Thursday, August 28, 2008

Is it Time to Reconsider the Concept of Risk Management?

Seen from the outside, there are several schools of thought in the field of risk management. The Nordic approach has long been characterised by 'hard and technical matters'. In the last few years, particular attention has been paid to IT security and business continuity planning, both of which have gained a firm foothold in risk management work aimed at preventing, eliminating, minimising and controlling the risks identified in business enterprises.

Different Approaches to Risk Management

The Anglo-Saxon approach to risk management focuses on compliance and legality, placing a major emphasis on the company's related internal processes. The Sarbanes-Oxley Act, the Patriot Act and other U.S. legislation have been a major driver of this Anglo-Saxon approach breaking through all over Europe, since, as we know, European companies listed on U.S. stock exchanges must follow U.S. legislation.

There are also clear differences in the way municipalities and regions handle their risks compared to private businesses. In many local and regional government units, the risk management function's main duty is to acquire insurance cover. Only in a few exceptional cases is risk management systematic and holistic, with risks prevented through a long-term approach.

Definitions of Risk

The way a company defines risk clearly reflects its approach to risk and risk management. The plethora of such definitions – almost every company has one – ranges from “a threat with major consequences” to “events that prevent the company from achieving its goals”.

In the last few years, we have seen the definition of risk broadened dramatically, so that it covers not only traditional risks but also 'lost business opportunities', i.e. events that prevent the company from achieving its goals.

An increasing number of companies have started to use the following definition of risk, which complies with the Basel II agreement: "Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events". Adopting this definition helps companies analyse and classify operational risks appropriately and focus more on risk areas that until now have not received the attention they deserve.

From ’Hard and Technical Matters’ to Soft and Human Ones

One of the benefits of a broader approach to risk is a major shift in emphasis towards human factors. Cases around the world such as Arthur Andersen, Enron, Barings Bank and WorldCom have shown how much risk resides in people and internal processes. Who would have believed that a firm the size of Arthur Andersen, with annual revenues in the billions of dollars, would be wiped off the map within months of some of its employees spending a few nights destroying documents with a shredder?

These examples have contributed to the fact that risk management focus has shifted to employees, managers and corporate culture in a completely different way than before. Consequently, the importance of key employee dependence, leadership, corporate demography, bonus contracts, internal crime and other such factors has grown substantially.

From an Internal, Backward Approach to an External, Forward One

The events of September 11, 2001 in the United States left deep scars and made companies realise how vulnerable they were to events beyond their control. The Indian Ocean tsunami of December 2004 and the storm Gudrun, which struck southern Sweden in January 2005, have likewise demonstrated the need for systematic analysis and monitoring of the operating environment.


Elements of an Environmental Analysis

Analysis of the operating environment can be divided into the following areas:

Business Intelligence – simply defined as a way of handling the known and anticipated operating environment (e.g. competitor monitoring) in order to maintain one’s own position.

Scenario planning – briefly expressed as an analysis of the operating environment with a future perspective, where operations are planned on the basis of various, imagined future scenarios.

Trend scanning – the analysis of the unpredictable and unknown operating environment, encompassing broad areas of data, finding unexpected material and increasing one’s lead on competitors.

Disturbance monitoring – the analysis of events such as paradigm shifts and changes in discourse and trends as well as boundary-breakers and passionate persons that turn our lives upside down.

The three key questions of environmental analysis are as follows:

Relevance?
• How interesting is this event from the viewpoint of our operations?
• What long-term implications does this event have?

Impact?
• How much can this event affect our operations?

Timetable?
• How quickly can this event affect our operations?

In many companies, environmental analysis and monitoring has become a key tool for achieving success.

Risk Management of the Future?

In my opinion, risk management has acquired a completely different meaning over a short period of time. Dramatic national and global events have triggered new needs and placed entirely new requirements on risk management, which is now seen as an activity that must support business operations. While I find this a positive trend, it also poses major challenges for those of us who participate in and develop current and future risk management.


Ulf Rönndahl
ulf.ronndahl@if.se

http://ifnews.if.fi/en/

Will your company survive the crisis

Enterprises sometimes encounter crisis situations. Smaller ones may be managed with sheer luck, but for a real crisis the enterprise needs a carefully planned continuity plan. The writer has helped a number of If's clients to develop their own continuity plans during the past years.

When the World Trade Centre was attacked by terrorists in September 2001, the companies that had prepared a continuity plan handled the crisis much better than the rest. Many of the companies in the buildings had updated their plans after the previous terrorist attack on the WTC in 1993, and those plans were now activated. A well-known rating company, for example, had set up its own "hot" spare office elsewhere on Manhattan, with everything ready should the company have to move out of the WTC premises. That same morning its personnel were already serving their clients "normally" from the new offices.

In their study "The Impact of Catastrophes on Shareholder Value" (Oxford Executive Research Briefings), Rory F. Knight and Deborah J. Pretty looked at 15 major US companies after they had experienced a catastrophe. They found that companies that were prepared for such a situation and could show that they were handling the crisis (the "recoverers") saw their share price rise by about 12% on average after 250 trading days, whereas companies that were unprepared and handled the situation less effectively saw their share price fall by about 15%.

In the Nordic countries the importance of a continuity plan has been realised during the past years. Quality thinking has caused many companies to improve their operations by documenting their own processes, and risk management with all its sectors has also been defined in writing. The company’s risk management policy, strategy, insurance strategy and continuity plan are now often part of the company’s written processes. Corporate Governance has also helped to spread this way of thinking.

Generally, at least the companies' IT departments have thought about continuity problems: IT cannot stand still for long before it causes problems throughout the company. In fact, companies' processes are today so integrated that if one part is out of the game, all the other sectors are affected. Emergency preparedness plans, media plans and similar plans are normally in place in different parts of the organisation. The continuity plan, which covers the whole group, is a wide package that bundles up all these plans and provides the framework for the company's operations during a crisis.

Organising a continuity plan

The continuity actions can be split into three main phases: actions before, during and after the crisis. Before the crisis, the planning must obviously be done, including the continuity plan itself. The most important thing is that top management commits to the project and communicates this to all parties. Top management chooses the members of the planning group, who represent all sectors of the company: at least production, IT, HR, finance, logistics and PR should participate, and when needed maintenance, purchasing, marketing and warehousing are also represented.

When the planning group has been formed, a Business Impact Analysis (BIA) is carried out: the group identifies the processes the company cannot do without, works through different crisis scenarios, and considers the impact of each and how to deal with it. If a reasonably up-to-date risk analysis is available, its findings are used in this work. It is important to realise, however, that reality is often far stranger than anything we can imagine, and that it is impossible to plan for every situation. What can be built is the framework for crisis management, together with the processes that let crisis management proceed in a controlled way. Operating in a crisis usually requires some improvisation, and if that improvisation rests on checklists and directives prepared in advance, a great deal of time is saved. In the projects in which the writer has participated, the best results have been reached when the planning group has worked together enthusiastically from the start and the discussions have been lively. As a spin-off, valuable information about other parts of the organisation has come out that might otherwise not have been available to all participants.

Information and communication

Communication and media planning is an important part of the Continuity Plan. It has been said that no crisis can be so bad that it couldn’t be worse through bad communication. On the other hand, a crisis can be turned into an advantage by handling the communication in an exemplary way.

The media plan defines who informs whom, about what, and in what order. One way is to split the information into two parts: the initial information and the follow-up information. The content of each bulletin must be planned, including who the recipients are and which media and channels are to be used. Generally there should be only one spokesperson, plus a deputy, who gives out information about the crisis and to whom all contacts are directed. It is most important not to give out false information, and that the information is received exactly as intended.

When the crisis is over, one generally releases a final bulletin where the final facts about the crisis are explained, and also how the crisis finally was handled.

It is advisable to use the available expert training services in crisis communication.

Crisis management in a planned way

It is a good idea to draw a flow chart of how the beginning of the crisis will be handled. It will define the responsibilities and tasks of each organisation level. It might be sensible to divide the flow chart into local measures and Group measures. The chart will also define at what stage the local crisis management teams and the Group crisis management teams will be convened.

The crisis management team is one of the most vital parts of the continuity plan. The team members, their tasks and responsibilities and where they convene should be stated in the plan.

The crisis management team gives advice to the management in matters pertaining to the crisis and assesses the needs of the parties involved. The team convenes whenever needed and makes plans for all the sub-areas. Its premises, the crisis management centre, should be planned and reserved in advance. All decisions made and all information received during the crisis are recorded in the logbook.



After the crisis

When the acute crisis is over, the “after crisis phase” will commence. This can be split into three parts: psychological first aid, company recovery and learning from losses.

It is natural that HR is responsible for the personnel's well-being and psychological recovery, bringing in skilled outside help as soon as possible. The continuity plan should state which authorities to turn to and where help is available; in most countries there are organisations specialising in this.

How the company's recovery is handled will, at the end of the day, decide whether the company survives the crisis. Drafting the recovery plan requires thorough knowledge of the company and its resources, so only the company's own staff can draft the recovery plan and choose the right recovery strategies.

Group-level and local-level crisis management often require different skills; at the local level the crisis management team can be more or less identical to the recovery team. Recovery covers all the measures needed to get the company back in business quickly and effectively. The recovery team starts its work at the same time as the crisis management team. At group level this causes no difficulty, but if the local crisis management team and the local recovery team are expected to convene at the same time with largely the same people, the operation must be planned carefully. The composition of the recovery team deserves special attention: practical and creative people should be allocated to it.

The recovery strategy work starts by assessing the critical needs for the personnel, raw material, machinery, storage and logistics etc. The critical time for certain functions, i.e. the time that the plant can cope without those functions, must be defined. After this the processes and parts of production must be prioritised. After the prioritisation has been done, the recovery strategies for each sub-operation will be drafted. The following matters must be considered in the recovery strategy: what resources are needed to get the fundamental functions back on track within the critical time frame? Can the production be moved to another unit? Is there spare capacity available? Can personnel be moved to another unit? In that case, how do we solve the logistic, IT, overtime and other similar problems?

One also has to keep the legal aspects in mind when drafting the recovery plan, and the company's legal department has to be consulted. Matters such as how to interpret force majeure clauses, what obligations there are towards business partners in a crisis situation and other legal questions are discussed with the legal department.

Dependencies are one of the key areas in recovery planning. When assessing the risks, the size of all the dependency risks is considered, but the recovery plan has to define how to deal with these risks during crisis. The dependencies can be split into internal (interdependency) and external risks. The production chain has to be considered starting from suppliers of raw materials and commodities ending with customers and logistics. In this work it is a good idea to use the experts from your insurance company.
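The recovery strategy work described above, i.e. defining each function's critical time, prioritising, and then working through the internal and external dependencies, can be checked mechanically once it has been written down. The following is an added example, not the article's or If's own material: a small Python script that takes a table of functions with constructed critical times, recovery-strategy estimates and dependencies (all names and hours are invented for illustration), pushes each dependent function's deadline onto the functions it relies on, computes when each function can realistically be back given that its dependencies must be restored first, and lists the functions whose planned recovery misses the deadline they actually have to meet.

```python
"""Dependency-aware recovery prioritisation for a continuity plan.

Added example; the functions, critical times and recovery estimates below are
constructed for illustration and are not taken from the article or from If.
"""
from collections import deque

# critical_hours: how long the business can cope without the function (its
# critical time); recovery_hours: how long the chosen recovery strategy needs
# once everything the function depends on is back; depends_on: internal and
# external dependencies (a supplier is an external node with no dependencies).
FUNCTIONS = {
    "order_entry":           {"critical_hours": 8,   "recovery_hours": 4,  "depends_on": ["erp", "network"]},
    "erp":                   {"critical_hours": 24,  "recovery_hours": 12, "depends_on": ["datacenter_power"]},
    "network":               {"critical_hours": 12,  "recovery_hours": 6,  "depends_on": ["datacenter_power"]},
    "datacenter_power":      {"critical_hours": 72,  "recovery_hours": 2,  "depends_on": []},
    "payroll":               {"critical_hours": 120, "recovery_hours": 24, "depends_on": ["erp"]},
    "raw_material_supplier": {"critical_hours": 48,  "recovery_hours": 96, "depends_on": [], "external": True},
    "production_line":       {"critical_hours": 48,  "recovery_hours": 36, "depends_on": ["raw_material_supplier", "datacenter_power"]},
}


def _dependents_first(functions):
    """Topological order placing every function before the ones it depends on.
    Raises ValueError on an unknown or circular dependency."""
    indegree = {name: 0 for name in functions}
    for spec in functions.values():
        for dep in spec["depends_on"]:
            if dep not in functions:
                raise ValueError(f"unknown dependency {dep!r}")
            indegree[dep] += 1
    queue = deque(sorted(n for n, d in indegree.items() if d == 0))
    order = []
    while queue:
        name = queue.popleft()
        order.append(name)
        for dep in functions[name]["depends_on"]:
            indegree[dep] -= 1
            if indegree[dep] == 0:
                queue.append(dep)
    if len(order) != len(functions):
        raise ValueError("circular dependency between functions")
    return order


def effective_deadlines(functions):
    """A function must be back before anything that relies on it, so the
    tightest downstream critical time is pushed onto each dependency."""
    deadline = {n: s["critical_hours"] for n, s in functions.items()}
    for name in _dependents_first(functions):
        for dep in functions[name]["depends_on"]:
            deadline[dep] = min(deadline[dep], deadline[name])
    return deadline


def earliest_restore(functions):
    """Hours until each function is back, assuming dependencies are restored
    in parallel and a function can only start once all of them are up."""
    restore = {}
    for name in reversed(_dependents_first(functions)):
        spec = functions[name]
        waiting = max((restore[d] for d in spec["depends_on"]), default=0)
        restore[name] = waiting + spec["recovery_hours"]
    return restore


def recovery_plan(functions):
    """Per-function view for the recovery team: the deadline actually imposed
    on it, when the plan gets it back, and whether its own critical time holds."""
    deadline = effective_deadlines(functions)
    restore = earliest_restore(functions)
    return {
        name: {
            "deadline": deadline[name],
            "restore": restore[name],
            "ok": restore[name] <= spec["critical_hours"],
            "external": spec.get("external", False),
        }
        for name, spec in functions.items()
    }


def bottlenecks(functions):
    """Functions whose planned restore time misses the deadline imposed on them;
    these need another strategy (spare capacity, second supplier, moving work)."""
    plan = recovery_plan(functions)
    return sorted(n for n, row in plan.items() if row["restore"] > row["deadline"])


if __name__ == "__main__":
    plan = recovery_plan(FUNCTIONS)
    for name, row in sorted(plan.items(), key=lambda kv: (kv[1]["deadline"], kv[0])):
        flag = "OK " if row["ok"] else "GAP"
        print(f"{flag} {name:<22} deadline {row['deadline']:>4}h  restore {row['restore']:>4}h")
    print("bottlenecks:", ", ".join(bottlenecks(FUNCTIONS)))
```

Running it shows the kind of hidden dependency the article warns about: the ERP system has a comfortable critical time of its own, but because order entry can only tolerate eight hours without it, the effective deadline for ERP (and for the power supply behind it) shrinks to eight hours and the twelve-hour restore strategy is no longer good enough. The external supplier shows up as a gap too, which is the sort of finding that is taken to the insurer's experts or resolved with a second source before the crisis, not during it.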

One must learn from losses. All incidents, even the minor ones, should be analysed. A process of how to follow up the losses and what was done right and what was done wrong should be created. This is normal quality work, but it is often forgotten in connection to losses. The knowledge gained from the loss must then be put to use in training programmes, thus ensuring that the perhaps very expensive experience can be of benefit to the personnel throughout the company.

Communicating the continuity plan and training

When the plan has been completed, it must be communicated to the whole staff. A good channel for this is the company’s own intranet. Staff should be trained in activating the plan. The crisis management team could be trained by using case exercises in order to see whether the plan would function in practice. The plan and all its appendices must be updated continuously. This way the company’s continuity plan will turn into a tool that helps and serves the whole company and perhaps even its survival.


Lars von Hertzen

http://ifnews.if.fi/en/

Enterprise Risk Management model increases If capacity

To consolidate its position as the leading insurer of major risks in the Nordic countries, If has increased its capacity, supported by a gradual increase in its own net retention over recent years. As a token of our commitment to the Nordic market, If recently raised the upper limit on automatic Property per-risk capacity to €200m, placing us at the top end among our peers in terms of capital available for Nordic clients. If's Casualty and Cargo capacity also supports the needs of most Nordic-based clients.

In this article our aim is to describe how the following form the basis of our philosophy regarding capacity and risk appetite:
• A holistic risk management perspective using state-of-the-art analytical techniques (DFA modelling)
• Diversification across all perils in If
• Allowing for "unbalanced" local portfolios
• Underwriting that combines individual responsibility with a team-work approach through standardised processes


Hopefully, this also offers some inspiration to our clients in the continuous search for the optimal risk based management of your operation.

Capital allocation, investment versus insurance risk and reinsurance strategy

The capitalisation versus risk appetite, the investment policy, the reinsurance strategy and the allocation of capital to individual lines, countries and risks are in If governed through a centralised actuarial unit running a DFA (Dynamic Financial Analysis) model. These models have been refined gradually over the last decade or so, and we now consider our expertise in this area to be world-class. Besides supporting today's business decisions, the new regulatory regime being developed for the insurance industry (Solvency II) makes tools of this kind strategically important for the total ERM (Enterprise Risk Management) work going forward.

The DFA tool aims at deriving a holistic view on all risks in If, ranging from insurance risks, investment risks, credit risks, business risks to operational risks. The latter ones, however, are still in an early phase when it comes to quantitative models.

Based on combining regulatory requirements, rating agency requirements (preserving our S&P A rating) and the DFA model, there are 3 pillars leading to the risk profile of the different insurance operations in If:


Balanced risk taking in the investment operations
The main principles behind If’s investment strategy are asset-liability matching and diversification. In the allocation of investment assets, the structure and requirements of the technical provisions are taken into account in order to reduce the overall risk for the company. Duration targets for the fixed income investment portfolios are set based on the durations of the liabilities, in order to hedge the economic exposure of assets and liabilities. Furthermore by having investments spread across various asset classes and markets, diversification is achieved and thereby contributes to a balanced risk profile of the investment operations.


Capital allocation based on risk contribution
All insurance companies need capital to support the risks of their business, and the need for capital depends on the level of risk. The main principle behind allocating If's total capital (essentially shareholders' equity) to individual lines of insurance is risk contribution: we are not primarily interested in the risk of a portfolio on a stand-alone basis, but in how a risk class contributes to the total volatility of the operating result of If as a whole.

Since risks are not fully correlated, and some in fact move in opposite directions and so hedge each other, diversification benefits arise. Writing insurance in different geographical areas and across several classes of insurance is one of If's key advantages as a large insurer, and it is taken into account when allocating capital to the different insurance classes. It is also, to a large extent, the key to the risk-taking ability of the Industrial organisation, which can write business at a risk level that, as an isolated portfolio, would be considered quite unbalanced. The diagram below, based on actual analysis of BA Industrial's portfolio, illustrates the effect of aggregating two insurance classes that are not fully correlated.

If Industrial’s Loss ratio volatility for Property and Liability insurances
In this diagram the fully correlated dotted line shows a clearly wider spread in the range of loss ratio than the aggregated one. The narrower this range, the more stable the carrier's loss ratio is from year to year. As another example, If's €1.8bn Nordic and Baltic motor portfolio, being largely uncorrelated with it, balances much of the large fire-risk volatility of Industrial.
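The aggregation effect described in the last two sections, and the risk-contribution principle behind If's capital allocation, can be made concrete with a small calculation. The following Python example is added here and is not If's DFA model or data: it computes the volatility of a premium-weighted aggregate loss ratio for lines that are not fully correlated, the diversification benefit relative to the fully correlated case (the dotted line in the diagram), and the Euler risk contribution of each line, i.e. the share of the aggregate volatility attributable to it. The 60/40 property/liability split, the two volatilities and the 0.2 correlation are constructed illustration values.

```python
"""Loss-ratio volatility of an aggregated portfolio and capital allocation by
risk contribution.

Added example: premium weights, volatilities and the correlation below are
constructed for illustration and are not If's figures.
"""
import math


def aggregate_volatility(weights, sigmas, corr):
    """Standard deviation of the premium-weighted aggregate loss ratio.

    weights: premium share of each line (must sum to 1)
    sigmas:  standard deviation of each line's loss ratio
    corr:    correlation matrix between the lines' loss ratios
    Var(LR_agg) = sum_i sum_j w_i * w_j * sigma_i * sigma_j * rho_ij
    """
    if abs(sum(weights) - 1.0) > 1e-9:
        raise ValueError("premium weights must sum to 1")
    n = len(weights)
    var = sum(weights[i] * weights[j] * sigmas[i] * sigmas[j] * corr[i][j]
              for i in range(n) for j in range(n))
    return math.sqrt(var)


def risk_contributions(weights, sigmas, corr):
    """Euler allocation: each line's share of the aggregate volatility,
    w_i * Cov(LR_i, LR_agg) / sigma_agg. The shares add up to sigma_agg
    exactly, which is what makes them usable as a capital allocation key."""
    n = len(weights)
    sigma_agg = aggregate_volatility(weights, sigmas, corr)
    contributions = []
    for i in range(n):
        cov_i = sum(weights[j] * sigmas[i] * sigmas[j] * corr[i][j] for j in range(n))
        contributions.append(weights[i] * cov_i / sigma_agg)
    return contributions


def diversification_benefit(weights, sigmas, corr):
    """Relative reduction in aggregate volatility compared with treating the
    lines as fully correlated (every off-diagonal correlation equal to 1)."""
    n = len(weights)
    fully = [[1.0] * n for _ in range(n)]
    return 1.0 - aggregate_volatility(weights, sigmas, corr) / aggregate_volatility(weights, sigmas, fully)


def loss_ratio_range(mean, sigma, z=1.645):
    """Approximate 90% range of the loss ratio under a normal assumption;
    a narrower range means a more stable loss ratio from year to year."""
    return (mean - z * sigma, mean + z * sigma)


# Constructed two-line portfolio: property (volatile, fire-driven) and
# liability (steadier), 60/40 by premium, weakly correlated.
WEIGHTS = [0.6, 0.4]
SIGMAS = [0.30, 0.15]
CORR = [[1.0, 0.2], [0.2, 1.0]]

if __name__ == "__main__":
    fully = [[1.0, 1.0], [1.0, 1.0]]
    print(f"fully correlated sigma: {aggregate_volatility(WEIGHTS, SIGMAS, fully):.4f}")
    print(f"aggregated sigma:       {aggregate_volatility(WEIGHTS, SIGMAS, CORR):.4f}")
    print(f"diversification benefit: {diversification_benefit(WEIGHTS, SIGMAS, CORR):.1%}")
    for name, c in zip(["property", "liability"], risk_contributions(WEIGHTS, SIGMAS, CORR)):
        print(f"{name:<10} contributes {c:.4f} of aggregate volatility")
    lo, hi = loss_ratio_range(0.70, aggregate_volatility(WEIGHTS, SIGMAS, CORR))
    print(f"90% loss-ratio range around 70%: {lo:.1%} to {hi:.1%}")
```

With these inputs the fully correlated aggregate has a volatility of 24 percentage points of loss ratio and the weakly correlated one about 20, a diversification benefit of roughly 16%. The contributions add up to the aggregate volatility exactly, which is what allows them to serve as a capital allocation key: property is charged for about 17 points and liability for about 3, much less than its weight of 6 points in the fully correlated case, because it diversifies the property book.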

If’s reinsurance strategy
Supporting the holistic view on capital allocation through risk contribution, reinsurance in If is always purchased from a corporate perspective (though taking into account the solidity of the different legal entities). In essence, this means that we buy a highly efficient and stream-lined reinsurance program protecting the total capital for If, but allowing for significantly higher result volatility for individual lines or countries than with a more conventional “balancing each portfolio” way of looking at reinsurance. However, it is fair to add that If also lives in the real world of quarterly capitalism leading to some protections being installed simply in order to protect our more short-term key ratios.


In this graph the basic reinsurance program takes a capital protection point of view. The stabilizing reinsurance program (if any) should then protect the (quarterly) financial results of an insurance company.

Capacity and retention for If
The somewhat theoretical considerations above result in If being able to
• provide a higher amount of capacity for individual risks than traditionally seen,
• retain more of our clients' risks on a net basis than in earlier days, and
• offer a more efficient price for capacity.

The automatic treaty capacity for If, which enables a swifter response to clients and brokers, has been raised in cooperation with our re-insurers as a consequence of a long-term stable relationship. Thus as the international reinsurance market trusts our underwriting and insurance skills, we are able to lead in an efficient manner the whole programme for our Nordic clients.

Of course this also demonstrates trust in our own organisation: underwriters are equipped with considerable mandates, which keeps decision-making short. On top of this, the underwriter is supported by analytical tools in which the price for all layers and sections is included.

For the underwriting decision, capacity is only one factor, and not even the most important one; risk profile, wording and pricing are of equal importance. Modern analytical techniques have, however, definitely shed new light on this highly traditional discipline of large corporate client underwriting.


Revitalized underwriting

One interesting consequence of this corporate way of managing risk is that the portfolio of each individual underwriter cannot offer stable financial performance by itself. This has led to concepts such as four-eyes underwriting, re-underwriting meetings and generally more team-work and cooperation, securing the same treatment and risk evaluation for all risks and clients. The authority and responsibility of each underwriter is nevertheless maintained. In this way we combine the best of analytical tools and a collective approach without compromising each underwriter's individual responsibility or the use of his or her underwriting knowledge.

Client trends

Do we see similar trends among our clients? Firstly, Enterprise Risk Management (ERM), prompted by the Sarbanes-Oxley Act (SOX) in the aftermath of the Enron, WorldCom and similar corporate scandals, has brought an enhanced focus on a holistic view of all risks in a company. Guidance on implementing ERM is provided by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in its ERM framework.

The SOX together with ERM emphasize the fact that companies need a clear picture of potential risks, an idea on how to deal with them and prior to this, management has to evaluate and decide on a company’s risk appetite. Among other things ERM clearly has raised the interest toward more efficient insurance programs.

The clearest trends we see among our clients are
• Lift of program trend
• Holistic risk management approach
• Service and quality expectations from the insurer
• Clarification of captive strategies

Lift of program trend
We have clearly seen a need for higher capacity. When mapping risks and the corresponding risk management measures, including insurance, companies have started to check whether the old worst-loss scenarios and sums insured are still sufficient for their current business operations. At the same time, requests for broader wordings have increased as protection is sought for the more unlikely events. Naturally this does not just concern the working layers; similar coverage on the upper layers of insurance programmes has become even more important. This trend can be seen in both property and liability insurance programmes, and it corresponds with the way If evaluates reinsurance. The graph below shows the relationship between the probability of a risk and the financial magnitude of a possible loss.

Holistic risk management approach
This is the result of the same kind of awakening process that If has been through: for many of our clients, financial risks, for example, could hurt bottom-line performance far more severely than, say, the fire exposure.

However, also business (e.g., share price), operational and other risk factors need to be considered. A major fire in a key facility or a large product liability claim, could affect the share price of the company to a much larger extent than its purely financial effect would indicate. Thus, a holistic risk management perspective is needed in order to assess the appropriate insurance cover to set up.

Service and quality expectations from the insurer
ERM also puts pressure on the effective and efficient use of a company’s resources – not only limited to capital resources. In order to have a finger on a company’s risk management pulse one has to be able to trust external service providers’ capabilities. For insurance carriers this means serving clients not only on clear underwriting issues, but also on claims handling, risk management and global and also local services wherever our clients have their business operations.

As an example If Industrial acknowledges this trend by tailoring Claims Models in order to find the most suitable claims service package to match a client. In addition, we are now further improving our service standards for handling international insurance programmes (ISM models).

Clarification of captive strategies
When the captive evolution started in the Nordic region back in the 1970s, Captive insurance companies used to be considered more of a financial vehicle than a real risk management tool and were mainly run by the companies’ CFO.

The development during the 1990s made captives more of a risk management tool for the companies’ CRO. After careful evaluation of the company’s risk map and appetite, the captive is used as a method for retaining part of the risks and also a tool for insuring risks that do not fall within the basic scope of property and casualty risks - like some of the pharmaceutical or automotive industries´ risks.

However, captives should be subject to the very same holistic risk management considerations as for any other risk carrier. As for insurance companies in general, companies using captives have to consider at least the following issues:
• Operational risks, e.g., claims handling and international service for global units
• Cost for reinsurance versus retaining risks
• Reserve setting / balance sheet risks
• Market risks
• Exit possibilities from the captive solution

Example 1: With a widespread international/local insurance need with many locations it could, say, be more beneficial from an operational point of view to utilize a reinsurance captive rather than a direct captive.

Example 2: In order to prepare the company for being divested, one stops writing liability in the captive in order to avoid putting old exposures up for sale.

Summary

A regulatory environment of Solvency II, SOX and thereby ERM has put a lot of positive pressure on our and our clients' risk management and capital allocation. We have to be well aware of our risk map and at the same time evaluate how to allocate the capital in use in the most efficient manner.

If has increased its treaty capacity in order to respond to the needs of our Nordic clients. At the same time we increased our service level to match the requirements of holistic risk management and larger risks. Consequently, I believe we have an excellent foundation for dealing with the challenges of large risks and capital efficiency together with our clients.

Espen Husstad

http://ifnews.if.fi/en/

The Chief Risk Officer is multi-talented

The Chief Risk Officer (CRO) or Risk Management Director is now an established position in Finnish companies and is responsible for a wide range of tasks, the emphasis of which is moving from property risks to business risks. The most significant challenge for these professionals is considered to be establishing risk management as an integrated part of the management system and business process. In order to be successful, the CRO must first convince line managers of the importance of risk management.

As enterprise-wide risk management (ERM) has become more common, a new group of professionals, the CROs, has evolved. The views and opinions of these professionals and the challenges they have experienced were studied in a research project during the spring of 2007. The research was organised by Ernst & Young in co-operation with the Finnish Risk Management Association. The target group was the risk management professionals working in Finnish companies and associations.


The professional background of individual CROs varies a lot (figure 1). This may be due to the relative newness of the position and to the fact that risk management in its entirety is quite an extensive area covering many different sectors.

The risk management professionals who answered the questionnaire represented 15 different educational and experience backgrounds in total. When asked, only 17 % of those who answered stated that their education and experience were specifically connected to risk management. The vast majority, i.e. over 80%, have therefore moved to risk management work from another sector, the most common of which is insurance. The other common backgrounds are corporate safety, accounting and financing.

Risk management seeks security

The objectives that an organisation sets for risk management form an important starting point for the work of a CRO (figure 2). The most common objective that the organisations participating in the research work identified for risk management is “ensuring the achievement of targets”. Three-quarters of those who answered the questionnaire stated that they had set this objective.


Setting objectives is a fundamental part of ERM. On this view, risks are all those factors that can jeopardise the achievement of business targets, whichever risk class they belong to. The other most commonly set objectives are connected with improving risk awareness and the risk management function within the organisation, loss prevention and securing the continuity of business operations.

In contrast, objectives connected to economics and financing, such as reducing fluctuations in profits or cash flow, or ensuring that the forecast profit is achieved, are only rarely set. Thus the doctrines of business economics and finance do not seem to be applied to any significant degree in practical risk management work. This is despite the fact that business economics and finance are well represented in the backgrounds of risk management professionals, and that risk management directors or CROs very often report to the Chief Financial Officer.

Chief Risk Officers participate in many activities and must work in several areas of risk in order to meet these objectives. Typical areas of work cover physical as well as intangible risks, technical as well as commercial risks, and risks that are internal as well as external to the organisation. However, this does not mean that the CRO is responsible for all of these risks; according to the established model, Group Risk Management operates primarily as a coordinator and internal consultant for the managers of the business units, who in practice are responsible for line risk management.

Based on the research results, it is clearly more common for the CRO to participate in developing and co-ordinating risk management activities rather than to be completely responsible for the work. According to the survey, property risk management is the area for which the CRO bears most responsibility for developing risk management strategies.


It is estimated that property risks currently occupy most of the CRO's time (figure 3). Property risks represent the traditional area of risk management, as do health and safety risks, which also demand a substantial portion of the CRO's time. Furthermore, risks related to marketing, client contact, competitors and supply chain management have recently emerged, broadening the CRO's area of responsibility.

In the future the emphasis will be on strategic risks

The results of the survey suggest that this trend will strengthen further in the future. When asked which types of risk they will put most effort into over the next three years, the CROs clearly expect the risks connected with marketing, client contact, competitors, partners and networks to rise above the others.

It seems that the focus of risk management work in the future will be concentrated on the strategic risks of business operations. This is an area in which CROs have not traditionally been involved. Only a few of those who answered the questionnaire were of the opinion that the focus should be on property risks in the future. It was also considered that risks connected to health and safety and to financial reporting will demand less consideration in the future than is currently the case. This does not mean that these risks will disappear; rather, so much effort has already been put into them that they are anticipated to demand less consideration relative to the newly emerging areas of risk.


The main risk management activities for which the CROs are responsible include the development of risk management principles, reporting practices and tools, and insurance (figure 4). However, only one in four of the CROs are responsible for identifying and assessing risks. The survey indicates that this task belongs primarily to those directly responsible for the risk, typically within the management of the specific business operations.


However, it would be beneficial if those working in risk management actually participated in the risk assessment and provided the methods and tools needed to carry out the process. It is therefore alarming that almost 40 % of those who answered the questionnaire reported that the risk assessments of investments are carried out without the participation of the CRO, although it is more common for the CRO to participate in due diligence processes.

The challenge is to take risk management to the business operation units

The biggest challenges for CROs are connected with introducing risk management into the organisation (figure 5). As many as 80% of those who answered the questionnaire felt their main challenge was to integrate risk management into the management system and business processes. The second most important challenge highlighted by the questionnaire was marketing risk management and proving its benefits to line management and business operation units. One third of those who answered also felt that maintaining the defined operating methods in the organisation was a significant challenge. These three issues are closely connected to each other.


To ensure that the organisation maintains its risk management processes, risk management must be integrated into practical management and the benefits it brings must be clear to the business operation units. Selling risk management to a company's senior management, however, seems to be a lesser challenge, stated by only 25% of the participants. In the words of one of those who answered the questionnaire: "Senior management has already begun to understand the significance of risk management; however, how do we increase the understanding of the next management levels?"

The most significant challenges when communicating with senior management are connected to understanding their expectations, clarifying their targets and meeting their targets, i.e. proving the operating ability of risk management to them and the board of directors.

The operating environment of companies is constantly changing and developing, and the new phenomena that emerge alongside familiar risks must be understood and managed. The world of risk is continuously expanding, so the challenges facing Chief Risk Officers will not decrease. On the other hand, the same development may well put the services of the CRO in ever greater demand in the future.


Fredrik Åström, Manager, Advisory Services unit of Ernst & Young

http://ifnews.if.fi/en/

Risk management is a clear competition factor

A good level of risk management helps a company to recover economically from a disaster. Senior management, and its ability to act correctly in the aftermath of a crisis, is of crucial importance. Risk management is therefore a clear competition factor.

Oxford Metrica recently published an international research study examining the impact of mass-fatality events on shareholder value. Companies fall clearly into two groups: those which deal effectively with the situation, and whose shareholder value eventually strengthens after an initial decline, and those whose shareholder value does not recover. In the latter group, the decrease in shareholder value deepened and stayed permanently at a low level over one calendar year (261 trading days).


One of the key conclusions from the study was that the ability of senior management to perform in the aftermath of a disaster and in the crisis caused by the disaster is a significant factor in influencing the company’s value. 74 companies which suffered from disasters were analyzed in the research study.

A good level of risk management has become a significant competition factor, and the Enterprise Risk Management (ERM) process has become an integral part of almost every major enterprise's corporate governance system. At the same time, the demands placed on it have increased.

The task of the ERM process is to ensure the management of all types of risk that can threaten business operations and prevent the company from reaching the targets set for them.

One of ERM’s important areas is accident risks. The task of If Industrial is to support our client companies in this area by providing insurance and risk management solutions which will secure the business of our clients. The solutions include client specific risk assessment, loss prevention, an insurance solution and claims handling.

With regard to risk assessment and loss prevention If Industrial has the largest RM unit in the Nordic insurance industry. In addition to property and loss of profits risks, it concentrates on cargo, health and safety and liability risks. The unit supports our client companies’ domestic and international risk management work.

One of the most challenging risk management areas is the management of liability risks. Risks in this area cannot be predicted or evaluated as well as, for example, property and loss-of-profits risks.

The health effects of chemicals and their associated liability issues might not appear until many decades have passed. The risks associated with components as part of a safety critical system can be difficult to analyse, too. In the same way, the risks connected with different product user groups can be a challenge from the assessment point of view.

Legislation varies between countries and laws can be amended, which affects risk assessment. There are also many different forms of liability. In addition to third-party and product liability, the analysis of professional indemnity and directors' and officers' liability requires its own expertise.

If Industrial has carried out consultancy work connected to liability risk management for its client companies in Finland for over 10 years. The operating model has now been refocused and is being extended to every Nordic country. The new approach supports underwriting decisions and at the same time provides a good overall picture of the management of the liability risks in its entirety on an enterprise level for our client companies.

The operating model is based on co-operation with our client companies. The tools used to assess the risks are:

(1) Positioning and analysis of the liability risks
(2) A Navigator analysis of high risk liability areas.



The operating model is the same for all areas of risk management and it is based on co-operation between our client companies, brokers and If Industrial. Our objective is the correct identification and assessment of the risks and a thorough review of the risk management in a constructive manner. We handle identified risks openly with our client. The target is to produce a three year programme for improving the level of risk management.

Juha Ettala

http://ifnews.if.fi/en/

A holistic risk management framework

Risk in general is the likelihood or probability of a negative consequence, typically a loss or a missed profit opportunity. For a P&C insurance company like If, the largest risk is insurance risk. However, we are also exposed to other risks such as credit, market, operational and business risks. No one can predict the future with 100% certainty, but there are many ways of handling its uncertainties. Management of risks is important for both small and large corporations, whether a manufacturing company or a financial institution. For an insurance company in particular, risks and the management of risks are part of daily operations, since insurance by definition is about transferring risk from the insured to the insurance company.

For us, the purpose of risk management is to identify, analyze, control and mitigate all risks that could prevent us from achieving our goals and targets, as well as to determine, implement and improve risk management methods. There are risks connected to the pricing of insurance products, to cost management, to investment strategies and to claims handling alike. We therefore aim to ensure that risk management work is continuously ongoing in all parts of our organization. The ultimate objective of our risk management process is to ensure adequacy of capital in relation to the risks we carry, as well as to limit fluctuations in financial results.

During the last couple of years, risk management has developed from the traditional approach, in which risks were managed on a stand-alone basis, into Enterprise Risk Management (ERM), which emphasizes a holistic view of risk at enterprise level and the integration of risk management with other business processes. The drivers behind this development are:

• more complicated risks
• enhancing the deployment of capital
• internal requirements from owners and management
• external requirements from regulators and rating agencies
• more sophisticated methods to quantify risks



One of the drivers behind the change in the insurance industry is the current on-going EU-driven project (named “Solvency II”) aimed at establishing new risk-based capital requirements for the European insurance industry. The new regulation will to a greater extent encourage and give incentives for insurance companies to measure and manage all their risks properly and on an aggregated level. “Solvency II” is expected to come into force in 2010 and we are actively taking part in this project in our efforts to be “Best in Risk” and in having a leading risk management practice.

Enterprise Risk Management

For us, ERM is the assessment, exploitation, financing and monitoring of risks from all sources for the purpose of ensuring that the aggregated risk exposure is in proportion to our capitalization (based on the Casualty Actuarial Society's definition of ERM). Through our ERM process, risks across the whole group are managed holistically.


ERM encompasses for example:

• identifying and managing multiple and cross-enterprise risks
• aligning risk appetite and strategy
• improving deployment of capital

Identify and manage multiple and cross-enterprise risks

In order to properly assess exposures, companies must continuously measure all risks, both financial and operational, across the whole organization. When making this assessment, the correlation between risk classes and risks across all products, business areas, legal entities and geographies must be identified.

One of the main objectives of ERM is aggregating risks while explicitly capturing the correlations between them. This provides valuable insight into the interactions between risks and the diversification effects of a given business mix, investment strategy and so on.

At If, methods have been developed to assess the aggregation of exposures by risk type, within for example a business area or a country, as well as to calculate the total aggregated risk for the whole group. These help us understand our existing exposures and define risk tolerances.

Aligning risk appetite and strategy

Effective ERM can help enhance strategic decision-making and optimize return on capital by providing a better understanding of the trade-offs between risks and rewards. This supports decisions on issues such as product design, product pricing, reinsurance program design, and market and product expansion strategies.

Improving deployment of capital

ERM can improve the deployment of capital by aligning capital management with all risks, with diversification effects taken into account. Through proper risk management and risk quantification, the need for solvency/risk capital can be quantified more accurately, thereby limiting excess capital and consequently the cost of capital.

Implementation

In order to implement ERM, a new risk management governance framework was approved by If’s Board of Directors, in May 2005.

The following chart illustrates our current risk management governance framework.



The current risk management governance framework was established in order to:

• Create a centralized group risk management function responsible for monitoring all risks
• Identify, and as required quantify and aggregate, all risks in the organization
• Formalize and set up reporting routines to meet regulatory requirements as well as internal risk reporting needs

By this risk management governance framework, the If Risk Control Committee (IRCC) will appropriately assist the CEO and the Board of Directors in fulfilling their responsibilities relating to risk control. The IRCC is responsible for the review of systems and processes as well as for the coordination of efforts and actions related to internal control, risk management and compliance. The IRCC meets at least on a quarterly basis with an agenda that consists of aggregated risk and capital summary reports, in addition to specific risk reports for each risk area and legal entity.

Different sub-committees are responsible for measurement and follow-up of the various risks. For each risk area, the respective sub-committees are responsible for ensuring that the risk reports are produced and updated to the IRCC meetings.

The Chief Risk Officer (CRO) is responsible for coordinating the risk management work on behalf of the IRCC and for coordinating the risk reporting to IRCC. It is also within the responsibility of the CRO to secure a holistic view of the risks we are exposed to, including continuously monitoring our accumulated risk. In addition, the CRO is responsible for assessing and implementing processes related to risk management and for compliance with relevant legislation, policies and instructions.

Quantification of risk

In addition to the specific risks individually associated with the insurance business or the investment assets, we are exposed to the aggregated effect of such risks. Some of the risks develop in different directions, creating natural hedges. To analyze the accumulation and diversification of risks, a Dynamic Financial Analysis (DFA) model is used. The model is based on Monte Carlo simulations of both the investments and the insurance operations. The purpose of our DFA model is to quantify the risk profile of the various risk types, as well as the total risk, in terms of statistical measures. The model is used, for instance, to analyze the impact of different reinsurance strategies and investment allocations in order to make decisions on, for example, the optimal retention level or the share of equities in the investment portfolio. In addition, our DFA model is used as the basis for allocating capital to the different insurance classes according to their respective risk contributions. Allocating capital in relation to risk leads to more correct pricing of the different products.


The DFA model is also used for calculating economic capital. Economic capital is a measure of the aggregated risk, describing the amount of capital required in order to carry different kinds of risk given a certain confidence level and risk exposure. Insurance, market, credit and operational risks together determine the size of the economic capital.
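The following is an added example, written for this page and not If's DFA model, that puts the preceding two passages together: aggregating several risk classes with their correlations to see the diversification effect, computing economic capital at a confidence level from Monte Carlo scenarios, allocating that capital back to the classes by their contribution to the tail, and comparing retention levels of a reinsurance treaty. The five risk classes, their parameters, the one-factor dependence structure and the stop-loss treaty are all constructed for the illustration; the 99.5 % one-year confidence level is the one Solvency II uses. Capital is measured as expected shortfall above the expected loss rather than as the plain quantile, because expected shortfall is subadditive (aggregated capital never exceeds the sum of stand-alone capitals) and its Euler allocation sums exactly to the total.

```python
"""Monte Carlo aggregation of risk classes into economic capital.

Added illustration of a DFA-style model; it is not If's model. The risk
classes, parameters, dependence structure and treaty are constructed.
"""
import math
import random
from dataclasses import dataclass

CONFIDENCE = 0.995   # Solvency II one-year confidence level
N_SCENARIOS = 20_000


@dataclass(frozen=True)
class LognormalRisk:
    """Annual loss of one risk class, lognormal, with part of its shock taken
    from a common economic factor so that classes are correlated. The
    correlation between two classes is factor_load_i * factor_load_j; a
    negative load would model a natural hedge."""
    name: str
    mean: float         # expected annual loss (constructed units)
    cv: float           # std / mean, controls tail weight
    factor_load: float  # -1..1, share of the shock coming from the common factor

    def draw(self, common_shock: float, rng: random.Random) -> float:
        sigma = math.sqrt(math.log(1.0 + self.cv ** 2))
        mu = math.log(self.mean) - sigma ** 2 / 2.0
        own_shock = math.sqrt(1.0 - self.factor_load ** 2) * rng.gauss(0.0, 1.0)
        return math.exp(mu + sigma * (self.factor_load * common_shock + own_shock))


# Constructed portfolio: insurance risk dominates, as for a P&C insurer.
RISKS = (
    LognormalRisk("property", 100.0, 0.6, 0.3),
    LognormalRisk("liability", 40.0, 0.9, 0.3),
    LognormalRisk("market", 30.0, 1.0, 0.8),
    LognormalRisk("credit", 10.0, 0.8, 0.7),
    LognormalRisk("operational", 5.0, 1.2, 0.0),  # independent of the factor
)


def simulate(risks=RISKS, n=N_SCENARIOS, seed=2008):
    """One scenario = one simulated year: a dict of loss per risk class."""
    rng = random.Random(seed)
    scenarios = []
    for _ in range(n):
        common = rng.gauss(0.0, 1.0)
        scenarios.append({r.name: r.draw(common, rng) for r in risks})
    return scenarios


def tail_size(n, confidence=CONFIDENCE):
    return max(1, int(round(n * (1.0 - confidence))))


def economic_capital(losses, confidence=CONFIDENCE):
    """Capital needed above the expected loss: mean of the worst
    (1 - confidence) share of years minus the mean of all years."""
    k = tail_size(len(losses), confidence)
    worst = sorted(losses, reverse=True)[:k]
    return sum(worst) / k - sum(losses) / len(losses)


def capital_report(scenarios, confidence=CONFIDENCE):
    names = list(scenarios[0])
    n = len(scenarios)
    totals = [sum(s.values()) for s in scenarios]
    standalone = {nm: economic_capital([s[nm] for s in scenarios], confidence) for nm in names}
    aggregated = economic_capital(totals, confidence)
    # Euler allocation: each class's average loss in the years that form the
    # tail of the TOTAL, minus its expected loss. A class that only blows up
    # when the group as a whole does is the one that carries the capital.
    k = tail_size(n, confidence)
    tail = sorted(range(n), key=totals.__getitem__, reverse=True)[:k]
    allocated = {}
    for nm in names:
        tail_mean = sum(scenarios[i][nm] for i in tail) / k
        allocated[nm] = tail_mean - sum(s[nm] for s in scenarios) / n
    return {
        "standalone": standalone,
        "aggregated": aggregated,
        "diversification": sum(standalone.values()) - aggregated,
        "allocated": allocated,
    }


def apply_stop_loss(scenarios, name, retention, limit):
    """Annual aggregate stop-loss treaty on one class: the part of the year's
    loss above the retention is ceded, up to the limit."""
    out = []
    for s in scenarios:
        loss = s[name]
        ceded = min(max(loss - retention, 0.0), limit)
        out.append({**s, name: loss - ceded})
    return out


if __name__ == "__main__":
    base = capital_report(simulate())
    print("stand-alone:", {k: round(v, 1) for k, v in base["standalone"].items()})
    print("aggregated: %.1f  diversification benefit: %.1f"
          % (base["aggregated"], base["diversification"]))
    print("allocated:", {k: round(v, 1) for k, v in base["allocated"].items()})
    for retention in (150.0, 200.0, 300.0):
        rep = capital_report(apply_stop_loss(simulate(), "property", retention, 300.0))
        print("property stop-loss, retention %.0f -> aggregated capital %.1f"
              % (retention, rep["aggregated"]))
```

The diversification benefit is the gap between the sum of the stand-alone capitals and the aggregated figure; the allocation shows where that aggregated capital is actually consumed, which is what the capital-by-risk-contribution pricing in the text needs. Re-running the report on scenarios with the treaty applied, for several retentions, is the retention-level comparison the passage describes; the ceded premium would be netted against the capital saving in a real decision.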

Value creation

We believe a strong risk management framework adds value to both our customers and our owners.

First of all, by implementing ERM, we increase our knowledge of the aggregated and cross-enterprise risks we carry. Combined with an improved understanding of individual risks, it will enable us to utilize capital more efficiently. This will ultimately benefit our customers over time since an improved risk profile will result in pricing of our products which even more accurately reflects the transferred risks.

Furthermore, as risk experts we can share our improved knowledge with our customers, assisting them proactively in risk management issues, for instance by recommending risk-reducing actions and advising on the need for insurance. We are also happy to share experiences on implementing a risk management framework and on, for example, risk governance issues.

ERM has also helped us to make decisions on issues such as product design, product pricing, investment strategies and reinsurance program design. In general, through ERM we can ensure that we have a strong balance sheet and risk capital in proportion to our risk exposure, which in turn gives our customers a strong and very solid insurance provider.

ERM should not be viewed as a "luxury". We believe ERM is an essential tool for companies to engage in effective risk management and to support strategic decision-making that protects stakeholders' interests, owners' as well as customers'. In other words, a strong risk management framework is a key success factor for small and large companies competing in increasingly complex environments.


Knut-Arne Alsaker

http://ifnews.if.fi/en/

ERM: Are directors on board?

Conference Board study shows directors pushing hard for ERM


Michael J. Moody, MBA, ARM


Much has been written about enterprise risk management (ERM) over the past few years. A number of reports and studies have discussed the rationale for adopting an ERM approach and how corporate management has been accepting of the concept. A variety of new laws and regulations following the Enron et al. financial collapses have clearly pointed out to corporate executives the wisdom of an enterprise view for risk management. And at this point in time, there is little doubt as to management’s commitment to ERM. However, until recently, little was known about the corporate directors’ commitment to ERM.


Recently, The Conference Board issued a report titled “The Role of U.S. Corporate Boards in Enterprise Risk Management.” This landmark study confirms that boards of directors of publicly traded companies have been heavily focused on the Sarbanes-Oxley requirements over the past couple of years. Despite this renewed interest in governance and compliance, boards are also beginning to assess their evolving role in risk management oversight. The report notes that most directors now realize that they must advance their focus from the traditional role of internal control to a more comprehensive ERM framework.


Emerging trends


The Conference Board identified a number of key findings in its report, among them several emerging trends regarding corporate boards and the responsibilities of directors. Among the more important trends were evolving legal developments that make it prudent for directors to ensure that a robust ERM oversight process is in place. Further, boards must be proactive in their oversight of the risk management process.


The report noted several developments that make this proactive involvement critical for a board. These include new New York Stock Exchange listing standards, the SEC's endorsement of self-regulatory frameworks to manage financial risks, Federal Sentencing Guidelines reform, and best-practice standards being implemented in highly regulated industries such as banking and insurance. It also noted that several key groups are beginning to focus on whether companies have ERM processes in place: rating agencies, institutional investors and insurance companies' directors' and officers' liability underwriting departments. As a result, the study suggests that corporate boards may soon choose to reassess their approach to risk oversight as a fundamental element of good governance.


The report also noted that an increasing number of directors are beginning to acknowledge that they must oversee business risk as part of their overall strategy-setting role. While most directors agree that just a few years ago they had a less than perfect understanding of business risks, many more now say they have a good understanding of the major risks facing their companies. As a result of this improved understanding, directors believe that strategic risks, rather than financial risks, should be their key concern. They also recognize that an enterprise-wide approach to risk management should be viewed as a strategic effort rather than merely a compliance issue.


Despite the improved view of risk management, some directors still admit they need to make improvements in their risk management oversight processes. They indicate that every conversation they have about strategy embodies issues of risks and, as such, risk is now discussed on a case-by-case basis in connection with specific strategies or events. In addition, most directors say they have a “good’’ or “very good” grasp of the risk implications of different strategies their companies may choose.


However, while the survey results indicated that directors were satisfied with their risk oversight and management’s implementation, personal interviews with individual directors showed considerably less comfort. Areas of concern for the individual directors were the variation in knowledge of risks among their peers and significant differences in ERM practices among different industries.


The report also noted that sound ERM oversight and implementation practices are now a trend that is recognizable in a number of leading companies. Leading companies have indicated that the full board has clear oversight responsibility for strategy as well as ERM. And while management sets the agenda for both, the board must approve it. Additionally, it is the board’s responsibility to provide oversight as well as ensure that an effective process is in place for identifying, assessing, and mitigating risks that exist within the company. Management’s responsibility, on the other hand, is to see that risk management is embedded in everyday business decisions throughout the company on an enterprise-wide basis.


The Conference Board report also noted a trend that companies are beginning to look at best-in-class peer organizations for emerging practices in ERM oversight. They also noted that despite the reported variations from industry to industry, corporations could look to the financial service industry for more sophistication with regards to ERM oversight. This will provide the board with an opportunity to learn from the financial service firms while distinguishing themselves as leaders in ERM development.


Recommendations for boards


The Conference Board report notes that many directors are now considering recommending that their companies upgrade their ERM capabilities. They believe that directors may wish to consider several specific recommendations. For example, directors want to confirm that risk management oversight rests with the board. While some corporations have placed this responsibility within the audit committee, most directors believe that this committee is already too overburdened and may lack the skill sets to effectively handle this duty. In order to correct this problem, some organizations are now forming new ERM committees to handle this important task.


The Conference Board report also recommends examining the competencies of the board members to assure successful risk oversight. If needed, the report suggested strengthening the board to get people with a variety of expertise and proper risk management training. Further, corporate management should continue to work toward increasing directors’ risk management IQ. One method that can be used effectively is to dedicate time at each board meeting to discuss various risk management relevant topics.


The report also suggested that the board implement a risk management process that will ensure that the individual directors are fulfilling their fiduciary responsibilities. This process should center on the appropriate oversight of the ongoing ERM assessment, mitigation and monitoring. This process should begin with an in-depth review of the corporation’s performance drivers. It should continue with an inventory of risks and an analysis of how those risks will affect shareholder value.


Another important recommendation advanced in the report is to develop a robust ERM reporting system. Central to the reporting system is providing information that gives directors the data needed to understand the company's risk. It is critical that the board understand which risks it needs to be aware of and how often it should review the handling of those risks. All risk reports should be designed to provide specific, decision-making information, and should prioritize the key risks and include management's assessment of them.


A final suggestion stated that management should invest the time needed to relate the core risk issues to the directors. Further, management and the board should identify those key executives who have the best perspective on the organization’s risks and have ongoing dialogue with this group.


Conclusion


The recent Conference Board report has provided significant insight into how corporate boards now view their responsibilities regarding risk management. As the report documents, there is little doubt that boards now recognize the critical nature of the risks within their corporations and their own oversight responsibilities. While a number of organizations are still struggling with ERM implementation, their boards are painfully aware of their oversight role and their duties from a risk management standpoint. Speculation has been high as to who will be the ultimate driving force for ERM implementation. Among possible drivers, experts have recently identified directors and officers liability underwriters, lending institution requirements, rating agencies and institutional investors. However, as time goes on, it may well be the corporate directors who insist on a state-of-the-art ERM program.


The author
Michael J. Moody, MBA, ARM, is the managing director of Strategic Risk Financing, Inc. (SuRF). SuRF is an independent consulting firm that has been established to advance the practice of enterprise risk management. SuRF’s primary goal is to actively promote the concept of enterprise risk management by providing current, objective information about the concept, the structures being used, and the players involved.

Tuesday, August 26, 2008

The Top 10 Enterprise Risk-Management Myths

Few companies can grow without taking risks. But poor risk management leads to surprises in business operations that can impact shareholder confidence, regulatory oversight and the bottom line. An unprecedented wave of regulatory oversight in recent years has convinced many organizations how inadequate their enterprise risk management (ERM) policies and procedures really are.


Many of the world's largest companies have responded to external and internal pressures by embarking on a journey to unify governance, risk and compliance (GRC) management across the enterprise. Yet, many organizations that don't have a historical foundation in risk management are still struggling to come to grips with this new discipline and how to embed risk management into the business.


With that in mind, here's a Letterman-like look at the top 10 myths regarding ERM.


Myth Number 10: IT Risk Management = Information Security


Most information security programs place far too much emphasis on the how and what, and far too little on the why. Information risk management, on the other hand, is inherently focused on the why.


Unfortunately, there is always far too much for information technology (IT) staff to do. There are too many vulnerabilities to remediate and too many controls to implement, so some critical deficiencies will go unmanaged unless something decides which ones matter.


True risk management requires a business perspective on these deficiencies to better manage and prioritize the issues that threaten the organization. A check-list approach to information security ignores business impact and criticality.


Myth Number 9: CIOs Embraced Enterprise GRC


To address Sarbanes-Oxley compliance, many companies put in place technology platforms that now support a variety of risk and compliance initiatives. Sarbanes-Oxley solutions were generally purchased with the tacit approval of IT, but few IT organizations standardized on a strategy for managing risk and compliance data. As a result, different parts of the problem are addressed by a wide and disparate range of solutions, including spreadsheets, custom and commercial applications.


In numerous buying decisions, IT is too often at the table in a support role, rather than as a strategic thinker focused on the long-term strategic benefits of a common GRC platform. Scattered risk and compliance data marts will cause an immense amount of pain for risk managers trying to get a clear picture of risk throughout the business.


Myth Number 8: A Rigid, Standardized Approach Is Best


ERM, similar to most business processes, is not a "one-size-fits-all" solution. It has to be customized and tailored for each firm. As Mark Olson, chairman of the Public Company Accounting Oversight Board (PCAOB), notes, "An effective enterprise-wide compliance-risk management program is flexible to respond to change and is tailored to an organization's corporate strategies, business activities and external environment."


Companies that try to implement an out-of-the-box methodology will likely fail. ERM methodologies and taxonomies must be adapted to a company's legal, regulatory, economic and competitive environment, all of which can vary dramatically by industry. Further, the risk framework must be able to adapt to change over time to avoid losing competitive advantage.


Myth Number 7: You Can Manage Risk Only from the Center


No one is likely to argue that strong, central risk management is a bad thing. Unfortunately, many organizations make the mistake of investing only in a centralized function because it's too difficult to federate, and they don't know how to push risk management to lower levels of responsibility in the organization. It's a classic issue of consistency vs. quality of information.


But, accurate information lies at the business line level. Organizations must augment their centralized risk management efforts with localized, distributed data, and the only way to reliably and cost-effectively do that is to invest in automated technology solutions.


Myth Number 6: You Can Manage Risk and Compliance with Spreadsheets


Spreadsheet wizards have carved out a significant role in managing financial and operational data in many companies. The problem is that this approach is: a) manually intensive; and b) highly reliant on the individuals that manage and operate these spreadsheets. Further, the processes for linking, updating and archiving data in spreadsheets are mostly ad hoc, leading to significant risks.


In its 2005 annual report, for example, the Federal Home Loan Mortgage Corp. (Freddie Mac) noted that reliance on "end-user computing systems" (read: spreadsheets) posed a significant risk to its ability to report accurately on financial data. Using spreadsheets and file shares for risk and compliance data is a dead end; risk managers have trouble getting visibility into the data because of poor reporting capabilities, and will rightly question the accuracy of the data itself.


Myth Number 5: Traditional Audit Planning Is Good Enough


A traditional model for planning the audit process typically examines 10-20 risk factors for each element of the audit universe, and funnels each auditable entity into a risk category that will drive its audit frequency. But the known risk universe gets bigger by the day, and investing in a massive risk evaluation for each entity may not be the best use of resources.

Is it worth tying up valuable stakeholders in management and on the audit committee to assess the risk inherent in the coffee procurement process for a remote sales office? Progressive organizations are turning toward a more agile, top-down approach to risk assessment to drive audit scheduling. This will lead to more efficient resource allocations, ensuring that auditors are focused on the truly risky areas.


Myth Number 4: Enterprise Risk Management Is Dead!


David Martin and Michael Power assert in "The End of Enterprise Risk Management," a report published last year by the AEI-Brookings Joint Center for Regulatory Studies, that ERM frameworks are outmoded because they embody an unrealistic and outdated theory of organizations -- hierarchical, "bird's-eye views" from the top that are progressively detached from the reality of modern financial organizations.


Truth be told, the current regulatory climate has resulted in control-based ERM frameworks that have a bias for analysis versus action, and the production of evidence for regulators and auditors in some instances has become more important than managing real risks. But that doesn't mean we should abandon ERM.


ERM needs to be deployed bottom-up so that business managers are the first-line managers of risk, embedding enterprise risk management within the day-to-day business processes of the firm. They must understand the risk/reward trade-offs involved in their own decision-making. Risk management should create a bias for action, surfacing problems as they arise and empowering the entire organization to be risk managers.


Myth Number 3: It Just Takes Common Sense


"There are really no cookbook solutions. One has to use creativity and a lot of common sense." This was a May 16, 2000 email response from Enron Corp. risk expert Vince Kaminski, when asked by a colleague to recommend a good book on operational risk.


As Enron proved, creativity is a no-no and common sense alone just doesn't suffice when it comes to risk management. As business activities have become more complex, so has risk management. The sheer magnitude of the regulations leaves many firms struggling to put in place processes and infrastructure that are able to identify and control the compliance risks they face.


Risk management covers a wide variety of risk disciplines, including operational, compliance, financial controls, legal, liquidity, business strategy and technology, each of which has its own nuances and specialized models for assessing risk. It may not be rocket science, but it does require application of sophisticated models and analytics, aided with accompanying software tools.

Myth Number 2: TJX -- It Can't Happen Here


The TJX Cos. data breach, perhaps one of the biggest business stories of 2007, involved the inadvertent dissemination of as many as 94 million credit card accounts. It is only one of the breaches that were publicly reported. Attrition.org maintains a list of public, high-profile data breaches that is staggeringly long, going back to the year 2000. When you consider that companies have a vested interest in not making such events public, and the many more breaches that undoubtedly go undiscovered, only the tip of the iceberg is visible to us.


But, shouldn't we be getting safer? Preventative technology and knowledge gets better and better every day. Unfortunately, the villains also get better and better every day, so the gap persists. Your organization is susceptible, and it's critical you do everything you can to keep the gap as narrow as possible to minimize your risk.


The Number One Myth about ERM: You Can't Plan for the Unknown


You may not be able to predict events that lie outside the realm of regular expectations, but risk managers have to plan for their occurrence. No one could predict or even imagine the series of events that occurred on 9/11, but some firms did plan for the possibility of a long-term disruption of their business operations due to a catastrophic event taking place in Manhattan and were up and running from alternate operational centers within hours of the fatal events of 9/11.


Key risk exposures, whether they are operational, market or credit risks, do not always follow a normal distribution or bell curve. Some risks have fat tails, and it is the events that lie at the lower and upper ends of the distribution curve that are most important to consider and plan for. You have to fight the natural tendency to focus on the known, the tangible and the repeated and devise strategies to cope with the unknown -- your company's viability may depend on it.




© 2008 Financial Executive, Morristown. All rights reserved.
© 2008 CIO Today. All rights reserved.


Enterprise risk management to the rescue*

A Canadian CA gives his perspective on COSO’s new integrated ERM framework


By Frank Martens


*This is an expanded version of a summary that originally appeared in the March 2005 issue of CAmagazine.


Effective enterprise risk management is more than just getting better at identifying and assessing risk. The true value of ERM is that it can help organizations operate more effectively in environments filled with risks. ERM is not about constraints; it’s about helping organizations get where they want to go.


Businesses in Canada and around the world are experiencing unprecedented change. Once-stable companies have dissolved and been replaced by seeming upstarts. Businesses that are flexible, readily adaptable and more anticipatory are being rewarded. This challenge – ensuring strong performance in an environment of accelerating change – is compounded by the mandate for companies to be accountable to stakeholders’ growing expectations. The resulting increase in uncertainty affects virtually every business, and has given rise to a need for aligning corporate governance, enterprise risk management and organization-wide compliance.


Most large companies have risk management processes in place. They know taking risks is part of doing business, and managing risk is critical to success. But enterprise risk management practices vary greatly and the term itself has meant different things to different people. As a result, boards and senior executives who are responsible for overseeing the identification, analysis and management of risk have not had comprehensive guidance from a single source by which to evaluate their approach to ERM.


In September 2004, the US Committee of Sponsoring Organizations of the Treadway Commission (COSO) released the Enterprise Risk Management – Integrated Framework. With the release of this framework, organizations have a principles-based framework to provide direction and criteria for improving their ability to manage risks to the enterprise. This emerging open standard should eliminate past confusion resulting from competing views of what ERM is and is not.


“This framework could not be completed at a more appropriate time,” says COSO chairman John J. Flaherty. “Organizations worldwide now recognize the linkage between corporate governance, enterprise risk management and entity performance. Many seek to improve processes for identifying, analysing and managing risks. Yet until now, there hasn’t been a comprehensive framework that truly meets the far-reaching demands of the new regulatory and competitive environment.”


The advantages of the COSO framework have not gone unnoticed. Says Tamara Ebl, manager, enterprise risk management and OSC compliance for Terasen Inc.: “Enterprise risk management provides management throughout the Terasen group of companies with a more holistic view of the enterprise from a corporate governance perspective. Management is cognizant of the importance of mitigating risk and periodically reassessing the risk profile of the enterprise in response to changes in the business environment, both internal and external. Management believes that Terasen’s shares command a premium as a result of investor confidence in the management of the enterprise’s risk profile and earnings consistency year over year.”


A strategic approach to risk management

COSO’s framework adopts the premise that every entity exists to provide value for its stakeholders. All entities face uncertainty and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. ERM enables management to effectively deal with uncertainty, enhancing its ability to build value.


This applies to for-profit as well as nonprofit organizations. Kay Best, executive vice president, risk management and CFO for the Calgary Health Region, puts it this way: “We are constantly challenged to find new ways to provide services with limited resources. Risks are being presented on multiple fronts, demanding well-coordinated and integrated responses to minimize uncertainty and maximize opportunities. To meet these challenges, healthcare organizations need to move beyond the traditional insurance and claims management focus and take a more strategic approach to risk. Our main focus is preserving and creating value for the people we serve by ensuring that our strategic efforts are not diminished through avoidable loss, or hampered by change and uncertainty.”


While COSO’s framework offers benefits to organizations that move to adopt it, there are other risk management frameworks in use today. Several organizations have adopted Standard Australia’s Risk Management framework and many government organizations have adopted the Treasury Board of Canada Secretariat’s Integrated Risk Management Framework. In addition, publications such as the CICA’s Criteria of Control (CoCo) guidance provide insight and assistance to organizations reviewing and assessing control, risk and governance.


One of the inevitable questions will be how the CICA intends to respond to the COSO framework and whether it also plans an update of its Criteria of Control publications to adopt emerging views on ERM. Says Gigi Dawe, principal, risk management and governance department at the CICA: “The CICA has no current plans to re-issue its Criteria of Control publications. However, this is not to say that the CICA has reduced its support for these publications, and continues to develop publications on risk and governance that, among other things, will be aimed at helping organizations respond to regulators’ expectations for internal control over financials and disclosure controls and procedures.”


While there remains support for these documents, it appears that a shift toward the adoption of the COSO framework has already begun. The recent CICA Exposure Draft on Service Organizations (Section 5900) has adopted COSO-based terminology. Many Canadian businesses seeking to comply with their respective regulatory requirements are applying one of the COSO frameworks. A review of several major accounting firms’ publications on OSC material suggests few are promoting the use of the CICA’s internal control framework, deferring to COSO’s Internal Control – Integrated Framework for organizations both south and north of the border. Only time will tell whether organizations will look for a single source that integrates internal controls and risk management rather than relying on multiple sources.


The Canadian profession continues to seek to position CAs as the provider of choice by boards and management for guidance on governance and risk management, with recent publications providing questions for consideration at senior levels. Many of these publications focus primarily on internal roles and responsibilities for ERM – the CEO, risk manager and internal auditors. CAs filling these roles will most certainly bring their financial skills to the risk management processes.


Tamara Ebl notes, “The broad-based business knowledge I attained through the CA program has definitely been a fundamental asset. Development skill sets including researching, facilitation, critical analysis and application of professional scepticism, the ability to effectively communicate results in both written and oral form, professionalism, flexibility and ability to multitask, etc. can be attributed in large part to the CA training program and articling experience. The soft skills developed, such as management of client relationships, have been equally relevant in dealing internally with various levels of management and staff throughout the Terasen group of companies.”


As growing governance duties require board members to provide oversight to these risk management processes, members are looking for support from their trusted advisers. It is becoming more common for CAs in an external audit role to provide insight to boards and management seeking to understand this topic. Expect to see more and more CAs including material on enterprise risk management in regular communications to boards and audit committees, especially once the initial focus on regulatory compliance has passed.


Boards and senior management are also asking questions about the “value” derived from current certification efforts. Organizations continue to invest considerably in the regulatory compliance programs, an investment that continues to increase. Gartner Inc. estimates that by 2006 public companies that do not adopt compliance management processes will spend 50% more annually to achieve US regulatory compliance. Accordingly, building effective, sustainable processes that integrate governance, risk management and compliance efforts is becoming increasingly important, with organizations looking for some form of payback.


The COSO Enterprise Risk Management – Integrated Framework is built on the foundation of the Internal Control – Integrated Framework. The fact that COSO’s ERM framework incorporates the key elements established in the previous internal control framework may ease the transition from a focus on internal control to integrated risk management. However, COSO’s new framework does not replace the internal control framework, and organizations are not required to use it for regulatory reporting.

Getting started

Many companies are now shifting their focus to better leverage people, process and technology to help launch ERM initiatives that align with the goals of the organization and provide a value greater than periodic sign-offs. As with any endeavour, however, knowing where to start can be a challenge. A practical first step is to establish a core team that can bring energy and dedication to this effort. Include people from strategic planning, finance, operations, compliance, internal audit, marketing and human resources – people who play a key role in your organization’s success. This team will also take responsibility for overseeing the design of program tasks and monitoring them in the initial stages. Have each member research a specific topic, reach out to other organizations for insight, or develop a portion of the organization’s presentation on enterprise risk management and solicit feedback from peers. Hold practice Q&A sessions with this group until they are in-house experts on the topic. Develop responses to anticipated questions, such as “Why is this good for us?” and “Which organizations do this well?”


Once your core team is in place with an understanding of basic ERM principles, the organization can begin to identify potential benefits. Since organizations will not all pursue ERM in the same way, the benefits of ERM will differ for each. ERM offers many benefits, but finding those that are relevant for your organization is one of the most important choices you will make. Looking to enterprise risk management to reduce operational surprises and losses is of little value if these losses have not been significant in the past. However, ERM may be of significant value in helping your organization integrate responses that were traditionally managed through multiple and awkward internal channels. Once these benefits are determined, management can then begin to develop a business case. A recommendation to pursue ERM should be supported by an appropriate business case – one that captures the points above, anticipates how key planning tasks will be deployed and establishes authority and accountability.


Together these tasks can help an organization move forward. The tasks themselves need not be overly complex, but should be sufficiently rigorous so that management and the board can pursue the implementation of ERM with confidence.


So, will the COSO Enterprise Risk Management – Integrated Framework really make a difference to Canadian organizations? The answer will depend on how organizations choose to view risk management. Those that adopt the view that managing risk drives better business performance and facilitates achievement of strategic, operations, reporting and compliance objectives are likely to attain greater benefits from their efforts than those that focus their risk management efforts on protecting against bad things that can happen. That choice rests with managements and boards.


Frank Martens, B.Comm, CA, is a senior manager in PricewaterhouseCoopers Advisory practice in Vancouver and one of the principal contributors to the COSO Enterprise Risk Management – Integrated Framework. Contact: frank.j.martens@ca.pwc.com


http://www.camagazine.com