Enterprise Risk Lagging Globally, Study Finds

Despite a widening range of risks faced by organizations globally, less than 35% of companies say they have an enterprise risk management (ERM) plan in place. What’s more, 70% would not describe their oversight as mature, according to the Chartered Global Management Accountant (CGMA) report Global State of Enterprise Risk Oversight 2nd Edition.

The study found that 60% of boards of directors globally are pressuring their companies to increase involvement of senior management.

The U.S. is lagging in some areas, with only 46% of its boards assigning risk oversight responsibilities to a committee compared to 70% globally.

One survey conclusion:

Unfortunately, many executives view risk management as mostly focused on compliance and loss prevention with little connection to strategy and value creation. As organizations evaluate their risk management processes, they may benefit from providing an honest assessment about the extent to which risk management in their organization is an important input to the strategic planning process. Given executives understand the importance of taking risks to generate returns, shouldn’t risk management be an important strategic tool by providing risk insights that inform strategy?

Other key findings of the study are summarised in the report's infographic, "Navigating the risk landscape".

Gauging the Impact of Reputational Risk

The following article is part of a continuing blog series that will explore ideas, concepts, discussions, arguments and applications associated with the field of enterprise and strategic risk management.


In my previous article, I made the point that the public discussion of reputational risk lacks a set of common standards or definitions. This lack of consistency allows organizations to interpret or define the concept of reputational risk in very different ways. For some, reputation is beginning to be viewed as something like the “risk of risks” in the same way people are starting to discuss the concept of the “internet of things.” I questioned whether reputation or brand is actually a risk or a residual event stemming from other extenuating risk domains or actions.

Upon further reflection and discussions with academics and risk professionals who are thinking carefully about this issue, I would go further now to suggest that reputation or brand risk involves perceived or real human behaviors that are, to some extent, measured against societal, economic or moral standards. Adherence to or deviation from established standards generates the basis for the risk, and the degree of variance from the standard influences the duration of the outcome.

The bigger question is: What impact does reputational risk have on economic performance when it is possibly mitigated by the existence of a robust enterprise or strategic risk management methodology? Is the data available to see the "correlates" between a reputational risk event and the key performance indicators it triggers or influences, such as EBIT, ROA, ROE and share price (public or private)?

What we do know from the Aon 2015 Global Risk Management Survey is that business leaders are concerned about reputational risk in general and the possible linkages with other hazard and operational risks within their organizations.

The respondents to the survey said that they worried that a reputational risk event would significantly impact financial performance.

If reputation/brand risk was identified as a precipitating event, the respondents identified regulatory change, increasing competition, talent retention, cash flow/liquidity and share price volatility as "follow on" risk consequences. In effect, reputation/brand risk might constitute a "gateway" risk, where other related "follow on" risk consequences are triggered and serve to increase the overall volatility/impact of the reputation event.

Another way to view the data is to see what events could trigger a reputation event.

In this case, the survey respondents identified nine non-correlated risks that could precipitate a reputation/brand event. Here social media plays an important role.


The speed by which information, accurate or not, is transmitted, consumed and iterated across the nine risk categories may have a material impact on the basis and duration of the reputation/brand event. There is also an error component associated with social media.


How many times have we witnessed an initial media report of a brand damaging event that turns out to be prematurely reported and the facts distorted, only to be corrected in a later reporting cycle?

Next up: Fat vs. thin tail distributions.

Defining Reputational Risk

The following article is part of a new blog series that will explore ideas, concepts, discussions, arguments and applications associated with the field of enterprise and strategic risk management.

One of the more striking conclusions contained in Aon's 2015 Global Risk Management Survey is that damage to reputation and/or brand was considered by the survey cohort to be the most significant risk to the enterprise. The survey was conducted in Q4 of 2014 and received input from over 1,400 respondents from both private and public organizations worldwide.

The “Top Ten” most identified risks included:

  1. Damage to reputation/brand
  2. Economic slowdown/slow recovery
  3. Regulatory/legislative changes
  4. Increasing competition
  5. Failure to attract or retain top talent
  6. Failure to innovate/meet customer needs
  7. Business interruption
  8. Third-party liability
  9. Computer crime/hacking/viruses/malicious codes
  10. Property damage

The survey results should not come as any real surprise given the number of sensational news stories coming from around the world that highlight potential or real reputational or brand problems. We have witnessed data breaches ranging from credit card identity theft in consumer retail, to serious product recall notifications in the food and beverage industry, to product performance/warranty failures in the automotive arena, as well as "hints of reputational quality," defined as "trust," in the early-stage politics of the presidential selection process involving private vs. public use of email servers. There is little doubt that news, sensational or not, impacting reputation or brand will continue for some time to come. The real question is: Should anyone care?

Defining reputational/brand risk is hard to accomplish:

Based on some additional research done by my colleague Sylvesto Lorello, reputational risk is not a new concept, but it arguably has no established or universally agreed upon definition. Academic and business thinking about this subject continues to evolve. Within the insurance underwriting community that I have been in touch with, reputational or brand risk is being compared in scope to contingent liability risks, but with a serious caveat: the basis of the risk is highly variable and the duration of the risk event/loss event is difficult to pin down economically.

The concepts of reputation and brand, for example, are notably absent from the 2004 framework for enterprise risk management proposed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). They are also overlooked in the Basel II international accord for regulating bank capital, which was also issued in 2004.

A lack of common standards or definitions of reputational risk means that companies perceive it in different ways.


Some risk practitioners are beginning to view reputation as a "risk of risks," similar to the dialogue surrounding the "internet of things/objects." Interestingly, an emerging dialogue is developing around whether reputation or brand is actually a risk or a residual event stemming from other extenuating risk domains or actions.

The ISO 31000:2009/ISO Guide 73:2009 definition of risk is the "effect of uncertainty on objectives." In this definition, uncertainties include events (which may or may not happen) and uncertainties caused by ambiguity or a lack of information.

The U.S. Federal Reserve in 1995 defined reputational risk as "…the potential that negative publicity regarding an institution's business practices, whether true or not, will cause a decline in the customer base, costly litigation or revenue reductions."


In this case, the definition points to the potential for hard data from which basis and duration can be calculated.

Definitional issues aside, eventually societies will develop benchmarks with which to measure reputational or brand acceptability. One way of thinking about this approach is shown in the following exhibit.

Here we ignore some of the more difficult definitional discussion around a combined reputation/brand perspective, and limit our view to reputation alone.


From a practical early-stage standpoint, an entity's reputation could be viewed from a potential-threat and a potential-impact perspective. On the threat side, it may be possible to segregate threats into four categories:

  • Risk to reputation stemming from employment activities;
  • Risk to reputation coming from product or customer issues;
  • Risk to reputation derived from governance; and,
  • Other less easily classified risks to reputation.

These categories appear for graphical purposes as if they are mutually exclusive, but in reality there are good examples of causal overlap that increase risk volatility and severity. Recent oil spills and automobile product failures/recalls are enduring situations where more than one causal category created an economically catastrophic reputational problem.

On the other side of the graphic we outline the potential impacts to reputation coming from the threat categories. Again, while not mutually exclusive or exhaustive, the impact areas include:

  • Customer base
  • Financial valuation
  • Brand and media
  • Staff
  • Other less easily defined impacts.

Coming next, who are the stakeholders and how might one approach measuring reputational risk.

Linking ERM and the Insurance Underwriting Process

Enterprise Risk Management (ERM), in one form or another, has been around for almost two decades. Publicly traded companies, especially those in highly regulated industry sectors, have been deploying the ERM process primarily because they were pushed (explicitly or implicitly) to do so by the major credit rating agencies, government mandates such as SEC Release 33-9089 or Dodd-Frank, their internal/external auditors, or members of the board of directors. No matter where the spark came from, however, the number of companies utilizing the ERM process continues to grow.

CFOs, CROs, and risk managers that have been practicing ERM for years have been incurring the expenses for doing so. As ERM programs mature it might be time to consider, in monetary terms, the value the company and its insurers place on all the work that has been done over the years. CFOs ask questions about return on investment (ROI) all the time; why not about ERM? Linking enterprise risk management and the insurance underwriting process is one approach to produce a tangible result. Because the vast majority of commercial insurance renewals are Jan. 1, CROs and risk managers should consider initiating a discussion with some of their insurers to determine the potential credits for having a functioning ERM program.

Brokers typically represent the vast majority of larger middle-market and Fortune 1000 publicly traded accounts. Brokers start to work with their larger accounts months before renewal dates and assemble a submission package for insurance underwriters. The inclusion of a timely and relevant ERM report to the underwriting submission that demonstrates the changes to the risk profile of the company should make a stronger case for favorable rate considerations for their clients. The general headings that we recommend for discussion within the underwriting submission include:

• Risk organization and governance

• Risk appetite, tolerance and limits

• Risk metrics and measurement

• Risk management process, procedures and controls

• Risk monitoring, reporting and communication

These are the same general areas that insurers themselves are being asked to discuss with their own regulators as part of the new Own Risk and Solvency Assessment (ORSA) soon to be issued by the National Association of Insurance Commissioners. If the broker or insurer does not think that having a functioning ERM program merits a price reduction, especially for directors & officers liability insurance, investigate further and dig deeper. Early in the renewal process is a good time for the risk manager, CRO, or CFO to meet directly with underwriters to discuss their ERM from two different perspectives: the amount of rate reduction available now, or the steps that could be taken to improve the risk profile enough to warrant a premium reduction.

Executive management of a company that adopted and implemented an ERM program five years ago should be considering the return on the investment that the company has made over the years. It will be up to the CFO and risk manager to demonstrate how the ERM process has been used to either change or improve the company’s risk profile from what it had been. We suggest a close working collaboration between the company and their insurance broker to craft an underwriting submission that details the benefits of the ERM program.

The collaboration would also be enhanced by including a company representative such as the CFO on the team, to represent the company in front of underwriters that may be encountering this negotiating tactic for the first time. Since the majority of corporate insurance renewals take place on Jan. 1, initiating a conversation in the summer with the insurance broker(s) involved would not be a bad idea. One caveat however, ERM in one company is not ERM in another. Completing a risk identification and assessment does not an ERM program make.