Our previous article discussed possible roles the ERM function may assume in organizations. This article addresses what are, from our perspective, the most two most overlooked steps in the entire ERM process:
Quite simply, organizations do not invest enough time or effort into organizing the risks they identify into logical groups, or into drafting Risk Appetite Statements that are useful. This is a critical shortcoming that often handicaps the entire ERM process, because these two elements provide the overall direction and risk boundaries for every unit of the organization. And when done properly, they ensure that risk ownership and management extend to the business unit level.
The good news, however, is that these problems can be quickly addressed with just a bit of focused attention. Let’s lay out the steps required for you to strengthen your processes and build that ownership within your organization.
When beginning the ERM process, organizations typically jump into the process of inventorying and defining the specific risks they face, based on their individual situations and the specific industries to which they belong. This is good, but the results are too specific and often idiosyncratic. And why reinvest the wheel? Many detailed and useful Risk Taxonomies currently exist which provide comprehensive risk inventories and descriptions, which in turn vastly simplify the process of benchmarking performance with peer companies in the future. In the Insurance industry, for instance, ISO 31000, COSO, and the NAIC all have industry-specific taxonomies. If you are just starting out, try to use one of them. If you already have a risk inventory, try to harmonize your work with these established frameworks. It will organize your existing work into groupings that facilitate peer comparisons, and enable you to generate reports and comparisons that will intrigue your company executives, and are increasingly being requested by regulators and rating agencies.
Once the high-level risk identifying and organizing are completed, you must over-invest in creating high quality Risk Appetite Statements, first at the corporate and then at the Line of Business level. The Risk Appetite Statement is the company’s formal pronouncement of desire or reluctance to assume specified risks, and at what levels. It is, in effect, the Company’s “Strategic Plan” for Risk, and should be closely integrated with the Company’s overall strategic plan. Very few of the RASs that we have reviewed, however, even come close to meeting this objective.
At a minimum, the Corporate RAS should provide a general narrative on the company’s risk management philosophy and contain the following elements:
These groupings form the basis for the Risk Reporting templates which are developed at this time and included as part of the RAS effort. Higher quality RASs often include some discussion on the exact mechanisms for risk measurement, monitoring, and frequency, and what the control and governance processes are as they relate to the individual risk groups. They may also delegate these tasks to specific business units. Occasionally, RASs also include a brief glossary of Risk Terms and Definitions as an addendum. We strongly endorse this practice, as it promotes the establishment of a common risk language and vocabulary across the organization. RASs may also discuss ways to align overall compensation on a risk-adjusted basis, but these goals remain largely aspirational. The CFO or CRO is often the Executive Sponsor for the Corporate RAS effort, and the Board typically approves the Corporate RAS after significant input and deliberation from the C-suite and other stakeholders.
Many ERM organizations miss an opportunity to help their organizations and create value by neglecting to extend this process to the individual lines of business. Once the Corporate RAS has been accepted, it sets the aggregate risk tolerances and limits. How do these aggregate limits align with the sum of business unit risks? How do they change as the postures of each of the business units change? And what are the interactions? These are hard questions that must bead dressed—especially by the ERM function. Very few of them do so effectively, however.
Yet, most of the raw materials for risk managers to develop these insights are available if they are willing to partner with their business counterparts. Every business unit creates a budget and strategy document (admittedly of varying qualities!). Translating these objectives into Key Risk Indicators and Tolerances, at least initially, is something that Risk Management should be doing proactively. And drafting an LOB-specific RAS is a straightforward process, based on the parameters established in the Corporate RAS and on what can be inferred from the LOB budget and strategy documents.
A more strategic perspective greatly enhances both ERM’s effectiveness and your personal stature in the organization. Moreover, information is power. No other organization in the company has the mandate to review and own risk across business lines or to manage it. And the insights you can create are tremendously valuable to the organization. Knowing our defined corporate risk capacity, what businesses are exceeding or “overusing” that capacity? Why? Is this contemplated, accidental, or intentional? And how can it be managed most effectively, both immediately and over the longer term? No individual business manager can answer these questions, and many might not even want to know the answers even if they could find them. But you can, and in service to your organization’s health and future, you should.
Share your email below to access sample templates of a detailed Risk Appetite Statement for corporate, reputational and third party risk.
%20(600%20%C3%97%20350%20px)%20(1).png)
.png)
%20(350%20%C3%97%20400%20px)%20(1000%20%C3%97%20800%20px)%20(2).png)