How helpful are RMIS in embedding enterprise-wide risk management? The professionals’ views are mixed
Risk managers are increasingly looking for systems to make it easier to fulfil an enterprise-wide risk management role, but the profession has mixed views on whether the current crop can deliver.
Many report that they use Excel and Access to manage enterprise-wide risk. Others use RMIS in combination with Excel and Access, and some have designed their own systems in-house.
Olivier Balmat, MCH Group’s head of corporate risk, is one of those who’s successfully implemented an RMIS that supports ERM. During his time as head of group risk at global agrochemicals company Syngenta, he spent a year-and-a-half aligning all the risk matrices, scales, timelines, terminology, tools and techniques across his business, before gradually rolling out Wynyard Risk Management across 90 countries. “In terms of embedding enterprise-wide risk management, I believe that Syngenta is in the top 10 worldwide,” he says.
“We covered it from top down, bottom up and across, the whole matrix. All management teams, from global down to the country levels, and HR. Senior management didn’t want access to the system, they wanted the risk professionals to tell them what they see, which gave us the opportunity to be much quicker in responses and to tell them, ‘We think these and these are the risks, do you agree, and if not, why?’ So it helped to increase the transparency, it helped to save time, speeded up the process, and with that it gave us as risk professionals a chance to turn the conversations away from procedural topics to content topics.”
Saving cost and freeing up time to focus on the big issues is the holy grail of an enterprise risk management system, but some risk managers believe the systems on offer still have a way to go. While ERM and risk register functionality was ranked joint fourth in terms of effectiveness by respondents, scoring 3.2, another enterprise-level concern, supply chain tracking, came bottom of the table with a score of 2.1 (see RMIS functionality, effectiveness at the bottom of the article). Asked to rate the effectiveness of RMIS in helping to build an ERM framework, the jury is evenly split: 42% opt for “average”, 29% choose “poor”’ or “very poor” and 29% “good” or “excellent” (see RMIS effectiveness ratings, below).
A deputy group risk and insurance director of a French environmental services company adds: “In my experience, an RMIS is not usually in place from the beginning of ERM implementation, and thus is used more to empower and foster its deployment than to establish and implement.”
At Saga, a UK specialist insurer and travel agency for over-50s, chief risk officer Andy Bulgin says that as a conglomerate with a number of regulated entities, risk management differs by business unit. The firm has a risk portal, Protiviti, but does much of its enterprise-wide risk management manually in Excel.
“We have standard reviews, where are we in terms of the top risks, and it tends to be those that are directly driving strategy. So we look at it very much at a strategic level, and at high-level operational risks,” says Bulgin. “It’s very, very hard to report on risk appetite. I’d be interested to know if people have systems where they can easily do that, so that they can get an immediate snap check that says we’re either inside or outside of appetite on key risks. We do that manually.
“It’s important because there is an enormous drive that has come from the corporate governance standards. In an ideal world, that’s exactly what your system would throw out. It would say, we’ve got 15 risks of which 12 are well within appetite, three are close to being outside of it, and therefore those are the ones we should be paying attention to.”
John Irving, business development manager at Ventiv, says this type of ERM functionality is developing in tandem with the change that’s happened in risk managers’ roles. “Speaking as a former insurance manager, there has been a slow shift in what insurance managers and risk managers do within an organisation, and certainly they are taking on more prominent roles within organisations.
“Risk management is now higher up the agenda at board level; in turn, that means that risk managers need better access to information, and that’s driven by having more competent systems in place. We’re responding to that need, and driving change with products that haven’t been thought of as useful before to an insurance manager. It’s a two-way street.”
Irving adds that the future of RMIS is to integrate insurance functionality and enterprise risk management. “An engineer out in Australia working on a gas processing plant provides information which ultimately ends up on an underwriter’s desk, which may result in a claim being brought, which then needs to be managed through a system. That system needs to be able to manage the full chain of the insurance life-cycle. That is really the future for these systems.”
At steel corporation ArcelorMittal, operational risk manager Adrian Clements has yet to be convinced. “We have multi systems,” he says. “RMIS is insurance, it’s claims handling, premium handling, it’s addresses, it’s policies, that’s what 99% of people use RMIS for. It’s not for enterprise risk. The insurance department bought their system from Marsh, and it’s fine for insurance, but for enterprise risk, no way. It can’t handle it. Maybe for a smaller company, but not for us.”
After checking out the market three years ago, ArcelorMittal designed its own web-based applications for ERM. Among the shortcomings of commercial RMIS in Clements’ view are their inability to combine tangible and intangible risk, and an inflexibility when it comes to entrepreneurial risk: in other words, opportunities.
“The software needs to be designed for the opportunities, not only the risks. If at a site I want to do some innovation, do something completely out of the box, I will take this entrepreneurial risk – very risky, it could fail, but we need to be innovative, to stretch the limits. That falls within a company appetite but not within the plant’s appetite. We do have a couple of those within ArcelorMittal, where it’s the company taking the risk, not the plant. Then you need a model to do a simulation and say yes, it’s way beyond the plant, but the owner of that risk is at corporate level, therefore it’s OK. A lot of these models can’t handle that type of entrepreneurial, innovative-type opportunity.”