Mr. Vance and Ms. Makomaski--co-authors of "Enterprise Risk Management for Dummies," distributed by the Risk and Insurance Management Society--said that with new exposures emerging, it will be up to risk managers to seize the opportunity to expand their capabilities and responsibilities within organizations that might have pigeon-holed them as insurance buyers or as strictly dealing with property, liability and workers' compensation risks.

Why practice ERM? "I found out the first time I sat on the RIMS board that when you're on a board of directors, people are coming to you with their requests for expenditures," said Mr. Vance. "Knowing that you have a finite number of resources, you realize that you simply cannot do everything that you want to do."

He used his car to illustrate his point.

"Risk reminds me of when my car breaks down and I take it to a mechanic," he said. "Inevitably, I get a call during the day giving me a list of all the things that must be fixed in my car. Maybe I need new brakes, but he'll point out that I need new tires, new windshield wipers, maybe new sparkplugs and the alignment might be out."

He explained that "my main goal of having a car is to get to meetings and work and the airport on time. To hit that goal, I need to make some decisions about what to do with my car." The same holistic, strategic goal-oriented approach applies to ERM, he added, to deal with the new types of exposures emerging.

"We will see increasing scrutiny by ratings agencies to look at the risk management practices in various companies as part of the credit-worthiness of their credit rating," said Mr. Vance.

He added that rating agencies plan to take the risk management scrutiny being applied to financial institutions--such as banks, trading organizations and insurers--to the rest of the corporate world.

He noted that Sarbanes-Oxley compliance mandates are also responsible for the increase of ERM.

"Very often the SOX efforts aren't seen as being part of ERM," he said. But he noted that a new rule--Accounting Standard No. 5--allows corporations to make a risk-based determination on what should be looked at by the SOX process. This means that risk management will be applied to the SOX process itself, he said.

Mr. Vance said risk management has been in a growth trend since 1955 because all business inherently must control risks to assure positive results.

"Since we don't know the future, that means that all results are uncertain," he said. "Business is filled with uncertainty. In fact, any time you take a risk or any time you're going for a reward, you're going to have a risk associated with that reward."

Increasingly, however, focus has shifted from the reward "to those risks that could prevent people from achieving the reward. The recent meltdown in the subprime space is a great example of what can happen if you're not paying enough attention to the risk."

Such enterprisewide exposures are "starting to drive risk management," he said, and as a result, "what you're seeing is a lot of different kinds of risk management arising."

During the 1970s and 1980s, he explained, risk management was comprised primarily of insurance purchase and risk transfer. Now, however, "we've got little pockets of risk management that are focused strictly on small areas."

Ms. Makomaski, offering some practical advice to risk managers, cited five steps to establish a comprehensive ERM program. While they involve the same steps in standard risk management--to identify, assess, evaluate, mitigate and monitor risks--ERM expands the types of exposures addressed to include any threat to an organization's bottom-line success.

Since not every organization is at the same level of ERM maturity, however, "where to start might be dictated by what you're already doing well within your organization."

For instance, she said, most companies have some form of auditing and monitoring programs in place. "If that is an area your company is doing strongly in, it's a good stepping stone to adopting all the other steps of the program," she added.

She recommended that organizations need to:

o Start small, which gives them a chance to backtrack and start over, if necessary.

o Start with what's working, since most organizations have one or several elements of an ERM program already in place.

o Secure support of upper management and board approval. "A great way to achieve support is to do a risk assessment on an area that is in the 'hot seat' that day," she said.

o Develop soft skills. "When it comes to selling ERM to the organization, the risk manager's role changes," she said. "It's no longer about claims and insurance management. You now become a teacher, a presenter, a facilitator, a spokesperson."

o Simplify ERM, explaining its function and value in practical terms, she said. "Use language that matches your organization and systems that complement the processes already working within the organization. Dumb it down."

When asked by a conference attendee how to get support for a program from the company, she explained that ERM is a cultural change within an organization and that the processes and ways of thinking need to be imbedded into the employee base.

While some people "prefer to start off these types of risk assessments as stealth operations or guerilla warfare" at lower levels in the organization, she said, "the key thing is to deliver what the C-suite needs and to probe the questions: What information do they need to do their job better and to fulfill fiduciary obligations to appease the board?"

She said that once these questions are answered, "support can come if you start from the bottom up."

Another attendee asked about the broker's role in helping a risk manager implementing an ERM strategy.

"The more help, the more successful the project will be," Ms. Makomaski said, although she cautioned: "I hope the intentions of the broker will be to add value and to make sure the client is managing their losses, and not just pushing insurance."