Practical Enterprise Risk Management

Author: Gregory H. Duckert

The book builds logically from corporate governance and points out a number of shortcomings in it, mainly in system implementation. Then the actual story of risk and ERM begins. Here the author rails against everything that favours a subjective assessment of likelihood and impact and the conclusions drawn from it. He swears by cold facts and data. In this way he arrives at the idea that risk assessment is really about management, and that risk management is an indispensable tool for it. After an overview of types of risk, he shows how risks should be perceived objectively. He describes a data-centred model in which everything can be tracked on the basis of all the data in the company, and in which the company can be benchmarked against itself. By introducing the concept of KRIs (key risk indicators) instead of KPIs (key performance indicators), linked to the outcome of the processes rather than their output, and by applying analysis techniques such as trends, ratios and thresholds, it becomes possible to build up historical data and, with root-cause analysis, to find the triggers of things that go wrong. Measures can then be defined and implemented.

In addition, this data can be poured into useful tools, so that the right KRIs are presented neatly at the right level at meetings throughout the organization. In doing so, he provides a handle on how to bring risk management to the board of directors.

In the penultimate chapter, the author discusses the phenomenon of outsourcing and a selection of risks at its various stages. Given his reliance on the company's own data, it is not surprising that he regards the outsourcing of IT, for example, as a bad thing: according to him IT is a core business of the company, because everything depends on it.

The author concludes the book with the question of who owns ERM. It is essential to understand that everyone contributes: everyone has a role to play in one way or another.

The Fantods Of Risk

Author: H. Felix Kloman

This book is one of the two ‘collected works’ by H. Felix Kloman.

In this work the author starts from some premises, preliminary conclusions really: what is risk, what is risk management, what is the process, what are the goals? Throughout the book he discusses them and tests these conclusions against his own ideas and against all kinds of situations in the world. This leads to a first climax in chapter 14, “Does Risk Matter?” In that chapter he also discusses “four times three”: four hypotheses, four questions and four cautions about risk management and the risk manager. The book concludes with a chapter entitled “The Future of Risk Management, Again”. In it he gives an overview of new objectives (the most important one, it seems to me, being “to build and maintain the confidence of critical stakeholder groups”), new standards, among which he cites ISO 31000, new insights (directly perceptible risks, scientifically predictable risks and virtual risks) and new tools for ERM.

In the context of this book, I also want to refer to his other book, “Mumpsimus Revisited”, which contains many of the same ideas and could have been drawn on in this book in the build-up to its conclusion.

Mumpsimus Revisited

Author: H. Felix Kloman

The author starts with the history of risk management in 1905-1912, with its foundations laid in 1881 by Otto von Bismarck, and goes on through the highlights up to 1996, mentioning the founding of the Global Association of Risk Professionals. From then on the book is a succession of articles, grouped into chapters by main topic and varying both in subject within risk management and in difficulty.

Although in the last chapter the author amusingly denounces the use of jargon, in the chapters on investments he assumes that the reader can follow the reasoning about captives (captive insurers). As a result it is not a book for senior management, unless they have expertise in this and other matters.

In the earlier chapters, where he recounts history, takes the icons of risk management apart and tells his parables, his language is much more accessible. Towards the end of the book he gives an overview of the history of captives.

The way the book is written makes it difficult to find a common thread. It is more a book for picking up a short piece of refreshing thinking about risk management in the evenings, or for learning about an aspect of risk management or its history that you were previously unaware of.

Throughout the book reference is made to the works of other authors. Unfortunately, they are not collected in a bibliography at the back.

Fundamentals of Risk Management

Author: Paul Hopkin

Throughout the book the author covers all the concepts with which risk management is concerned, with the implementation of risk management in organizations as the goal. The book is divided into six parts and an important appendix:

Introduction to risk management
Risk strategy
Risk assessment
Risk response
Risk and organizations
Risk insurance and reporting
Appendix “C”: implementation guide

To get the most out of this work, start with Appendix C: it is a guide to how best to read the book with implementation as the objective. Then read the first four chapters of Part 1, where the author lays the foundation for why risk management is needed. One eye-opener is the discovery that risk is a many-sided thing. After that, the chapters can be read in the order indicated in Appendix C. Thanks to this appendix the book is a stepping stone for anyone involved in risk management, and for every organization that has to work out its own risk management: using this book, each organization can write and maintain its own implementation handbook. I would like to see this book developed into an encyclopaedia series for which the ISO 31xxx series could form a basis. The book is a good introduction for every type of CxO in every type of organization.

However, what I feel is lacking is guidance on who qualifies as a CRO. There is no warning in the book about appointing volunteers, or people who take on the role as a side task.

Another shortcoming in my view is the treatment of BCM (business continuity management). BCM deserved more than a chapter of about 10 pages, and what is also lacking is how, given the current evolution of BCM in relation to ERM, the two can be run in step with each other. Appendix C could have served as the approach for that, but this did not happen.

In addition, the author puts some emphasis on the supply chain (for the commercial sector) and on the financial sector. Government is also discussed, but only briefly.

ICT risk is also not really addressed, nor is the ISO 2700x series of standards. There too, a whole field lies open for a book like this.

The benefits of risk management are also insufficiently emphasized.

This book is suitable as an eye-opener for CxOs and holds the promise of an elaboration of all risk-management-related matters; chapter 36 states that more risk management development must take place. Given that risk management applies to all management topics, at all levels of every organization, but also to governments and to the world as a whole, humanity has a stake in supporting and implementing risk management at all levels of society. After all, we are all experts in risk management in our own environment.