March 11, 2020
Key Indicators of Weak ERM Programs
by Donna Galer
The more nebulously a risk is characterized, the less clear who should own it, the greater the chance it won't be adequately addressed.
Almost every insurer has an official list of risks, often referred to as a risk register. Maintaining a risk register is a basic step in managing risks, following risk identification, prioritization, assignment of risk owners and creation of mitigation plans.
One problem with many risk registers is that they are filled with generic risks. Although these risks may be real ones for the company, their lack of specificity does not contribute to a true understanding of them in the necessary detail or to planning targeted mitigations for them.
For example, a risk register might show a risk such as “premium receivables may be late, resulting in ‘over 90s’ or uncollectable premiums,” a risk that every insurer has to some degree. However, for the company in question the real risk is “underwriters may have too much discretion to change premium collection terms and conditions leading to ‘over 90s’ or uncollectable premium.” The generic version does not indicate the root cause of the risk and can lead to ineffective mitigation strategies.
Or, a risk register may show a risk as “difficulty in attracting talent for open positions” when the real risk is “social media and internet sites may not present the company in a good light, making it hard to attract talent.” By stating a generic risk, management does not have to admit what it may not want to acknowledge.
Yet another example is a risk register that has stated an IT risk as “too many legacy systems still exist, creating data and service issues,” when the actual risk is “the XYZ underwriting system is not adequately integrated with other systems to create accurate data, seamless processing or a competitive customer experience.” Not naming the culprit system(s) omits the source and scope of the risk, and not adding some modifiers to the effects of the risk omits the true nature of what is at stake if the risk is not addressed.
The more nebulously a risk is characterized, the less clear who should be the risk owner. Without a clear and appropriate risk owner, the greater the chance that the risk will not be adequately addressed.
Regardless of the category of risk, without specifics the entries in many risk registers seem more for external consumption than internal action. If the same list of risks could be adopted by any other insurer of the same size, age and business mix, then it is not fit for purpose for the insurer whose risks it is supposed to represent. It may be fine for an externally published list of risks to lack detail that could be considered proprietary, so long as it meets certain thresholds, but it is not fine for a list intended for internal use.
Another big problem with risk registers is that many do not include the strategic risks the company needs to be concerned about. Strategic risks tend to stem from the vision, mission and goals of the company. A strategic risk might concern the lines of business written, the customer segments targeted or the geographic footprint. For example, a risk for a WC monoline insurer might be “premium volume may shrink significantly in the next five years due to robotics and AI reducing the size of the workforce.” A risk for an “internet only” insurer might be “there may be difficulty reaching sufficient scale because of the lack of barriers to entry by identical competitors and because some buyers will never buy over the internet.” Such an insurer will also have a talent risk because of competition for IT talent across all insurers and industries.
Or, a risk for an insurer that has high concentrations in Cat-prone states might be: “Without further geographic expansion, the lack of diversification may hurt profitability significantly.”
It is simply not common to see these types of strategic risks listed in the risk register. Yet, strategic risks tend to be the most existential of all risks. In the past, some large insurer failures stemmed from strategic risks not being addressed appropriately or at all. For example, risks associated with undisciplined growth or delayed reaction to underperforming books of business, which are strategic risks, have not been recognized by insurers, and such insurers have paid a steep price for that lack of recognition.
An additional problem with risk registers is the mediocrity of the planned mitigations. A good risk register should minimally show: 1) the risk, 2) its ranking as to impact and likelihood, 3) the risk owner, 4) the planned mitigation and 5) the status of the mitigation efforts at each update of the register.
Undoubtedly, it is key to identify the risks, but identifying and recording them does nothing to help the organization unless there is adequate mitigation. Mitigation can take many forms: avoiding, transferring, minimizing or accepting the risk, albeit with a contingency. A planned mitigation that is too weak, too expensive relative to the risk or impossible to implement will not benefit the organization. Worse yet, an inadequate mitigation may allow the risk to grow while the board or senior management thinks it is being reduced.
The mitigations in the register should not be just a recounting of current controls or existing risk-reducing practices; they should be innovative and robust tactics for attacking the risks.
Boards, senior management and chief risk officers should evaluate their risk registers based on these questions:
- To what extent are risks stated clearly and specifically?
- Are there risks included that are unique to the company?
- Based on how the risk is stated, is it clear who the risk owner should be?
- Based on how the risk is stated, does it help to pinpoint what type of mitigations are needed?
- To what extent are strategic risks included?
- Are there current or emerging strategic risks that are not included?
- Are the planned mitigations equal to the seriousness of the risks; i.e., are they sufficiently robust?
- Is the cost of the planned mitigation in balance with the potential impact of the risk?
- Are the planned mitigations attainable and implementable?
- Is the mitigation plan implementation on track?
Bottom line, a poorly constructed risk register points to a failure of the entire ERM process and practice. As an essential tool for managing risk across the enterprise, it reveals a lot about how well risk is being managed. Thus, the register can be a good indicator of the overall state of ERM in the organization.