Tag Archives: Christopher Mandel

How to Use Risk Maturity Models

Over the last 10 years of the “risk leader” portion of my career, as the head of enterprise risk management at USAA (2001-10), as well as during my subsequent work as an ERM consultant, I was challenged by several questions that affect risk management results and, by extension, ultimate success. All fell under the header of “risk management maturity,” and focusing on it can provide huge benefits to you and to your organization.

To start, we need to get two things straight. First, how are you defining “risk,” and have you driven a consensus among key stakeholders about that definition? Second, which risks are you going to manage, and where on the loss curve do they fall?

These questions may sound simple, but the reality is that many risk leaders have responsibilities for only a portion of the risks that organizations face — often, only the insurable risks. If that’s the case, you have your answer to both questions nailed.


If, on the other hand, you are a risk leader with broader accountability for more or all risks (via enterprise risk management, or ERM) that could affect an organization (both negatively and positively), then the first question — “how does your firm define risk?” — requires clear definition. The most commonly accepted definition of risk is “uncertainty.” I like this simple definition, and it captures the most central element of concern. However, the real challenge remains the question about the level of uncertainty (aka frequency/likelihood). To many, even more important is the level of impact or severity. My favorite chart to help illustrate this concept is one where the “tail” of the loss distribution represents where the proverbial “black swans” live.

A typical loss curve has as its peak the expected level of loss, and the black swan sits out on the tail of this curve, where the x-axis is the impact or severity of loss and the y-axis is the frequency or likelihood of loss. While many hazard-focused leaders put their attention on risks at the expected level or to the left along the x-axis, where the certainty of loss rises, the challenge is deciding where in the region of the curve to the right one should be managing. As you move out toward the tail of the curve, the possibility of loss becomes increasingly remote, but the impact of each event becomes more destructive. Key questions that must be answered include:

  • Do we care more about likelihood or impact, or are they equal?
  • What level of investigation do we apply to risks that are remotely likely?
  • How do we apply limited resources to risks that are remotely likely?
  • Do we have a consensus among key stakeholders as to what risks we should focus on and how?
  • Do we have or need a process to manage emerging risks?
  • Do we have a consensus on and clear understanding of how we define risk in our organization?
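
The loss-curve discussion above is easier to reason about with numbers. The following Python script is an added example, not part of the original article: it uses a constructed, hypothetical discrete loss distribution (five severity buckets with assumed probabilities) and shows the three quantities the article distinguishes: the most likely loss (the peak, where hazard-focused leaders tend to look), the expected loss, and the share of expected loss that comes from the remote "tail" events beyond a chosen severity threshold. The figures are illustrative only.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class LossBucket:
    """One point on a discretized loss curve."""
    severity: float      # representative loss for this bucket (currency units)
    probability: float   # probability that a loss event falls in this bucket


# Constructed sample curve (hypothetical figures, not from the article).
# Probabilities fall as severity rises: a heavy right tail.
SAMPLE_CURVE: List[LossBucket] = [
    LossBucket(severity=10_000, probability=0.60),
    LossBucket(severity=50_000, probability=0.25),
    LossBucket(severity=250_000, probability=0.10),
    LossBucket(severity=1_000_000, probability=0.04),
    LossBucket(severity=10_000_000, probability=0.01),
]


def validate_curve(curve: List[LossBucket]) -> None:
    """A loss curve must be a proper probability distribution."""
    if any(b.probability < 0 or b.severity < 0 for b in curve):
        raise ValueError("severities and probabilities must be non-negative")
    total = sum(b.probability for b in curve)
    if abs(total - 1.0) > 1e-9:
        raise ValueError(f"probabilities sum to {total}, expected 1.0")


def most_likely_severity(curve: List[LossBucket]) -> float:
    """The peak of the curve: the single most probable loss size."""
    validate_curve(curve)
    return max(curve, key=lambda b: b.probability).severity


def expected_loss(curve: List[LossBucket]) -> float:
    """Probability-weighted average loss across the whole curve."""
    validate_curve(curve)
    return sum(b.severity * b.probability for b in curve)


def exceedance_probability(curve: List[LossBucket], threshold: float) -> float:
    """Probability that a loss is at least `threshold` (the 'remote' region)."""
    validate_curve(curve)
    return sum(b.probability for b in curve if b.severity >= threshold)


def tail_share_of_expected_loss(curve: List[LossBucket], threshold: float) -> float:
    """Fraction of the expected loss contributed by events at or above `threshold`.

    This is the number the likelihood-versus-impact debate turns on: rare
    events can carry most of the expected loss even when they are unlikely.
    """
    tail = sum(b.severity * b.probability for b in curve if b.severity >= threshold)
    return tail / expected_loss(curve)


def summarize(curve: List[LossBucket], tail_threshold: float) -> Dict[str, float]:
    """Collect the quantities a risk leader would compare before deciding
    where on the curve to spend limited attention and budget."""
    return {
        "most_likely_severity": most_likely_severity(curve),
        "expected_loss": expected_loss(curve),
        "tail_probability": exceedance_probability(curve, tail_threshold),
        "tail_share_of_expected_loss": tail_share_of_expected_loss(curve, tail_threshold),
    }


if __name__ == "__main__":
    # Treat anything at or above 1,000,000 as the "tail" for this sample curve.
    for name, value in summarize(SAMPLE_CURVE, tail_threshold=1_000_000).items():
        print(f"{name:>28}: {value:,.4f}")
```

With the sample figures, the peak of the curve is a 10,000 loss, the expected loss is 183,500, and the two tail buckets, which together carry only a 5% probability, account for roughly 76% of the expected loss. Whether that tail should get 5% or 76% of the risk team's attention is exactly the consensus question the list above asks stakeholders to settle.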

These issues are the starting point to the risk management maturity question, which, if handled well, facilitates organizational success. From these answers, you can chart your course for your firm. The answers will define the process elements of maturity. But we need to define what risk maturity is to track progress toward it and to ensure that stakeholders are aligned around the chosen components.

The various components among the numerous risk maturity models tend to overlap considerably. Here’s one generic set of attributes of maturity:

  • Risk is managed to specifically defined appetite and tolerances
  • There is management support for the defined risk culture and direct ties to the corporate culture
  • A disciplined risk process is aligned with other functional areas
  • There is a process for uncovering the unknown or poorly understood risks
  • Risk is effectively analyzed and measured both quantitatively and qualitatively
  • There is collaboration on a resilient and sustainable enterprise

The first, and I think most thoroughly developed, model comes from the Risk and Insurance Management Society (RIMS). It was developed some 10 years ago or so but remains in my opinion a simple yet comprehensive view of the seven most important factors that inform risk maturity and that, when well implemented, should drive an effective approach to managing any risk within your purview.

The components of the RIMS model include a focus on:

  • The degree to which an enterprise-wide approach is supported by executive management and is aligned with other relevant functions
  • The degree to which repeatable and scalable process is integrated in the business and culture
  • The degree of accountability for managing risk to a detailed appetite and tolerance strategy
  • The degree of discipline applied to using the elements of good root-cause analysis
  • The degree to which a robust emerging risk process is used to uncover uncertainties to achieving goals
  • The degree to which the vision and strategy are executed considering risk and risk management
  • The degree to which resiliency and sustainability are integrated between operational planning and risk process

As with all risk management strategies (no two of which I’ve seen are exactly the same), there is no one way to accomplish maturity. Every risk leader needs to do for her organization what the organization needs and will support.

Another maturity model that is worthy of note is the Aon model. Like RIMS’ model, it enables multiple levels of maturity and methodology for charting progress toward an ideal state. Characteristics of the Aon model include:

  • Ensuring the board understands and is committed to the risk strategy
  • Establishing effective risk communications
  • Emphasizing the ties among culture, engagement and accountability
  • Having stakeholder participation in risk management activities
  • Using risk information for decision making
  • Demonstrating value

This is not to say that the RIMS model ignores these issues. There is simply a different emphasis.

Also noteworthy is Protiviti’s perspective on the board of directors’ accountability for risk oversight. A few highlights include:

  • An emphasis on the risks that matter most
  • Alignment between policies and processes
  • Effective education and use of people and their place in the organization
  • Assumptions that are supportable and understood
  • The board’s knowledge of the right questions to ask
  • Focus on understanding the relationship to capability maturity frameworks

Certainly, the good governance of organizations is critical, and the board’s role is paramount. If the board is engaged and accountable for ensuring that its risk oversight is effective, the strategy is likely to be executed successfully and, by inference, risk will have been effectively managed, as well.


To complete the foundation for the business case for using a risk maturity model to track progress, consider these key points:

  • There is no one right approach; each organization must chart its own course aligned with its culture and priorities
  • Risk must be treated as an integral aspect of strategy
  • There must be a focus on additive value, as with all corporate processes
  • Risk maturity has produced documented valuation premium for studied users

With the effective use of risk maturity models, you should be able to better chart your risk evolution journey; a good maturity strategy, tied to corporate strategy and priorities, is the ultimate nexus for success. Risk and risk management should drive performance results and shape what remains to be done to achieve longer-term aspirations. This approach to managing your risk strategy should allow you to:

  • Translate the component of risk maturity into a successful ERM journey
  • Refer to ERM results and impacts achieved by others to buttress your efforts
  • Understand key tactics to exploit and pitfalls to avoid as you perfect your risk management strategy

Using a risk maturity model will, if nothing else, provide the guard-rails and discipline that may otherwise be missing from your current attempts to make a difference in the success of your enterprise.

How to Manage Claims Across Silos

The long-minimized and largely untapped synergy between casualty claims and benefit programs may offer opportunities for both industries.

Some argue that these worlds are just too different and distinct to bring together, whether through simple alignment or partial to full integration. Managers are often more comfortable in their own functional areas, and sometimes crossing over can stretch expertise and focus. Fundamentally, however, claims are claims.

There’s been a shift in thinking and a growing interest in a more collaborative, aligned and even fully integrated services approach – one that takes many forms but that at its core incorporates a more combined strategy from date of incident through claim closure. The targeted goals for this approach are:

  • Ensuring an appropriate employee experience throughout the life of the claim
  • Targeting and delivering optimal outcomes
  • Minimizing the cost of risk associated with the reasons employees are under medical care or unable to contribute productively to their employer’s mission

Shared Goals

On its face, the value of collaboration seems obvious. From both an employee benefits and risk management perspective, providing care for the individual is of the utmost importance. One of the main objectives is ensuring the right outcomes, which includes leveraging the basic skills of investigation, verification, documentation and equitable resolution that are common between these two realms.

The nuances and distinctions that exist between them are not insignificant, but the key goals are the same – caring for people under medically related distress (regardless of source), minimizing disruptions to workforce productivity and closing claims efficiently and effectively with fairness to all parties and their respective goals and objectives.

Although these objectives have varying levels of importance in each field, they are fundamental to process effectiveness in both. This is not to say that there aren’t peculiar and unique aspects of each that require certain expertise and skills to achieve specific goals.

However, while blending skill requirements among a common group of claims professionals can be challenging, it is not rocket science. Defining and filling positions to enable successful claims handling in both worlds is eminently doable. The biggest hurdle may in fact be the necessary collaboration between these typically distinct functional areas and their leaders.

Many employers are already effectively managing employee injury and disease exposures. There are discernible trends emerging toward fewer silos and more performance-oriented measurements that are focused on short- and long-term strategies. Those companies taking a more collaborative approach can benefit from key elements such as:

  • Compassionate care that puts employee interests first
  • Integrated reporting and measurement across departments
  • Robust analytics that result in prescriptive actions with impact
  • Innovative tools targeted to specific process opportunity areas
  • A more holistic focus on the care of affected employees
  • The over-arching goal of a healthy, productive workforce

So whether or not you have direct responsibility for both functional areas, I urge you to lead the charge that would leverage this opportunity for the benefit of your organization.

How Much Cyber Risk Should You Take?

I have been spending a fair amount of time over the last few months talking and listening to board members and advisers, including industry experts, about cyber risk.

A number of things are clear:

  • Boards, not just those members who are on the audit or risk committee, are concerned about cyber and the risk it represents to their organizations. They are concerned because they don’t understand it – and the actions they should take as directors. The level of concern is sufficient for them to attend conferences dedicated to the topic rather than relying on their organizations.
  • They are not comfortable with the information they are receiving on cyber risk from management – management’s assessment of the risk that it represents to their organization; the measures management has taken to (a) prevent intrusions, (b) detect intrusions that got past defenses and (c) respond to such intrusions; how cyber risk is or may be affected by changes in the business, including new business initiatives; and, the current level and trend of intrusion attacks (some form of metrics).
  • The risk should be assessed, evaluated and addressed, not in isolation as a separate IT or cyber risk, but in terms of its potential effect on the business. Cyber risk should be integrated into enterprise risk management. Not only does it need to be assessed in terms of its potential effect on organizational business objectives, but it is only one of several risks that may affect each business objective.
  • It is impossible to eliminate cyber risk. In fact, it is broadly recognized that it is impossible to have impenetrable defenses (although every reasonable effort should be made to harden them). That recognition mandates increased attention to the timely detection of those who have breached the defenses, as well as the capability to respond at speed.
  • Because it is impossible to eliminate risk, a decision has to be made (by the board and management, with advice and counsel from IT, information security, the risk officer and internal audit) as to the level of risk that is acceptable. How much will the organization invest in cyber compared with the level of risk and the need for those same resources to be invested in other initiatives? The board members did not like to hear talk of accepting a level of risk, but that is an uncomfortable fact of life – they need to get over and deal with it!

The National Association of Corporate Directors has published a handbook on cyber for directors (free after registration).

Here is a list of questions I believe directors should consider. They should be asked of executive management (not just the CIO or CISO) in a session dedicated to cyber.

  1. How do you identify and assess cyber-related risks?
  2. Is your assessment of cyber-related risks integrated with your enterprise-wide risk management program so you can include all the potential effects on the business (including business disruption, reputation risk, inability to bill customers, loss of IP, compliance risk and so on) and not just “IT-risk”?
  3. How do you evaluate the risk to know whether it is too high?
  4. How do you decide what actions to take and how much resource to allocate?
  5. How often do you update your cyber risk assessment? Do you have sufficient insight into changes in cyber-related risks?
  6. How do you assess the potential risks introduced by new technology? How do you determine when to take the risk because of the business value?
  7. Are you satisfied that you have an appropriate level of protection in place to minimize the risk of a successful attack?
  8. How will you know when your defenses have been breached? Will you know fast enough to minimize any loss or damage?
  9. Can you respond appropriately at speed?
  10. What procedures are in place to notify you, and then the board, in the event of a breach?
  11. Who has responsibility for cybersecurity, and do they have the access they need to senior management?
  12. Is there an appropriate risk-aware culture within the organization, especially given the potential for any manager to introduce risks by signing up for new cloud services?

I welcome your thoughts, perspectives and comments.

10 Building Blocks for Risk Leaders (Part 5)

Important things in life are not easily reduced to 10 steps. Nevertheless, this series provides a list of 10 building blocks to achieving long-term success in risk management from someone who has spent more than 25 years striving to carve out the most satisfying career possible, while never losing sight of the attributes attached to the bigger picture. Part 1 is here, Part 2 here, Part 3 here and Part 4 here. This is the fifth and final part.

9. Advance the Profession by Finding or Creating Personal Vision

The concept of innovation is directly and explicitly tied to risk and risk management. Put simply, there is no innovation without risk. Part of this paradigm is taking personal risk to move the discipline forward to places others may not have imagined. In the realm of risk management, settling for the status quo is to be avoided at all costs. Nothing stays the same for long, and a core competency of a true risk leader is having the gumption to push back on owners, which sometimes means questioning authority.

Just as the overall business environment is ever-evolving, the myriad internal and external drivers that can affect the risk profile of organizations must be carefully monitored. It is in this monitoring where the willingness to challenge conventional thinking and the status quo can lead to change, and risk-taking behaviors can be shifted to be more in line with risk appetite and tolerances. A vision for more innovative processes, tools and techniques can be developed, as well as an enhanced view into the murk of risk itself. Importantly, this demonstration of risk leadership will lead to the evolution of risk leaders’ personal vision for more effective risk management for their organizations.

If we haven’t learned anything else since that fateful day on Sept. 11, 2001, we’ve learned that new risks emerge with increasing regularity and seem to have increasing relevance to enterprise success. Furthermore, these new and emerging risks often fall into the strategic category, so they are often not easily measured or mitigated. All this speaks to the need for continuous improvement and innovation in how risk management is practiced and how it affects the design and execution of the organization’s risk framework and model. While personal vision for risk management is necessary — for personal satisfaction and the long-term success of the firm — no two frameworks or models are exactly alike, just as no two firm risk profiles are identical.

By crafting risk strategy, framework and model around the continuously evolving needs of the firm, risk leaders’ vision for risk management will take shape. As it is successfully implemented, this vision will also drive the risk profession forward, through benchmarking, networking and professional external collaborations, allowing all risk practitioners to improve, as well. This is the perfect segue to the last element of a personal risk leader success profile.

10. Give Back

Giving back to the next generation and to communities and nonprofit organizations (some of which can’t afford the cost of risk expertise, e.g., churches and civic organizations) is essential to developing a well-rounded leader and person. But giving back goes well beyond even service to the community and to nonprofits. In the larger context, giving back includes various strategies to help others. Examples include employing interns on a regular basis and taking the time to coach and mentor them well. Too often, intern programs are mismanaged or even abused as sources of raw labor out of which no real development or education occurs. This destroys the attraction to enter the risk profession. Because these programs—done well—can be the source of exceptional talent, it behooves all risk leaders to take advantage of intern sourcing when feasible and include it as a key component of long-term resource planning.

Giving back is also accomplished by bringing the risk leaders’ considerable knowledge to various forums, such as at conferences and industry meetings, through presentations and participation in efforts to discover new solutions to problems. While the primary goal should be to help others, it almost always includes mutual benefit. Many of my colleagues say they actually get more out of this effort than they put in. That has certainly been true for me.

Another example of giving back is the Spencer Educational Foundation’s Risk Manager in Residence Program. This program provides funding for risk experts to bring that expertise into higher educational institutions through a series of lectures and teaching done with the collaboration of selected professors whose goal is to bring diverse experiential learning to students pursuing risk and insurance degrees. This program has been instrumental in highlighting for students the opportunities available in the risk discipline.

There are many opportunities to serve other organizations through volunteer board and advisory positions, where risk experience and expertise is made available to help these organizations, particularly with risk governance. A residual benefit of this activity is broadening the network of contacts and relationships outside the industry, where a clear demand for risk expertise is almost always needed, but infrequently recognized or acted upon.

Last, but certainly not least, is the ever-present opportunity to mentor and coach others to help them achieve their career goals. This is a fundamental responsibility of every manager of people. But it really gains traction with others when those outside the immediate work circle ask for mentoring or coaching, as they recognize and value the deep and broad expertise they can learn via a mentoring program. Usually accompanying that is a keen understanding of the political, social and cultural aspects of work life that those with less experience often find challenging to navigate. One benefit of this activity is a deep and lasting gratitude that is too infrequent in day-to-day business interactions. The related personal satisfaction is often immeasurable and certainly lasting. Personal brands are enhanced, and those being mentored can close the loop on what a true risk leader profile looks like.

Conclusion

There you have it—my list of 10 building blocks for long-term success in risk management. All functions need great leaders to achieve high performance, and risk leaders have more than their share of hurdles to overcome in the process. And yet, those who stick their necks out and take the personal risk associated with doing extraordinary things often succeed in doing so. I urge you to think big about the possibilities of a career in risk and consider these 10 important things that can help define the correct path to take.

After all, no risk, no reward.

10 Building Blocks for Risk Leaders (Part 4)

Important things in life are not easily reduced to 10 easy steps. Nevertheless, this series provides a list of 10 building blocks to achieving long-term success in risk management from someone who has spent more than 25 years striving to carve out the most satisfying career possible, while never losing sight of the attributes attached to the bigger picture. Part 1 is here, Part 2 here and Part 3 here. This is Part 4 in the series.

7. Developing the Bench

While all managers are expected to develop their employees, this aspect of management is harder in risk management than in many other disciplines or functions, if only because of the often smaller teams. But getting the right bench strength established is essential to getting the risk management fortified for the hard times that will inevitably arise. The right bench will also improve the chances of sustained success.

Just finding great people is hard enough. In the risk management world, keeping them can be more challenging for a variety of reasons, including limited upward mobility because of the small team size. However, there are ways to deal with this limitation. For example, GE is well-known for running talented managers through the audit function, where managers have opportunities to gain a broader and deeper understanding of what makes the business tick.

Taking a similar approach with risk management accomplishes the same goals and argues for a regular rotation of talent through both risk management and operations. This allows talented people to be exposed to other leaders and their functions, perhaps opening doors of opportunity. Doesn’t that detract from developing long-term risk leaders? At first blush, it may look that way. In reality, the approach furthers another goal all risk leaders should have; namely, to make every employee into a “little risk manager” for the specific risks for which they are accountable.

While the actual direct report bench of the average risk department will often appear shallow, it can be deepened by considering all employees as a part of the risk team and emphasizing risk stakeholders who can be rotated through risk management to help build a risk culture. Be sure to consider vendor/supplier partners to be part of the team. As we’re all in the risk game together, it behooves every risk leader to look at teams in this broader, more inclusive fashion.

Finally, don’t forget interns. Many view interns incorrectly, as a drag on an already small team, requiring time-consuming training, coaching and direction that fully trained employees may not. Others think interns are only good for mundane tasks and end up underutilizing their skills. But if there is a good intern recruitment strategy—recruiting from the “right” schools and presenting an attractive case for why students should intern in risk management—great interns will be discovered who can materially contribute to the success of both the team and its mission. The key is to not think of them as “temps” but as those who lend themselves to being developed over time for full-time roles. This approach will demonstrate commitment to a solid intern program, which in turn will attract the best and the brightest and broaden the recruitment and team effectiveness strategy.

8. Supplement Value Preservation With Value Creation

While protecting and preserving is job one for risk leaders, the bigger opportunity is helping others understand what it means to exploit risk for gain. This is a foreign concept to many because they don’t think in terms of risk when they’re stress-testing a strategic plan and its component parts. Therein lies the tremendous opportunity to find a way into the planning process, by helping planners make this connection and understand the relationship between risk and success.

Because every risk represents the possibility of failure for organizations, the ultimate challenge for all risk leaders is getting a seat at the planning table, to educate, inform and contribute to the thinking of those charged with plan development and measurement. Don’t be fooled into thinking, however, that acceptance in this realm is a slam dunk. Just as the value proposition for enterprise risk management has been difficult for many to articulate and sell, so planners are naturally skeptical about allowing risk managers to participate directly in their process. Part of this reluctance comes from the reality that, in many organizations, the C-suite is not sold on risk management as a strategic contributor to helping define success for the enterprise. This stems from the dated perception of risk managers as “just insurance” managers. But, as entrenched as that perception may be in many organizations, it is changeable. That is the challenge.

Central to changing this perception is helping educate key management on how risk can and should be leveraged for gain—the upside of risk. Every risk leader needs to educate and make organizations more aware of risk “opportunities” and be willing to take the personal risk associated with doing so. This personal risk is one reason many risk leaders have not evolved into the strategic advisers that can be the pinnacle of the profession. Don’t assume that, just because someone is adorned with the title of chief risk officer, she is actually acting as a strategic adviser. Many are just high-level risk owners with accountability for some related processes, rather than truly “enterprise-wide” risk leaders.