RMIS may be fine at flagging up natural catastrophes, but when presented with seven other risk categories, less than a quarter of our survey’s respondents said their systems had been much help

Risk identification is a crucial activity of a modern, enterprise-wide risk management team, and the capability of RMIS to support this task within an organisation has been developed to varying degrees by vendors.

However, the message that emerged from our survey about risk identification was summed up by a comment from one respondent, the deputy group risk and insurance director of a French environmental services company: “It’s quite rare that our RMIS has helped to identify potential risks, except during the risk-mapping process – the RMIS is only a medium.”

When asked which risks RMIS has helped to identify, risk managers’ strongest response was natural catastrophes, at 38%, suggesting that many systems are good at risk identification for physical-type risks; next was regulatory and compliance risk at 33%; and third, at 27%, people risk (see risk identification, below). For each of the remaining seven risks surveyed – technology risk, geopolitical risk, supply chain, terrorism and political violence, management liability, environmental liability, and reputation damage – less than a quarter of risk managers say that they have identified the risk by using an RMIS.

The spread of the results, with reputation damage the risk least likely to be identified in an RMIS (11%), gives the impression that for complex and intangible risks, RMIS are less good at supporting risk identification. Olivier Balmat, MCH Group head of corporate risk, says: “The maturity of risk management when you look at it from an ERM perspective, the insurable risk part is 15% of the risks you have identified. The rest is mainly operational, and then you have a chunk which is entrepreneurial, which you just take.”

Balmat discovered, through his experience of introducing an RMIS while at Syngenta, that identification of all types of risk was enhanced by aligning risk practices and methodologies because intelligence-sharing improved significantly between departments. Prior to implementing an RMIS, it was “hard to ensure consistency across the board”, he says.

Adrian Clements, operational risk manager at steelmaker ArcelorMittal, echoes the experience that risk identification is often more a result of good-quality communication and business intelligence than the outcome of a system’s functionality. By developing its own internal system, ArcelorMittal has uncovered certain trends in risk identification.

“Let’s say we have around 150 major sites, and each one does its own risk assessment. They report on a quarterly basis what they think their risks are, and that bubbles up to corporate level, and we have, at each layer – country, segment, group – people who have a broader view and can add risks. But we’re finding that at site level, sometimes they miss risks or are underestimating them.”

Rather than relying on information provided by the business through a system, Clements therefore incorporates an element of proactive risk education in his enterprise-wide risk role.

Overall, the verdict on risk identification by RMIS seems vague. “Certain systems are quite supportive of risk identification, although not all,” explains Francois Beaume, deputy group risk manager and insurance director at Bureau Veritas. “Risk identification methodology is encapsulated into the application, and the system therefore ensures that risk analysis is done according to the group’s methodology and principles.”

He adds: “RMIS is a way to share best practice, for example on risk mitigation. It helps to transversalise best practice across departments and to blur the boundaries between them.”
