High Performance Risk Management

LOS ANGELES—Risk managers, whose job once focused on a basic “bucket of risks,” and making decisions about which risks are transferable and which ones the company should retain, have been “migrating along an evolutionary path which is allowing us to be more strategic,” said Chris Mandel, senior vice president of strategic solutions at Sedgwick, at the RIMS ERM Conference 2017.

During the session “The Trouble with ERM,” he noted that risk managers now need to alter their focus. “The question for risk managers now is, how do we get our organizations to focus on long-term success and recognize the link between strategy and risk?” he said.

Erin Sedor, president at Black Fox Strategy, said that personal experience taught her the importance of connecting with the CEO and aligning with the company’s strategy when setting up a program. “You need to know what they are talking about and understand strategy,” she said.

Unable to find a satisfactory definition of strategy for ERM, Sedor came up with her own: “A strategic business discipline that allows an organization to manage risks and seize opportunities related to the achievement of its objectives.” She added that, unfortunately, enterprise risk is not a term that resonates with the C-suite, but strategy is.

She identified three major problems with ERM that can dampen its prospects:

  1. A limited view of the organization’s mission, growth and survival.
  2. Silos. Breaking through them is a nonstop process, no matter how a company tries to improve the situation—especially in the areas of risk management, continuity planning and strategy, which typically happen in very different parts of the company. “It is important to link risk management and continuity planning in the strategic planning process, because that will get some attention and get the program where it needs to be,” she said.
  3. Size. Because ERM programs are notoriously huge, she said, “the thought is that ERM will cost too much money, take too many resources and take too long to implement. And that by the time it’s finished, everything will have changed anyway.”

Starting the process by “saying you’re going to focus on mission-critical,” however, can help get the conversation moving. “Because as you focus on that, the lines between risk management, continuity planning and strategic planning begin to blur,” she said.

Sedor described mission-critical as any activity, asset, resource, service or system that materially impacts (positively or negatively) the organization’s ability to successfully achieve its strategic goals and objectives.

She advised finding out what mission-critical means to the organization, what the company’s appetite and tolerance for mission-critical risk are, and what impact mission-critical exposures have on the organization. “Risk managers will often ask this question first, but you have to come to grips with the fact that not every risk is a mission-critical risk,” she said. “And not everything in a risk management program is mission-critical.” Using that context helps in gaining perspective, she added.

When viewing risk management, continuity planning and strategic planning from a traditional perspective, strategic planning is about capturing opportunity and mitigating threats; risk management is the identification, assessment and mitigation of risk; and business continuity planning is about planning for and mitigating catastrophic threats.

Looking at them from a different vantage, however, strategic planning is planning for growth; risk management allows you to eliminate weaknesses that will impede growth, which is why it’s important; and continuity planning will identify and mitigate the threats that impact sustainability. “That is how they work together,” she said, adding, “you are also looking at weaknesses that, when coupled with a threat, will take you out. Those are your high-priority weaknesses. Using a mission-critical context makes it all manageable.”

At this point, if a risk manager can gain enough leverage to talk to executives throughout the organization about what mission-critical means to the company, its impact, and then about tolerances and creating a more integrated program, “all of a sudden, you’ve talked about ERM and they didn’t even know it,” she said. “They thought you were talking about strategy.”

Top Board and C-Suite Risks for 2016

Regulatory changes, economic conditions and cyberthreats are the top concerns of board members and company executives this year, according to a new enterprise risk management survey. U.S.-based companies listed several operational risks as top concerns, while non-U.S. companies listed only one, cyberthreat, as a major concern, according to the report, Executive Perspectives on Top Risks for 2016, by North Carolina State’s ERM Initiative and Protiviti.

Overall, companies see the current business environment as riskier than in 2015, but not as risky as in 2014. With increased inquiries and added concerns about risk from boards of directors and company executives, respondents indicated they will be investing more in risk management this year. “More organizations are realizing that additional risk management sophistication is warranted given the fast pace in which complex risks are emerging,” the study found.

Boards of directors rated only one strategic risk among their top five concerns, with the remaining falling into macroeconomic and operational risk categories. CEOs, on the other hand, saw strategic risks as three out of their top five issues.
According to the study:

“This disparity in the viewpoints emphasizes the critical importance of both the board and management team engaging in risk discussions, given their unique perspectives may be contributing to an apparent lack of consensus about the organization’s most significant emerging risks.”


Internal Audit Role Expanding Further into Risk Areas

With more companies focusing on enterprise risk management and strategic risk, the role of internal auditors is being expanded to include risk identification and risk management, a study by the Institute of Internal Auditors (IIA) and Protiviti has found.

According to Relationships and Risk, Insights from Stakeholders in North America, the top three areas where respondents wish to expand the role of internal audit involve identifying and managing risk. Of 433 North American stakeholders surveyed, 85% said they want internal audit involved in identifying known and emerging risk areas; 78% would like to see internal audit facilitating and monitoring effective risk management practices by operational management; and 78% want audit to identify appropriate risk management frameworks, practices and processes.

The survey also found that 58% of stakeholders believe internal audit should be more active in assessing strategic risk.

When asked to choose the best avenues for internal audit to improve its role in responding to the organization’s strategic risks, stakeholders said:

  • Internal audit should focus on strategic risks as well as operational, financial, and compliance risks during audit projects.
  • Internal audit should periodically evaluate and communicate key risks to the board and executive management.

The report concluded that chief audit executives (CAEs) should consider methods to meet and surpass the needs and expectations of their stakeholders, including:

  • Focusing on risk activities—risk identification and management—when performing advisory services.
  • Demonstrating an understanding of strategic risks in all audit work. Educating stakeholders on ways you can give attention to nontraditional strategic risks.
  • Building soft skills. Communication and relationship building are needed to set priorities when there are competing expectations.

Survey Finds Alliance with Organizations and Risk Reporting Structures

NEW ORLEANS—Seventy-nine percent of companies are aligned with their risk management reporting structure; however, only 27% of risk professionals believe that emerging risks will be a company priority in the coming year, according to the 12th annual “Excellence in Risk Management Survey” released here by Marsh and RIMS.

In the last five or six years, “We have seen significant narrowing of the gap, where there is better alignment of what risk managers and risk executives are providing their organization and what their C-suite and management is looking for and needing in this riskier world that we all live in,” said Brian Elowe, a managing director at Marsh and co-author of the report. Findings are based on more than 300 responses to an online survey and a series of focus groups with leading risk executives.

Elowe explained that the study focused on organizational alignment, risk management effectiveness, data analytics and technology and cyberrisk.

In their study of organizational dynamics, he said, “We looked at priority setting, organizational structure and performance measurement standards to understand effective execution of a risk management strategy.”

The first insight concerned the structures that risk management reports to inside an organization. “We also asked whether the people responding to the survey felt risk management was reporting to the correct area inside the organization. We found that 79% of the respondents said they felt risk management was reporting into the appropriate area inside their organization,” Elowe said.

Looking deeper, he said the survey found that 50% of executives report into the finance area. The other half reports into a wide number of areas inside the company: 12% report to general counsel, 8% to other C-suite members, 5% to internal audit, 5% to operations, 2% to human resources and 11% to “other” functions.

“We found that while they are all in the risk management function, those that report to areas outside of finance tend to be involved in areas deemed to be more strategic in nature. So they are more likely to be involved with things like ERM strategies, IT, privacy and security.”

Elowe said, “We think that finance executives might be well-served to help facilitate greater connections inside their companies to help broaden the perspective that risk executives reporting into finance might be able to have inside their own companies.”

In addition, only 27% of risk professionals reporting to the CFO or treasurer said they expected an increase in spending for training risk management staff, compared with 46% of those reporting to other areas.

The top-five programs reporting to risk management were insurance management (92%), claims management (88%), enterprise risk management (67%), captive operations (65%) and emergency response (63%).

Looking at functions that report into risk management, he said that while the traditional functions of insurance and claims were well aligned, there is a significant alignment with IT. This is compared to several years ago when IT “operated in and of itself in an organization. That is an outcome of the growing cyberrisk and the need for organizations to have a multi-disciplinary approach to how cyber is affecting their organization.”

Discussion groups agreed that the “here and now” is most important to their companies and that more needs to be done to develop understanding of emerging risks. “Risk managers are concerned they are not looking far enough ahead,” Elowe said, adding that company focus is largely directed to regulations and compliance. Carol Fox, director of the strategic and enterprise risk practice at RIMS and co-author of the report, observed that organizations focused on operations are generally not as involved in strategy. She said management understands risks, but fell off in actually planning for emerging risks.

Findings include:

  • Risk management departments that do not report into finance are generally better aligned with other strategic functions within their organizations — most notably in the areas of enterprise risk management, compliance, information technology (IT) risk management, privacy, and security.
  • Despite the importance placed on emerging risks by many board members, senior leaders, and risk executives, only 27% of survey respondents said that identifying emerging risks would be a priority in the coming year.
  • Over the next two years, 42% of organizations expect to increase the level of investment in risk analytics, according to our survey, with 57% saying it would remain flat.
  • Nearly 60% of respondents said their organization has no formal communications plan in anticipation of a cyber event.
  • Risk professionals who report into the CFO or treasurer are much less likely to expect an increase in spending for training risk management staff in the coming year compared to those reporting elsewhere.