Chris Duncan, managing director of the National Business Group of Marsh USA Inc., in Atlanta, Ga., and former chief risk officer of Delta Airlines, Inc., spoke at the October 18, 2005 Enterprise Risk Management (ERM) Roundtable hosted by NC State’s College of Management ERM Initiative. Over 100 business professionals attending the presentation in which Duncan provided an overview of how ERM was launched at Delta following the terrorist attacks of September 11, 2001.

Driven by a desire to impact shareholder value and improve overall governance, Delta launched its ERM efforts by first focusing on a subjective evaluation of risks rather than building a risk analysis system using detailed quantitative approaches. As the first chief risk officer (CRO), Duncan worked on building a process that continued to push responsibility of managing risks to key leaders of Delta’s core business functions, while at the same time bringing information about risks together at the enterprise level. The emphasis was on strengthening the consistency of communications about risks across key business functions, while at the same time facilitating a more holistic view of key risks threatening Delta’s core strategies and reputation.

To accomplish this at Delta, Duncan pulled together a team of executives to serve as Delta’s Enterprise Risk Council (the ERC). These executives included leaders from Delta’s safety, security, legal, internal audit, treasury, controller, and information security functions. Chris, as CRO, led the ERC.

The primary task of the ERC was to oversee Delta’s enterprise-wide view of risks and coordinate key risk oversight functions and to strive towards early identification of key risks threatening the enterprise. This group met monthly, while Duncan as CRO met quarterly with the chief financial officer and twice annually with the audit committee to discuss key risk exposures.

As CRO, Duncan worked with the ERC to map key risks affecting these core categories of business operations:

  • Financial
  • Operational
  • Compliance
  • Legal
  • Security
  • Human Capital
  • Technology
  • Political
  • Reputation

As risks were identified, Duncan and the ERC mapped those risks based on the risks’ likelihood and consequence. Consequence was ranked ordered based on these subjective evaluations:

  • Survival Bet – the most severe consequence – the survivability of Delta is threatened
  • High
  • Medium
  • Low

Likelihood was assessed along these dimensions:

  • The lottery – extremely hard to predict
  • High
  • Medium
  • Low

Building on his experiences of leading Delta’s ERM function from 2001 through 2004 and his experiences in leading risk management initiatives at Frito Lay and Kentucky Fried Chicken, Duncan offered these insights about critical success factors in any ERM effort:

  • There must be clear ownership and accountability of risks across the organization (the CRO can’t be the owner and or accountability person for risks – core business line leaders must be designated as the risk owner).
  • The entity must have realistic expectations of success of risk control plans.
  • Be aware leaders tend to over-estimate the effectiveness of a response to manage risks – executives need to be conservative in the assessment of residual risks (e.g., risks remaining after a response is implemented).
  • The priority should be on closing key risk gaps for risks with the highest likelihood and consequence, particularly those that threaten the entity’s survivability.
  • Risk management must be integrated into financial planning (e.g., budgeting) and human capital processes (e.g., compensation).
  • The entity’s leaders must ensure that there is a process of ongoing communications about risks.
  • Governance leaders within the enterprise must continually re-rank risks and identify new ones on an ongoing basis.

In his closing remarks, Duncan noted that “ERM is ultimately about changing culture and behavior and driving decision making and measurable results.” He also said that “ERM is a matter of future survivability” and that getting ERM underway is more important than trying to develop the most sophisticated risk management system at the start. In essence – “just start.”