Confucius said: “I hear and I forget. I see and I remember. I do and I understand.”

Indeed, the value of knowledge is not in its acquisition but in its application. I am grateful that I have had opportunities to apply risk management in a wide range of roles throughout my 30-year career in risk management. As a consultant, I've worked with clients with different requirements based on their size, complexity, and industry. As a risk manager, I've implemented enterprise risk management (ERM) programs while overcoming data, technical, and cultural challenges. As a founder of a technology start-up, I've worked with customers to leverage advanced analytics to improve their risk quantification and reporting. In the past four years, as a board member and risk committee chair, I've worked with my board colleagues to provide independent risk oversight while respecting the operating role of management.

These experiences have taught me that knowledge of ERM best practices is insufficient. Value can be created only if these practices are integrated into the decision-making processes of an organization. The purpose of this book is to help my fellow risk practitioners to bridge the gap between knowledge and practical applications.

In my first book, Enterprise Risk Management—From Incentives to Controls (Wiley, 1st edition 2003, 2nd edition 2014), the focus was on the what questions related to ERM:

• What is enterprise risk management?
• What are the key components of an ERM framework? ...