According to the 2023 AICPA/NC State Survey on Enterprise Risk Management Practice[1], only 11% of financial institutions surveyed indicated that ERM “Mostly” or “Extensively” provided competitive advantage to their organization. In contrast, 25% ranked it as only “Somewhat” valuable, and 64% felt the value was “Minimal” or “Not At All”!
Which leads to a simple question: how do you gain relevance and preserve your position when only about one in nine senior executives thinks your function provides a competitive advantage?
You do so by seizing the agenda and the initiative, selling your organization on the inherent value of ERM, and using better tools to monitor risk and create new insights and value.
But first, you address your current gaps!
1. AICPA/NC State Survey on Enterprise Risk Management Practice: Background and Findings
For nearly fifteen years, the AICPA and North Carolina State University have sponsored a survey on ERM practices and perceptions. The survey is detailed and of a high quality. For those interested in learning more, we encourage you to view the full report at https://erm.ncsu.edu/library/article/2023-risk-oversight-report-erm-ncstate-lp.
The survey reveals major gaps in current ERM processes and management in the following areas:
a) Overall State of Risk Management Maturity: End-to-End Risk Management Remains Elusive
· Only 34% of respondents felt that their ERM processes were “end-to-end.”
· 29% of Financial Institutions lacked formal ERM processes or were still in the planning stage.
b) Strategic Value of Risk Management: Few Emerging Insights and Low Impact on Decisions
· Only 11% of respondents felt that ERM “Mostly” or “Extensively” provided a competitive advantage.
· 57% felt that ERM didn’t track emerging strategic, market or industry risks effectively.
c) Impact of Culture on Risk Management: Existing Organizational Beliefs Limit ERM Effectiveness
· 55% of organizations gave little to no ERM training to executives over the past two years.
· 63% felt that risk activities had minimal or no influence on performance compensation.
d) Risk Identification and Assessment Processes: Uneven, Siloed and Not Holistic
· Only 54% use a consistent ERM form and process, usually only in “traditional” risk areas, such as IT, Legal/Regulatory/Compliance, and Financial.
· Market, Strategic, and Industry risk—along with newer emerging risk such as Reputational and Political Assessments—don’t receive enough focus.
· 72% of risk assessments are typically informal and qualitative rather than numbers-driven, with little integration across the enterprise.
e) Risk Monitoring Processes: More Explanatory and Robust KRIs Needed
· 72% of managers didn’t perceive existing KRIs as robust enough to provide early warning.
2. What Does it Mean for You and Your Current Role?
Ironically, survey participants largely agreed that the volume and complexity of enterprise risks have continued to increase over the last several years, but more than half felt that the current ERM process was not the most effective way to handle those risks.
This may be a communication or a perception problem, but it’s what people think. You are not a strategic priority, and your current value is low. Competing priorities frequently take precedence and your function is not perceived as a useful or strategic decision-making tool for the organization. This needs to change.
Drawing on these survey findings and on our personal experience building effective ERM functions, both as employees and as consultants, we would like to share a 7-step action plan that we have used successfully and that can guide your work in the year ahead:
1. Clearly define, and communicate, the vision for ERM and sell it to Senior Management, the C-Suite, and the Board.
2. Select a Risk Taxonomy and refine or update your Risk Appetite Statements.
3. Scale your KPIs and KRIs properly, with better frequency and severity rankings.
4. Develop appropriate ERM systems that emphasize LOB accountability and reporting.
5. Prioritize and triage risks for intervention versus review.
6. Develop educational programs around risk frameworks.
7. Monitor risk across the enterprise holistically by identifying correlations and potential cascades.
In subsequent articles, we will expand on each of these seven topics to share our experiences and insights, drawing on what worked—and didn’t work—for us as we struggled with similar issues.
2024 represents a unique opportunity to seize the agenda and improve the current internal ERM perceptions. Let’s not waste it.
Welcome to 2024!
[1] 2023 The State of Risk Oversight: An Overview of Enterprise Risk Management Practices, 14th Edition.
Begin with the end in mind. -Stephen Covey
Our previous article laid out 7 steps to restoring credibility and importance to the ERM function for organizations. In this article, we address the two most fundamental questions that ERM professionals frequently overlook:
1) What is the current role that the function has assumed? And more importantly,
2) What is the optimal role that best serves the larger organization’s ERM needs?
Hint: They are often misaligned.
In our experience, ERM organizations can evolve through three stages of development, although most get stuck in the process. The lines between the three are not fixed, of course, but the roles provide a good starting point for you to evaluate where you are currently and where you want—and need—to be.
The progression is as follows:
1. LOYAL SERVANT
In approximately 40% of the organizations we know or have worked in, ERM assumes the “Loyal Servant” role, and rarely evolves much beyond it. This role emphasizes procedure over content, and favors acquiescence over confrontation when dealing with individual business units or the organization as a whole. The Loyal Servant role aggregates rather than integrates information, and its Risk Management efforts deliver rather than interpret data in its interactions with the C-suite and Board. Mitigation efforts tend to be limited in scope and non-controversial, e.g., ergonomics, other workplace safety, etc., and ERM understanding of core business processes and risk nuances is weak. Because the unit focuses on procedural adherence and only on very limited process improvement or change management, it uses rudimentary technology (disparate spreadsheets) and risk classification categories, and has limited exchange with LOB risk owners. Furthermore, it has little if any Board visibility and carries little strategic weight. This type of ERM unit is largely perceived as “bureaucratic” and ineffective, and appears to reinforce the perception of ERM as a “check the box” exercise for the organization. The biggest challenge here is gaining relevance.
2. WATCHDOG
Another 50% of organizations succeed in developing more advanced ERM skills, and ascend to the “Watchdog” role. Watchdog organizations generally possess broader business knowledge and better technology (often including multiple Risk Registers / ERM systems), but struggle to integrate them. Although Watchdogs typically monitor KRIs and provide input to their development, they rarely lead the development process. They employ standard risk classifications, e.g., Probability vs. Severity (H, M, L). Their relationship and involvement with individual business units or risk owners varies greatly, i.e., close partners with some, distant from others. Watchdogs typically report to the Board at least annually on the top risks that the organization faces. Their focus, however, remains more on KRI trend reporting rather than true synthesis or holistic integration. They monitor traditional risks, such as Finance, IT, and Operations well, but don’t exhibit a great deal of creativity in exploring newer areas such as Cyber, International, or the identification of correlated risks. They are often perceived as simply covering the same ground as—or second guessing—the business units. This often creates friction across the organization, and the LOBs can be somewhat dismissive. The ERM staff does understand the business reasonably well and can contribute more than they do. But they often feel that they just don’t have a strong enough mandate to do so.
3. BUSINESS PARTNER
Only about 10% of ERM organizations grow into the “Business Partner” role within their respective companies, thereby achieving the highest levels of effectiveness. Their stature derives from three elements:
· A thorough understanding of the specific risks within all units of their businesses,
· Enabling technology to automate risk stratification, reporting and monitoring, and
· Ongoing partnerships with the rest of the organization to monitor risks as they change to calibrate potential correlations.
These ERM organizations provide strategic value by creating a holistic perspective on the enterprise’s total risk posture as it evolves over time. The unit typically concentrates its efforts not on evaluating the existing LOB mitigations around established risks, but on defining the interactions between those risks across LOBs, defining their interactions with new and emerging risks, and creating mitigation plans for those exposures and potential risk cascades. This provides unique value to the enterprise, as ERM is the only group with the mandate and the capabilities to view risk from this perspective. Enabling technology typically allows risk prioritization and focuses ERM attention on the highest-value priorities. Many of these organizations are currently determining how to integrate AI into these efforts.
The first three questions for every CFO, CRO and Risk Manager should be: where are you, what do you want to be, and how can you best serve (or save) your organization? In our experience, we have often found significant divergence between ERM’s internal perception of itself and the perception its corporate partners have of it.
So, what should you do NOW?
1. Evaluate your organization’s current perception of ERM.
2. Validate these perceptions with peers and management.
3. Create a roadmap to ensure your organization’s ERM future.
You may want to begin by surveying your senior management on what they expect or would like of you and then conduct an honest evaluation of your current skills and existing activities.
In the last edition of our article series on how to make ERM more effective, we laid out the typical roles that ERM organizations assume and how those roles can evolve over time. It generated a lot of interest and enthusiasm, especially among ERM professionals who have primarily invested in their organization’s technical and technology development, and not focused as much on defining their larger role within their organizations.
We received multiple inquiries from many of you who agreed with the three stages, but wanted a tool to help assess where you currently stood (especially in relation to your peers), and most importantly, what concrete steps you might take to accelerate your journey in increasing your organization’s effectiveness.
Thank you for your input and we hope we can address these issues. We have developed a brief survey assessment tool for you to gauge your current status and focus on your future priorities. We hope you find it useful, and based on your feedback on this article, we will try to provide similar tools and templates as appropriate in our future articles releases.
To review the prior article, which now includes a link to the assessment survey tool, please click here.
Thanks again for all your feedback and interest. Please keep the feedback and suggestions coming so we can be more effective in working together and learning from each other.
Our previous article discussed the possible roles the ERM function may assume in organizations. This article addresses what are, from our perspective, the two most overlooked steps in the entire ERM process:
1) How to build risk inventories using a standard Risk Taxonomy, and
2) What is required to create an effective and useful Risk Appetite Statement (RAS).
Quite simply, organizations do not invest enough time or effort into organizing the risks they identify into logical groups, or into drafting Risk Appetite Statements that are useful. This is a critical shortcoming that often handicaps the entire ERM process, because these two elements provide the overall direction and risk boundaries for every unit of the organization. And when done properly, they ensure that risk ownership and management extend to the business unit level.
The good news, however, is that these problems can be quickly addressed with just a bit of focused attention. Let’s lay out the steps required for you to strengthen your processes and build that ownership within your organization.
When beginning the ERM process, organizations typically jump straight into inventorying and defining the specific risks they face, based on their individual situations and the industries to which they belong. This is good, but the results are too specific and often idiosyncratic. And why reinvent the wheel? Many detailed and useful risk taxonomies already exist that provide comprehensive risk inventories and descriptions, which in turn vastly simplify benchmarking against peer companies later on. ISO 31000 and the COSO ERM framework provide general-purpose risk categories, and for insurers the NAIC’s ORSA guidance adds industry-specific ones. If you are just starting out, use one of them. If you already have a risk inventory, harmonize your work with these established frameworks. It will organize your existing work into groupings that facilitate peer comparisons, and enable you to generate reports and comparisons that will intrigue your company executives and that regulators and rating agencies increasingly request.
Once the high-level risk identification and organization are completed, you must over-invest in creating high-quality Risk Appetite Statements, first at the corporate level and then at the Line of Business level. The Risk Appetite Statement is the company’s formal pronouncement of its desire or reluctance to assume specified risks, and at what levels. It is, in effect, the Company’s “Strategic Plan” for Risk, and should be closely integrated with the Company’s overall strategic plan. Very few of the RASs that we have reviewed, however, even come close to meeting this objective.
At a minimum, the Corporate RAS should provide a general narrative on the company’s risk management philosophy and contain the following elements:
· A description of the 8-10 critical risks the company faces,
· Quantitative metrics for Risk Capacity, Risk Tolerance, and Risk Appetite for each of those risks,
· Key Risk Indicators and their defined ranges, typically in “traffic light” groupings.
These groupings form the basis for the Risk Reporting templates which are developed at this time and included as part of the RAS effort. Higher quality RASs usually include some discussion on the exact mechanisms for risk measurement, monitoring, and frequency, and what the control and governance processes are as they relate to the individual risk groups. Occasionally, RASs also include a brief glossary of Risk Terms and Definitions as an addendum. We strongly endorse this practice, as it promotes the establishment of a common risk language and vocabulary across the organization. RASs may also discuss ways to align overall compensation on a risk-adjusted basis, but these goals remain largely aspirational. The CFO or CRO is often the Executive Sponsor for the Corporate RAS effort, and the Board typically approves the Corporate RAS after significant input and deliberation from the C-suite and other stakeholders.
Many ERM organizations miss an opportunity to help their organizations and create value by neglecting to extend this process to the individual lines of business. Once the Corporate RAS has been accepted, the corporate level has set its risk tolerances and limits. How do these aggregate limits align with the sum of the business unit risks? How do they change as the postures of the individual business units change? And what are the interactions? These are hard questions that must be addressed, especially by the ERM function. Very few do so effectively, however.
Yet, most of the raw materials for risk managers to develop these insights are available if they are willing to partner with their business counterparts. Every business unit creates a budget and strategy document (admittedly of varying qualities!). Translating these objectives into Key Risk Indicators and Tolerances, at least initially, is something that Risk Management should be doing proactively. And drafting an LOB-specific RAS is a straightforward process, based on the parameters established in the Corporate RAS and on what can be inferred from the LOB budget and strategy documents.
A more strategic perspective greatly enhances both ERM’s effectiveness and your personal stature in the organization. Moreover, information is power. No other organization in the company has the mandate to review and own risk across business lines or to manage it. And the insights you can create are tremendously valuable to the organization. Knowing our defined corporate risk capacity, what businesses are exceeding or “overusing” that capacity? Why? Is this contemplated, accidental, or intentional? And how can it be managed most effectively, both immediately and over the longer term? No individual business manager can answer these questions, and many might not even want to know the answers even if they could find them. But you can, and in service to your organization’s health and future, you should.
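The questions above (do the LOB limits add up to the corporate appetite, which businesses are overusing capacity, and where does each risk sit relative to appetite and tolerance) can be checked mechanically once the Corporate RAS metrics and the LOB limits exist. The following is an added example and not code from the original article; the risk names, LOB names and dollar figures are constructed, and the capacity / tolerance / appetite layering and traffic-light statuses follow the elements listed above.

```python
"""Reconciling LOB limits and exposures against the Corporate RAS.

Added illustration, not code from the original article. Risk names, LOB
names and dollar figures are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class CorporateLimit:
    risk: str
    capacity: float    # the most the enterprise could absorb
    tolerance: float   # the most it is willing to bear (<= capacity)
    appetite: float    # the amount it plans to run with (<= tolerance)

    def __post_init__(self):
        # The three figures must nest, or the RAS is internally inconsistent.
        if not self.capacity >= self.tolerance >= self.appetite >= 0:
            raise ValueError(f"{self.risk}: need capacity >= tolerance >= appetite >= 0")


@dataclass(frozen=True)
class LobPosition:
    lob: str
    risk: str
    limit: float       # share of the corporate appetite allocated to this LOB
    exposure: float    # current measured exposure


def traffic_light(value: float, appetite: float, tolerance: float) -> str:
    """Green within appetite, amber between appetite and tolerance, red beyond tolerance."""
    if value <= appetite:
        return "green"
    if value <= tolerance:
        return "amber"
    return "red"


def reconcile(corporate, positions):
    """Per risk: do the LOB limits fit the corporate appetite, how much is actually
    exposed, and which LOBs are running above their own limit?"""
    report = {}
    for c in corporate:
        mine = [p for p in positions if p.risk == c.risk]
        allocated = sum(p.limit for p in mine)
        exposed = sum(p.exposure for p in mine)
        report[c.risk] = {
            "allocated": allocated,
            "unallocated": c.appetite - allocated,   # negative: LOB limits exceed appetite
            "exposed": exposed,
            "status": traffic_light(exposed, c.appetite, c.tolerance),
            "overusers": sorted(p.lob for p in mine if p.exposure > p.limit),
        }
    return report


# Constructed sample data, in $M.
CORPORATE = [
    CorporateLimit("credit", capacity=500, tolerance=400, appetite=300),
    CorporateLimit("cyber", capacity=50, tolerance=40, appetite=25),
]
POSITIONS = [
    LobPosition("Annuities", "credit", limit=150, exposure=120),
    LobPosition("Life", "credit", limit=100, exposure=130),
    LobPosition("Group", "credit", limit=80, exposure=60),
    LobPosition("Annuities", "cyber", limit=10, exposure=4),
    LobPosition("Life", "cyber", limit=10, exposure=6),
]

if __name__ == "__main__":
    for risk, row in reconcile(CORPORATE, POSITIONS).items():
        print(risk, row)
```

In the sample data the credit limits handed to the LOBs sum to 330 against an appetite of 300, so the corporate appetite is over-allocated before anyone breaches anything; the aggregate exposure of 310 is amber, and Life is the only LOB above its own limit. Cyber is green with 5 of appetite still unallocated. The same two checks, limits versus appetite and exposure versus limit, are what the LOB-level RAS should make visible every reporting cycle.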
Why aren’t you seizing the opportunity?
P.S.: If you would like a sample template of a detailed Corporate Risk Appetite Statement which exceeds what’s commonly used currently, feel free to download it from our website, www.srarisk.com/insurance.
Everything Should Be Made as Simple as Possible, But Not Simpler. -Albert Einstein
Using Decision Matrix Risk Assessments (DMRA) to categorize and prioritize risks is clearly the standard tool for most Risk Managers as they evaluate risk tradeoffs. And Risk Matrices have a lot going for them: they’re extremely powerful visual tools to convey positional information, they condense large amounts of data into understandable groupings, and they’re easy to construct, based on the dimensions and scales chosen. They’re easier and cheaper to create than more sophisticated analyses like Failure Mode and Effects Analysis (FMEA) or Monte Carlo simulations, and readily explainable to everyone in the organization.
There is even a standard four-step process that just about everyone has seen in their careers: 1) identify the risk factors, 2) rate the risks, 3) combine (multiply) the ratings, and 4) rank the risks. Read what the matrix says. Depending on your risk tolerance and mitigation effectiveness, create your mitigation plan, work through it in sequence, and then update the matrix. Your published output will look something like this:
Voila! You now have your plan in place and can begin ongoing monitoring and refining. But not so fast. What if everything you know about DMRA is wrong? Well, maybe not all of it. But quite a bit![1]
Risk matrices are inherently unreliable and should never be used to make decisions on risk plans or rank priorities in the absence of other data. They are a great data presentation tool, but they should never be a decisioning tool.
Let’s explain why:
Low, Medium, High scales are arbitrary
· In the absence of historical data, our three-way split assumes a sharp distinction between the three categories on each axis. When you convert these label categories numerically and multiply (typically 1=L, 2=M, 3=H), you can create non-sensical or grossly exaggerated distinctions.
o Silly example: Suppose I decide to create three groups of football players by weight: 0-250 lbs., >250-350, and >350 lbs. Does the >250-350 lbs. group really have double the effect of the 0-250 lbs. group?
o More importantly, does a 251 lb. player have double the impact of a 249 lb. player? Or does a 351 lb. player have 50% more than a 349 lb. player (multiplication factor of 3 vs. 2). That’s what the multiplication factor concludes.
· For any risk you identify, you are assigning a single point value to both frequency and severity, when each is really a distribution with its own spread (standard deviation). This introduces confusion when comparing two risks, especially if frequency and severity are negatively correlated for them. The math is complicated, but the results are clear: it is possible, and often likely, that the relative score between two risks will simply be wrong.
Time Scales Must Be Consistent
· Risks can be misclassified unless frequency and severity are measured over the same time horizon and in the same units for every risk under consideration, and most evaluation processes neither enforce this nor check for the disconnect.
· Example: A pump leaks 4 oz of oil every 12 hours and therefore is labeled as 3 for Frequency and 1 for Severity, leading to a total score of 3. A transformer leaks 5 gallons once every four months, and is graded as 2 for Frequency and 3 for Severity, with a total score of 6. Is the transformer really the higher rated risk by a factor of two? It’s debatable. Over a year, the transformer leaks 15 gallons. Over the same period, the pump leaks almost 23 gallons. The definition of the scales can generate misleading results.
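The two problems just described, an ordinal product that amplifies small differences at bin edges and a time scale that is not held constant across risks, can both be made visible with a few lines of code. The following is an added example and not code from the original article. It reproduces the pump and transformer figures from the example above; the L/M/H bin boundaries (events per year and gallons per event) and the two near-boundary risks are constructed assumptions.

```python
"""Frequency x severity on a common time base versus the ordinal L/M/H product.

Added illustration, not code from the original article. The pump and
transformer figures are the article's own example; the bin boundaries and
the two near-boundary risks are constructed assumptions.
"""
from dataclasses import dataclass

HOURS_PER_YEAR = 24 * 365
OZ_PER_GALLON = 128                # US fluid ounces

# Assumed bin boundaries for the ordinal ratings (1=L, 2=M, 3=H).
FREQ_BINS = (1.0, 12.0)            # events per year:   L <= 1, M <= 12, H > 12
SEV_BINS = (1.0, 4.0)              # gallons per event: L <= 1, M <= 4,  H > 4


def rate(value: float, low_max: float, med_max: float) -> int:
    """Map a continuous measurement onto the 1/2/3 ordinal scale."""
    if value <= low_max:
        return 1
    if value <= med_max:
        return 2
    return 3


def events_per_year(interval_hours: float) -> float:
    """'One event every N hours' expressed as an annual frequency."""
    return HOURS_PER_YEAR / interval_hours


@dataclass(frozen=True)
class Risk:
    name: str
    events_per_year: float     # frequency, already on the common time base
    gallons_per_event: float   # severity, already in the common unit

    @property
    def freq_rating(self) -> int:
        return rate(self.events_per_year, *FREQ_BINS)

    @property
    def sev_rating(self) -> int:
        return rate(self.gallons_per_event, *SEV_BINS)


def ordinal_score(r: Risk) -> int:
    """The conventional DMRA score: product of the two ordinal ratings."""
    return r.freq_rating * r.sev_rating


def annual_expected_loss(r: Risk) -> float:
    """Frequency times severity once both sit on one horizon and one unit."""
    return r.events_per_year * r.gallons_per_event


def rank_by(risks, key):
    """Risk names, highest key first."""
    return [r.name for r in sorted(risks, key=key, reverse=True)]


def rankings(risks):
    """Both orderings side by side: (by ordinal product, by annual loss)."""
    return rank_by(risks, ordinal_score), rank_by(risks, annual_expected_loss)


# The article's example: 4 oz every 12 hours vs. 5 gallons every 4 months.
PUMP = Risk("pump", events_per_year(12), 4 / OZ_PER_GALLON)
TRANSFORMER = Risk("transformer", events_per_year(4 * HOURS_PER_YEAR / 12), 5.0)

# Constructed: two risks of almost equal annual loss that straddle both bin edges.
BELOW_EDGE = Risk("just below the bin edges", 11.9, 0.95)
ABOVE_EDGE = Risk("just above the bin edges", 12.1, 1.05)

if __name__ == "__main__":
    for r in (PUMP, TRANSFORMER, BELOW_EDGE, ABOVE_EDGE):
        print(f"{r.name:<26} F={r.freq_rating} S={r.sev_rating} "
              f"score={ordinal_score(r)} annual={annual_expected_loss(r):.2f} gal")
    by_score, by_loss = rankings((PUMP, TRANSFORMER))
    print("by ordinal score:", by_score)
    print("by annual loss  :", by_loss)
```

With these bins the pump rates (H, L) for a score of 3 and the transformer (M, H) for a score of 6, exactly as in the example, yet on an annual basis the pump loses about 22.8 gallons against the transformer's 15, so the two orderings disagree. The constructed pair shows the bin-edge effect on its own: the two risks differ by about 12% in annual loss but by a factor of three in ordinal score. Whatever bins you choose, the check is the same: put every risk on one horizon and one unit before you trust the product.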
Individual Perceptions of Risk Vary Greatly
· Perceptions of risk vary widely, both from person to person and from business unit to business unit, i.e., what’s catastrophic to me may be trivial to you.
o Risk evaluation and perception are strongly (and even irrationally) influenced by prior experience. My perception of a risk is greatly exaggerated by my prior history of being in close proximity to, or experiencing, the negative outcome of that risk.
o Psychological research strongly suggests that a scale with an odd number of points (3 or 5) generates over-emphasis on the middle. Human beings don’t like to stick out or go to extremes in their selections, hence a large bias toward the middle value.
o By the way, all of these biases apply equally to your perception and assessment of risk mitigation assessments and residual risk calculations. Be careful and skeptical of every assessment you make or receive.
Risk Correlations Need To Be Identified and Quantified
· Risk Matrices appear to rank-order risks by the mathematical product of their individual scaling factors, but provide no information on risk correlations across the enterprise. Thus, they give an incomplete picture of the best enterprise-wide approaches to mitigation.
o Where multiple risks are strongly correlated, individual mitigation efforts aimed toward an individual risk may also be effective on other risks within the organization. In any event, understanding the nature of strong risk correlations is critical to determining the breadth and interrelatedness of risk mitigation efforts.
o Instances of strong negative correlations between groups of risk also need to be identified and DMRA is also silent on this issue. If groups of risks share strong inverse correlations, they may in fact cancel each other out or at least require fewer mitigation efforts to maintain exposure within the enterprise’s risk tolerance. Because DMRA does not take this into account, resources may be misdirected or wasted on unnecessary mitigations efforts and controls.
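The two correlation effects above, positively correlated families that one mitigation may reach and negatively correlated pairs that partly offset, only become visible when risks are aggregated with a correlation matrix instead of read off a matrix cell by cell. The following is an added example and not code from the original article; it goes slightly beyond the text by computing the standard deviation of the summed loss under three assumptions (every risk hits together, independence, and the stated correlations). The six risk names, their annual loss standard deviations and the correlation matrix are constructed; the mortality/longevity pair is chosen because those two exposures are commonly treated as partially offsetting.

```python
"""Aggregating risks through a correlation matrix, which a risk matrix cannot do.

Added illustration, not code from the original article. NAMES, STD and CORR
are constructed sample data.
"""
import math
from itertools import combinations

NAMES = ["market", "credit", "liquidity", "mortality", "longevity", "cyber"]
STD = [40.0, 25.0, 15.0, 20.0, 20.0, 10.0]   # $M, std. dev. of annual loss (assumed)
CORR = [                                      # symmetric, 1.0 on the diagonal (assumed)
    [1.0, 0.7, 0.6, 0.0, 0.0, 0.0],
    [0.7, 1.0, 0.8, 0.0, 0.0, 0.0],
    [0.6, 0.8, 1.0, 0.0, 0.0, 0.0],
    [0.0, 0.0, 0.0, 1.0, -0.7, 0.0],
    [0.0, 0.0, 0.0, -0.7, 1.0, 0.0],
    [0.0, 0.0, 0.0, 0.0, 0.0, 1.0],
]


def aggregate_std(selected, names=NAMES, std=STD, corr=CORR):
    """Std. dev. of the summed loss over the selected risks: sqrt(s^T C s)."""
    idx = [names.index(n) for n in selected]
    var = sum(std[i] * std[j] * corr[i][j] for i in idx for j in idx)
    return math.sqrt(var)


def naive_sum_std(selected, names=NAMES, std=STD):
    """What simply adding up the rows of a risk matrix assumes: every risk hits together."""
    return sum(std[names.index(n)] for n in selected)


def independent_std(selected, names=NAMES, std=STD):
    """The other extreme: no correlation at all."""
    return math.sqrt(sum(std[names.index(n)] ** 2 for n in selected))


def families(threshold=0.5, names=NAMES, corr=CORR):
    """Risks joined by a chain of correlations >= threshold; one mitigation may reach all."""
    unseen = set(range(len(names)))
    groups = []
    while unseen:
        stack, members = [min(unseen)], set()
        while stack:                       # depth-first walk over strong positive links
            i = stack.pop()
            if i in members:
                continue
            members.add(i)
            stack.extend(j for j in range(len(names))
                         if j not in members and corr[i][j] >= threshold)
        unseen -= members
        groups.append(frozenset(names[i] for i in members))
    return groups


def offsetting_pairs(threshold=-0.5, names=NAMES, corr=CORR):
    """Strongly negatively correlated pairs: candidates for lighter joint mitigation."""
    return [(names[i], names[j]) for i, j in combinations(range(len(names)), 2)
            if corr[i][j] <= threshold]


if __name__ == "__main__":
    print("families  :", [sorted(f) for f in families()])
    print("offsetting:", offsetting_pairs())
    for sel in (NAMES, ["mortality", "longevity"], ["market", "credit", "liquidity"]):
        print(f"{'+'.join(sel):<35} naive={naive_sum_std(sel):6.1f} "
              f"independent={independent_std(sel):6.1f} correlated={aggregate_std(sel):6.1f}")
```

On the sample data, market, credit and liquidity form one family (a mitigation aimed at one of them is worth evaluating against the other two), mortality and longevity are the only offsetting pair, and their combined standard deviation (about 15.5) is well below both the independent figure (28.3) and the naive sum (40). The market family goes the other way: its correlated total (about 71.9) exceeds the independent figure (49.5), which is the cascade case the matrix never shows.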
Additional Limitations on DMRA Analysis
· There are limitations and restrictions that you should always keep in mind when you use risk matrices. Although the mathematics behind them are complicated (and beyond the scope of this article)[2], the conclusions are as follows:
o The traditional coloring scheme most often used in decision matrices is wrong. Under Cox’s consistency conditions it is not possible to combine multiple cells into the High or Low categories: Red can only be (H, H) and Green can only be (L, L). All other cells must be categorized as Medium. This will typically leave the initial risk grouping with a bulge in the middle, a reverse-barbell distribution.
o Within these three groups, it is not possible to make any rank ordering or prioritization on the relative importance of the risks without additional information.
o Your new starting point should be the following:
Where Does This Leave Risk Managers?
With a renewed opportunity to engage their peers in thoughtful conversation and analysis. In next week’s article, we’ll describe suggested approaches based on these findings.
[1] Krisper, Michael, “Problems with Risk Matrices Using Ordinal Scales.”
[2] Eight to Late, “Cox’s risk matrix theorem and its implications for project risk management.”
Everything Should Be Made as Simple as Possible, But Not Simpler. -Albert Einstein
In last week’s article, we explored some of the shortcomings of the traditional Decision Matrix Risk Assessments (DMRA) approach to categorize and prioritize risks and their tradeoffs. The DMRA is the standard approach widely used to present risks to Senior Management, Rating Agencies, and Board Committees. Although the tool provides a starting point for risk analysis, it suffers from some serious mathematical shortcomings that limit its effectiveness to categorize risks based on the usual information used in creating the matrix.
We concluded with the revised DMRA, which more accurately reflects the grouping that can be logically inferred from the tool. It is as follows[1]:
Where Does This Leave Risk Managers?
· Overall, probably in a better place despite the extra work. As previously stated, DMRA should be a data presentation tool, but not a data decisioning tool.
· Building the Risk Matrix is the first step in the process, not the outcome. Because it’s so easy to create and populate, it’s tempting to skip the harder subsequent steps in refining the analysis.
· There is simply no substitute for thoughtful discussion and analysis, and no better way for you to demonstrate the quality of the risk thinking that you bring to the analysis.
What Should You Do Next?
· The next logical step for the Risk Manager is to evaluate each of the three groups, potentially layering on additional attributes to refine the analysis, such as the standard deviation of the risk, the type of distribution if it is not normal, the level of predictability, etc.
· This presents a great opportunity to educate your peers on risk evaluation, mitigation, and correlation issues. Predictability in particular often dictates the intensity of the mitigation approaches required; compare the approaches for floods, tsunamis, and earthquakes.
Recommendation: Don’t delegate your conclusions to the tool; use the tool to develop your own conclusions.
· Risk Managers have a renewed opportunity to engage in thoughtful discussions with your colleagues around all elements of your risk program, based on recent insights and improvements in risk methodology. Use it!
· Conduct workshops to reprioritize existing risks and check the quality of understanding throughout the organization.
o There is no substitute for common sense and individual expertise. Indeed, this more than anything is the key insight. You must now engage all your risk stakeholders to get underneath the risks your organization faces and figure out which ones matter, which ones don’t, and how to sequence your mitigation efforts.
o Do risk owners really understand the way their risks behave in terms of spread or standard deviation of frequency and severity? Without those insights, it is virtually impossible to prioritize approaches much better than leaving things to chance. Best to ask them, challenge them, and explore new insights and perspectives. In this way, you create value for them and your organization.
o As the matrix categories are now skinnier at the ends and much fatter in the middle, the middle needs to be addressed much more carefully and thoughtfully. You have an excellent opportunity to reset the discussion with the entire organization.
o Positive and negative risk correlations are neglected gems of risk management, because only ERM’s cross-functional perspective can identify them. Group your universe of risk by negative and positive correlations and understand how these different families of risk will behave under various scenarios. This may have a significant impact on the cost and effectiveness of your mitigation efforts, and the insights you generate will be unique within your organization.
o Finally, do all participants have a consistent set of perceptions and definitions of risk or has human bias crept into their thinking? Chances are that bias was always there.
· Use your expertise as a risk professional to uncover and mitigate the individual perceptual biases that always exist in human perception… you are the best-prepared umpire to enforce the rules and create sensible and internally consistent outcomes.
· In future articles, we’ll show you how we’re using AI-driven solutions to refine the revised Matrix, making it much more useful and informative. This provides real value to your risk management and mitigation efforts, and gives your efforts credibility and impact to the C-suite and the Board. Stay tuned.
You have an exciting job ahead of you. Attack it with insight and enthusiasm. And don’t get stuck in the matrix!
[1]Krisper, Michael, “Problems with Risk Matrices Using Ordinal Scales.”
Everything Should Be Made as Simple as Possible, But Not Simpler. -Albert Einstein
Previously, we talked about the sort of role your ERM organization might choose to assume, based on three specific prototypes we have seen in the past. We next reviewed Risk Appetite Statements and KRIs. These are powerful tools to identify which risks your organization purposely decides to select from among the universe of risks that is faces, simply by being in business. We then suggested some approaches to use risk matrices more effectively as you prioritize your monitoring and mitigation efforts for those specific risks.
Today we ask: how do you tie all these pieces together? The answer: By ensuring tight and effective linkage between your ERM platform and process.
Unfortunately, many organizations (even decent sized ones) get this wrong, and fail at one of two extremes. One extreme is to use Excel spreadsheets and manual ad-hoc processes to aggregate their data. The resulting process leans very heavily on manual effort and the “tribal knowledge” of the individual participants. The result is inconsistent approaches, slow and cumbersome processes, and knowledge gaps whenever people are absent, retire, etc. The lengthy data preparation process reduces Senior Management and Board evaluation time and prevents high quality strategic evaluation and review.
The second extreme is to invest in the right tools, but in the wrong way, i.e., a proliferation of individual tools (usually GRCs) at the line of business level. Although this approach provides some discipline and consistency because of the individual tool itself, the proliferation of unique packages, risk frameworks, and approaches makes risk management at the enterprise level virtually impossible. Everyone is lost in the detail and the systems deployed excel at inventorying risks but not at interpreting or managing them strategically.
In both instances, the majority of the efforts revolve around collecting, aggregating, and preparing data rather than truly analyzing trends, identifying root causes, or fostering continuous improvement. These outcomes are a far cry from what Regulators, Rating Agencies, or Senior Management really require. And what we would consider to be strategic ERM, which is the capacity
There is actually a third group as well. They don’t fail, but they never quite succeed. They invest resources in the right systems and achieve reasonable consistency in their processes, striving to succeed but just muddling along. Overall ownership across the enterprise is uneven, as is individual performance. Overall, it’s fair to say that very few companies actually succeed in achieving a truly strategic ERM capability, which enables you to manage the risks you choose to take within your desired tolerance, monitor that risk continuously, and adjust as needed based on changes to the internal risk appetite and the external risk landscape.
From our perspective, the key to success resides not in the features of the systems used or the competence and sincerity of the participants involved. Rather, it comes from the superior integration of the two, and can be achieved only when organizations ensure that all of their ERM processes are designed to be Measurable, Accountable, and Distributed (MAD).
Let’s explain: Profound organizational change—of any kind—only occurs when people redefine themselves and their roles in the organization in a new way to meet the changed expectations they face. This bears repeating any time an organization embarks upon an improvement project of any kind. Change the mindset, and you change the behavior. Don’t change the mindset… and you change nothing.
The implications for strategic ERM management, therefore, are simple and profound.
First, you need to be passionate about being Measurable and insist that your KPIs, KRIs, Risk Statements, and Metrics are numeric and quantifiable. Terms like “I think,” “Medium,” or “Excellent” are the enemy of strategic excellence. Replace them with “I know based on peer review,” “50th percentile based on competitor performance,” or “Highest Net Promoter Score in Latest Survey.” Banishing ambiguity enhances focus and builds commitment. Everyone says: “you get what you measure.” More important over time, however, is that people internalize the metrics on which they are measured.
Accountability breeds action, decisions, and resolution. No one wants to be identified as a slacker. In the ERM context, this means that individual Risk Owners, or those responsible for risk identification, mitigation planning and implementation, etc., need not only to be identified, but explicitly tracked using a mechanism that is broadly transparent across the organization. Peer pressure is the most effective means to ensure consistent performance. Make sure that any process you create for risk deliverables is transparent enough to track the ongoing performance of all of its participants, especially in regard to reporting individual performance all the way to the highest levels of the organization.
Finally, the overall effort needs to be Distributed to accelerate the process and shift ERM’s mix of effort from data preparation toward strategic analysis. You need timely and consistent ERM reporting with minimal effort. This happens only when you distribute risk tasks to multiple owners and automate the risk roll-up and consolidation process through a centralized tool. Oddly enough, broadly distributing this part of the risk process actually makes it more efficient and resilient, as long as you can ensure that all parties behave appropriately (see Accountability above!).
If MAD are the three design principles to build a robust and strategic ERM process within your organization, what are the implications? And more specifically, what are the actual platform or system requirements that you should evaluate (or may need to reprioritize) when considering a new system or determining how to improve your current one? And how do these requirements support the underlying processes you need to create?
In next week’s article, we’ll address these important questions.
In our previous articles, we reviewed the data and process elements required for superior ERM performance. As we mentioned, the key to success resides not in the features of the systems used or the competence and sincerity of the participants involved. Rather, it comes from the superior integration of the two, and can be achieved only when organizations ensure that all of their ERM processes are designed to be Measurable, Accountable, and Distributed (MAD).
If MAD are the three design principles to build a robust and strategic ERM process within your organization, what are the implications? And more specifically, what are the actual platform or system requirements that you should evaluate (or may need to reprioritize) when considering a new system or determining how to improve your current one? And how do these requirements support the underlying processes you need to create?
Our observations here are necessarily speculative, and may of course depend on your individual circumstance, corporate culture, and business strategy. But the following considerations should always be major decision factors as you think about upgrading your system and process capabilities, both now and as the future landscape continues to evolve.
Here is a quick list of features and an initial assessment of their changing importance in light of our discussion.
HIGH IMPORTANCE
1. Risk Identification, Assessment, and Mitigation
2. Reporting
3. Collaboration Features
4. User Friendly Interface
5. Data Security
6. Updates and Improvements
Clearly any system has to identify, assess, and mitigate risk even to be considered. But increasingly, collaboration features and the user interface should be very high on your consideration list. As you distribute tasks and accountability across the organization and empower risk owners and participants, they need to give and receive feedback seamlessly, and thereby refine their outputs to drive high quality and customized reporting. Tailored data permission and access is highly desired, but as a general rule data should be as freely accessible as possible to all participants. Cloud access is also important for ongoing data security, upgrades, backup, etc. As with any system, ongoing support and upgrades are essential.
MEDIUM IMPORTANCE
· Integration
· Regulatory Compliance
Although many platforms emphasize their extensive libraries of APIs and ability to integrate your multiple internal or home-grown systems, you may want to consider very carefully whether the benefit justifies the effort. If the best process is rooted in collaboration of distributed risk owners with highly specific and individualized KRIs, the need to automate the process becomes less compelling. Better to let the expertise and judgement reside with the Risk Owners and have them make the judgement calls and adjustments. Regulatory Compliance is a critical capability that organizations (particularly in regulated industries) require, but more likely falls into the realm of GRCs, not Strategic ERM. Don’t overwhelm your Board and Senior Management team with unnecessary detail that will distract them from focusing on the few critical issues that can threaten the enterprise. Compliance can become an existential issue, of course, but not every reporting period (we hope!).
EMERGING OR POTENTIAL FUTURE IMPORTANCE
· Scenario Analysis
· Incorporating New Technologies
Finally, some potential features and considerations may need additional time to evolve. As ERM becomes more sophisticated and nuanced in its approach, Scenario Analysis, Monte Carlo simulations, and What-if assessments will become a more important evaluation factor. For now, however, this is not a realistic consideration for all but the largest and most sophisticated companies. But this will likely change when there is tighter linkage between ERM platforms and processes. A similar theme is currently unfolding with the incorporation of new technologies in the ERM platform space. Many vendors tout their emerging AI capabilities for monitoring and analysis. This may prove to be a significant disruptor of existing business practices and processes, but only time will tell. Blockchain seemed to experience a similar level of enthusiasm previously, but its impact has been minimal in the ERM space. AI may prove to be different, but it’s unclear for now. And most companies have neither the data nor the processes to leverage the technology immediately. Best to stay seated for now, and invest your efforts in building core competencies rather than chasing new technologies.
Recommendation: Carefully think about how to mesh your ERM platform and organizational process to deliver higher level insights and value to your organization. Redefine the traditional roles of participants and create enabling mechanisms to build and reinforce the new required behaviors.
Don’t settle for the status quo and continue with business as usual. Get MAD!
I hear and I forget. I see and I remember. I do and I understand. -Attributed to Confucius
Introduction
In a recent LinkedIn post, my colleague Steven Strickman pointed out some additional troubling insights about the state of ERM that I had overlooked. One was that the majority of organizations surveyed—by their own admission—lacked end-to-end processes and overall maturity in their ERM process. Perhaps more troubling, however, was their training performance, as nearly 70% of respondents indicated that senior management had received no ERM training within the last two years! Technical training is a crucial aspect of professional development in any industry, particularly in the regulation- and technology-driven world of financial services and insurance.
Can you imagine a comparable time lag in Compliance, Employee Practices, or Product Training?
HR professionals in Financial Services argue passionately, and rightly so, that there’s an intensifying war for talent, especially post-Covid, the Great Resignation, etc. Yet, we are failing not only our future employees, but even our existing employees by not equipping them with essential knowledge and skills. What’s going on?
We don’t have all the answers, but we do have observations on how to make ERM training a more important and interesting part of the overall ERM process, and provide ERM professionals with better credibility and visibility within their organizations.
Tailored Learning By Style
Picture yourself in a room (like high school or college), listening to a monotonous lecture on quadratic equations or trigonometric functions. It's likely to be a tedious experience, especially when it’s chock full of theoretical concepts and lacks a practical context for understanding how to apply those concepts. In addition, communication is almost completely one way. Although the presenter may field questions during or after the lecture, lecture “participants” are “recipients,” and are often uncomfortable interrupting or slowing down the class when they don’t understand something. As a result, considerable opportunities for comprehension and knowledge retention are lost. Are concepts like Risk Thresholds, RAROC, VAR any different? And therefore, is ERM training any more effective?
Training often fails to consider “learning how people learn” to address their audience’s needs and spark their interest. Let me explain. There has been considerable research on how people learn and communicate, with the insight that there are 7 or 8 learning/communication styles, with one being dominant in any given individual.[1] Just like being right or left-handed, you are more comfortable and proficient with one style, although you may use the others at different times and to a lesser extent. Have you ever had a conversation with someone, and everything just clicked in terms of communication and understanding? Likely you both have the same dominant learning style.
And what about those instances where, as much as you tried, you just couldn’t get through to another person? Most likely, your dominant learning styles were different. The funny thing about human nature is that people don’t recognize this and often use their dominant style more forcefully rather than translating their thoughts into the other person’s style. This just makes things even more frustrating for both parties!
So, what does this have to do with ERM training? We would suggest a lot, because by addressing the audience on its own terms, you make the training much more engaging and meaningful.
Before we begin any ERM focused training, we start with a brief experiential exercise by breaking the audience into small groups of 5-6 people, with the groups competing to solve a given problem, typically under a 10–15-minute time constraint. We introduce the challenge in a central location, and each group works in private breakout rooms, reporting their solutions to the central location when they are finished. We then review and evaluate each team’s proposed solutions and later debrief them on their approaches.
The exercise is powerful because it reveals each person’s individual approach and how it corresponds with or differs from the approach of others on the team. Nothing is more predictive of a team’s success or failure than their ability to recognize and work through these differences. By debriefing the teams on how their efforts succeeded or where they went off-track, they gain a greater appreciation for their individual differences, which ironically, makes them subsequently function much better as a team.
In addition, we calibrate the training approaches used in our training discussions based on the insights we derive from the experiential exercise.[2] Concrete examples need to be created and translated into the different learning styles of the participants to ensure understanding, relevance, and audience engagement. This approach drives active participation in the learning process. This active involvement ensures that participants are not merely passive listeners, thereby enhancing their understanding and retention of the subject matter.
Typically, they find this approach to ERM training much more engaging and consistently grade it as more worthwhile and relevant than what they had previously experienced in other training sessions. It’s a shame that our high school and college instructors weren’t as familiar with this approach.
Other Considerations You May Want To Address
In addition to Tailored Learning By Style, all training (but especially ERM training) becomes more meaningful when participants can see its practical application. By incorporating real-world examples into the training, we can demonstrate how the theoretical concepts being taught are used in everyday life. In today’s complex risk environment, we could discuss how demographic, economic, or political challenges can create the potential for catastrophic losses, either individually or through correlated risk events. This not only makes the learning process more interesting but also helps participants remember the concepts better as they can relate the events to things they hear about daily on newsfeeds, Facebook, etc. This is a free and easy way to reinforce the knowledge and methodology that you have introduced in your sessions.
Attempting to grasp a large amount of information at once can be daunting. It's akin to trying to consume an entire meal in one bite! To make the learning process more manageable, complex topics are broken down into smaller, digestible parts. This method, known as incremental learning, starts with the basics and gradually introduces more complex ideas.
Obviously, lectures and handouts may not suffice to explain complex concepts. In such cases, visual aids such as diagrams, charts, and videos can be invaluable. These tools can simplify complex ideas and make them easier to understand. For instance, a flowchart could be used to illustrate the steps involved in explaining a risk correlation matrix, or a video could be used to demonstrate a complex risk concept. You should attempt to ensure that all participants easily understand the materials. Tailor your message to communicate to the dominant learning style of each participant. By catering to specific learner groups, these aids can make the learning material more engaging and comprehensible.
Reinforcement of previously learned material is also a powerful tool in the learning process, as it enhances recall, thereby making the training “stick.” This is unfortunately one area that is woefully neglected in most organizations. As an ERM professional, you are obligated to ensure that everyone in your organization not only learns how to be a risk manager, but remembers how to be one as well.
There are many schools of thought here, but most training information and memory of it decays rapidly after the initial delivery, unless it is reinforced. Generally, three reinforcements seem to work best, usually at 30, 90, and 180 days after the initial training. The good news is that you don’t need to repeat the training, provided that you reinforce shortly after the initial training. Short email reminders, questions, or anecdotes seem to be effective if they are relevant and directly related to the topics of the initial training.
Conclusion
Technical training can be a challenging endeavor, given the complexity of the subjects involved. This is as true in ERM as in other areas, but few organizations have figured out how to make the training more interesting and relevant so that participants enjoy rather than dread the experience. By applying the insights and approaches we have outlined in this article, you can propel not only ERM but your entire organization on a better training path. With the right strategies and tools, all training sessions—even ERM ones—can be transformed into engaging and rewarding experiences. The ultimate goal is not just to acquire knowledge but to apply it effectively in real-life scenarios. You know what to do. So, keep learning, stay curious, and learn by doing. And continue to explore and introduce others to the fascinating world of ERM. Your organization and your peers will thank you!
[1]Howard Gardner, Theory of Multiple Intelligences (Visual, Linguistic, Mathematical, Kinesthetic, Musical, Interpersonal, Intrapersonal, Naturalistic).
[2] If you are interested in learning more about the exercises we use and would like to try them, feel free to contact us directly. We only ask that you keep them confidential since they lose their impact if known to participants in advance.
By Steven Strickman, LSSMBB and Gary Preysner, CPCU, LSSBB
A lot of companies have basic / rudimentary Risk Management Processes and Systems, which makes them sitting ducks for the wrath of the Board Risk Committee (or Activist Shareholders) when they get pummeled by a risk… or two or three. But don't despair - there are things you can start doing IMMEDIATELY that can lessen or negate these bad outcomes. Here are 7 things you can start doing right now / this quarter that will help your company navigate choppy business / economic climates and impress your Management team and the Board that you are proactively keeping the company and its interests safe.
How to upgrade your Risk Management Practices, quickly:
1. Review/Update Your Current Risk Register / System
a. A Risk Management process is a lot like an automobile – it runs really well when driven frequently, but is hard to start when it’s been idle for a long time. Thus, it’s time to update your risk register, prune risks which are no longer relevant / have been mitigated, and begin triaging the ones that matter.
2. Define Maximum Downsides to Each Risk, Along with Likelihoods, As They Stand Today
a. Next, it’s time to define your prioritization factors / method. And the best way to begin is by identifying the maximum impact that each of the risks can have on the company (and assigning dollar quantities), as well as the stakeholders, both internal and external, that would be affected.
3. Review the company's Near-Term Strategic Plans to See Which Risks have greatest potential impact
a. It’s also important to review the company’s Strategic Plan and Goals periodically and see which of them might be jeopardized by the higher-ranking risks on the list. Putting risks through this filter is critical to Senior Management and the Board.
4. Add Emerging Risks and Re-prioritize the List
a. Survey / Interview Business Process Owners / Subject Matter Experts on emerging risks, both internal and external. Be mindful about the changing Economic, Political and Environmental landscapes, and how they might present both risks and opportunities.
5. Define stakeholders who would be affected by the high priority risks and alert their departments
a. It's important to identify not just the “proximate” risk stakeholders, but also the adjacent upstream and downstream stakeholders, and how they would be affected by both the risks and the risk management actions.
6. Assign the Priority 1 and Priority 2 Risks to Owners / Responsible Parties, ASAP
a. Assign the top two priority tiers of risks to Risk Owners / Responsible Parties for management and mitigation. Ensure that these individuals are at the right level, and that reporting lines are clear.
b. Have the Risk Owners develop mitigation plans with milestones, as well as communications plans for reporting progress and escalating issues and incorporate them in the updated Risk Register.
7. Review progress on Risk Management and Mitigation, soon
a. Conduct progress review meetings.
b. Quickly identify and address constraints and dependencies which may hinder risk management efforts.
c. Update risk status based on actions taken / constraints identified, etc.
d. Go back to Step (a). Iterate and refine at least every six months.
These 7 steps will instill confidence in your Senior Management team and your investors, among others. They will show that you understand risk, take it seriously, and are doing more than just checking the “yes, we have a Risk Register" box. Good luck and smooth sailing.
Steven Strickman, LSSMBB is a Founding Partner in the Ironwood Consulting Group, LLC, as well as the President of Serratus Management Consulting, Inc. and specializes in Risk, Operations and Expense Consulting for the Insurance industry. He is also a development partner with SRA Watchtower.
Gary Preysner, CPCU, LSSBB, is the President of The Ironwood Consulting Group and is the Insurance Enterprise Risk Practice Leader with SRA Watchtower. He works with insurance companies across the globe to improve their insurance-specific processes and implement new technologies, while simultaneously strengthening their risk management capabilities. Contact Gary to discuss how he has developed creative and novel solutions to some of the most difficult process and risk challenges that insurance companies face.
SRA Watchtower (SRA) is a technology solution provider serving the Financial Services, Insurance and Technology Industries. SRA's proprietary technology and methodology was designed and built by industry experts to enable clients to navigate risk and drive growth. SRA Watchtower is an intuitive risk intelligence and performance management platform built to continuously inform, enlighten, and empower executives and boards. SRA has helped hundreds of banks effectively navigate through significant risk events since the 2008 financial crisis.
Learn more at https://www.srawatchtower.com/watchtower/insurance