Enterprise-wide risk management and the increasing role of risk management in corporate strategies dominated the recent RIMS annual conference in Boston. Professor Jean-Paul Louisot reports
‘Think forward, think risk’ was the theme chosen by the leaders of the USA’s Risk and Insurance Management Society (RIMS) to attract the international risk management professional community to their 2010 annual conference in Boston in the last days of April.
In spite of the rainy and cool Massachusetts spring and the loss of some European delegates frightened off by Iceland’s volcanic ash cloud, almost 9,000 delegates and exhibitors gathered to wish the society a happy 60th anniversary.
It would be impossible here to give a complete account of the general sessions and the more than 200 workshops that took place during the four-day conference. However, it was clear that, in spite of the heavy presence of insurance and insurers in the daily life of most practitioners in the SME and middle-market range, the dominant topics were enterprise-wide risk management (ERM) and the increasing role of risk management in the development and execution of any corporate strategy.
However, that evolution – the coming of age of risk management as an overall management discipline – requires the current generation of risk managers to acquire new competencies to justify their seat at the executive table. As important as the insurance portfolio may be for any business, someone who is simply an experienced insurance technician is unlikely to be invited to participate in the strategic planning process. RIMS is aware of this need and offers ERM seminars to prepare its members for the new Associate in Risk Management-ERM designation developed by the Insurance Institute of America (IIA) to complement its widespread Associate in Risk Management professional qualification.
Financial crisis aftermath
The renewed interest from board members in the subject of risk management is really changing the landscape. After the Enron debacle and the resulting SOX legislation, the Committee of Sponsoring Organisations of the Treadway Commission (COSO), a voluntary private-sector organisation in the US, offered an ERM framework aimed at complying with the law. Most boards viewed risk management as just another compliance issue and did not get really involved. But in the aftermath of the 2007-08 financial crisis, regulatory authorities worldwide have become more concerned and are insisting on a hands-on approach, clearly requiring the board to take responsibility for the management of risk and for the disclosure of the process and its main findings. In Europe, the eighth company law directive is being transposed into local legislation in the 27 member states, and the UK will go one step further with its new governance code (see Editor’s letter, page 2). As far as the USA is concerned, Securities and Exchange Commission rule number 33-9089, in effect since 28 February, clearly sets the stage. It requires:
• the disclosure of board measures to manage enterprise-wide risks, including policies related to risk identification, risk tolerance, and management of risk/reward trade-offs throughout the enterprise;
• section A1 – compensation policies and practices, focusing on disclosure of risk-based compensation policies and practices for all employees, and compensation policies and practices that can create material risks; and
• section C – disclosure of the board’s role in risk oversight, including how the board or a committee receives information from those in charge of managing risk for the company. Such risk management extends beyond the C-suite and seeks to enhance risk management awareness among all employees.
A roundtable recently convened by the North-East chapter of the US National Association of Corporate Directors, to evaluate whether companies benefit from greater board of directors’ involvement in risk management, concluded that companies could realise a benefit provided the SEC rule disclosure requirements become a catalyst for proper attention to risk management, rather than an additional compliance exercise. The key considerations for the board of directors are shown in the box (right).
In line with this development, the Open Compliance and Ethics Group has proposed to its members a corporate social risk management approach that it presents as the governance, risk management and compliance (GRC) model. It aims at ‘principled performance’: integrated management performance, with proactive planning and execution built into the management process.
It can be seen from this list that the promoters of compliance and the GRC triangle recognise that GRC and ERM share essential elements and objectives. But they insist that the tools of GRC reinforce the ERM process.
In fact, the GRC triangle has no real existence without the ERM framework and process, as the decision-makers would otherwise have to decide in a fog. Lifting the fog of uncertainties that cloud the future, which is what ERM brings, is what maintains the organisation’s social licence to operate.
Whereas compliance risk has to be measured on a defined scale, and governance tends to be a matter of tick-box compliance with the established rules, risk requires more differentiation in the description.
Dashboards tend to generate simple output, where a single-point measure of risk may prove ‘risky’. In reality, uncertainty is better represented by a distribution of possible outcomes, with the proviso that past events do not help to predict the potential in the future for an exceptional event – namely, the ‘black swans’ described by Nassim Taleb in his book, The Black Swan: The Impact of the Highly Improbable, published in 2007.
Therefore, contrasting GRC and ERM would be pointless, as the ERM principles, framework and process proposed by ISO 31000 imply that all the operational risk owners are on board with the recognition of risk, both upside and downside, to ensure optimal risk-taking throughout the organisation.
What about audit?
The question of auditing has been an ongoing debate since risk management escaped from the insurance purchasing ghetto. The advancement of ERM with its strategic implications has whetted the appetite of many other departments in organisations. Nobody can ignore that auditors are generally closer to the C-suite than traditional risk managers. However, audit and risk management seem to be talking to each other more. A positive dialogue may ensue, provided none tries to swallow the other.
Clearly, with the devolution of the management of risk to operational managers, it is legitimate that the mission of the auditors be extended to include risk management activities. They are responsible for providing reasonable assurance to the board and the executive team that risks are efficiently managed throughout the organisation. However, auditors are aware that they need both specific competencies and the risk management professionals’ help for this – which is why auditors and risk managers have combined their efforts to develop a guide for auditing risk management. This guide only needs to be revised to take into account the modifications introduced by ISO 31000 when compared to the AUS/NZ 4360. The International Institute of Auditors seems ready to engage in the process of developing its own ERM curriculum, possibly with the help of the UK-based Institute of Risk Management.
Quantifying risks remains mystifying for auditors, who tend to prefer to crank numbers.
Indeed, one may wonder if the worst risks of the future lend themselves to anything better than an estimate based on plausible scenarios. “Not everything that counts can be counted, and not everything that can be counted counts,” wrote Albert Einstein, but board members are reassured by numbers. That is where business intelligence systems come into play, to provide complete and consistent information based on data shared throughout the organisation.
However, in a world of increasing complexity it may be the time to remember the advice from the Stanford energy economist Sam L Savage in his book, The Flaw of Averages: Why We Underestimate Risk in the Face of Uncertainty: “To get a large model to work, you must start with a small model that works, not a large model that does not”. Therefore, capability must be developed that allows at least plausible estimates to be produced.
Strategic risk management
Will the next generation of risk managers consist of strategic planners? This question that John Phelps, director of business risk and solutions for the Blue Cross Blue Shield of Florida, and RIMS treasurer, pondered over is quite legitimate when one takes into account his vision of the conditions for success in developing and implementing an ERM programme.
To summarise, success requires that:
• the executive committee, relaying the board concern, back the project wholeheartedly;
• the risk management competencies are grafted onto the existing organisation’s culture;
• tools and capability be developed that help departments, managers and leaders make better decisions as they take daily risks;
• the towers be torn down to allow for some understanding of the risk across the enterprise; and
• risks be evaluated from a risk portfolio standpoint rather than individually, thus facilitating the definition of risk appetite, while risk tolerance must remain granular.
Finally, ERM may prove a temporary acronym before the final stage of strategic risk management (SRM), if ERM presents itself as a portfolio of upside risks and downside risks with the objective of enhancing opportunities and curbing threats to optimise risk-taking. At the heart of this process is the management of risk to the main intangible asset of each organisation – its reputation – as has been clearly shown by recent developments at Toyota and the ripple effect on its partners.
At this final stage of SRM, the risk manager will be like the co-pilot in a rally, provided he or she acquires the stamina to use the tools of strategic planning and learn the essential skills to communicate in the language of the directors, the executives, the managers and the entire operational staff. But the law of survival is that they will not be the pilot behind the wheel who must make the final decisions. Only the chief executive has the responsibility and authority to do this.
In conclusion, to borrow a quote from the 1989 film Dead Poets Society: “There’s a time for daring and there’s a time for caution, and a wise man understands which is called for.”
Professor Jean-Paul Louisot teaches at University Paris 1 Panthéon Sorbonne, and is dean of curriculum at the CARM_Institute