Key Indicators of Weak ERM Programs

The more nebulously a risk is characterized, the less clear who should own it, the greater the chance it won't be adequately addressed.

Almost every insurer has an official list of risks, often referred to as a risk register. Maintaining a risk register is a basic step in managing risks, following risk identification, prioritization, assignment of risk owners and creation of mitigation plans. 

One problem with many risk registers is that they are filled with generic risks. Although these risks may be real ones for the company, their lack of specificity does not contribute to a true understanding of them in the necessary detail or to planning targeted mitigations for them. 

For example, a risk register might show a risk such as “premium receivables may be late, resulting in ‘over 90s’ or uncollectable premiums,” a risk that every insurer has to some degree. However, for the company in question the real risk is “underwriters may have too much discretion to change premium collection terms and conditions leading to ‘over 90s’ or uncollectable premium.” The generic version does not indicate the root cause of the risk and can lead to ineffective mitigation strategies.

Or, a risk register may show a risk as “difficulty in attracting talent for open positions” when the real risk is “social media and internet sites may not present the company in a good light, making it hard to attract talent.” By stating a generic risk, management does not have to admit what it may not want to acknowledge.

Yet another example is a risk register that has stated an IT risk as “too many legacy systems still exist, creating data and service issues,” when the actual risk is “the XYZ underwriting system is not adequately integrated with other systems to create accurate data and seamless processing or a competitive customer experiences.” Not naming the culprit system(s) omits the source and scope of the risk and not adding some modifiers to the effects of the risk omits the true nature of what is at stake if the risk is not addressed.

The more nebulously a risk is characterized, the less clear who should be the risk owner. Without a clear and appropriate risk owner, the greater the chance that the risk will not be adequately addressed.

Regardless of the category of risk, without specifics the entries in many risk registers seem more for external consumption than internal action. If the same list of risks could be adopted by any other insurer of the same size, age and business mix, then it is not fit for purpose for the insurer whose risks it is supposed to represent. It may be fine for an externally published list of risks to lack detail that could be considered proprietary, so long as it meets certain thresholds, but it is not fine for a list intended for internal use.

See also: Risks, Opportunities in the Next Wave  

Another big problem with risk registers is that many do not include the strategic risks the company needs to be concerned about. Strategic risks tend to stem from the vision, mission and goals of the company. A strategic risk might concern the lines of business written or the customer segments targeted or the geographic footprint. For example, a risk for a WC monoline insurer might be “premium volume may shrink significantly in the next five years due to robotics and AI reducing the size of the workforce.” A risk for an "internet only" insurer might be “there may be difficulty reaching sufficient scale because of the lack of barriers to entry by identical competitors and because some buyers will never buy over the internet. Such an insurer will also have a talent risk because of competition for IT talent across all insurers and industries.

Or, a risk for an insurer that has high concentrations in Cat-prone states might be: “Without further geographic expansion, the lack of diversification may hurt profitability significantly.”  

It is simply not common to see these types of strategic risks listed in the risk register. Yet, strategic risks tend to be the most existential of all risks. In the past, some large insurer failures stemmed from strategic risks not being addressed appropriately or at all. For example, risks associated with undisciplined growth or delayed reaction to underperforming books of business, which are strategic risks, have not been recognized by insurers, and such insurers have paid a steep price for that lack of recognition. 

An additional problem with risk registers is the mediocrity of the planned mitigations. A good risk register should minimally show: 1) the risk, 2) its ranking as to impact and likelihood, 3) the risk owner, 4) the planned mitigation and 5) the status of the mitigation efforts at each update of the register.

Undoubtedly, it is key to identify the risks, but identification and recording of the these does nothing to help to the organization unless there is adequate mitigation. Mitigation can take many forms: avoiding, transferring, minimizing or accepting the risk, albeit with a contingency. A planned mitigation that is too weak, too expensive versus the risk or too impossible to implement will not benefit the organization. Worse yet, an inadequate mitigation may allow the risk to grow while the board or senior management thinks it is being reduced.

The mitigations in the register should not be just a recounting of current controls or risk-reducing practices lessening; they should be innovative and robust tactics for attacking the risks.

Boards, senior management and chief risk officers should evaluate their risk registers based on these questions:

  • To what extent are risks stated clearly and specifically?
  • Are there risks included that are unique to the company?
  • Based on how the risk is stated, is it clear who the risk owner should be?
  • Based on how the risk is stated, does it help to pinpoint what type of mitigations are needed?
  • To what extent are strategic risks included?
  • Are there current or emerging strategic risks that are not included?
  • Are the planned mitigations equal to the seriousness of the risks; i.e. are they sufficiently robust? 
  • Is the cost of the planned mitigation in balance with the potential impact of the risk?   
  • Are the planned mitigations attainable, implementable?
  • Is the mitigation plan implementation on track?

Bottom line, a poorly constructed risk register points to a failure of the entire ERM process and practice. As an essential tool for managing risk across the enterprise, it reveals a lot about how well risk is being managed. Thus, the register can be a good indicator of the overall state of ERM in the organization.


Donna Galer

Profile picture for user DonnaGaler

Donna Galer

Donna Galer is a consultant, author and lecturer. 

She has written three books on ERM: Enterprise Risk Management – Straight To The Point, Enterprise Risk Management – Straight To The Value and Enterprise Risk Management – Straight Talk For Nonprofits, with co-author Al Decker. She is an active contributor to the Insurance Thought Leadership website and other industry publications. In addition, she has given presentations at RIMS, CPCU, PCI (now APCIA) and university events.

Currently, she is an independent consultant on ERM, ESG and strategic planning. She was recently a senior adviser at Hanover Stone Solutions. She served as the chairwoman of the Spencer Educational Foundation from 2006-2010. From 1989 to 2006, she was with Zurich Insurance Group, where she held many positions both in the U.S. and in Switzerland, including: EVP corporate development, global head of investor relations, EVP compliance and governance and regional manager for North America. Her last position at Zurich was executive vice president and chief administrative officer for Zurich’s world-wide general insurance business ($36 Billion GWP), with responsibility for strategic planning and other areas. She began her insurance career at Crum & Forster Insurance.  

She has served on numerous industry and academic boards. Among these are: NC State’s Poole School of Business’ Enterprise Risk Management’s Advisory Board, Illinois State University’s Katie School of Insurance, Spencer Educational Foundation. She won “The Editor’s Choice Award” from the Society of Financial Examiners in 2017 for her co-written articles on KRIs/KPIs and related subjects. She was named among the “Top 100 Insurance Women” by Business Insurance in 2000.

MORE FROM THIS AUTHOR

Read More