Risk Managers at Risk: 7 Things You Need To Do To Save Your Company…. And Your Job
Gary Robert Preysner ERM/Process Improvement Expert, CPCU, ARM, LSSBB
Insurance SME and Client Change Agent @ Ironwood Consulting Insurance ERM Head @ SRA Watchtower | CPCU, MBA
Begin with the end in mind. -Stephen Covey
Our previous article laid out 7 steps to restoring credibility and importance to the ERM function for organizations. In this article, we address the two most fundamental questions that ERM professionals frequently overlook:
1) What is the current role that the function has assumed? And more importantly,
2) What is the optimal role that best serves the larger organization’s ERM needs?
Hint: They are often misaligned.
In our experience, ERM organizations can evolve through three stages of development, although most get stuck in the process. The lines between the three are not fixed, of course, but the roles provide a good starting point for you to evaluate where you are currently and where you want—and need—to be.
The progression is as follows:
In approximately 40% of the organizations we know or have worked in, ERM assumes the “Loyal Servant” role, and rarely evolves much beyond it. This role emphasizes procedure over content, and favors acquiescence over confrontation when dealing with individual business units or the organization as a whole. The Loyal Servant role aggregates rather than integrates information, and its Risk Management efforts deliver rather than interpret data in its interactions with the C-suite and Board. Mitigation efforts tend to be limited in scope and non-controversial, e.g., ergonomics, other workplace safety, etc., and ERM understanding of core business processes and risk nuances is weak. Because the unit focuses on procedural adherence and only on very limited process improvement or change management, it uses rudimentary technology (disparate spreadsheets) and risk classification categories, and has limited exchange with LOB risk owners. Furthermore, it has little if any Board visibility and carries little strategic weight. This type of ERM unit is largely perceived as “bureaucratic” and ineffective, and appears to reinforce the perception of ERM as a “check the box” exercise for the organization. The biggest challenge here is gaining relevance.
Another 50% of organizations succeed in developing more advanced ERM skills, and ascend to the “Watchdog” role. Watchdog organizations generally possess broader business knowledge and better technology (often including multiple Risk Registers / ERM systems), but struggle to integrate them. Although Watchdogs typically monitor KRIs and provide input to their development, they rarely lead the development process. They employ standard risk classifications, e.g., Probability vs. Severity (H, M, L). Their relationship and involvement with individual business units or risk owners varies greatly, i.e., close partners with some, distant from others. Watchdogs typically report to the Board at least annually on the top risks that the organization faces. Their focus, however, remains more on KRI trend reporting than on true synthesis or holistic integration. They monitor traditional risks, such as Finance, IT, and Operations well, but don’t exhibit a great deal of creativity in exploring newer areas such as Cyber, International, or the identification of correlated risks. They are often perceived as simply covering the same ground as—or second guessing—the business units. This often creates friction across the organization, and the LOBs can be somewhat dismissive. The ERM staff does understand the business reasonably well and can contribute more than they do. But they often feel that they just don’t have a strong enough mandate to do so.
Only about 10% of ERM organizations grow into the “Business Partner” role within their respective companies, thereby achieving the highest levels of effectiveness. Their stature derives from three elements:
· A thorough understanding of the specific risks within all units of their businesses,
· Enabling technology to automate risk stratification, reporting and monitoring, and
· Ongoing partnerships with the rest of the organization to monitor risks as they change to calibrate potential correlations.
These ERM organizations provide strategic value by creating a holistic perspective on the enterprise’s total risk posture as it evolves over time. The unit typically concentrates its efforts not on evaluating the existing LOB mitigations around established risks, but on defining the interactions between those risks across LOBs, defining their interactions with new and emerging risks, and creating mitigation plans for those exposures and potential risk cascades. This provides unique value to the enterprise, as ERM is the only group with the mandate and the capabilities to view risk from this perspective. Enabling technology typically allows risk prioritization and focuses ERM attention on the highest value priorities. Many of these organizations are currently determining how to integrate AI into these efforts.
The three key questions for all CFOs, CROs and Risk Managers should first be: where are you, what do you want to be, and how can you best serve or save your organization? In our experience, we have often found significant divergence between ERM’s internal perception of itself, and the perception its corporate partners have of it.
So, what should you do NOW?
1. Evaluate your organization’s current perception of ERM.
2. Validate these perceptions with peers and management.
3. Create a roadmap to ensure your organization’s ERM future.
You may want to begin by surveying your senior management on what they expect or would like of you and then conduct an honest evaluation of your current skills and existing activities.
Gary Preysner, CPCU, LSSBB, is the Insurance Enterprise Risk Practice Leader with Strategic Risk Associates and President of The Ironwood Consulting Group. He works with insurance companies across the globe to improve their insurance-specific processes and implement new technologies, while simultaneously strengthening their risk management capabilities. Contact Gary to discuss how he has developed creative and novel solutions to some of the most difficult process and risk challenges that insurance companies face. He can be reached at [email protected].
Steven Strickman is a development partner with Strategic Risk Associates, LLC, as well as a Founding Partner in the Ironwood Consulting Group, LLC, where he specializes in Risk, Operations and Expense Consulting for the Insurance industry. He can be reached at [email protected].
Strategic Risk Associates (SRA) is a technology solution provider and risk management consulting practice serving the Financial Services, Insurance and Technology Industries. SRA's proprietary technology and methodology were designed and built by industry experts to enable clients to navigate risk and drive growth. SRA Watchtower is an intuitive risk intelligence and performance management platform built to continuously inform, enlighten, and empower executives and boards. SRA has helped hundreds of banks effectively navigate through significant risk events since the 2008 financial crisis.