Tag Archives: erm

ERM Shows Its Worth in Pandemic

Although some say COVID-19 is a black swan event, it really is not. Pandemics have occurred in the recent as well as the remote past. A clearly articulated description of pandemic risk can be found in the World Economic Forum’s The Global Risks Report 2019. “The spread of infectious disease” was among the top 10 risks listed, based on impact. There are estimates of the cost of a pandemic in one of the special chapters in the report, though these may look small compared with what COVID-19 might actually cost.

In The Global Risks Report 2020, “infectious diseases” is again among the top 10 risks. That report describes the readiness of countries to deal with an epidemic or pandemic and cites a Nuclear Threat Initiative study that concluded that “no country is fully prepared to handle an epidemic or pandemic.”

The World Economic Forum’s (WEF) annual meeting in Davos, Switzerland is attended by government, business, scientific and other leaders from a plethora of countries. The ideas and data developed by its staff and contributors are widely distributed and well communicated. 

The WEF is not the only organization or individual to warn about pandemics. Bill Gates gave an excellent TED talk about pandemics in 2015 that has now gone viral on the internet. Health organizations, think tanks focused on health and other types of organizations have put out the warning, as well.

In the face of these warnings, it is puzzling why there has been such a lack of preparation in some sectors. On the other hand, many major corporations reacted speedily and effectively to the challenges presented by the pandemic, even if they had not had it among their list of top risks. The reason they were able to do so rests, in large measure, on these companies’ adoption and implementation of enterprise risk management (ERM).

ERM’s Premise

ERM is a process that addresses both operational and strategic risk across all facets of an organization by identifying, prioritizing, mitigating and monitoring risk so that the organization’s mission and strategy can be achieved. Below are the numerous ways ERM has proven its worth in ameliorating the potential adverse effects of the pandemic, whether the risk was fully recognized or not.

How ERM Has Mitigated Pandemic Risk Among Practicing Companies 

A robust ERM implementation includes having both a business continuity and a disaster recovery plan. These plans enable companies to 1) assemble key decision makers immediately to approve responsive actions, 2) communicate to employees quickly and 3) move to “work at home” conditions without too many glitches. Many companies have indeed moved to a “digital only” environment with employees working at home. When this was not possible, companies rapidly put guidelines in place to create social distancing and other modes of worker protection.

ERM places a heavy emphasis on information technology security. Thus, as companies migrated to more work at home, employees already had cyber training. IT staff have implemented strong controls on aspects such as accessing systems and cloud security. Further, cyber insurance products have been purchased. 

ERM also includes having a solid handle on supply chain risks, meaning that supply chains are well-documented and diversified and that supply alternatives are lined up. A number of ERM practitioners moderate the parameters of their just-in-time production and ordering to allow for a certain amount of inventory to be available in the event of a catastrophe. However, even a company following ERM best practices can experience supply difficulties and losses when a pandemic is truly global and lingering, though less severely than others.

In addition, ERM-managed companies tend to have very solid financial underpinnings in terms of capital levels, credit lines, investment portfolio diversification, etc. The “however” in this case is that many small businesses are unable to have as substantial a financial foundation as larger ones, and even large companies with solid financials cannot sustain a severe drop in revenues for consecutive months. Nevertheless, to the extent that practicing ERM resulted in stronger financials, companies were better-positioned to withstand the financial impact of the pandemic.

Further, ERM fosters a keen focus on reputation risk. Companies with dynamic ERM practices understand the need to aggressively protect corporate reputation. As such, many such companies widely communicated what they were doing to protect all stakeholders from the effects of the pandemic, modified their advertising to take a more sober and caring tone and introduced a new level of caution in all they did.

An Example for Others

Governments and healthcare institutions could have benefited from ERM or from more robust ERM. The list of mitigations that could have been in place is legion. For example, stockpiles of personal protective equipment and respirators could have been greater, the number of ICU beds could have been higher, protocols for where to treat patients who contract the virus could have been drafted in advance and treaties among co-operating countries that address warnings and the closing of borders in the event of an outbreak could have been drawn up in advance.

It is hard to argue against the proposition that companies with sound ERM practices were better positioned to deal with the pandemic than those with less sound or no ERM. The benefit in dollars and cents may not be determinable with accuracy, but the benefit is real.

Key Indicators of Weak ERM Programs

Almost every insurer has an official list of risks, often referred to as a risk register. Maintaining a risk register is a basic step in managing risks, following risk identification, prioritization, assignment of risk owners and creation of mitigation plans. 

One problem with many risk registers is that they are filled with generic risks. Although these risks may be real ones for the company, their lack of specificity does not contribute to a true understanding of them in the necessary detail or to planning targeted mitigations for them. 

For example, a risk register might show a risk such as “premium receivables may be late, resulting in ‘over 90s’ or uncollectable premiums,” a risk that every insurer has to some degree. However, for the company in question the real risk is “underwriters may have too much discretion to change premium collection terms and conditions leading to ‘over 90s’ or uncollectable premium.” The generic version does not indicate the root cause of the risk and can lead to ineffective mitigation strategies.

Or, a risk register may show a risk as “difficulty in attracting talent for open positions” when the real risk is “social media and internet sites may not present the company in a good light, making it hard to attract talent.” By stating a generic risk, management does not have to admit what it may not want to acknowledge.

Yet another example is a risk register that states an IT risk as “too many legacy systems still exist, creating data and service issues,” when the actual risk is “the XYZ underwriting system is not adequately integrated with other systems to create accurate data and seamless processing or a competitive customer experience.” Not naming the culprit system(s) omits the source and scope of the risk, and not qualifying the effects of the risk omits the true nature of what is at stake if the risk is not addressed.

The more nebulously a risk is characterized, the less clear it is who should be the risk owner. Without a clear and appropriate risk owner, the greater the chance that the risk will not be adequately addressed.

Regardless of the category of risk, without specifics the entries in many risk registers seem more for external consumption than internal action. If the same list of risks could be adopted by any other insurer of the same size, age and business mix, then it is not fit for purpose for the insurer whose risks it is supposed to represent. It may be fine for an externally published list of risks to lack detail that could be considered proprietary, so long as it meets certain thresholds, but it is not fine for a list intended for internal use.

Another big problem with risk registers is that many do not include the strategic risks the company needs to be concerned about. Strategic risks tend to stem from the vision, mission and goals of the company. A strategic risk might concern the lines of business written, the customer segments targeted or the geographic footprint. For example, a risk for a WC monoline insurer might be “premium volume may shrink significantly in the next five years due to robotics and AI reducing the size of the workforce.” A risk for an “internet only” insurer might be “there may be difficulty reaching sufficient scale because of the lack of barriers to entry by identical competitors and because some buyers will never buy over the internet.” Such an insurer will also have a talent risk because of competition for IT talent across all insurers and industries.

Or, a risk for an insurer that has high concentrations in Cat-prone states might be: “Without further geographic expansion, the lack of diversification may hurt profitability significantly.”  

It is simply not common to see these types of strategic risks listed in the risk register. Yet, strategic risks tend to be the most existential of all risks. In the past, some large insurer failures stemmed from strategic risks not being addressed appropriately or at all. For example, risks associated with undisciplined growth or delayed reaction to underperforming books of business, which are strategic risks, have not been recognized by insurers, and such insurers have paid a steep price for that lack of recognition. 

An additional problem with risk registers is the mediocrity of the planned mitigations. A good risk register should minimally show: 1) the risk, 2) its ranking as to impact and likelihood, 3) the risk owner, 4) the planned mitigation and 5) the status of the mitigation efforts at each update of the register.

Undoubtedly, it is key to identify the risks, but identifying and recording them does nothing to help the organization unless there is adequate mitigation. Mitigation can take many forms: avoiding, transferring, minimizing or accepting the risk, albeit with a contingency. A planned mitigation that is too weak, too expensive relative to the risk or impossible to implement will not benefit the organization. Worse yet, an inadequate mitigation may allow the risk to grow while the board or senior management thinks it is being reduced.

The mitigations in the register should not be merely a recounting of current controls or risk-reducing practices; they should be innovative and robust tactics for attacking the risks.

Boards, senior management and chief risk officers should evaluate their risk registers based on these questions:

  • To what extent are risks stated clearly and specifically?
  • Are there risks included that are unique to the company?
  • Based on how the risk is stated, is it clear who the risk owner should be?
  • Based on how the risk is stated, does it help to pinpoint what type of mitigations are needed?
  • To what extent are strategic risks included?
  • Are there current or emerging strategic risks that are not included?
  • Are the planned mitigations equal to the seriousness of the risks, i.e., are they sufficiently robust?
  • Is the cost of the planned mitigation in balance with the potential impact of the risk?
  • Are the planned mitigations attainable and implementable?
  • Is the mitigation plan implementation on track?

Bottom line, a poorly constructed risk register points to a failure of the entire ERM process and practice. As an essential tool for managing risk across the enterprise, it reveals a lot about how well risk is being managed. Thus, the register can be a good indicator of the overall state of ERM in the organization.

A Renewed Focus on EERM Practices

With third-party risks on the rise, there is renewed focus on maturing extended enterprise risk management (EERM) practices within most organizations. This focus appears to be driven by a recognition of underinvestment in EERM, coupled with mistrust of the wider uncertain economic environment.

To understand the broader risk environment and provide organizations with the insights needed to effectively assess their risk and adapt processes accordingly, Deloitte recently conducted the EERM Risk Management Survey 2019, obtaining perspectives from more than 1,000 respondents across 19 countries covering all the major industry segments. Results shed light on crucial considerations surrounding economic and operating environments; investment; leadership; operating models; technology; and affiliate and subcontractor risk. More specifically:

Economic and operating environment: Economic uncertainty continues to drive a focus on cost reduction and talent investment in EERM. The main drivers for investing in third-party risk management are: cost reduction, at 62%, reduction of third-party-related incidents, at 50%, regulatory scrutiny, at 49%, and internal compliance, at 45%. Organizations urgently want to be more coordinated and consistent in extended enterprise risk management across their organization, as well to improve their processes, technologies and real-time management information across all significant risks.

Investment: Piecemeal investment has impaired EERM maturity, left certain risks neglected and hurt core basic tasks. Only 1% of organizations say they address all important EERM issues, and only a further 20% say they address most EERM issues. One of the main reasons for this maturity stall is that organizations are taking a piecemeal approach to investment – they are mostly making tactical improvements rather than investing in strategic, long-term solutions. This piecemeal approach has led to certain areas – such as exit planning and geopolitical and concentration risk – being neglected, and some organizations not doing core basic tasks well, such as understanding the nature of third-party relationships and related contractual terms.

Leadership: Boards and senior executives are championing an inside-out approach to EERM, which includes better engagement and coordination and smarter use of data. The survey reveals that boards and executive leadership continue to retain ultimate responsibility for EERM in the majority of organizations. Better engagement and coordination across internal EERM stakeholders is a top priority for boards and senior leaders. Boards are moving away from using periodically generated data to more succinct and real-time, actionable intelligence, generated online. But who has ultimate responsibility for third-party risk management? According to the survey results, 24% indicated the chief risk officer, 19% indicated other board members and 17% indicated the CEO.

Operating models: Federated structures are the most dominant operating model for EERM, underpinned by centers of excellence and shared services. More than two-thirds, 69%, of respondent organizations say they adopt a federated model, and only 11% of organizations are now highly centralized, which is down from 17% last year. Investments in shared assessments and utilities, and managed services models, are also increasing. Furthermore, co-ownership of EERM budgets is also emerging as a trend. Robust central oversight, policies, standards, services and technologies, combined with accountability by business unit and geographical leaders, is a pragmatic way to proceed.

Technology: Organizations are streamlining and standardizing EERM technology across diverse operating units. The survey confirms Deloitte’s prediction last year that a three-tiered approach for third-party risk management will continue. Smartly coordinated investments in third-party risk management technology across three tiers can drive efficiency, reduce costs, improve service levels, increase return on equity and create a more sustainable operating model. More specifically, 59% of the respondents adopted tier one, 75% adopted tier two and tier three continues to grow.

Affiliate and subcontractor risk: Organizations have poor oversight of the risks posed by their third parties’ subcontractors and affiliates. The lack of appropriate oversight of subcontractors is making it difficult for organizations to determine their strategy and approach to the management of subcontractor risk. Only 2% of survey respondents identify and monitor all subcontractors engaged by their third parties. And a further 8% only do so for their most critical relationships. Leading organizations are starting to address these blind spots through “illumination” initiatives to discover and understand these “networks within networks.” Less than 32% of organizations evaluate and monitor affiliate risks with the same rigor as they do other third parties. As affiliates are typically part of the same group, organizations are likely to have a higher level of risk intelligence on them than other third parties.

For more information on Deloitte’s “2019 Extended Enterprise Risk Management Survey,” or to download a copy, please visit their website here. You can find the full report here.

Risk Culture Revisited: A Case In Point

True, a great deal has been written about the importance of inculcating a positive risk culture if an organization is serious about managing its enterprise risk. Yet, when it comes to discussions about organizational culture, many executives’ eyes glaze over because the topic is too nebulous or because they have no idea how to influence or develop a particular type of culture. Underwriters, considering an application from a commercial customer, generally do not look too deeply into the company’s risk culture. Given that risk is growing in magnitude and variety and with increasing speed of onset, it behooves leaders to take concrete actions to establish a sound risk culture or to maintain one if it already exists. And underwriters should also be interested in the risk culture of accounts they write for the same reasons.

Often, I am inspired to write about something because of some news I hear or read about. In this case, something on the law360 website caught my attention: A woman slipped and fell near a collapsed “wet floor” sign at a casino. This person, Ms. Sadowski, suffered serious injuries and was awarded $3 million by an Ohio jury.

“The sign lay flat on the floor that day in September 2016, and a Jack Cincinnati Casino employee even walked around it but did not pick it up,” Sadowski’s attorney, Matt Nakajima, said, according to the Cincinnati Enquirer. He said that, moments later, Sadowski tripped over it and broke one of her knee caps. There were no safety measures in place for floor inspections or fall prevention, he said, and the employee who walked around the collapsed sign was not reprimanded. So, despite the use of “wet floor” signs, other aspects of risk management were purportedly absent.

It seems the jury believed Nakajima’s description. If the description is accurate, the part about an employee walking around a collapsed “wet floor” sign is very troubling, as is the fact that there were no consequences for the employee. These kinds of actions point to a lack of a risk-aware culture at various levels.

So, how do leaders build a risk culture, and how do underwriters probe to see what kind of risk culture exists in their prospective insureds’ organizations?

Three Basic Steps to Build Risk Culture

  • Articulate the organization’s position on managing risk at key communication junctures and through different media with employees: 1) hiring interview, 2) orientation, 3) staff meetings, 4) webcasts, newsletters, bulletin boards.
  • Include a risk culture criterion in all performance reviews; e.g., does the employee perform duties safely and address or report hazards/risks when they are identified? Evaluate positively or negatively, as warranted. Celebrate exemplary cases of risk awareness or risk mitigation.
  • Ensure that policies, procedures and work instructions all describe what is expected in terms of safety, precaution and risk reporting.

Three Basic Data Points for Underwriters to Ascertain

  • Does the organization have any losses in the loss history that show an egregious lack of risk awareness?
  • Does the organization practice ERM or, at least, have policies around required safety measures, risk/hazard reporting, training on avoiding cyber and other risks, etc.?
  • Does the organization discuss or evaluate risk awareness as part of normal performance management?

At a time when every insurer is streamlining the information it requests from potential insureds, adding more requests for data seems antithetical. However, in light of the thousands of ways that employees can create, increase or decrease risk in an organization, the culture they embrace is very important. For example, an HR staffer who delays inputting an employee termination to the appropriate systems can create huge data and physical security risks. Likewise, a factory worker who leaves equipment running while going on break, when it should be turned off, can create safety and property risk. Or, consider a finance employee who thinks a spoofed email is actually from the CEO and sends a payroll check to the hacker’s account because there was no secondary control or it was not adhered to. The questions above will help underwriters to get a glimpse of the risk culture at the company they are evaluating.

A risk-aware culture plays a role regardless of the category of risk: financial, operational, legal, cyber, human resource, strategic, etc. Everyone from the top to the bottom of the organization needs to have an automatic and quick-fire gut check regarding their actions: am I creating a risk by taking this action; have I recognized the risks in the situation that is leading me to act; do I need to vet a recognized risk with others? When an organization reaches the point where this type of thinking is natural, and almost universal, then it can be said that a positive risk culture has been embedded.

Her latest book, “Enterprise Risk Management: Straight Talk for Nonprofits,” can be found here.

Top Emerging Risks for Insurers

Over the past two decades, enterprise risk management (ERM) has evolved from a novel concept to an accepted and mature business practice. As such, insurers have significantly improved their identification and mitigation of risks, especially in the areas of underwriting aggregation, capital inefficiencies, dominance of legacy systems and others. Certain emerging risk areas are definitely on insurers’ radar screens, such as the Internet of Things (IoT), autonomous cars and climate change. Yet, there are other emerging risks that are not fully recognized or understood. These require a robust application of enterprise risk management techniques.

Alternative Capital at the Primary Level

So far, alternative capital providers, in the form of insurance-linked securities, collateralized reinsurance, etc., have made their impact felt among reinsurers. Primary insurers, of course, have used alternative capital in place of traditional reinsurance, usually CAT bonds. However, primary insurers have not felt the threat of being replaced by alternative capital.

The risk is real that large books of low-volatility policies, which would normally be covered by primary insurers, could be packaged by banks, reinsurers or other parties into securitized risk pools. Such packages would be attractive to investors who want to participate in a different tranche of risk than is currently offered at reinsurance levels. Thus, primary insurers could be bypassed altogether, at least in terms of bearing risk and being paid for putting their own capital at risk. Primary insurers would likely be needed by the party packaging the pool to supply some services, such as actuarial and claims. But insurers could be replaced over time by other entities, given advancements in automation coupled with artificial intelligence.

Before a wholesale movement of business occurs, primary insurers themselves could package large books of their less volatile business and offer them as alternative capital investments. However, in doing that, they may hasten the scenario where other parties become the packagers, simply by virtue of providing the example.

Market Fragmentation

It is clear now that internet players, which are expert at digitization as well as a variety of other forms of innovation, will be insurers as well as distributors of insurance. What is less clear, but is nevertheless an emerging risk area, is how well they will perform at profitability and how much market share they will absorb. Despite the lack of clarity at this point, the risk boils down to increased fragmentation in the marketplace wherein large and small insurers, alike, will have to deal with more competition and a greater division of business among all players.

It is not uncommon for personal insurance buyers to bundle their home, auto and either small business or life insurance with one or two carriers. But with more choices in an already crowded arena and heightened ease of doing business, it is easy to picture the same individual buying his or her 1) auto coverage from a per-mile internet provider because of best rates, 2) homeowners coverage from another internet provider because of its social responsibility stance, 3) small business coverage from a traditional insurer because of its customer service and 4) life insurance from yet another internet provider because it requires less information and hassle.

It is also easy to see that more provider choices for customers will likely lead to less volume for any one insurer. Already there are over 5,000 insurers domiciled in the U.S. Although the larger insurers control a disproportionate share, more active insurers may play havoc with that situation while knocking out some smaller insurers altogether.

Bottom line, fragmentation risk carries burdens for insurers in terms of: 1) how to vary expense with volume, 2) how to keep their brand awareness and image vibrant and 3) how to encourage and manage continuous innovation.

Cyber Aggregation

Cyber has become a growing line of business in many, mainly larger, insurers’ portfolios. When insurance pundits are questioned about where growth will come from, cyber is the answer cited most often, usually followed by privatized flood insurance.

Although loss modeling has come a long way for natural catastrophe events, it is still in its infancy when it comes to cyber events. Thus, the progress that insurers have made in managing how much aggregate business they write subject to hurricane- or earthquake-prone losses is far superior to their ability to manage cyber aggregations.

This risk area is incredibly significant because of factors that this author has written about previously. Cyber events can potentially be simultaneous, ubiquitous or both, unlike natural catastrophes, which tend not to happen at the same time around the whole world. Consider the magnitude of the losses if the NotPetya cyberattack that happened to Merck were to have happened to the entire Fortune 500 or to half of the Fortune 1000 during the same week. The insured loss alone for the Merck attack was estimated by Verisk-PCS at $275 million. Alternatively, consider the losses if hackers were to strike the electric grid in five major cities at the same time.

Insurers face the risk that they are assuming more risk than they realize or are capable of handling should a massive, coordinated attack occur. Until models improve, insurers should proceed with an abundance of caution.