James Lam – a pioneer in enterprise risk management (ERM), and the world’s first-ever chief risk officer (CRO) – kicked off his career like any other risk manager. He specialized in certain areas, starting with market risk, asset liability management and hedging, before expanding his responsibilities to include operational risk and credit risk. In the early 1990s, he started to focus on economic capital – the basis for risk professionals to allocate a common currency to different types of risk – and this was his first inspiration for what’s widely known today as ERM.
At this point, Lam joined GE Capital Markets Services, part of the financial services division of General Electric, where he was responsible for middle office risk management, back office operations, and wider business strategy. He reflected: “One day, I walked into my boss’s office and said: ‘I’m ordering some business cards. What title should I use?’ He replies: ‘Oh, I didn’t actually come up with one. Why don’t you come up with one that fits your responsibilities?’ At that point, chief information officer (CIO) was becoming widely accepted as someone at the C-level who is responsible for integrating different technologies within a company, so I said: ‘Why not chief risk officer (CRO)?’ I put that title on my business card and that’s when I became the first CRO.”
As CRO, Lam implemented ERM programs at GE Capital Markets Services and later at Fidelity Investments. He addressed implementation challenges such as obtaining buy-in from corporate directors and executives, managing organizational change, and demonstrating value. In addition to his work as CRO, Lam has worked with a wide range of companies and industries around the world as an ERM consultant. He was founder and president at ERisk and partner and global ERM practice leader at Oliver Wyman, before founding his own consulting firm James Lam & Associates, Inc. in 2002.
The third part of Lam’s career has been in board service. He has sat on private and public company boards, encouraging directors to play an active role in risk oversight. His board experience includes risk oversight committee chair at E*TRADE (an S&P 500 company), audit committee chair at RiskLens, director of Covarity, and vice chairman of ERisk.
“I think the risk management skill set is very important to the board because of the full spectrum [perspective] that a risk manager can bring,” said Lam, who will be delivering one of the keynote addresses at the RIMS ERM Virtual Conference in November. “It’s not in our human nature to fully consider risks in how we make decisions. Cognitive biases can also prevent us from seeing the full picture and create critical blind spots. Most people will think about the ‘expected scenario,’ while others might have more optimistic or pessimistic outlooks. But a risk manager brings that full spectrum of potential business outcomes to the table. That’s a skill set that’s unique to risk professionals, and it’s a mindset that, on a fundamental basis, is very useful for board oversight.”
In his upcoming RIMS ERM keynote, Lam hopes to inspire other risk managers to think beyond their current roles and beyond their next promotion. He will share why boards need risk experts to join their ranks and what skills risk professionals need to be a corporate director.
Before taking the leap into board service, it’s essential for risk managers to study and understand the role of the board, Lam stressed. He told Insurance Business: “They need to think about: what are the requirements of the board? What are the different committees’ functions? What distinguishes effective boards versus ineffective boards? When it comes to risk oversight, I use the acronym GPA to summarize the three key roles of the board. G is for governance, which revolves around how the board is organized and how risk oversight is allocated across committees. P is for policy, and the most important policies include having a risk appetite statement and a risk escalation policy. And A is for assurance, in terms of how we assure the organization, our shareholders and other stakeholders that our ERM is effective and we have the right metrics, the right reporting and the right feedback loops in place.”
Once they understand the role of the board, then risk managers should think about how they can best serve that role. That starts with “best practice ERM,” according to Lam. But “best practice ERM” doesn’t equate to simplistic risk assessments and heat maps – a trap a lot of ERM programs fall into, said Lam.
“Simplistic risk assessments and heat maps don’t serve board members well,” he said. “Risk managers need to consider what serves the needs of the board in terms of having good analytics, helping the board understand what drives earnings, what drives cash flows, and what drives value – all things that they’re very interested in. They need to translate their work into terms and contexts that the board would understand, and they need to connect their ERM work to the decision making that the board has to do in terms of risk appetite, capital structure, strategy and execution. Ultimately, I think the most important question for anybody, not just risk managers, is: How do I add value to the company to make sure that my work impacts decision making? It’s not just about risk monitoring and reporting; it’s about using risk insights and analytics to drive better business decisions.”