What does the future hold for enterprise risk management? That’s exactly what a panel Q&A session touched on during the recent RIMS ERM Conference. Carol Fox, director of strategic and enterprise risk practice for RIMS, moderated the discussion between attendees and:
- Ryan Egerdahl, risk manager at Bonneville Power
- Mary Gardner, chief risk officer at Zurich North America
- Rob Torok, risk management consultant with IBM Global Services
To kick off the discussion, Fox asked the panelists what the biggest changes in ERM had been within the last 10 years.
Mary: A really big issue is going to be risk-based capital. Where do we require it, and where are we going to reduce our investment so we can write insurance in growing areas of the world? We want to reduce our risk so we can free up our risk capital so we can go into growing areas such as BRIC nations.
Question: Have you spent much time talking about enterprise content management, like records management, which I’m hearing more and more about?
Rob: One of the things we’re rigorous about is information security, with both internal data and the data that belongs to our customers and our clients. We have an enormous amount of customer data. Because of that, there is an enormous number of controls IBM has put into place.
Mary: It’s an emerging risk. In fact, on October 13th the SEC indicated that all companies will be required to provide information on past breaches and what they might expect in future breaches and what impact that may have on their financial statement. That’s scary and we need to figure out what that means. It’s something to definitely consider.
Question: Having a risk taxonomy — is that effective? Does it help you manage risks? By separating them into various categories?
Mary: I would say yes. We identify risks in each business division and analyze them. It’s kind of a top-down, bottom-up approach. We look at the different kinds of inputs. We also use that to determine systemic risks and see where we have risks concentrated in one particular area or business.
Rob: An organization must have a standard risk taxonomy. Everybody in the organization must look at those risks and talk about how those risks affect each particular business unit. We’ve developed a template of about 150 risks. That template is a fine starting point, but don’t use IBM’s or any other company’s template — it won’t apply to you.
A client gave me a list of 504 risks and asked me to comment on it. The reason they had 504 risks was because many risks were repeated in each business unit and geography. This is because they never had a standard taxonomy. That list could’ve dropped by 40 or 50% easily if they had a standard language or taxonomy.
Mary: Companies need to think of their standard taxonomy as a living document.
Question: What do you do to help identify emerging risks?
Ryan: I’m less concerned about the unknowables. I’m concentrating on the big risks facing us now. We have enough to worry about right now in our business alone.
Rob: I haven’t got a clue what that next risk is, but allow yourself to think broadly about it. Don’t close your eyes to things. Don’t shoot down the ideas of someone who says “hey, what about this or what about that?”
Mary: Keep it simple. We can make this ERM process so complicated sometimes. Maybe if we just get back to basics it would be much better.
Ryan: If you’re just starting the ERM journey, don’t rush into the GRC software immediately — wait until you’re mature enough in the process to get there.
Mary: Get out of the box. There are a lot of conversations that may spur thoughts. Talking to risk managers in other industries may spark ideas.
Rob: What about your business and social network? What are they worried about? I’m not talking about things that have already occurred, but what has not happened yet in their enterprises. Use that information to help you think about risks in your own enterprise.