SPOTLIGHT

June 16, 2011
About Nolan
The Robert E. Nolan Company is an operations and technology consulting firm specializing in the insurance industry. For 38 years, we have helped insurance companies redesign processes and apply technology to improve service, quality, productivity, and costs.

Our staff members are all senior industry experts with 15+ years in the industry. Visit www.renolan.com to download our insurance industry studies, white papers, and client success stories.

Enterprise Risk Management:
The Checks and Balances of Successful Strategy Implementation
Tim Lauer
Senior Consultant

The recent economic challenges have left many of our clients facing new uncertainties, competitive realities, and stiffer shareholder and customer expectations. In many cases, businesses are asking, "What happened?" or "How did it happen?"

These are the wrong questions to ask because they look at the situation retrospectively and on an incident-by-incident basis instead of from a broader, forward-thinking perspective. They also tend to indicate a risk management system that is not linked to corporate strategy, one that is out of tune with emerging risk.

Instead, it is better to have a risk management program that links to the firm's mission and strategy first, quantifies the firm's risk appetite, and provides a periodic risk assessment across the enterprise. This proactive design, which incorporates risk response, monitoring, and reporting as control features, is based on deep participation throughout the enterprise.

The current state of the art in enterprise risk management (ERM) program design uses the framework developed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), published in 2004. The framework is easily pictured as a three-dimensional matrix, with the columns being corporate objectives, the rows being ERM program activities, and the depth being departments or other organizational sub-units. The ability to compile organizational sub-units into larger groupings provides executives and boards with a portfolio-wide view of risk.

Objectives
ERM programs operate within a strategy-setting context. Their goal is to help ensure that the corporation's mission and strategy are accomplished. The COSO framework groups objectives into four standard categories: strategic, operations, reporting, and compliance. However, it is not uncommon to have more than the standard four. For example, a technology company might want a category for innovation risk, or a financial enterprise might need categories for safeguarding assets and product risk. The key point is that ERM program objectives, corporate strategic objectives, and the activities of the enterprise are linked. Every activity engaged in by the entity should connect to an objective.

Activities
The machinery of ERM, how it works, and what it does over the course of a year are called the "components" or "activities" of an ERM program. Auditors, rating agencies, and regulatory agencies are very interested in the scope and depth of the ERM activities undertaken by the firm. Under the COSO framework, activities are organized into eight areas: internal environment, objective setting, event identification, risk assessment, risk response, control activities, information and communication, and monitoring.

The key to understanding how ERM activities work in the COSO framework is to understand how they fit together and why the activities are what they are. Beginning with the board of directors and applying an organized, systematic assessment, the risk management philosophy, strategic plan, risk appetite, and the company's ethical values are linked to certain activities (namely, objective setting, event identification, risk assessment, and risk response). Control activities, information and reporting, and monitoring activities are carried out to provide feedback to management and the board about the current risk position of the firm.

Analytics
The basic analysis for most risk management programs centers on quantifying the probability of an event and the dollar amount of its impact. Although not complicated, the analysis follows a step-by-step approach and uses some interesting graphical presentations, which we will cover in a future article.

Getting Started
ERM is a tool that can help identify and quantify the potential for adverse outcomes, but we find that application of the concepts is often misunderstood or underutilized. ERM programs are not slip-and-fall prevention; they are not insurance programs, and they are not about legal involvement in business operations. Rather, they are about communications, training, education, and a corporate-wide view of the enterprise. They require relatively high levels of experience and business savvy. Every situation is different, but here are a few important timing and pacing milestones:

  • Board approval
  • Board training
  • Identification of the ERM leader
  • Senior management introduction and training
  • Risk identification
  • Actuarial support
  • Reporting design

Summary
Beginning a new ERM program or remodeling an existing one should be undertaken as a long-term commitment. In our experience, it takes at least two business cycles for an ERM program to fully realize its objectives and demonstrate its value. The first cycle is all new, serving as reinforcement for the training and as the first application in the real world. By the time the second cycle comes around, the entity is more experienced, knows what to expect, and is far enough along in the ERM activities to see real results.

Please drop me a line at [email protected] if you are interested in learning more about ERM programs and how they can assist your organization in better managing risk.