Implementing a successful ERM strategy
November 2010 | 10QUESTIONS | RISK MANAGEMENT
FW speaks with Neil Cantle at Milliman, Ltd. about the risks facing businesses and how they can be addressed through effective enterprise risk management (ERM).
FW: Are corporate boards and management teams paying enough attention to the risks facing their business?
Cantle: Some companies are clearly more advanced than others. Some boards have already taken the step of creating dedicated Risk Committees to ensure that sufficient time is spent discussing business performance from a risk perspective, and others are specifically allocating time in various forums to discuss risk. The recent crisis heightened interest in monitoring risk for a while but whether that persists as memories fade is yet to be seen. Perhaps an equally important question is whether or not a suitable level of risk information is available to inform these groups so the participants can engage in meaningful discussion of the risks. A number of companies are going through the journey of realising that they don’t know their risks as well as they thought they did.
FW: Is too much expected of executives with regards to risk management? Is it distracting them from their other responsibilities?
Cantle: Companies are in business to manage risk in some shape or form, so it is clear that managing risk is part of the executive role not something to do alongside it. The key is to operate a risk framework which is natural and aligned to the way the business operates and the risks it faces rather than creating a cumbersome ‘add-on’ which gets in the way. I don’t think it is unreasonable to expect executives to know what risks the business faces and to have plans in place to manage and monitor them. Where some companies go wrong is to confuse having masses of measures and onerous controls with risk management – this is not the same thing at all. A proper understanding of how risks arise and propagate combined with useful tools to manage them should empower executives to make better decisions and ultimately deliver better, more stable, business results.
FW: What steps can companies take to identify potential and actual threats to their operations?
Cantle: People in companies often know a lot more than they realise about the risks facing their business. The risk framework must be able to help them communicate what they know to a wider audience and combine their understanding with that of others. Even something as basic as a regular discussion about risks can help the organisation to calibrate its language and raise awareness of the interplay between emerging risk factors in different areas of the business – techniques like cognitive mapping can add rigour to this process. The main thing is that the risk system must be capable of making risk factor interactions visible and enabling the business to understand quickly what the consequences might be. Using measurement techniques which look beneath headline performance and can spot non-linear relationships is key to being able to see the complex patterns of emerging risk early.
FW: Is it important for companies to quantify and prioritise the risks they identify? How can this be achieved?
Cantle: Clearly companies have finite resources and have to choose where to allocate them to keep performance within risk appetite. The risk system needs to support decision-making by helping companies to understand the potential impact of a risk if it materialises and give an indication of how likely the risk is to materialise. This is problematic where the potential risk has not been encountered frequently, or ever, and so data is sparse. Techniques are therefore needed to combine any available data with expert judgement to assess the risks. Typical risk systems prioritise risks on a silo basis, but it is important to consider the significance of risk factors in the context of how they interact. It is generally more efficient and effective to tackle a factor which appears early on in the development of several risk scenarios than it is to wait for those scenarios to develop and try to mitigate each of them separately.
FW: What advice would you give to companies on rolling out an enterprise-wide risk management strategy? What key aspects do they need to consider?
Cantle: Don’t think of it as a control and compliance exercise – it is much more like a change programme, so culture is absolutely key. You need to get people to a place where they culturally feel able to raise and discuss risks and feel that doing so in some way helps them to do their jobs more effectively and deliver the desired level of organisational performance. Don’t build an aggregation of silos – risks arise through the complex interactions of many factors and research shows that studying the sub-components of the company’s performance alone tells you little about the overall performance. A true ERM system therefore needs to be capable of identifying risk factor interactions and help people in the business make sense of them. An ERM strategy has to be absolutely aligned to the strategic goals of the business – after all it is meant to reduce the uncertainty you have around achieving them.
FW: When rolling out an ERM strategy, where do companies typically fall short? Are there certain areas they tend to overlook or undervalue?
Cantle: At the moment, most firms still struggle with non-financial risks, such as operational risk. Part of the problem with studying non-financial risks is that they are quite heterogeneous with a lack of structured data, so trends are hard to monitor.
Another problem is that, even where data is collected, it is simplified to make it easier to aggregate but this simplification usually removes too much information which makes it almost impossible to spot meaningful patterns and identify emerging risks. Companies also struggle to clearly articulate their risk appetite and formulate a clear connection between overall risk appetite and the limits on metrics for individual activities intended to keep the business within appetite. There is still a disconnect in many frameworks between the quantification of risk and the understanding and management of it. Using modelling techniques which more explicitly link drivers to outputs can help to overcome this.
FW: What options might exist for companies to transfer their risks to third parties?
Cantle: This depends upon the nature of the risk and the additional risks introduced by the mitigant. The transfer of certain financial risks and insurance risks is possible through a variety of financial and (re)insurance instruments, and outsourcing can be a way to transfer certain operational risks, for example. Firms often forget that a mitigant can itself bring new risks which need to be understood and managed as part of the ERM programme. It is also important to stress-test the mitigant to identify the extent to which the risk has actually been transferred. In extreme cases firms can find that the transfer was not as complete as they thought in the very scenarios they were trying to protect against.
FW: What is the role of the board in the ERM process? Are they an essential part of installing a risk management culture throughout the organisation?
Cantle: The board set the tone for how risk management fits into the organisation. If the board shows a strong interest in risk and provides good challenge to the executive, then there is a greater likelihood that people within the business will be motivated to consider risks in their decision-making. The board comprises individuals with a breadth of experience, so by engaging them in meaningful discussion about emerging trends and patterns, executives have access to a valuable resource which can help them to identify risks earlier and to make thoughtful responses.
FW: Why should companies regularly review and update their ERM strategies?
Cantle: The environment within which organisations operate changes dynamically on a regular basis, so it would be surprising if the risk strategy did not need to be reviewed at least as often as the business strategy. The danger of not reviewing the risk system regularly is that approaches which worked in one environment may no longer be effective in another. Over time risks may become better understood and new solutions may be available to help manage them. Since risk management requires an allocation of finite resource, it is important to revisit the allocation of defences in light of any new information about the risks and possible mitigants.
FW: Do you expect to see improvements in ERM frameworks across businesses in the years ahead?
Cantle: Risk management is an integral part of running modern business, so the natural desire to achieve better performance should partly drive that trend. I would expect to see increased use of techniques which naturally cope with complexity and interacting factors, which is where many current techniques are cumbersome or fall down completely. There have also been huge advances in techniques to make sense of large volumes of information of all types and we are already seeing firms beginning to take advantage of this in sniffing out trends early, either for strategic advantage or to mitigate risks earlier while they are small. As people get better at embedding risk management thinking into daily processes you should see frameworks becoming more pervasive but less intrusive.
Neil Cantle is a Principal of Milliman working in the London office. With over 20 years’ industry experience he has worked both in business and consulting. Prior to joining Milliman, Mr Cantle sat on the UK board of a large insurer, with executive responsibility for areas such as strategy, risk management and finance. At Milliman Mr Cantle leads the global development of CRisALIS, Milliman’s cutting-edge approach to identifying, understanding, managing and modelling enterprise risk. He can be contacted on +44 (0)20 7847 1537 or by email: firstname.lastname@example.org.
© Financier Worldwide