Everest Group Chief Risk Officer Ari Moskowitz authored an article in InsuranceERM where he explains how to best integrate enterprise risk and risk management to create an effective enterprise risk management framework.
Why both approaches are critical and how to tie them together seamlessly.
We currently work in a constantly shifting risk environment. Climate, pandemic, food and energy supply, geopolitics, inflation…all of it has recently faced disruption. Shifts in the risk environment have always been the case, but the pace seems to have accelerated in recent times. Between globalization and information sharing, the world seems to have gotten riskier at an increasing pace. Whether this is an actual change in the risk environment or just a change in our awareness of it, Enterprise Risk Management (ERM) is an important practice that helps keep company leaders apprised and informed. Now more than ever is an important time for companies to be vigilant with ERM, and the insurance industry overall has continued to mature its risk frameworks as a result.
This expanding need for robust ERM practices has also drawn a certain intrigue from many industry practitioners. The idea of Enterprise Risk connotes an elevated view of the industry that draws in desk underwriters with the appeal of portfolio management. It provides a challenge for actuaries and modelers through implementing advanced analytics and model development that can inform corporate strategy. Big picture thinking is another exciting draw for members of operations teams to focus on companywide processes.
While all of this appeal certainly is rooted in the practicing reality of ERM, there is also much more that must occur for an ERM framework to be robust enough to help protect a company. There is the tried-and-true practice of Risk Management, which doesn’t always have the same appeal to non-practitioners: environment scanning, risk assessment, mitigation plans, controls testing, risk committee reporting and recommendations, and implementation monitoring. This is rigorous, yet ever-important, work for ERM to be successful.
Emphasis in the words can change the story here: does ERM mean "Enterprise Risk" Management or is it Enterprise "Risk Management"? The former highlights the need to manage any large, systemic risks to the company, while the latter is a practice of reviewing all risks that the enterprise is faced with. Ultimately, both approaches are critical, and in a mature framework they should tie together seamlessly. There are three key practices to include within an ERM framework to help make this happen:
1. Execution Management: Many ERM frameworks focus on critical accumulation assessments such as CAT Probable Maximum Loss (PML) management and investment portfolio stress testing. These are examples of focusing on the large, systemic risks via stated risk appetites to determine when a company needs to step on the brakes as it gets too close to the limit. This is all included under the headline of Exposure Management and is extremely important to protect any franchise. However, Exposure Management might fall short as reported information may be untimely and may only keep a line of sight into the risks which are already known to be highly material. An ERM framework that also maintains line of sight into the day-to-day business planning and execution could help management see around the bend and better manage risks which have not yet hit a threshold of materiality. This would be included under an alternate headline: Execution Management. The combination of Exposure Management and Execution Management is a powerful view into the metaphorical forest and the trees of our risk environment which enhances timely responses and preparedness.
2. Risk Funneling: Assessing every risk across the company is a daunting task. Even once complete via a strong ERM team, an executive management team focused on decision-making in the face of these risks can’t properly account for every single one. There needs to be a process by which the risk managers can properly elevate areas of concern to get onto management’s radar. Formal reporting channels, crisp communications, and clear elevation criteria will help funnel information to business leaders. Within this bottom-up process, ERM practitioners can also better identify whether there are smaller risks which are reported by multiple functions within the company. While each such risk may not be deemed material on its own, together they accumulate to something riskier. Further, ERM practitioners can also identify early warning signs as risks start elevating from the bottom level. A bottom-up approach of funneling risks to management ultimately places a ranking on risks, and tracking shifts in the rankings can help identify future concerns.
3. Coffee and Lunch: Simply, network often. Sometimes employees view ERM like they view Audit…as a policing function. That sentiment couldn’t be more wrong for both ERM and Audit. The goal is to protect the franchise through enhancing informed decision making, which is ultimately the same goal of every member on the front lines of the business. Nonetheless, some people may be hesitant to report an elevating risk too early when going through formal channels. This can ultimately lead to delays in reporting, which can be detrimental to controlling and mitigating the impact. Coffees and lunches are great ways for ERM practitioners to maintain a quick and timely pulse on the risk profile of the company by hearing business leaders’ concerns without the pressure of a rigorous assessment.

The (re)insurance industry is unique as its purpose is to assume risk. The goal isn’t to remove risk from the equation; the goal is simply to be paid appropriately for the risk assumed through diligent underwriting and actuarial practices. Similarly, ERM plays an important role across all industries but has an elevated importance within the (re)insurance industry since we don’t shy away from risk. Risk is our opportunity set, and a robust ERM framework seeks to better manage that through awareness and understanding.
This byline originally ran in InsuranceERM with the title, "Enterprise risk" management? Or enterprise "risk management"?