What is missing from the RMIS designs? Why enterprise Risk Management is not working
Warren, Brian
MANY RISK MANAGERS HAVE ATTEMPTED TO TAKE ENTERPRISE RISK MANAGEMENT (ERM) FROM A SLICK CONSULTING PITCH TO A PRACTICAL MANAGEMENT SYSTEM. BUT WHILE ERM HAS HELPED MANY OF THESE PROFESSIONALS IMPROVE THE STRATEGIC STRUCTURE OF THEIR RISK FINANCING PROGRAMS FEW HAVE FULLY ACHIEVED THEIR AMBITIONS. ONE OBSTACLE IS THE RISK MANAGEMENT INFORMATION SYSTEM (RMIS) BUILT WITHOUT AN ENTERPRISEWIDE ORIENTATION TOWARD RISK DATA.
For ERM programs to fulfill their potential, the RMIS must focus on the risk financing needs and processes of the entire company-i.e., reporting based on its specific financial and operational dynamics. It cannot just tally the insurance companies' claims and losses, as it does now. The system should incorporate occurrence descriptions and retained loss costs. It should support a range of risk financing methods and the financial analysis and reporting needs of the risk manager.
The recommendations that follow do not describe a total ERM system. (Indeed, building a separate ERM system would be like constructing an independent six sigma program. Both must be built into other enterprise processes to be effective.) Rather, the recommendations that follow offer suggestions for the next steps in the evolution of RMIS design, which will, if adopted, make RMIS an integral part of ERM practices.
ERM: Great Concept, Intractable Implementation?
Current professional and academic schools of thought dictate that ERM should achieve proper allocation of risk capital across three major risk categories-financial, credit and operational risk.
To this end, financial risk management is highly standardized. (This is possible because of the extensive statistical data available from large, open markets-equity, bond, currency, derivative and commodity trading systems-and the traders' interest in any analytical systems that provide a competitive advantage.) Credit risk management methods are less developed than those for financial risk management, but they are rapidly evolving. Operational risk is the least developed.
Operational risk includes traditional property/casualty risks, but it is also a catch-all term for any risk that is not financial- or credit-related. This includes risks that are typically beyond the scope of the traditional risk manager: business control risks, corporate governance risks and capital-intensive project risks. For these, we lack statistical data and validated statistical methods to gauge the risks, and therefore few transfer markets have developed for them.
Though we have accurate data on the actuarial dimensions of the frequency and severity of many risks, operational risks often are multidimensional. Across an enterprise, risks have widely varying time horizons, degrees of certainty and predictability. The nature of an occurrence or event can vary widely (e.g., discrete versus continuous occurrences, speculative versus fortuitous outcomes). And the correlations between risks typically are not well understood.
Operational risks frequently derive from specialized functions where evaluating the risks requires experience and expertise (e.g., information systems security, environmental health and safety, contractual risks). Within those business functions, specialists are often unwilling or unprepared to conform their risk assessment methods to a broader system. So while we may be able to get their participation in creating assessments, the assessments cannot be easily aggregated with other loss probability distributions across the organization. Even if we are somehow able to aggregate risk assessments, the credibility of the results may be questioned by the decision maker to whom it is presented because its method of calculation is not clear, or required assumptions are disputed.
All of this reflects a lack of commonly understood and accepted ERM principles, concepts and standards around which to build business processes and systems.
Where Current Generations RMIS Falls Short
Current generation RMIS technology was designed primarily to support insurance claims processing, and it does this quite well. It organizes data in a way that most closely resembles the claims processing systems used by insurance companies. The basic data record is for an insurance claim, meaning that incidents must at least be potential insurance claims to be supported. The data to fill these claims records are normally provided by the insurer or third party administrator and loaded into the database by the RMIS provider. In other words, the system is primarily intended for electronic storage and retrieval of traditional insurer loss runs. This is great if you are running a claims department, but ERM requires much more.
If the goal of ERM is to maximize the firm's net income, then the fundamental premise of ERM is that risk decisions are capital allocation decisions. Risk managers strive to assign the right amount of capital to a mix of risk financing or mitigation methods to optimize results. To accomplish this, they need to understand their company's risk tolerance in light of their organization's cash flows, debt position, credit rating and price-earnings ratio (if publicly traded).
But given that the fundamental concepts of ERM are not yet standardized, how could an information system be designed from the ground up to support it? There are systems that will, with the help of an analyst or actuary, allow risk managers to develop and run simulations of limited sets of risks. Few, however, are designed to collect the requisite data in the first place.
Because the insurer can predefine its risk through coverage definitions, exclusions, retentions, deductibles and limits, these risk-limiting tools ultimately shape the structure of today's RMIS. The risk manager, however, cannot predefine risks and cannot describe every loss incident in terms of the coverage definitions intended to serve the needs of the insurer. Risk managers need an information structure that extends beyond the insurers' boundaries.
Without standardized methods of management and analysis-and the technology to link the information together-it is difficult to implement ERM programs and information systems. And the lack of information systems to collect the loss experience data on nontraditional risks prevents the development of ERM procedures and methodologies. The absence of each element hinders the evolution of the other.
Making ERM tractable will require a pioneer effort to develop the intellectual tools, the prerequisite data standards and information systems that will let us achieve a real breakthrough. Unfortunately, today's RMIS provides no support for this kind of analytics. And a lack of compelling market demand for enterprise risk assessment tools has failed to induce IT entrepreneurs to invest in the development of systems that support ERM.
A Cost/Benefit Analysis
Risk managers already use elements of enterprisewide risk management to improve the efficiency of risk spending. They make estimates of the scope and size of risks facing the firm and thus allocate risk financing resources to bring the firm closer to an optimal allocation of risk capital. The estimates start with risk mapping-plotting the expected frequency and severity of each risk (often displayed on an x-y coordinate chart).
This is followed by scenario analysis, which stress-tests the potential loss amounts. A low probability (95 percentile) sequence of adverse outcomes is developed from the chain of events following a major loss event. The total cost of the path associated with these adverse outcomes is then calculated.
For example, an earthquake damages a key facility. This damage prevents delivery of products, leading to disruption of contracts and revenue loss. The lost revenue subsequently prevents wage increases, leading to a labor union action, which further disrupts production. Unreliable production drives away potential new customers, further reducing future sales.
An initial event often has ripple effects. The full cost of the loss extends far beyond the original damage to the facility. Stress-testing or scenario analysis allows the firm to paint a more complete picture of risks, and to gauge the extent of the firm's exposure to catastrophic events.
To improve these analyses, the risk manager needs to use RMIS to capture more data on the downstream effects of the initial loss event. Invisible costs could be calculated and incorporated into the overall risk picture. This might include the cost of overtime hours for recall and remediation of a defective product, lost sales due to bad publicity, or the added cost of debt service due to a downgrade of the firm's financial rating.
Unlike financial risks or even most traditional property/casualty risks, there is virtually no statistical history on these kinds of costs. And yet, these are the costs that most often threaten the viability of a company in the wake of a catastrophe.
Without more advanced RMIS technology, risk managers are limited to recording the company's loss experience or collecting other firms' case histories and using techniques like modeling and Monte Carlo simulations.
So, would the cost of developing a robust, ERM-supportive RMIS exceed its benefits? The costs are immediate and tangible; the benefit is difficult to estimate or demonstrate. Risk managers already struggle with how to explain the value of a loss that is prevented or financed, particularly as measured by the net present value of the improved capital allocation. Even if the risk reduction is significant, it is a potential future benefit, not an assured, immediate expense reduction.
Whether the risk assessments from RMIS are likely to lead to enough marginal benefits to offset the cost of data tracking and analysis depends on the company's risk profile. Large firms stand to gain the most from refining the efficiency of risk capital allocation. But as the cost of the computing tools needed to collect data and perform the sophisticated modeling and analyses continue to decrease, the benefits grow for all organizations. Ultimately, RMIS may pay for itself by empowering an organization to avoid or effectively finance that one catastrophic loss that would otherwise slash the company's financial results.
Say More: How far is the risk management community from realizing the double goal of ERM-oriented RMIS technology? Reader Forum at rmmag.com
Brian Warren is claims manager for Microsoft Corporation in Redmond, Washington. He is a member of the RIMS Technology Advisory Committee.
Copyright Risk Management Society Publishing, Inc. Oct 2002
Provided by ProQuest Information and Learning Company. All rights Reserved
No comments:
Post a Comment