Taking a holistic, business-focused approach to enterprise risk management can reap dividends, writes Frank Strenk, senior vice president Risk Management Services for Lockton.
Most corporations today have developed formal business strategies for marketing, human resources, information technology, operations, and other business areas. It’s puzzling that more companies don’t use this approach when it comes to managing risk. In some cases, strategic discussions occur around the purchase of insurance needed to protect the entity’s assets, but in many cases these plans are not formalized to include risks beyond the traditional property and casualty exposures.
I recently worked with a company that owned and operated a network of hospitals. While the risk manager’s primary responsibility was procuring insurance coverage, she was also asked to evaluate risk on a broader basis. As she explored ways to manage risk more strategically, she was confronted with many roadblocks. The biggest roadblock was the company’s ‘silo’ approach to managing risk, without a clear, integrated strategy or formal process. She soon found that individuals in the company managed a myriad of risks in different ways, but there was no consistent or systematic process. We’ll come back to this example a little later.
What is enterprise risk management?
Enterprise risk management (ERM) is a process designed to identify potential events or threats to an organization and enable it to manage risk in a way that provides reasonable assurance that it will be able to meet its objectives. It is a top-down process which requires the full support and backing of senior management.
“There is no quick fix for implementing a strategic, enterprise approach to managing risk. Support for this process must start at the executive level.”
The concept of ERM has been discussed for several years in the risk management community. It takes on many names, including holistic risk management, aggregate risk management, and strategic risk management. Regardless of name, adopting the concept typically requires rethinking how risk will be managed within an organization.
A well-defined risk management strategy includes the following attributes:
1. The risk strategy is linked to and supports the business strategy;
2. A risk culture is created and encouraged throughout the organization;
3. Risk management is a continuous, systematic process integrated into corporate culture;
4. Risk is identified, quantified, aggregated, and studied for interrelationships; and
5. Risk management responsibility is clearly defined, and risk is a key consideration for financial decision-making.
Why is ERM becoming more important within the corporate framework?
There are many forces at work here. Global economic and political conditions, the uptick in cyber events and regulatory scrutiny related to risk, have all contributed to an enhanced focus on risk management. Boards of directors have heightened the need to better identify, mitigate, and manage business risk. Companies have reacted by rethinking their internal business processes and external risk profile. Many companies are recognizing that competitors that excel at managing risk have used superior risk management to gain a competitive advantage in the marketplace.
Entities exist to provide value for their stakeholders. All entities face uncertainty. ERM helps companies decide how much uncertainty to accept as they strive to increase stakeholder value.
ERM works because risks and uncertainties are evaluated and appropriate action taken. Maximum value is reached when strategies and objectives strike a balance between managing risks and deploying resources in pursuit of growth and the entity’s objectives.
What does the ERM process look like?
Several ERM frameworks are available to companies that are interested in implementing an enterprise approach to managing risk. However, there is no cookie-cutter approach. For ERM to be successful, it must fit within the operational culture of the organization.
Figure 1 displays a typical ERM process
The 10-phase process shown above encompasses risk identification (Phases 1-3), risk assessment (Phases 4-6) and risk mitigation (Phases 7-10).
Gathering risk data during the risk identification phase can be done through a variety of methods including surveys, facilitated workshops, and one-on-one risk interviews. A key to successfully gathering the risk information is to prepare the participants in advance. Here are a few questions that participants should be thinking about:
- What are the three to five things that keep you awake at night about the risks of our company and why?
- What would cause us to be unable to achieve our objectives?
- Describe a scenario of what could go wrong and how we would respond today?
- What controls are currently in place? What should be done better?
- What risks should we consider over the next 12 to 18 months?
- What risks will be important for our sustainability 10 years from now?
- How severe can the risk be, and what is the likelihood of it occurring?
- What are the consequences if the risk occurs?
- What are the early warning signs that the risk may occur?
Assessing the likelihood and severity of risk based on operations is a critical first step of our process. The heat map (Figure 2) presents an assessment of the population of risks faced by the organization. Mutual discussion of this risk population and likelihood/severity is vital to the development of the heat map. Next, risks will be further assessed to determine if they are insured, partially insured, or uninsured. This process offers a perspective of the risk universe and how existing programs will respond. An example of a heat map is shown below:
Figure 2: Heat map of risks faced by an organization
A risk map (see Figure 3) can also be used to identify:
- Inherent risk (what is the true risk to the company in the absence of controls?);
- Residual risk (what is the risk taking into account the current mitigation strategies?); and
- Target risk level (what does senior management or the board feel the acceptable risk level is?).
Figure 3: Risk map of severity vs likelihood of risks
Identifying key business risks is only the first piece of a successful ERM program. Developing mitigation strategies for each risk is where the rubber meets the road with ERM. One methodology that can work well is identifying current mitigating factors, or what is currently being done that is serving to contain the risk. In addition, identifying aggravating risk factors (what is serving to aggravate the risk or make it worse) should be identified. Go-forward mitigation strategies can then be developed by attacking those aggravating factors.
ERM takes time
Finally, there is no quick fix for implementing a strategic, enterprise approach to managing risk. Support for this process must start at the executive level and be driven throughout the organization. It requires a formal process supported by focused project management, with all levels of the company involved and committed. However, once achieved, companies will better understand their risk profile, optimizing the risk:reward trade-off, which ultimately can lead to a competitive advantage in the marketplace.
A few points to keep in mind:
- Identifying and prioritizing multiple and cross-enterprise risks: every enterprise faces a myriad of risks affecting different parts of the organization, and ERM facilitates effective response to the interrelated impacts, and integrated responses to multiple risks. Risk identification is not limited to traditional insurable risks and may encompass strategic, operational, legal, and economic issues.
- Aligning risk appetite and strategy: management considers and quantifies the company’s risk appetite in evaluating strategic alternatives, setting related objectives, and developing mechanisms to manage related risks.
- Enhancing risk response decisions: ERM provides the rigor to identify and select among alternative risk responses: risk avoidance, reduction, sharing, and acceptance.
- Reducing operational surprises and losses: entities gain enhanced capability to identify potential events and establish responses, reducing surprises and associated costs or losses.
- Seizing opportunities: by considering a full range of potential events, management is positioned to identify and proactively realize opportunities.
- Improving deployment of capital: obtaining robust risk information allows management to effectively assess overall capital needs and enhance capital allocation.
So what about our hospital group, and how did the risk manager bring an enterprise approach to managing risk? With the support of her CEO, she was able to bring the management team together to form an enterprise risk committee. The committee led the charge to identify top risks (see Figure 4), assess and prioritize those risks, identify risk owners, and develop go-forward mitigation strategies. Today, the company has a formal risk strategy that has become an integral part of each operating division’s annual business plan.
Figure 4: Company’s top risk profile
Lockton, US, Frank Strenk, Holistic, Healthcare, Risk management, Insurance, Technology, IT, Data, Crisis management, Special report, ERM