Cavalcade of Risk #131: All Things Risk

Welcome to the Cavalcade of Risk blog carnival, an aggregation of some of the best risk management and insurance-related blog posts out there. Before I get to the rundown of posts, thanks go out to David E. Williams at Health Business Blog for his insightful hosting of Cavalcade of Risk #130.

  • Let us begin with Dave Ingram’s post regarding risk management entertainment systems (RMES), where he states, “The Risk Management Entertainment Systems create a very strong impression that ERM is a talking and paper shuffling activity. A waste of scarce corporate time, resources and dollars. ERM needs to be about action. If in the end, ERM does not result in any changes to a firm’s treatment of risks or selection of risks, then there was no real business reason for ERM.”
  • Claire Wilkinson writes about protecting your personal information on Terms + Conditions, the Insurance Information Institute’s blog regarding all things risk and insurance. She states, “the average organizational cost of a data breach increased to $7.2 million in 2010 and cost companies an average of $214 per compromised record up from $204 in 2009.”

And a few more from around the blogosphere:

The next host is Russell Hutchinson at Chatswood Consulting — he’ll host the 5th anniversary edition of Cavalcade of Risk on June 1st. Don’t miss it!

Discussing ERM at RIMS 2011

ERM was a big topic at this year’s RIMS Conference & Exhibition. As it increasingly becomes apparent that enterprise risk management is a vital component of business management as a whole, many attendees were taking the next step past simple understanding and actively looking for practical ways to actually implement the strategy for their businesses. And many sessions at RIMS 2011 were designed for that very purpose.

For instance, “Building an ERM Roadmap” and “ERM Technology Tool Review” included a variety of practical guidelines and sample tools. The discussions focused on how to develop, report and monitor an effective program that meets the business area and board’s needs.

Grace Crickette, chief risk officer at the University of California, offered a useful online resource, based on the university’s own ERM efforts, to help companies define and implement ERM programs in their organizations.

Like organizations within the private sector, the UC system operates in an inherently risky environment. By strategically managing risk, we can reduce the chance of loss, create greater financial stability, and protect our resources so we can continue our mission of supporting teaching, research and public service.

As part of this strategic approach to managing risk, the UC leverages an Enterprise Risk Management Information System, which provides users with a single portal through which they can access and analyze information related to their specific area.

For anyone looking to make progress with their own ERM program, this might be a good place to start.

SRM: The New Core Competency

Strategic risk management (SRM) has become an increasingly hot topic, with risk managers, C-suite execs and managers across all industries looking to continuously improve their risk management plan. After hearing so much buzz about SRM lately, I decided to attend a session on the topic at RIMS 2011.

Speaking on the issue were none other than the celebrated director of strategic and enterprise risk practice for RIMS, Carol Fox; the director of the center for strategies, execution and valuation for DePaul University, Dr. Mark Frigo; and Hans Laessoe, senior director of strategic risk management at LEGO Systems.

Starting off the presentation to a packed room, Fox reminded everyone of the RIMS/Advisen survey, which notes that, to survey participants, the primary value of SRM is:

  • 28% avoided and/or mitigated risk
  • 16% compliance with regulatory and legal requirements
  • 17% eliminated silos
  • 5% process consolidation
  • 24% increased certainty in meeting strategic and operational objectives

Fox noted that SRM was a discipline focused on the upside of risk. More specifically, RIMS defines SRM as a business discipline that drives deliberation and action regarding uncertainties and untapped opportunities that affect an organization’s strategy and strategy execution.

Closing her portion of the presentation, Fox questioned the way that most risk managers think. “Are we too focused on known risks or analyzing the past?” asked Fox. “There appears to be an unmet need for risk management to take a lead role in SRM.”

Following Fox, Laessoe began his speech by explaining LEGO’s theory on risk management, which is:

Prepare for uncertainty –> Active risk and opportunity planning (AROP) –> enterprise risk management –> Monte Carlo simulation

Monte Carlo simulation “has enhanced LEGO’s understanding of uncertainty,” according to Laessoe.

The company applies Monte Carlo simulation to achieve the following:

  1. Budget and estimate uncertainties to show earnings volatility and pinpoint key drivers based on input from business controllers.
  2. Simulation on the ERM risk portfolio to consolidate risk exposure and identify 5% worst-case scenarios, which is the basis of LEGO’s defined risk appetite.
  3. Simulation of credit risk portfolio as a “tool” to have a more frank discussion with insurance partners.

Frigo wrapped up the session with some inspiring words on the future of SRM. “SRM is the new core competency,” he said. “If ERM encompasses all areas of organizational exposure to risk, including strategic, why is SRM the NEW core competency? We believe SRM is a foundation for elevating the value of ERM, and for that matter, management in general.”

Amen!

ERM on the Rise

An uprising in Egypt or a catastrophic natural disaster in Japan can make a company stop and think about how that event impacts their business. And events like these are helping to spur companies to fully embrace enterprise risk management (ERM).

This is a good thing. And, according to some, it’s only going to get better.

James Lam, president of risk-management consulting firm James Lam & Associates, has high expectations for the future of ERM, telling CFO magazine that “We’re going to make more progress in ERM implementations and its standardization in the next couple of years than we did in the last dozen.” According to his research, almost 90% of global organizations with more than $1 billion in revenue are either putting an ERM program in place or, in 25% of those cases, already have a program up and running.

Russ Banham, a contributing editor of CFO magazine, also has some great insight into the present state and future situation of the risk management movement. He penned quite an interesting ERM article that was published today. In it, Banham states that it’s not just black swan events that are to credit for the spike in ERM popularity; three trends have also caused an increase in interest.

  1. Corporate boards are under regulatory pressure to address risk management explicitly.
  2. Proponents of ERM are making progress in having it acknowledged as a best practice for overall risk management.
  3. New technologies are enhancing companies’ ability to evaluate, measure, and prioritize risks, and to test and report on their potential impact.

Banham points to the Dodd-Frank Act, the fact that ratings agencies factor ERM criteria into their ratings process, COSO II (the Committee of Sponsoring Organizations) and the SEC’s sharpened stance on risk management as reasons why some companies, especially larger ones, have no option other than to fully implement an ERM program.

Governance issues aside, ERM would get a major boost if it were widely regarded as an industry standard for best practices. “We are not talking about a one-size-fits-all standard, since risk management is part art and part science, and organizations differ by geographies, markets, business lines, and organizational structure,” Lam says. “It can, however, be an industry-by-industry standard, customized by companies within a given industry.”

Optimism aside, most companies still have a long way to go in terms of developing a comprehensive, efficient and successful ERM strategy. As we see by the second graphic below, more than half of companies still have little or no common risk management processes implemented.

Let’s hope Lam’s predictions come to fruition.