The Current State of ERM

Verisk Review Forum

Enterprise risk management has existed for more than a decade. While its definition may vary, the goal is the same: to embed sound risk management practices into the operational areas of the full organization.

In this Verisk Review forum, Ken Rado of the Verisk Insurance Solutions risk management practice and notable ERM practitioner Jim Noble discuss the origins and current state of ERM. They share their views on what needs to be done to sustain risk management as a valued corporate activity and position ERM as a viable practice.

Kenneth R. Rado is director of the risk management and planning group at Verisk Insurance Solutions. The group develops and delivers leading-edge risk solutions, including analytics and data modeling, claims management, loss control, supply chain and business continuity, and property risk services, to a wide array of clients in numerous industries.

James Noble, CPCU, ARM, retired as vice president of risk management and insurance at a Fortune 500 company after 28 years with the firm. Noble was instrumental in establishing the company's Operations Risk Management Committee, a senior cross-functional group that champions global risk-reduction efforts. As vice president of the company, he also led its worldwide business-continuity preparedness initiative.

How is ERM defined and integrated into the culture of a firm?

Ken Rado: It is critically important to select a definition of ERM that specifically fits the firm and its objectives. Given the subjective nature of such an assessment, this may qualify as one of the top challenges in the successful integration of ERM into the organizational framework.

The specific nature of that challenge notwithstanding, the definition may address general issues as well:

  • value creation and preservation metrics
  • key material risks to assure optimal use of resources
  • the role of analytics and scenario planning to overcome the challenge of the inherently subjective nature of the perception of risk
  • the focus of line and staff managers principally on results, not on risk profile

My working definition of ERM is this: an entity-wide process to identify, assess, and prioritize key internal and external risk drivers to assure strategic response with focus on value creation and preservation.

What are the objectives of the company ERM effort?

Jim Noble: The key goal is to promote better risk-adjusted decision making. To achieve this, the ERM initiative should include strategic, operations, reporting, and compliance components; recognize that executives have direct responsibility for different risk groups; and include objectives designed to support management of external risks technically lying beyond the firm's control.

The strategic component assures a portfolio view of risks and how they interrelate at a business unit and organization level with the mission and strategic objectives of the organization.

The operations component includes the identification and assessment of key internal and external risks that could affect strategies and critical business objectives.

The reporting component includes all control and monitoring activities, policies, and procedures throughout the organization, along with monitoring the role of internal auditors.

The compliance component assures focus on results through established roles and responsibilities throughout the organization. External compliance with applicable laws and regulations would consider Sarbanes-Oxley Act requirements and the emerging ISO 31000 suggested family of standards relating to risk management codified by the International Organization for Standardization.

Does the ERM process prioritize risks by frequency, severity, and cost to control?

Noble: Prioritization is fundamental for a properly functioning ERM program. It provides a road map by which departments and units can focus their efforts, including development and assessment of response strategies and discovery of new risk opportunities.

ERM must also help measure the impact of a single event across multiple areas of the enterprise, such as product safety, capital markets, employee relations, reputation risk, or management succession planning. This is best achieved by applying risk weighting prioritization (resource allocation) across every unit in the organization to aggregate financial and human capital costs.

While asset, income, and liability risks can generally be estimated in financial terms, the impact to an organization of catastrophic injury, illness, or death of staff members is difficult to measure in terms of lost skill sets, knowledge, experience, and training.

What is the role of the risk management group in the ERM effort?

Rado: The risk management group should be a catalyst and resource for the chief risk officer, risk committees, oversight groups, and business units. Risk managers are trained to prioritize risk. They follow accepted risk management concepts and risk assessment, response, control, and monitoring practices. Risk managers contribute organizational knowledge, loss data, and risk bearer (insurer) experience.

What additional skills may be needed for risk management to maintain a key role in ERM?

Noble: Risk management needs to deal with risk as "uncertainty of loss involving opportunity cost" versus "traditional pure risks" (loss or no loss), where insurance is the goal for the latter. Additionally, risk management must understand and effectively deal with key drivers of finance and supply chain risk management. Other notable attributes include the ability to develop personal influence and senior-level visibility and trust through demonstrated cost-effective practices and results.

What holds back the development of ERM as a more widely practiced discipline?

Rado: As a broad-based discipline, ERM has generally developed more slowly than the marketplace first indicated. Factors contributing to this include the following:

  • Line and staff management are more focused on results than risk profile.
  • Entities usually think of risks in silos and manage them accordingly.
  • Board committees — not ERM teams — usually address risks that the entity considers significant.
  • The CEO is generally perceived to be responsible for managing enterprise risk.
  • ERM requires cutting across ownership lines, which creates priority issues.
  • ERM works best when an entity has key risks affecting multiple groups.
  • An ERM effort requires a significant and ongoing time commitment, which, no matter how valid, may be challenging to justify without a proven potential for catastrophic loss.

What hurdles exist for transitioning from classic risk management (as historically defined within the insurance discipline) to a wider operationally based approach?

Noble: Classic risk management is historically focused on discrete catastrophic risks that result in financial loss to an entity and may be covered by insurance.

Operationally based risk management requires the ability to work with and influence various risk oversight groups, where estimating loss is more subjective and/or loss affects the entity cross-functionally.

Enterprise risk management aims to seize opportunities to enhance or preserve the value of the entity by identifying and managing the top risk drivers rather than insuring individual events on a loss or no-loss basis.

What role do you see for analytics and risk decision support, such as catastrophe and noncatastrophe modeling and impact analysis?

Rado: With the advent of large databases combined with sophisticated computer software and subject-matter expertise, organizations of all types need more support. Key issues for risk managers will be achieving cost-effective delivery of services, proving value to customers, and aligning technical findings with actual business-driven solutions.

What are your thoughts on whether the concept of risk may be difficult for many line managers to appreciate in the ERM context?

Noble: Line managers normally focus on business results and not portfolio risk profile, so the concept of opportunity cost with a multifaceted overlay process will likely require raising the level of awareness needed for success. Risk may be more abstract than real. Providing concrete examples of catastrophic events can clarify the concept of risk for line managers.

ERM clearly takes risk management well beyond the "insurance buyer" role it has traditionally played. This comes at a time when risk management departments may already be downsized and stretched. Here's what I consider effective ERM implementation:

  • Obtain recognition and support of the concept from the organization's board and management. From the C-suite, choose a senior officer — preferably the CFO — to champion ERM. Establish regular board reviews.
  • Define ERM and tailor it to your organization, its goals, and its culture. Use ERM to align the organization's risk appetite with its strategic alternatives. Establish a risk committee with a strong leader.
  • Implement meaningful metrics and risk/penalty parameters for the progress of ERM; communicate them throughout the organization.
  • Understand that a key goal is to promote better risk-adjusted decision making. To achieve that, ERM should include strategic, operational, reporting, and compliance components.
  • Establish risk appetite, tolerance, and response strategies based on the potential impact of a given exposure on the organization. Identify preliminary risk categories and segment them via risk mapping; follow with an embedded application of risk-based analytics.
  • Use the supply chain as a guide for matching risk drivers with the appropriate risk management driver. Using risk-based analytics, prioritize risks by frequency, severity, and cost to control.

Become the catalyst for enterprise risk management and an expert on the key capabilities that will facilitate a successful ERM program, including the use of advanced analytics, business-continuity planning, risk-based decision making, and effective data management. After all, the risk manager is among the most qualified to determine the impact of risk on the organization.