addition, Mark is the executive director of the Milliman Risk Institute, which supports enterprise risk management research and development. The Milliman Risk Institute advisory board meets on a semi-annual basis and conducts corporate surveys and publishes the results along with expert commentary.

Mark began his career as a risk management consultant for Federated Mutual and later became managing director for Aon Risk Services. While at Aon, Mark designed and managed Aon Value Exchange, which provided pricing and margin guidance for broker products and services.

In addition, Mark managed the Aon Global eSolutions Group, which developed risk analytics software for multinational clients to assist with enterprise risk, claims management, exposure management and policy management. Mark served on the management teams for Aon’s enterprise risk practice council, the financial institutions practice group and the ARS-US national service board. Mark also led national and international change-management teams for risk software integration and for margin improvement. Finally, Mark was CEO of Aon RiskLabs and led the M&A team for Aon’s acquisition of Risk Laboratories and Valley Oak Systems.

In 2007, Mark founded Strategic Risk Partners, where he designed industry-leading best practices for enterprise risk management and operational risk management. In addition, he developed unique online software platforms for collaboration around governance, risk and compliance, ERM and operational risk.

Russell McGuire

At Riskonnect, Russell is director of ERM Services and in charge of development and implementation of solutions for ERM, including design of GRC software. He consults with clients on the establishment of an effective, sustainable ERM framework supported by the necessary technology to ensure success.

Gary Bierc

Gary founded and is CEO of rPM3 Solutions, a software and services firm specializing in the practical application of “cost of risk” in an ERM context. rPM3’s ARQ Technology software creates powerful outputs and analysis around the cost of risk, which exposes important links between risk and performance. This unique software delivers a patented method to make the process of identification and quantification easy and repeatable for any business or enterprise.

Norman Marks

Norman has spent more than a decade as a chief audit executive for major companies, with as much as $28 billion in revenue. He has implemented risk management, ethics programs and disclosure processes at multiple organizations and is a recognized thought leader in the professions of internal auditing and risk management.

A frequent speaker and writer on governance, risk and controls, he is the author of the Institute of Internal Auditors' popular book on Sarbanes-Oxley Section 404 and of the IIA's GAIT family of guidance products.

Norman has built or repaired internal audit functions to standards that are recognized as world class by management, audit committee members, service providers, CPA firms, peer CAEs and other internal audit leaders.