
Claims and Effective Risk Management

The cost of claims has been at the heart of Total Cost of Risk (TCOR) since even before the inception of risk management as a separate function. The sheer magnitude of losses, insurable or not, defines so much of what risk managers focus on and tends to be what they report on most often, as well. The nature of mature and, by inference, effective risk management programs has claim management as a key focus. While risk maturity is directly correlated with risk effectiveness, this latter term encompasses a much broader perspective on things that matter. 

Not surprisingly, many components of risk management maturity have some connection to effective claim management. Accordingly, it is appropriate to understand what these components are and how they dovetail with a more comprehensive view into effective risk management. Admittedly, this perspective relates most to the traditional practice of risk management, focused on hazard risk, but failure in this realm will likely point to failure in other areas of risk management.

Components of Risk Discipline 

To instill risk discipline, and, by extension, maturity into claim management, one must set the tone for effectiveness across the spectrum of risk management activities and significantly feed overall risk management performance. This tone will influence the ability of risk leaders to act as “trusted advisers” to organizational decision makers. This should be a key goal for risk leaders, critical to long-term effectiveness and functional sustainability.

The starting point for this subject is two key things. First, how one defines “risk” and drives a consensus among key stakeholders about that definition. Claims are, of course, the outgrowth of risk and exposure. This direct relationship is the essence of why claims and effective claims management have a direct relationship to effective risk management. Whether this aspect of the discipline gets done by insurers (as part of the insurance contract), insureds (as a part of a self-administered claim operation) or through third parties (independent adjusters, third party administrators etc.) makes little difference. Effective claim management feeds effective risk management.

The second issue is both which risks are your focus and where on the loss curve they fall. This may sound simple, but the reality is that many risk leaders have responsibilities for only a portion of the risks that organizations face; often only the insurable risks. If that’s the case, the need to focus on claim management is clear; one leads to the other.

The Basics of Effective Risk Management Maturity

If you are a risk leader with broad accountability for risks, then the first question of “what is a risk to your firm?” requires total clarity. For the purposes of this article, a good definition of risk is “uncertainty” as it relates to the accomplishment of objectives. This simple definition captures the most central element of concern — uncertainty. However, the real challenge is determining the amount of uncertainty (such as frequency/likelihood), as well as the level of impact or severity. Each risk leader must make this choice and get it validated by his or her organization.

While many leaders focused on hazard risk look at risks at actuarially “expected” levels of loss, the challenge is how far out on the tail one should manage. While the possibility of loss becomes increasingly remote as you move out toward the tail of the curve, the impact of events becomes more destructive. Because the magnitude of loss in this realm can be catastrophic, the importance of both preventing and mitigating these events and their impact becomes critical. Central to after-loss mitigation is the claim management process. Related key questions that every risk leader must answer include:

  • What matters more to your organization: likelihood or impact, or are they equal?
  • What level of investigation should you apply to less likely risks?
  • How do we apply typically limited resources to remotely likely risks?
  • Do you have a consensus among key stakeholders as to what risks to focus on and how?
  • Do you have or need an emerging risk identification process?
  • Do you have a consensus on and clear understanding of how you define risk in your organization?
  • Have you educated your organization on the correlations between losses, claims and risk effectiveness?

These questions are the starting point for ensuring risk management maturity. From your answers to these questions, you can chart your course for what this will mean to your firm. The answers will define the process elements of maturity that will be needed to achieve your desired state. But we need to define what risk maturity is to track progress toward this state and to ensure that stakeholders are aligned around the chosen components necessary to get there. Understanding the attributes of claims and risk maturity includes:

  • Managing exposures to specifically defined appetite and tolerances;
  • Management support for the defined risk culture that ties directly to the organizational culture;
  • Ensuring disciplined risk and claim processes aligned with other functional areas;
  • Creating a process for uncovering the unknown or poorly understood (aka emerging) risks;
  • Effective analysis and measurement of risk and claims both quantitatively and qualitatively; and,
  • A collaborative focus on a resilient and sustainable enterprise, which must include a robust risk and claim strategy.

Examples of Risk Management Maturity Models

One thoroughly developed risk management maturity model (RMM) comes from the Risk Management Society (RIMS). While it was developed some 10 years ago, it remains a simple, yet comprehensive view of the seven most important factors that inform risk maturity. When well implemented, these components should drive an effective approach to managing all risk within your purview. 

The components of the RIMS RMM model include:

  • Adopting an enterprise-wide approach that is supported by executive management and that is aligned well with other relevant functions;
  • The degree to which repeatable and scalable process is integrated in the business and culture;
  • The degree of accountability for managing risk to a detailed appetite and tolerance strategy;
  • The degree of discipline applied to using the elements of good root cause analysis;
  • The degree to which a robust emerging risk process is used to uncover uncertainties to goal achievement;
  • The degree to which the vision and strategy are executed considering risk and risk management; and,
  • The degree to which resiliency and sustainability are integrated between operational planning and risk process.

Like all risk management strategies, no two are exactly the same, and there is no one way to accomplish maturity. Importantly, every risk leader needs to do for his or her organization what the organization needs and will support. 

Of course, RIMS is not the only source of risk maturity measurement. Others, including Aon, offer other criteria. Aon’s model includes these components:

  • Ensuring the board understands and is committed to the risk strategy;
  • Effective risk communications;
  • Emphasis on the ties among culture, engagement and accountability;
  • Stakeholder participation in risk management activities;
  • The use of risk information for decision making; and,
  • Demonstration of value.

This is not to say that the RIMS model ignores these issues; the two models simply place different emphasis on them.

Another model worth considering is Protiviti’s perspective on risk maturity as it relates to the board of directors’ accountability for risk oversight. A few highlights of the perspective include:

  • An emphasis on the risks that matter most;
  • Alignment between policies and processes;
  • Effective education and use of people and their place in the organization;
  • Ensuring assumptions are supportable and understood;
  • The board’s knowledge of asking the right questions; and,
  • Understanding the relationship to capability maturity frameworks.

Certainly, good governance is critical to ultimate success, and the board’s role in that is the apex of that consideration. If the board is engaged and accountable for ensuring their risk oversight responsibility is effectively executed, the successful execution of the strategy is likely and, by inference, risk and related claims will have been effectively managed, as well.

Another critical aspect of the impact of risk and claims that should not be overlooked is their impact on productivity. If productivity is directly related to people’s availability to work, then we can quickly agree that risks produce losses that affect both people and property, oftentimes together. We can readily agree that impacts to productivity are a frequent result of losses and the claims they generate. Further, productivity impacts are not just limited to on-the-job injury. Every car accident, property loss or general liability loss that includes personal injury has implications for productivity, in either the workplace or outside of the workplace. As a result, it behooves all risk and claim leaders to execute their roles by aligning their interests and driving their focus.

Finally, a few fundamentals that are important to understand in execution of these goals include understanding that:

  • how you handle claims will directly affect not just your TCOR but your overall risk management capability and effectiveness; 
  • there is no one right approach to managing claims or risks; each organization must chart its own course aligned with its culture and priorities;
  • risk and the claims they can generate must be treated as an integral aspect of organizational strategy;
  • risk and claim management should focus on additive value; and,
  • greater risk and claim maturity has been shown to achieve better results.

In its simplest form, risk management is about preventing (or, on the upside, leveraging), financing and controlling risk and loss. Effective risk management is dependent on many elements, not least of which is effective claims management. And while claims are naturally focused on negative events that have already occurred, this activity is centrally critical to comprehensive, effective risk management.

How you prioritize claims and related activities will have significant effects on how you can contribute to organizational success. Doing both well will enable both risk and claim management effectiveness, demonstrated by measurable maturity.

How to Understand Your Risk Landscape

This is part two of a series of five on the topic of risk appetite and its associated FAQs.

The author believes that enterprise risk management (ERM) will remain locked in organizational silos until boards are mobilized in terms of their comprehension of the links between risk and strategy. This is achieved either through painful and expensive crises or through the less expensive development of a risk appetite framework (RAF). Understanding risk appetite is very much a work in progress for many organizations. The first article made a number of observations of a general nature based on experience in working with a wide variety of companies. This article describes the risk landscape, measurable and unmeasurable uncertainties and the evolution of risk management.

The Risk Landscape

Lessons learned following the great financial crisis (GFC) include the importance of establishing an effective risk governance framework at the board level. In essence, two key questions must now be addressed by boards.

First, do boards express clearly and comprehensively the extent of their willingness to take risk to meet their strategic and business objectives?  Second, do they explicitly articulate risks that have the potential to threaten their operations, business model and reputation?

To be in a position to provide credible answers to these fundamental questions, we must first seek to understand the relationship between risk and strategy.

It is RMI’s experience that risk and strategy are intertwined. One does not exist without the other, and they must be considered together. Such consideration needs to take place throughout the execution of strategy. Consequently, it is vital that due regard is given to risk appetite when strategy is being formulated.

Crucially, risk is now defined as “the effect of uncertainty on objectives.”

It is clear, therefore, that effective corporate governance is strategy- and objective-setting on the one hand, and superior execution with due regard for risks on the other. This particular landscape is what we in RMI refer to as the interpolation of risk and strategy. For this reason, RMI describes board risk assurance as assurance that strategy, objectives and execution are aligned. Alignment is achieved through operationalization of the links between risk and strategy, which will be described in the final article in this series.

Before further discussion, however, we would like to draw attention to observations based on our practical experience that give cause for concern, namely:

1.  Risk appetite: While we now have a globally accepted risk management standard [3] and sharper regulatory definition of effective risk management for regulated organizations, there is as yet much confusion, and neither a consensus nor an internationally accepted guidance, as to the attributes of an effective risk appetite framework.

2.  Risk reporting: In relation to risk reporting, two significant matters arise:

Risk registers that are primarily generated on the basis of a compliance-centric requirement, as distinct from an objectives-centric [4] approach, tend to contain lists of risks that are not explicitly associated with objectives. As such, they offer little value in terms of reporting on risk performance.

Note: RMI supports the adoption of a board-driven, objectives-centric approach [5] to reporting and monitoring risks to operations, the business model and reputation.

Risk registers and other reporting tools detail known risks and what we know we know. They tend not to detail emerging or high-velocity risks that have the potential to threaten the business model. As such, they tend to be of limited value in terms of reporting or monitoring either unknown known [6] or unknown unknown [7] risks. This is a matter that should give boards cause for concern given the pace of change, hyper-connectivity and the disruptive nature of new technologies.

3.  Risk data governance: The quality, rigor and consistency in application of accounting data that is present in well-managed organizations does not equally exist in those same organizations in the risk domain.

The responsibility of directors to use reliable accounting information and apply controls over assets, etc. (internal controls) as part of their legally mandated role extends equally to information pertaining to risks that threaten financial performance. The latter is not, however, treated in an equivalent fashion to accounting data. Whereas the integrity of accounting data is assured through the use of proven and accepted accounting systems subject to audit, information pertaining to risks typically relies on the use of disparate Excel spreadsheets, Word documents and PowerPoints with weak controls over the efficacy of copying and pasting of data from one level of report to another.

Weaknesses and failings in risk data governance can be addressed in much the same way as for other governance requirements.

For example:

a.    Comprehensive training for business line managers and supervisors on:

  •  (Risk) Management Processes,
  •  (Risk) Vocabulary,
  •  (Risk) Reporting,
  •  Board (Risk) Assurance Requirements

b.    Performance in executing (risk) management roles and responsibilities included in annual performance appraisals,  

c.   System [8] put to process through the use of database/work flow solutions, providing an evidence basis of assurance that:

  • The quality, timing, accessibility and auditability of risk performance data is as rigorously and consistently applied as that for accounting data,
  • Dynamic management of risk data (including risk appetite/tolerance/criteria) can be tracked at the pace of change,
  • Tests can be applied to the aggregation of risks to objectives at the pace of change and prompt interdictions applied when required,
  • Reports, or notification, of significant risks are escalated without delay, and without risk to the originator of information.

4.  Lack of understanding of the nature of the risks that need to be mastered in the boardroom:

Going back to our definition of risk as the effect of uncertainty on objectives: There are many types of objectives — for example, economic, financial, political, regulatory, operational, customer service, product innovation, market share, health safety, etc. — and there are multiple categories of risk. But what is uncertainty?

Uncertainty [9] is the state, even partial, of deficiency of information related to understanding or knowledge of an event, its consequence or its likelihood.

There are essentially two kinds of uncertainty:

1.   Measurable uncertainties: These are inherently insurable because they occur independently (for example, traffic accidents, house fires, etc.) and with sufficient frequency as to be reckonable using traditional statistical methods.

Measurable uncertainties are treated individually through traditional (risk) management supervision, and residually through insurance.

Measurable uncertainties are funded out of operating profits.

2.   Unmeasurable uncertainties: These are inherently uninsurable using traditional methods because of the paucity of reliable data. For example, whereas we can observe multiple supply chain and service interruptions, data breaches, etc., they are not sufficiently similar or comparable to be soundly put to a probability distribution and statistically analyzed.

Unmeasurable uncertainties are treated on a broad basis through organizational resilience. For the top 5-15 corporate risks [10] that are typically inestimable in terms of likelihood of occurrence, the organization seeks to maintain an ability to absorb and respond to shocks and surprises and to deliver credible solutions before reputation is damaged and stakeholders lose confidence.

Unmeasurable uncertainties are funded out of the balance sheet.

The hyper-connected and multispeed world in which we live today has driven the effect of unmeasurable uncertainties on company objectives to unprecedented heights, and so amplified the risk potential enormously.

5.  Urgent need to recognize the mission-critical importance of building and preparing management to always be prepared to offer credible solutions in the face of unexpected shocks and surprises.

Figure 1 below describes the evolution of risk management as depicted within the red dotted line [11] and the next stage of the evolution (resilience) as envisioned by RMI.

Figure 1: Evolution of risk and the emergence of “resilience” as the current era in the evolution of 21st century understanding of risk  

Resilience was the theme that ran through the World Economic Forum: Global Risks 2013, Eighth Edition Report. Resilience was described as the capability to:

  1. Adapt to changing contexts,
  2. Withstand sudden shocks, and
  3. Recover to a desired equilibrium, either the previous one or a new one, while preserving the continuity of operations.

The three elements in this definition encompass both recoverability (the capacity for speedy recovery after a crisis) and adaptability (timely adaptation in response to a changing environment).

The Global Risks 2013 Report emphasized that global risks do not fit neatly into existing conceptual frameworks but that this is changing insofar as the Harvard Business Review (Kaplan and Mikes [12]) recently published a concise and practical taxonomy that may also be used to consider global risks [13].

The report advises that building resilience against external risks is of paramount importance and alerts directors to the importance of scanning a wider risk horizon than that normally scoped in risk frameworks.

When considering external risks, directors need to be cognizant of the growing awareness and understanding of the importance of emerging risks.

Emerging risks can be internal as well as external, particularly given growing trends in outsourcing core functions and processes.

It is also interesting to observe the diversity in understanding of emerging risk definitions. For example:

  • Lloyd’s: An issue that is perceived to be potentially significant but that may not be fully understood or allowed for in insurance terms and conditions, pricing, reserving or capital setting,
  • PwC: Those large-scale events or circumstances beyond one’s direct capacity to control, that have impact in ways difficult to imagine today,
  • S&P: Risks that do not currently exist.

The 2014 annual Emerging Risks Survey (a poll of more than 200 risk managers predominantly based at North American re/insurance companies) reported the top five emerging risks as follows:

  1. Financial volatility (24% of respondents)
  2. Cyber security/interconnectedness of infrastructure (14%)
  3. Liability regimes/regulatory framework (10%)
  4. Blowup in asset prices (8%)
  5. Chinese economic hard landing (6%)

Maintaining business defense systems capable of defending the business model has become an additional fiduciary requirement for the board, alongside succession planning and setting strategic direction [15].

References:

[1] Influenced by COSO (Committee of Sponsoring Organizations of the Treadway Commission), Enterprise Risk Management (ERM): Understanding and Communicating Risk Appetite, by Dr. Larry Rittenberg and Frank Martens.

[2] Source: ISO 31000 (Risk Management 2009). ISO 31000 is now the globally accepted risk management standard.

[3] The new globally accepted risk management standard (ISO 31000) is not intended for the purposes of certification. Rather, it contains guidance as to risk-management principles, a framework and risk management process that can be applied to any organization, part of an organization or project, etc. As such, it provides an overarching context for the application of domain-specific risk standards and regulations — for example, Solvency II, environmental risk, supply chain risks, etc.

[4] Risk Communication Aligning the Board and C-Suite: Exhibit 1 Top Challenges of Board and Management Risk Communication, by the Association for Financial Professionals (AFP), the National Association of Corporate Directors (NACD) and Oliver Wyman.

[5] The Conference Board Governance Centre, Risk Oversight: Evolving Expectations of Board, by Parveen P. Gupta and Tim J Leech.

[6] An unknown known risk is one that is known, and understood, at one level (e.g. typically top, middle, lower level management) in an organization but not known at the leadership and governance levels (i.e. executive and board levels).

[7] An unknown unknown risk is a so-called black swan (The Black Swan: The Impact of the Highly Improbable, Nassim Nicholas Taleb).

[8] Specified to the ISO 31000 series.

[9] Source: ISO 31000 (Risk Management 2009). ISO 31000 is now the globally accepted risk management standard.

[10] More than 80% of volatility in earnings and financial results comes from the top 10 to 15 high-impact risks facing a company: Risk Communication Aligning the Board and C-Suite, by the Association for Financial Professionals (AFP), the National Association of Corporate Directors (NACD), and Oliver Wyman.

[11] Source: Institute of Management Accountants, Statements on Management Accounting, Enterprise Risk Management: Frameworks, Elements and Integration.

[12] Managing Risks: A New Framework.

[13] Kaplan and Mikes’ third category of risk is termed “external” risks, but the Global Risk 2013 report refers to them as “global risks.” They are complex and go beyond a company’s scope to manage and mitigate (i.e. they are exogenous in nature).

[14] Audit and Risk, 21 July 2014, Matt Taylor, Protiviti UK.

[15] The Financial Reporting Council has determined that it will integrate its current guidance on going concern and risk management and internal control and make some associated revisions to the UK Corporate Governance Code (expected in 2014). It is expected that emphasis will be placed on the board’s making a robust assessment of the principal risks to the company’s business model and ability to deliver its strategy, including solvency and liquidity risks. In making that assessment, the board will be expected to consider the likelihood and impact of these risks materializing in the short and longer term.