There are nine enterprise risk management (ERM) activities that at least nine-in-ten of the North American chief risk officers (CROs) we surveyed said that they perform in one way or another over the course of a year. None of these activities is necessarily strategic, but a strategic CRO can put a strategic spin on any of them.
And the more times CROs are heard speaking strategically about their work, the more likely they will be invited to play a role in the future strategic activities of the firm.
In general, the way to make any of these activities more strategic is to shift orientation away from focusing on separating information by risk and toward presenting the information in the context of strategy. Easy to say, but the nuances of how to do that play out differently for each activity.
Let’s review these nine activities and see how the seemingly mundane can be strategic.
1. Present periodic risk management report to board — The typical board risk report is organized by risks, usually with the most significant one on top and the rest ranked with diminishing significance. A strategic CRO organizes the risk report in terms of the insurer’s major strategic initiatives. It would be very revealing and highly strategic for the board to see the degree to which the major strategies also are tied to the largest risks or not. And when the risk report indicates that a risk is becoming more dangerous, it would also be helpful for the board to see which of the insurer’s strategies might be endangered.
2. Hold management risk committee meetings — It is refreshing to learn that almost all CROs say that they are actually holding these meetings, though 17% admit that they are primarily on an “as requested” basis. The worst risk committee meetings consist primarily of rushed reviews of items such as risk appetite and tolerance statements that are required to be “from” that risk committee, along with “show and tell” about individual risks by individual members of the committee.
A strategic CRO will work to focus these meetings on both the risks that might have significant impacts to the company and on the insurer’s highest risk concentrations. One CRO suggested that after three years of meetings, her risk committee members had become advocates for a risk point of view at the strategy meetings.
3. Communicate/interact with risk owners — Some insurers follow a “three lines of defense” model for their risk management, with the risk owners as the first line, risk management staff as the second and audit as the third. But this model does not by itself create an open communications channel; CROs can create a forum for cross-silo communications about risk management. And while the specific considerations of that forum may not necessarily be strategic, healthy cross-silo discussion of any substantive subject is likely to lead eventually to better strategic thinking for the insurer (with the strategic CRO as the catalyst).
4. Update risk register — An ERM program can drift into irrelevancy in several ways. One of the easiest is by letting the risk register get out of date. One of the common causes of out-of-date risk registers is a change in the firm’s strategies. As clients’ needs grow and competitors’ offerings and approaches evolve, old strategies become decreasingly effective. Old strategies must adapt, and new strategies must replace failing ones. As this happens, the relative importance of risks will shift.
Some risks that were always there but were too small to worry about may now become significant. Other, once-dominant risks can fall to the middle of the pack. A risk management program that stays consistent threatens to put too much emphasis on old risks and not enough on new risks. The CRO needs to lead a discussion of how shifting strategy or changes to the external environment lead to changes in the risk register.
5. Identify, assess, and plan for emerging risks — The new risks that go hand in hand with the new strategies may not be significant or even destined to happen; or, it may very well be that you are too inexperienced to know yet. The emerging risk process is the solution for this problem. An effective emerging risk process enables you to place known unknowns on a list to be periodically monitored and escalated as experience warrants. The process of linking the emerging risks to strategies makes this ERM activity a more strategic exercise.
6. Update risk tolerance — The CFO I worked for in the 1990s told me that he saw it as his job to make sure that the company had access to enough capital to support the strategies of the firm. Many people see the idea of setting a risk tolerance as almost the exact opposite activity – putting a straitjacket on the business planning. To be strategic, the CRO needs to think more like my old CFO when updating the risk tolerance.
If it appears that the capital available is not sufficient to fund the company’s strategies, the CRO’s first recourse should be to work with the CFO and others in the firm to see how they can gain access to additional capital. Then, they should talk with the business leaders to see how the plans can be made more capital efficient. Only after doing as much as is healthy in those two directions should they consider a risk tolerance that would limit risk taking to below the expected strategic needs.
7. Perform stress and scenario testing — Stress and scenario tests are probably the most effective ERM tool; they are possibly the best way to illustrate the magnitude of various risks to the firm. They can also be used to produce risk capital values for risks that are too challenging to model statistically. Therefore, it shouldn’t be a surprise to learn that they can also be a great strategic analysis tool.
Strategies are usually formed to take advantage of conditions in the most likely expected future scenario. Stress and scenario testing can be a part of strategy formation by requiring the analysis of a strategy’s effectiveness under several potential future situations. The firms that have publicly talked about using this technique have had some pretty remarkable results when the expected scenario failed to emerge.
They had already anticipated an adverse situation similar to what actually happened. An ERM program that is ready to analyze stress scenarios for risk management can assist with strategic analysis of alternate scenarios with much less start-up time than it would take for the strategy folks to develop the capability from scratch.
8. Assess and report on changes to risk environment — The CRO needs to avoid the “Chicken Little” problem when assessing the risk environment. Continually reporting that the “sky is falling” is a sure way to get limited air time in strategic settings. A good way to act as a strategic partner when presenting changes to the risk environment is to include constructive suggestions for adaptation to the changes. Even better would be if business leaders work with the CRO to develop the suggestions.
9. Update risk profile — It is pretty common for the risk profile to be shown two ways: by risk and by business unit. To make this information more strategic, the CRO needs to look at whether the risk strategies overlap with company strategies. For example, one strategy might be to get all business units to continue or to add a focus on products and services to a particular customer segment. In that case, a risk profile that is segregated by customer segments would be in order.
At the other end of the spectrum, fewer than two-thirds of the CROs who responded to our query participated in the following eight tasks. Now, two-thirds seems like a positive take-up rate, but when you look at these items, you will see that most of them are among the most directly strategic activities performed by many of the CROs. So, we see these activities as a major area for development for the third of CROs who are not already doing them, and a possible area of major improvement for some of the rest.
- Capital utilization / allocation
- General employee ERM education and training (risk communication across the business)
- Help identify business opportunities
- Help develop proposals from opportunities
- Assist in identifying failed strategies
- Provide return on risk for prior period or plan
- ERM training for board
- Support product design and pricing
We will take up discussion of these items in future posts.
Chief risk officers have a unique, risk-focused perspective into the activities of their companies. By taking the specific steps outlined above, they can promote this perspective to help achieve strategic goals.
Dave Ingram is an Executive Vice President of Willis Re, specialising in theory and practice of ERM for insurers.
Mark Mennemeyer is a senior Enterprise Risk Management practitioner in Willis Towers Watson’s Insurance Consulting and Technology business.