The Current State of ERM
Verisk Review Forum
Enterprise risk management has existed for more than a decade. While its definition may vary, the goal is the same: to embed sound risk management practices into the operational areas of the full organization.
In this Verisk Review forum, Ken Rado of the Verisk Insurance Solutions risk management practice and notable ERM practitioner Jim Noble discuss the origins and current state of ERM. They share their views on what needs to be done to sustain risk management as a valued corporate activity and position ERM as a viable practice.
How is ERM defined and integrated into the culture of a firm?
Ken Rado: It is critically important to select a definition of ERM that specifically fits the firm and its objectives. Given the subjective nature of such an assessment, this may qualify as one of the top challenges in the successful integration of ERM into the organizational framework.
The specific nature of that challenge notwithstanding, the definition may address general issues as well:
My working definition of ERM is this: an entity-wide process to identify, assess, and prioritize key internal and external risk drivers to assure strategic response with focus on value creation and preservation.
What are the objectives of the company ERM effort?
Jim Noble: The key goal is to promote better risk-adjusted decision making. To achieve this, the ERM initiative should include strategic, operations, reporting, and compliance components; recognize that executives have direct responsibility for different risk groups; and include objectives designed to support management of external risks technically lying beyond the firm's control.
The strategic component assures a portfolio view of risks and how they interrelate at a business unit and organization level with the mission and strategic objectives of the organization.
The operations component includes the identification and assessment of key internal and external risks that could affect strategies and critical business objectives.
The reporting component includes all control and monitoring activities, policies, and procedures throughout the organization, along with monitoring the role of internal auditors.
The compliance component assures focus on results through established roles and responsibilities throughout the organization. External compliance with applicable laws and regulations would consider Sarbanes-Oxley Act requirements and the emerging ISO 31000 suggested family of standards relating to risk management codified by the International Organization for Standardization.
Does the ERM process prioritize risks by frequency, severity, and cost to control?
Noble: Prioritization is fundamental for a properly functioning ERM program. It provides a road map by which departments and units can focus their efforts, including development and assessment of response strategies and discovery of new risk opportunities.
ERM must also help measure the impact of a single event across multiple areas of the enterprise, such as product safety, capital markets, employee relations, reputation risk, or management succession planning. This is best achieved by applying risk weighting prioritization (resource allocation) across every unit in the organization to aggregate financial and human capital costs.
While asset, income, and liability risks can generally be estimated in financial terms, the impact to an organization of catastrophic injury, illness, or death of staff members is difficult to measure in terms of lost skill sets, knowledge, experience, and training.
What is the role of the risk management group in the ERM effort?
Rado: The risk management group should be a catalyst and resource for the chief risk officer, risk committees, oversight groups, and business units. Risk managers are trained to prioritize risk. They follow accepted risk management concepts and risk assessment, response, control, and monitoring practices. Risk managers contribute organizational knowledge, loss data, and risk bearer (insurer) experience.
What additional skills may be needed for risk management to maintain a key role in ERM?
Noble: Risk management needs to deal with risk as "uncertainty of loss involving opportunity cost" versus "traditional pure risks" (loss or no loss), where insurance is the goal for the latter. Additionally, risk management must understand and effectively deal with key drivers of finance and supply chain risk management. Other notable attributes include the ability to develop personal influence and senior-level visibility and trust through demonstrated cost-effective practices and results.
What holds back the development of ERM as a more widely practiced discipline?
Rado: As a broad-based discipline, ERM has generally developed more slowly than the marketplace first indicated. Factors contributing to this include the following:
What hurdles exist for transitioning from classic risk management (as historically defined within the insurance discipline) to a wider operationally based approach?
Noble: Classic risk management is historically focused on discrete catastrophic risks that result in financial loss to an entity and may be covered by insurance.
Operationally based risk management requires the ability to work with and influence various risk oversight groups, where estimating loss is more subjective and/or loss affects the entity cross-functionally.
Enterprise risk management aims to seize opportunities to enhance or preserve the value of the entity by identifying and managing the top risk drivers rather than insuring individual events on a loss or no-loss basis.
What role do you see for analytics and risk decision support, such as catastrophe and noncatastrophe modeling and impact analysis?
Rado: With the advent of large databases combined with sophisticated computer software and subject-matter expertise, organizations of all types need more support. Key issues for risk managers will be achieving cost-effective delivery of services, proving value to customers, and aligning technical findings with actual business-driven solutions.
What are your thoughts on whether the concept of risk may be difficult for many line managers to appreciate in the ERM context?
Noble: Line managers normally focus on business results and not portfolio risk profile, so the concept of opportunity cost with a multifaceted overlay process will likely require raising the level of awareness needed for success. Risk may be more abstract than real. Providing concrete examples of catastrophic events can clarify the concept of risk for line managers.
ERM clearly takes risk management well beyond the "insurance buyer" role it has traditionally played. This comes at a time when risk management departments may already be downsized and stretched. Here's what I consider effective ERM implementation:
Become the catalyst for enterprise risk management and an expert on the key capabilities that will facilitate a successful ERM program, including the use of advanced analytics, business-continuity planning, risk-based decision making, and effective data management. After all, the risk manager is among the most qualified to determine the impact of risk on the organization.