The Talks@Columbia: Learn for Life podcast explores the people, the skills and the global forces driving change in our professional lives, with host Dr. Jason Wingard.
Listen and subscribe on Soundcloud or iTunes.
This episode features Sim Segal, F.S.A., Academic Director of the Enterprise Risk Management program. The two discuss "risk/return," and what it means in the context of large, highly complex organizations.
Listen to Dean Wingard and Sim Segal, and read the full transcript below.
Jason Wingard (0:00):
Risk return. It's a common phrase in business, but what does it mean in the context of large highly complex organizations? What does it mean for places that employ diverse and widely dispersed workforces? And what does it mean for places that need to navigate realms where policies and laws aren't yet in place to guide them? And finally, what does it mean for places that need to stay attuned to changing attitudes in the market and sometimes need to do so very quickly? And so the question we ask ourselves today is, who is really managing both risk and return in an effective way? I'm Jason Wingard and welcome to the Learn for Life podcast.
More and more organizations are learning how to quantify all risks in a practical way. The old adage, you can't manage what you don't measure is always true. So those that don't make that shift to actually quantifying, all risks are going to be at risk of falling farther behind.
Organizations that will succeed in the future will be those that adopt a robust Enterprise Risk Management program aligned to a clear organizational strategy. And so today we'll be exploring this topic, Enterprise Risk Management, an emerging field that is central to business and in the future will be increasingly vital in order to survive and to thrive in the world of work. With me to discuss this topic today as Sim Segal. Fellow of the Society of Actuaries and academic director of the Master of Science and Enterprise Risk Management program here at Columbia university. Welcome, Sim.
Sim Segal (01:45):
Thank you, Dean Wingard.
So, Sim, when you think about the future of work and how it's affecting sectors and industries worldwide, what do you see as the biggest upcoming shifts that professionals at all stages of their careers should take note of? And you can frame your response in terms of both threats and opportunities.
Well, with the shift to data analytics, and that's going to be important. We can't even see now the massive changes that's going to read globally in all sectors. That's important. I think that there's a shift that's too far. In many areas we're going to need to shift back to the human element for better projections of the future. Studies have all shown the same thing. Projections of the future that involve both human element and machine generated input are superior to machine generated input alone. We know this. And for ERM, making a bigger risk reward decisions, it's even more of an issue. I always say the only way to do anything of value is with and through other people.
In a value-based Enterprise Risk Management approach, which is what we teach here at Columbia, the combination of value-based management and Enterprise Risk Management, we teach students how to effectively conduct some of the most challenging aspects of the work, which is interviews, interactions with other people. There's two sets. The first set of interviews is with the most senior leaders in the organization, the C-suite, the heads of the businesses, head of HR, head of IT, et cetera.
The second layer of interviews is with subject matter experts. And without knowledge of how to really effectively conduct those interactions, organizations are going to make poor risk assessments, have a poor understanding of their risk reward profile and opportunities as well, and are at risk of being outflanked by competitors and making poor decisions. Which is why, although this is a robust and technical, a master's degree on Enterprise Risk Management, and my favorite course is actually strategic communications for risk professionals. Which I built specifically to train our students on the critical skills of how to interact effectively with others.
And it's partly a competitive differentiator because a lot of technical professionals in the market, they're under taught these skills. Even at some of the most popular business schools. I would say another shift that's taking place in Enterprise Risk Management is that more and more organizations are learning how to quantify all risks, including strategic and operational risks in a practical way. And most organizations are currently limiting their ERM programs to red, yellow, green, high, medium, low qualitative treatments. And the old adage, you can't manage what you don't measure is always true. So those that don't make that shift to actually quantifying all risks, are going to be at risk of falling farther behind also.
But you ask about opportunities as well. And on the opportunity side, I would say that there's a shift taking place to using Enterprise Risk Management to actually enhance the strategic planning process. And that's unusual for the risk folks to get dealt into the strategy table. But it's happening for those that are using the correct approach. And that's what we're teaching here. So as an example, and this is what we do here at our school, it's practical. Our faculty are all in the market. This is not dusty theory. It's practical. Folks bringing stuff that works right to our students.
As an example, I'm also in the market with my consulting firm, I had a client recently, we were presenting the main upshots of the work, and the CEO pulled me aside after the meeting and he said, he goes, "I want you to understand how excited I am about this." He said, "I want you to know we will be using this for strategic planning." And we're still working together to do just that.
Yeah, absolutely. So you've given us a sense of the current skills landscape that ERM, Enterprise Risk Management, currently supports. What does risk management though look like? What does the work look like say 10 years from now, 50 years from now?
I'm going to be on record of making these predictions?
No, it's a great question because it is an emerging field and what's happening now is going to change. And that's what future work, we have to think down the road. So one I would say regarding Enterprise Risk Management, a thing that comes to mind is that chief risk officers that are enhancing their decision making at the highest levels including strategic planning. That would be 10 years. I think more and more of them will be doing that. But Enterprise Risk Management is similar to risk management. Like, it sounds similar but it's a world away. So risk management is more granular, more narrow, more say market risk management, or credit risk management, or our InfoSec risk management, enterprises across all of these. But even in the silo, traditional risk management, heads of these silo risk management areas will also be applying Enterprise Risk Management.
I believe in the value-based form that we're teaching at that emerging technique to enhance their decision making. And there's case studies of that. One I can share because they've talked publicly about is that Twitter had hired my firm to apply what we're teaching here, the value-based ERM approach to just their InfoSec risk management. Now I'm not an InfoSec expert, I'm an enterprise risk management expert with whole framework, the process across all of them. But of course I know a lot about this because every organization, this is on their risk list. But the project sponsor, I remember he was very young. He had formerly been at Google. He had two patents already to his name, just in InfoSec, but just the power of applying these techniques, which is why I'm really excited for our students and graduates. The power of applying these techniques we're teaching, when we were done the project sponsor said publicly that Twitter's InfoSec risk management was head and shoulders above what had been before.
So I know there's CISOs out there that are all facing the same issues. How do we prioritize from all these different threats? How do we make the business case for what we should mitigate and what not. And how do we ever draw a defensible line in the sand that we're going to, we're going to address these, these risks out to here and no further. And we answer those kinds of questions with our master's degree here. So that's pretty exciting. I think that as we're training more and more people on this and we're the most successful program. We're getting people out there that are doing this. In 10 years I think we'll change that. It's already happening.
You asked about 50 years. That's a little harder. Of course, I hope I'm here to defend my guess, but-
We’ll hold you to it.
I would say all organizations, not just financial, will have a chief risk officer. It is more prominent to have a chief risk officer in banks and insurance companies, maybe energy companies, but there'll be more and more of that. We are already seeing that. The YMCA, largest charity in America has also spoken publicly about their work with value-based Enterprise Risk Management with me. Also government. Several years ago, the organization for economic cooperation development though, ECD, came out with the paper. It was actually only the third time in the OECD's history that ministers from all the participating countries had signed this agreement, which made it what they call soft law. That they have to implement it.
It was a three year timeline. And what it essentially said was countries at the country level have to have good ERM. And I was invited to a discussion in Washington to talk about that at the time. It was really interesting. They knew that they weren't that sophisticated but they got to get better at it and they're doing this.
And just two years ago, the Office of Management and Budget in the United States issued a circular letter 8-123 which essentially requires requires Enterprise Risk Management for executive government agencies and strongly encourages it for non-executive. So they're doing this. This is moving forward. Very recently Chicago mayor Lori Lightfoot had made a campaign promise and she's delivering on that to make a chief risk officer type of individual a cabinet level role. And they'd called me to talk about that. It was kind of interesting that this is happening at all levels of government.
I think eventually there will be a national chief risk officer, which is something that I've been advocating for and I've written a white paper on the subject of applying the value-based technique, which we again, teach here, to our country. It was funded by three different risk organizations. I had to write it in a way it could apply to all countries with all the different goals. So it was an interesting paper, but it's being looked at by people that are now sitting on committees that are thinking about... you're moving in a direction of what may emerge to be a national chief risk officer.
I think one last thought I have about the 50 years is that the chief risk officer role might be absorbed into the strategic planning role. We used to have quality officers and we don't anymore because quality is part of everybody's job. It's just there, it's embedded, it's ingrained. I think if ERM is successful the way I think it will be, the chief risk officer role is a natural role to merge into strategic planning. Under strategic planning. And I already see some starting to merge these roles. I know one that had both at the same time. And a lot of former heads of strategic planning are serving in chief risk officer roles. So we'll see how it plays out. But those are my guesses.
We certainly will. So if ERM does play out the way you predict in the next 10 years, it will have implications for students of the discipline. And so as I stated earlier, you lead the esteemed Enterprise Risk Management program here at Columbia university. What do you think your students need to learn so that they will be equipped to succeed in the job market across these industries and at these companies such as Twitter, or Goldman Sachs, or Time Inc? What do they need to learn to be successful in the way you think the market is going and the field is going in the next 10 years?
So that's a big question. I'll try to answer in a couple of ways, I think. Let me first take the part about the basic elements, the core of what they need, the technical Enterprise Risk Management and risk management skills. That's what I've been alluding to is that that value-based approach, it really brings together both the risk and return side of the equation. I think in the old day, you mentioned at the top that risk reward, right? Who's doing it. And that's something that I think about is that risk reward people, it's the most common phrase in business, but who's actually doing it effectively? Most organizations they do reward and strategic planning, which always has that hockey stick of, "Hey, we're going to grow fantastic. It's all going to be upside for the future." And then the risk side is off to the side. It's always traditionally been, all the bad things are going to happen. And the strategic planning folks say, "Well, your risk folks are always so negative. You're always looking at the downsides. What about the opportunities?" And they're right.
And the risk folks are saying, "Well, your strategic planning folks, you always have these optimistic projections, but are you sure you're going to get there? Do you know what's in your way? Do you know how to increase your chances of succeeding that?" And they're right. So actually they both need each other. And I think bringing those together, the risk reward side of the equation is what we do here. And so the value-based approach, I think the approach is going to emerge successful.
The other aspect of this that you mentioned was how to be successful in business with their careers. The key to that I think is for technical professionals, we're typically under-trained in the human interaction skills. And I say this in my communications class, I say people often talk about the soft skills. And we teach. We teach robust client skills. We teach robust here, I mean, risk skills, but people often say, "Well, you have the soft skills, the people skills, the communication skills." And so I tell them, "Okay, here's how to think of soft skills." I take out a lot of cash and I start flipping through it. I say, "It's soft like this is soft." Because if you look up at the top of any organization, the people that are there, they've got the technical, there's table stakes. What they have really strong are these communication skills because it's under taught. And some people have an innate ability. Others just have understood it's important and gotten themselves trained on it.
So this is why we're doing this. Two of our seven core courses are communications related. Managing human behavior in the organization and the strategic communications course I mentioned. Another course that's very interesting, a sexy course that we've introduced just recently that's very popular is Cognitive Bias in Enterprise Risk Management. So we're recognizing more and more the science behind how our mind works and how it interferes with sometimes our making the best decisions. So we also teach these biases and ways to compensate for these biases.
And I often say, these skills, the difference in the lift that it's going to give the trajectory of your career will outpace all the others. Yes, you've got to get the tactical after, and we're going to give you that. No question about that. We've got the best methodologies and techniques and practical, yes. And the lift that they're going to get, that trajectory, and some technical professionals they're like, "Well, those folks over there like marketing folks, they have the gift of gab, they're born with it. We're born with different skills. Just give us a pass. Like, this is what we do well."
And I think it's a persistent myth that these skills are not learnable. But it's not true. You can learn them. You just have to learn them by learning the theory, practicing them and getting expert led feedback, which is how we teach it. So I'm very excited for our students and our grads that that will be the biggest difference. And the feedback that I get from people, it's happening.
So riffing on that then, successful leaders, they always want to stay ahead of the curve. That's for any trend, any activity that will be affecting their operations or the market. When it comes to risk management, what is your advice, because they're going to be coming to you now, what is your advice for those leaders who want to stay ahead of the curve with respect to risk?
For me, it's such a clear answer. To that, I always say the same thing when I hear this kind of a question, invest in people, right? Invest in people. It's the single most rewarding thing that you'll do. I have always counted as my investment portfolio is made up of people. Is made up those few times that I've had the opportunity to really make a difference in someone's career path. It is so rewarding. And that's what... We're in Manhattan. One of our advantages, right? We have a lot of masters of the universe from Wall Street working here and they all tell me the same thing. Helping a company is great, and they combine some of you a hundred times, but what they say is their favorite part of the week is when they come here and they're looking in someone's eyes and knowing they're giving them the skills that they need to change their career path and help their organizations.
So you want to help your organization, invest in your people, send them here, develop them, and apply these techniques.
So you've done a good job of explaining to us and establishing the importance of this topic both for students as well as for managers and organizations. And you've articulated the value proposition of your program, the program of Enterprise Risk Management here at Columbia University.
So, when you're studying this topic, or if you're a company interested in either sending your employees or going to the best provider of Enterprise Risk Management theory and practice, is Columbia the best? Is another place the best? Why is Columbia the best?
Absolutely. Great question. Now, this is something I'm very passionate about. And it's very clear. I'm excited about it because we're so far in the lead, there's no one even close to us. And there's a number of reasons for it. Whereas several unique aspects of our program, we really built it from the ground up for an Enterprise Risk Management program. You'll see some others have sort of twisted or cobbled together things that were more from other places, and that's not really strong. But here's some specifics to answer your question.
First is, we cover all aspects of Enterprise Risk Management. You will see other programs may be covered, risk identification, risk governance, a little bit of risk quantification, but we cover it all. We cover ERM infrastructure, which is risk governance and ERM frameworks, and all four of the ERM process cycle steps, which are repeated throughout every business cycle. So this is... And continuously. So first is risk identification. Then there's risk quantification. There's then risk decision making, which is integrating ERM into not just mitigation decisions, but even more sexy is into strategic planning, strategic and tactical decisions and transactions.
That's where we have that sort of a vacuum sound pulling those risk folks up in the organization, dealing them into the strategy table, which is all what we want to do. We want to make the biggest most powerful positive impact we can make to our society and our organizations. And this is the way to do it. So that's one. Enterprise Risk Management is supposed to be holistic and all encompassing. You better start out by including all aspects because you got to learn them all. And we provide that.
Second, we cover all risks. If you look at some other programs they... Yeah, Enterprise Risk Management. You look a couple of clicks later, you'll find out, "Well, it's really just financial risk management." Not that it's not that. It's good, it's good work that's always going to be there. This is marketing, credit risk, liquidity, economic risk, commodity price risk, FRM. That's great. It's not Enterprise Risk Management. It's much broader as Enterprise Risk Management. And much more strategic. So there's others that are just insurance risk management, or insurable risk management. There's others that's just operational risk management. We cover all risks.
And it's really important because every industry study I've ever seen, including all my client work, including any insurance companies and banks shows the same thing. Enterprise risks are the volatility items, both upper down volatility. They're big items. They're not the small minutia. They're big items. And when you look at that, you'll find that if you draw a pie chart, two thirds of the Enterprise Risk Management risks are strategic risks. It's really interesting. This is the risk that the strategy may not be developed correctly, that our choice of a company of products and services to offer through our distribution channel to what target markets will be profitable. What's our value prop? That those choices may have been some optimal, some risk, or even more common, many risks that are in the top 20 or 30 key risks of companies is strategic execution.
Our strategy is fine. We may not be able to perfectly executed in some areas. Or a competitor may attack us. Or regulation may get changed that ruins one of our markets. So we may have governance issues, or we have supply chain issues. These are the strategic risks. The next smallest chunk, about 20 something percent is operational risks. So these are people related risk, technology related risk, not just cyber but data integrity, capacity, innovation, reliability, and then process risk, and then disasters, either natural or man-made disasters.
And then there's the financial risk, which is the smallest piece of the pie actually in terms of the independent... Not that it's not important, but in terms of the sheer number of independent things that can go wrong, there's way more strategic risk. And every study shows this. And when you talk to senior executives, they know this. But if you look at the more advanced organizations that are doing Enterprise Risk Management, which is the banks and insurance companies, they're spending all, or almost all of their quantitative energy just in the financial risks. And they're giving like qualitative short shrift, like high, medium and low, red, yellow, green to the operational. And they're virtually ignoring the strategic risks, which is two thirds.
So it's like saying, "Well, it's going to rain." I go out and I roll up the windows in my car, but it's a convertible. I know, put the top up. It makes no sense. But this is the opportunity for our students that are learning how to deal with all risks. Because at the end of the day, executives, they don't care where risk comes from. They just don't want to miss their goals. We have to make plans. If we don't make a plan, we're short of playing, we're in trouble. So, having a chief risk officer and staff that understand that, you can make everybody safer in their job. Make them more likely to achieve their goals, keep their job and get paid. And when you do that in an organization, you make a lot of friends. So that's very powerful. So that's the second aspect of why we're unique.
The last one I'll mention, because there's many others too, is that we're practical. And this is what we do in the school of professional studies. Is we're born from this. This is where we come from. Scholar practitioner model. Not dusty theory where you blow off dust off a big... It's actual practitioners in the market testing techniques and bringing them in, into the classroom. That all, or almost all of our faculty are currently in the market or have recently been in the market. So it's extremely practical.
In addition, we give you the business communication skills that we've been talking a little bit about. We give you a Ferrari of an engine in terms of the techniques. But we also have to give you transmission to translate that to advance your career on the ground. And that's the business communication skills. So that's the third aspect of our uniqueness.
Okay. So it's been established, the Enterprise Risk Management program at the School of Professional Studies at Columbia University, hands down is the best program in the world.
No one's even close.
So, Sim, now we're going to take a question from Twitter. And those of you who are listening, you can find it by pulling up #TalksatColumbia. And the question reads, new technologies such as artificial intelligence, automation and machine learning are dramatically impacting the world of work. Are you seeing an impact in risk management?
It's interesting how that question is phrased--because the truth is it is affecting risk management, but not Enterprise Risk Management. So Enterprise Risk Management is finding that the top 20 to 30 threats. Like in that range of an organization and opportunities. Risk management is more granular. It may be millions of things, thousands of things. For machine learning and artificial intelligence to work, you need a huge amount of data and the transactions to mine. You need to look at patterns and see patterns and figure things out.
In Enterprise Risk Management there's a handful of very important movements. These have to be gotten from people from these interviews that we talked about earlier with executives and subject matter experts. So it won't change Enterprise Risk Management as much if it's done the right way, but it definitely has a huge opportunity to affect our risk management and some people are starting to apply that. But Enterprise Risk Management itself will be a disruptor. Enterprise Risk Management can be applied to retail financial planning.
In fact, we had a student in my class about a year ago who is in wealth management in one of the top firms. And in the value-based Enterprise Risk Management course we're teaching a new way to look at risk and to look at the risk reward side of the equation, make better decisions. You're more on the efficient frontier when you can apply that. And when we got to the part right in the middle of the class, like the middle of the entire semester where we got to where I taught them like, how do you actually quantify all the risk on a consistent basis to look at the overall volatility around our goals, even for individuals, the wealth management that he does? He came up to me after class. He says, "Sim," he goes, "I feel like you just gave me the keys to the kingdom." I said, "I did. Now go reinvent your field because you can do it. You can take it back to his firm and really do it completely differently and innovate." So that can be disruptive.
It can also be applied to performance management. One example I give is balanced scorecards. This is something that virtually all of the Fortune 1000 are doing. This is a way of evaluating people where you look at their performance evaluation, maybe 50% is on your numbers, and then there's 10% on your clients. Client's happy, 10% on our staff happy, and then these other softer ones. The invention of the balanced scorecard is ironic because it's fundamentally unbalanced. Because those weights are typically arbitrary. Enterprise Risk Management can actually be used to recalibrate those so they're actually more effective.
So how is the industry responding to the applications of these techniques and technologies?
AI and ML, artificial intelligence and machine learning. Yes, it will change mostly risk management. In fact, I just got approached by someone, I think somewhere in Europe who's doing something pretty innovative, applying techniques, but more at the risk management level, not so much at at Enterprise Risk Management level.
All right, Sim, my last question might be the hardest one we've had this afternoon. What's the riskiest thing you have ever done?
And be honest.
I guess I never thought of myself as a risk taker when I started out my life. I was more of a safe kind of guy. But looking back I suppose I have made some bold decisions and people say, "Well, that's pretty risky of you." But risk and reward go together. Right? I would have to say that the riskiest thing might have been to launch my consulting firm in the middle of a financial crisis. That was pretty risky. Leaving a good paying job and just launching out on my own. And what happened though was... That was about 10 years ago.
So what happened though is I had developed the value-based Enterprise Risk Management technique, which again I think is leading, it's definitely changing methodologies, it's influenced, and my opinion has influenced ORSA, which is regulatory requirements driving insurance companies in the US banks and insurance companies in Canada, et cetera. It's influenced the change a couple of years ago in COSO ERM, which is the most widely used methodology. They've, I would say adopted certain elements of the value-based approach, which the key is, defining risk as anything that causes a change from strategic plan expectations, not just losses. Up and down volatility around plan, and also looking at risks by source, which is critical for correct projections. So I think it's worth it.
I mean, for me it was worth it because it gave birth to that methodology, which then became the foundation of the master's degree that we developed here, which is now by far, again, it's a top program globally. We're certainly the largest, we have phenomenal faculty and it makes me very happy to know we're changing people's careers, we're enhancing Enterprise Risk Management around the world, and I just can't wait to see where it's going to go next.
I can't either. Well, let's review. We've heard several key takeaways from you during this session. So keep me honest. I'll go through them. Number one thing that you said, organizations that don't emphasize the human element of their work do so at their own peril.
Number two, ERM, Enterprise Risk Management is changing from focusing primarily on limiting downside risk exposure, which is just focusing on the potential negatives, to informing strategic decisions that can be creative, that can be forward thinking and can be aspirational.
Absolutely true. That's the most common misconception. There's only downside. It's definitely opposite.
And then number three, ERM has the potential to disrupt many different fields of work.
Yes. Well said.
Well, Sim, thank you very much for joining me.