ERM in uncertain times

With reports of allegedly anything between $5.6bn and $13bn of losses in AIG triggered by its massive exposure to bad debts in the mortgage industry it is no wonder that as we approach the last quarter of 2008 there is much speculation about the ripple effects of the credit crunch, and specifically what that means for buyers of insurance in the commercial sector.

Inevitably companies will have to think more strategically about their use of insurance and the areas of risk that they seek to mitigate. However, through this process there is an opportunity for companies to actually create value, improve efficiencies within the business, improve the effectiveness of reporting on business performance, and demonstrate improved governance practices.

Insurance mitigates impact, not the risk itself

All too often insurance is used as a ‘default control’ on risk. For new projects or new initiatives, or simply where insurance has been in place historically it continues to be used as an acceptable control on the potential impact of incidents or occurrences of some form of financial loss. Whilst in these situations there may well be ‘implicit’ controls in place that help to prevent incidents of loss, typically companies do not properly assess, manage and report on these, far less actually put in place active controls to prevent and/or detect incidents, and have these formally managed and reported on.

In effect however, it is mostly the impact of an incident that insurance mitigates, and very often companies accept that a reduced loss (perhaps only the excess and increased future premiums) through insurance cover is an acceptable loss, and the annual premiums are an acceptable price to pay, but make a minimal attempt to actually reduce the likelihood of a loss occurring, or to understand what additional losses might be associated with an incident occurring, such as loss of productivity, or continuity, or reputation.

This is where an embedded Enterprise Risk Management (ERM) framework and technology can provide significant benefits and bottom-line value for any company, through reduction in premiums, or very often through the formation of a captive and acceptance of the risk internally, thus eliminating net premium payments altogether.

Understand the risks better, and reduce or eliminate the need for insurance

Two very simple examples illustrate the theory. The first example is a local government authority, where its large vehicle fleet of cars, trucks and other municipal vehicles were insured comprehensively. By applying simple ERM principles to analyse the level of capital risk exposure the organization faced through vehicle accidents, and comparing that to the levels of insurance premiums paid, it was quickly determined that by changing the terms to only 3rd-party cover and adding vehicles to the same policy as its other capital assets, the cost saving through the reduced premium by far outweighed the expected loss, as determined by the history of claims.

A second example relates to a company in the travel and transport sector, who put in place clear documentation and assurance evidence of good risk management and controls management practices and reporting as it related to the mitigation of fire risk in all its buildings. The company then asked 3 major underwriters to pitch for their buildings insurance, and in demonstrating well managed risk and control processes and reporting, managed to get approximately $2.5m (£1.3m) reduction in insurance premiums over a 3-year period.

These are two very simple examples, but show that basic ERM principles of identification, assessment, mitigation, monitoring and reporting can bring very real savings benefits in the areas of insurance alone.

By applying these principles to all areas of the business, and by clearly demonstrating that the company understands its risks and has those quantified, mitigated and iteratively managed and reported on, then the cumulative savings on premiums can be substantial, and the level of actual claims reduced dramatically.

Additionally however, significant associated benefits can be derived, and further value created such as:

• negative things being less likely to happen;

• positive achievement of objectives and goals being more likely to happen;

• better use of capital;

• better decision-making;

• increased efficiency throughout the business;

• reduced disruption as there are fewer incidents, which may also have reduced impacts;

• business continuity improvement;

• early warning of potential problems before they escalate

Convincing the underwriters that you manage your risks

The objective is to get reduced premiums, or to be confident enough in your assessment of the risks in a particular area to accept them internally and save the insurance premium costs completely. To get reduced premiums, the underwriter will need to be confident that you understand the business area, or project, or initiative that you are seeking cover for, that you can quantify the risks, that there is clear responsibility and accountability for those risks, and that you have a mitigation plan and business processes that monitor and report on those mitigation activities such that the likelihood and level of impact of incidents are reduced. As your ERM activities mature you can start to capture Loss information and monitor incidents, both internal and external, even near-miss information, so that with the benefit of hindsight your future risk exposure forecast can become more scientific over time.

Couple a strong risk management and mitigation approach with evidence of regular testing and independent auditing of controls, as well as key performance indicators (KPIs) that give tangible metrics on the performance of controls or the monitoring of actions, and you have an irresistible argument to demand reduced premiums on the basis that the inherent risks are understood and managed down to a much lower level than without such a framework in place.

The more you do, the more you save! There-in lies the challenge

ERM by definition should encompass all the risks that a business faces, and consequently must be embedded throughout an organization. The deeper and broader a company can embed ERM practices, the greater will be the benefits and the resultant bottom-line value created, particularly where insurance premiums can be either reduced or eliminated all together. Also by definition, embedded ERM practices means that the responsibility lies with the people within the business hierarchy to identify, assess, mitigate, monitor and report on risks, and the associated mitigation and monitoring requirements. However, the very people who an organization will be looking to for regular updates are already likely to be very busy, very pre-occupied individuals, who are not risk experts, so any embedded ERM framework must be a very ‘light-touch’ intuitive process for everyone, in order to gain their enthusiastic participation.

There is not only a responsibility for owners of risks to update information, but also owners of controls, actions, losses and key performance indicators (KPIs). All of these people, as well as the risk owners are likely to be occasional participants in the process, reporting weekly, monthly, quarterly, annually, and of course any time the situation demands an update, even outside the defined regimes.

Managing and reporting on all these data elements demands a systematic approach, where users are notified when reports are due, and alerted to any changes that require their attention, such as risk thresholds being breached, KPIs being exceeded, or the status of risks, controls, actions or losses worsening etc. The data itself must be comprehensively categorized such that analysis of the information can be achieved easily and intuitively, and will provide the basis for strategic decision-making.

A systematic approach to ERM will demand a structured framework in which to capture information from the field for analysis and reporting, and below is an illustration of the data elements (Fig. 1) that should form the basis of an ERM system:

Multiple hierarchical definitions in the data structure, with risk, control and action data at the centre, allow for a very granular categorization of information that provides for valuable and revealing analysis of areas of exposure or anomaly that otherwise would not necessarily be apparent with simple risk registers.

Business Objectives and goals must be captured as they relate to the Business Unit hierarchy, which when linked to performance metrics such as KPIs and Loss data will give powerful indicators of business performance against stated strategic goals.

Risks must be categorized though risk categories themselves, which are fully flexible in definition, as well as by business processes or business functions, as well as user-defined custom parameters that allow additional parameters to be added to definitions of risks, controls, actions, losses or KPIs for specific aggregation and reporting requirements in a particular company implementation.

The ability to link to external content and KPI metrics is extremely important, so around the core data structure external content connectors link to productivity tools and external content connectors (Fig. 2) such as a Portal, email for alerts and notifications as well as off-line workshop tools, external content management or document management systems and other corporate applications.

Implement ERM and Improve your Rating

Apart from allowing a company to drive down its insurance premiums, and to create real value through improved business practices, ERM frameworks and practices have been given notable legitimacy earlier in 2008 by the announcement from Standard & Poor’s (S&P) that the company will enhance its global rating process for non-financial companies to include a review of their ERM programs.

One of the declared aims of S&P’s assessment process is to evaluate the extent to which companies have addressed risk management from an integrated, enterprise-wide perspective. It is now up to the executive management of companies to monitor and assess their performance against stated strategic objectives, and to embed a culture of risk awareness and accountability across the organization.

Examples that S&P have given as to their analysis of risk management culture are:

• Risk-management frameworks or structures currently in use;

• The roles of staff responsible for risk management and reporting lines;

• Internal and external risk-management communications;

• Broad risk-management policies and metrics for successful risk management; and

• The influence of risk management on budgeting and management compensation.

In addition, analysis of strategic risk management will explore:

• ?Management's view of the most consequential risks the firm faces, their likelihood, and potential effect on credit;

• The frequency and nature of updating the identification of these top risks;

• The influence of risk sensitivity on liability management and financing decisions; and

• The role of risk management in strategic decision making.

In this extremely volatile insurance market, caused by the credit crunch and the associated demise of even the biggest of the world’s finance institutions, prudent companies will seek to mitigate their exposure by improving their knowledge of the risks they face rather than simply insuring them. This can only be achieved successfully by implementing an embedded ERM framework and risk management practices.

Do that, and there is a wealth of evidence to support the widely accepted assertion that by embedding ERM technology and practices, real benefits can be derived, both in terms of financial savings on insurance premiums, as well as improved efficiencies in the business that will create bottom-line value.

In a recent study by The Aberdeen Group, “Is your GRC Strategy Intelligent?” (July 2008), that was co-sponsored by Neohapsis, their Competitive Maturity Assessment results showed that Best-in-Class organizations are 107% more likely than all other organizations to incorporate analytics and tools for visibility into the status of risks and compliance processes. Also, Best-in-Class organizations are 74% more likely than all others to map GRC process and technology implementations back to the company’s overall business goals.

Profit is the reward for successful risk-taking, so accept the risk, gain maximum awareness and visibility of it, and reap the rewards.