Our previous article discussed possible roles the ERM function may assume in organizations. This article addresses what are, from our perspective, the most two most overlooked steps in the entire ERM process:
Quitesimply, organizations do not invest enough time or effort into organizing therisks they identify into logical groups, or into drafting Risk Appetite Statementsthat are useful. This is a criticalshortcoming that often handicaps the entire ERM process, because these twoelements provide the overall direction and risk boundaries for every unit ofthe organization. And when doneproperly, they ensure that risk ownership and management extend to the businessunit level.
Thegood news, however, is that these problems can be quickly addressed with just abit of focused attention. Let’s lay out the steps required for you tostrengthen your processes and build that ownership within your organization.
Whenbeginning the ERM process, organizations typically jump into the process ofinventorying and defining the specific risks they face, based on theirindividual situations and the specific industries to which they belong. This isgood, but the results are too specific and often idiosyncratic. And why reinvest the wheel? Many detailed and useful Risk Taxonomies currentlyexist which provide comprehensive risk inventories and descriptions, which inturn vastly simplify the process of benchmarking performance with peercompanies in the future. In theInsurance industry, for instance, ISO 31000, COSO, and the NAIC all haveindustry-specific taxonomies. If you arejust starting out, try to use one of them. If you already have a risk inventory, try to harmonize your work withthese established frameworks. It willorganize your existing work into groupings that facilitate peer comparisons, andenable you to generate reports and comparisons that will intrigue your company executives,and are increasingly being requested by regulators and rating agencies.
Oncethe high-level risk identifying and organizing are completed, you must over-investin creating high quality Risk Appetite Statements, first at the corporate andthen at the Line of Business level. TheRisk Appetite Statement is the company’s formal pronouncement of desire orreluctance to assume specified risks, and at what levels. It is, in effect, the Company’s “StrategicPlan” for Risk, and should be closely integrated with the Company’s overallstrategic plan. Very few of the RASsthat we have reviewed, however, even come close to meeting this objective.
Ata minimum, the Corporate RAS should provide a general narrative on thecompany’s risk management philosophy and contain the following elements:
· A description ofthe 8-10 critical risks the company faces,
· Quantitativemetrics for the Risk Capacity, Risk Tolerance, and Risk Appetite for the Risk,
· Key RiskIndicators and their defined ranges, typically in “traffic light” groupings.
Thesegroupings form the basis for the Risk Reporting templates which are developedat this time and included as part of the RAS effort. Higher quality RASs usuallyinclude some discussion on the exact mechanisms for risk measurement,monitoring, and frequency, and what the control and governance processes are asthey relate to the individual risk groups. Occasionally, RASs also include abrief glossary of Risk Terms and Definitions as an addendum. We strongly endorse this practice, as itpromotes the establishment of a common risk language and vocabulary across theorganization. RASs may also discuss waysto align overall compensation on a risk-adjusted basis, but these goals remainlargely aspirational. The CFO or CRO isoften the Executive Sponsor for the Corporate RAS effort, and the Boardtypically approves the Corporate RAS after significant input and deliberationfrom the C-suite and other stakeholders.
ManyERM organizations miss an opportunity to help their organizations and createvalue by neglecting to extend this process to the individual lines of business. Once the Corporate RAS has been accepted, thecorporate sets the risk tolerances and limits. How do these aggregate limits align with the sum of business unitrisks? How do they change as thepostures of each of the business units change? And what are the interactions? These are hard questions that must beaddressed—especially by the ERM function. Very few of them do so effectively, however.
Yet,most of the raw materials for risk managers to develop these insights areavailable if they are willing to partner with their businesscounterparts. Every business unitcreates a budget and strategy document (admittedly of varying qualities!). Translating these objectives into Key RiskIndicators and Tolerances, at least initially, is something that RiskManagement should be doing proactively. Anddrafting an LOB-specific RAS is a straightforward process, based on theparameters established in the Corporate RAS and on what can be inferred fromthe LOB budget and strategy documents.
Amore strategic perspective greatly enhances both ERM’s effectiveness and yourpersonal stature in the organization. Moreover,information is power. No otherorganization in the company has the mandate to review and own risk acrossbusiness lines or to manage it. And theinsights you can create are tremendously valuable to the organization. Knowing our defined corporate risk capacity,what businesses are exceeding or “overusing” that capacity? Why? Is this contemplated, accidental, or intentional? And how can it be managed most effectively,both immediately and over the longer term? No individual business manager can answer these questions, and manymight not even want to know the answers even if they could find them. But you can, and in service to yourorganization’s health and future, you should.
Whyaren’t you seizing the opportunity?
P.S.: If you would like a sample template of adetailed Corporate Risk Appetite Statement which exceeds what’s commonly usedcurrently, feel free to download it from our website, www.srarisk.com/insurance.