Take the case of paint manufacturers. Falling real estate values put fewer homes on the market, translating into fewer houses needing a fresh coat of paint prior to sale. Lam calls this a classic strategic risk–occurrences in one industry that can sorely affect another industry. The smart paint company has tagged "real estate values and sales" as a key metric affecting performance, interpreting this data to direct quick and nimble decisions about production, inventory and internal resources. The paint manufacturer that acts late invites earnings below expectations. "It all comes down to strategic planning," says Douglas French, managing principal in insurance and actuarial advisory services at Ernst & Young. "You fail to realize a strategic risk and your stock price is decimated."

Others agree. "When ERM fails, in many cases it's because there was a misalignment or complete omission of the strategic risk relative to all other risk assessment going on," says Pamela Easley, director and practice leader of national enterprise risk services at RSM McGladrey, a Minneapolis-based accounting and consulting organization.

Easley maintains that subprime risk wasn't on many non-financial organizations' radar screens from a strategic standpoint. "Home Depot and Lowe's, for example, both suffered financially from the housing crisis because fewer people were remodeling their homes," she says. "That data is out there somewhere and can be monitored. While companies are getting good at performing an enterprise-wide risk assessment of themselves, they need to perform the same assessment of key stakeholders."

Lam has a similar take. "If you're a lumber company, you make some assumptions about supply and demand and then posit the strategic uncertainties that might or could affect this," he says. "This is not an operational or a financial risk–it's a business risk that you accept and manage, yet many companies think of ERM primarily, if not solely, in terms of financial and operational risks. Others see it purely as a compliance tool." Lam adds: "ERM must go from the back room to the boardroom."

Obtaining a visitor's pass to the boardroom is on the agenda of today's second-generation CROs. "The new chapter in ERM is greater understanding of strategic risk," says Axel Lehmann, group CRO since February at Zurich Financial Services, the Switzerland-based insurance giant. "There needs to be a clear link between corporate strategy, risk appetite and financial and operational plans. To do this–to define risk tolerance and appetite across the organization and among key stakeholders–requires executive level and board discussions with risk management."

Such interactions are few and far between. Most CROs have so-called dotted line reporting to the board, and in many cases it's limited to the audit or compliance committee. CRO influence also is limited. In the insurance industry, for example, fewer than half of CROs or risk committees have explicit authority to influence key activities, such as strategic planning, financial planning, investment strategy decisions and product design and pricing, according to the 2008 Insurance Risk Leadership Survey by Ernst & Young. The survey noted that only half the CROs queried had oversight of equity, interest rate, credit or operational risk, though the vast majority indicated they expected to take on these responsibilities in the future.

Lam says dotted line CRO reporting must become a solid line to the CEO and full board, and the latter must be charged with strategic risk management, in consultation with the CRO. "If [directors] are too busy or the board doesn't have the right makeup to address this, then they should set up a risk committee," he says. Zurich did just that 18 months ago, forming a board-level risk committee initiated by its chairman.

"To be truly effective in their roles, CROs must be completely independent and highly vocal," Lam continues. "What is astounding about the subprime crisis is the relative lack of outcry among risk professionals saying 'This doesn't make sense; taking bad credit and securitizing it is still bad credit.' I blame it on a lack of CRO independence. When the profit motive and culture are so strong, where the company is always trying to maximize profit and meet earnings expectations, risk professionals have no outlet to voice their concerns."

CROs need to be made of sterner stuff. "You need a CRO who not only understands the organization's operational and financial risks, but also the strategic risks," says Ernst & Young's French. This profile seems to fit Lehmann, a former CEO of Zurich's North American Commercial division and, before that, head of a major company division in Europe. In short, he did not spend his career at Zurich in the trenches of risk management. "When I was asked to become CRO, the board and the CEO explained they wanted someone who understands the business, knows the risks and hopefully has some strategic conceptual abilities," Lehmann says. "While we had a well-structured risk management organization here before, it wasn't close enough to the business. Risk management didn't understand what the business side was doing, and the business side didn't understand what the risk organization provided. My job is to close these gaps."

One way he is planning to do that is through information technology. Lehmann, who also heads up Zurich's IT group, believes he can improve the company's risk-return model by integrating its disparate IT systems geographically. Given the data-intensive nature of the insurance business, an industry whose earnings are predicated on assessing and absorbing others' risks, this makes strategic sense.

Lehmann is not alone in the insurance industry in developing formal, structured processes for making strategic risk-versus-reward assessments. According to the Ernst & Young survey, 60% of insurer CROs expect to have such processes in place within three years. Ninety percent, meanwhile, also expect, that within five years, "economic capital"–the market value of assets minus the fair value of liabilities–will be a key or main performance measure. One CRO in the survey attributed the drive for measuring economic capital to the intense pressure the industry is receiving from rating agencies like Standard & Poor's, which requires ERM evaluations by insurers and banks, and has recently extended it to non-financial services businesses.

If and when that happens, companies would do well not only to measure their risks, but to routinely measure the success of their ERM processes. "Stakeholders will demand very explicit measurement of the effectiveness of risk management," says Lam. One metric, he suggests, should be the degree to which the CRO and risk committee have identified and addressed potential unexpected sources of earnings volatility. "If you're projecting $3 a share, what are the factors that could end up making it $1 a share, such as housing prices, oil prices and/or interest rates," he says. "You need to identify the risk factors and the sensitivity of earnings to them."

Allen from Marsh suggests organizations beef up their signal detection systems–dashboards that beam a red light when some key metric blows through a barrier and suddenly poses imminent danger to the strategic plan. "Rather than be heavily dependent on historical data, you want performance metrics that anticipate risks," he says. The point is, whether you're a paint manufacturer or major securities firm, data from seven years ago won't tell you a thing about tomorrow.