Tag Archives: erm

Why Don’t Most ERM Systems Work?

So why don’t most Enterprise Risk Management systems work? Simply, they don’t “manage” risk, they just record it. Manage is a verb, not a noun. It is an activity, not an item. Making a list might be adequate for those who want to check off regulatory compliance, but it does not produce an ROI.

They don’t manage threats

To manage threats you need to actively monitor risk drivers and influences through lead and lag KRIs in real time. Reporting systems aren’t much use if they’re telling you after the event. By the time it shows up on a heat map it’s not a risk, it’s an incident. Simply moving your risk management from spreadsheets to a cloud risk register does nothing to pursue an active defence against threats.

To create a workable system, you need to take your risk registers, work out what causes those risks to worsen (drivers and influences), and decide which lead/lag KRIs to use to monitor the movement of those drivers and influences. You then need to set up a real-time system for collecting those KRIs and alerting the appropriate people, who can act on the threats immediately.

They don’t tell you HOW it will affect Objectives

The common practice of recording which objectives might be affected by a risk does nothing to assist in achieving or optimizing those objectives. The real purpose of risk management is to navigate the myriad influences on the objective’s outcome as they occur, i.e. it is an interactive, real-time activity.

Risk Management’s primary purpose in the strategic and tactical planning phase is to identify the best course to market and thereby optimize resources (time and capital). This requires specifying HOW risks and actions interrelate and compound their effects on one another. This highlights two things. For ERM to work it must integrate both risks and actions, and it must know HOW variations in either compound their effects.

Once these are in place they can easily be used to monitor progress in achieving objectives. Workflows and issue reporting become inputs to risk drivers and influences, which in turn automatically update risks. With a real-time aggregation of risks (roll-up), alerts can be sent to interested parties when the risk threshold of any objective is threatened.

See also: The Current State of Risk Management  

They don’t improve the quality of decision making

By definition complex systems (the business world) are chaotic (see Chaos Theory), where small variations alter outcomes, like the weather and the winner of the Melbourne Cup. But risk management was never about predicting the future. It’s about providing advice on the effects of possible decision outcomes and being prepared for any adverse effects.

But here’s the real rub. For ERM to be useful it has to employ Predictive Analytics and machine intelligence. In my defence, Predictive Analytics doesn’t actually predict the future, it just highlights obscure facts. It provides true decision-making collateral on possible opportunities and threats in any scenario, from which “informed decisions” can be made, instead of “gut feel” guesses. It helps mitigate decision bias and raise ramifications sometimes overlooked in the heat of a problem.

Obviously many ERM systems have numerous other failings, such as a single hierarchy for aggregating or “rolling up” risks (wouldn’t it be nice if the world were that simple), and not including Incident Management in ERM to create a closed feedback loop, which drives evolution and effectiveness. But the single most important thing is to use your risk collateral as part of day-to-day operational decision making and not to just let it stagnate in risk registers that are reviewed annually.

Insurance CROs: Shifting to Offense

EY’s seventh annual survey of chief risk officers in the insurance industry confirms that companies are starting to move on from the post-crisis era of defensive risk management. While some CROs speak of works in progress or continuing improvements to their company’s risk management efforts, more CROs report they are comfortable with functioning frameworks that provide “defense” for the company.

There is continued maturation and increasing sophistication of the role. Some CROs are spending more of their time engaged on high-priority strategic and business-driven issues, such as disruption, innovation and emerging threats, including cybersecurity.

See also: The State of Risk Oversight in 2017  

CROs are starting to move to offense. They see their roles less in terms of organizational compliance with enterprise risk management (ERM) policies. Nor are they reacting to regulatory requirements. For almost all companies surveyed, Own Risk and Solvency Assessments (ORSA) are “job done.” Even CROs at companies that faced challenges related to federal regulation or Solvency II report that such issues are largely behind them.

Many of this year’s discussions involved consideration of “what comes next?” As the CRO agenda evolves, significant transitions are underway (see figure 1):

  • From relative stability to disruption
  • From clear and well-understood threats to emerging and unknown risks
  • From serving as a control function to partnering with the business
  • From focusing on the risks of action to promoting innovation and avoiding the risk of inaction

See also: Key Misunderstanding on Risk Management  

Where CROs mostly played defense in focusing on compliance and regulatory activities after the crisis, many have started to move on to a more active, business-driven posture, with greater emphasis on adding value through the efficient delivery of ERM.

You can find the full EY report here.

Finding Data’s Proper Role in ERM

As we collect more data, and become more sophisticated within our use of analytics, we can understand, manage and mitigate more emerging risks than ever before.

In turn, our better-informed outlook changes how we approach risk. Instead of considering individual incidents, we now have the data to think about and build new approaches to understanding overall risk – including mitigation and management strategies. Enterprise risk management (ERM) provides a framework for understanding and responding to business uncertainties and opportunities with relevant insights that are delivered through common, integrated risk identification, analysis and management disciplines. Approaching ERM with analytics can provide a more strategic approach to holistically identifying, managing and mitigating risks.

As a result, business leaders are not only looking at specific elements of risk anymore. It’s not just about single claims, like medical malpractice, which can be easily priced from an insurance perspective. Increasingly, leaders are looking at other risks, which have not been measurable or predictable in the past, but are becoming more so.

When assessing the risk of, for example, property damage, risk managers have decades of data to draw on, data like incidence rates or average claim size, which helps model exposure profiles. Emerging risks, precisely because they are new, do not have this data. Emerging, big picture risks such as cyber security, damage to brand and reputation and supply chain are among the most pressing concerns that risk professionals face today.

Few industries exemplify this better than healthcare.

In Depth

Why Healthcare?

In healthcare, data has been critical in the education of practitioners and the treatment of patients – it has provided the necessary information needed to establish best practices and clinical protocols and provided the metrics that help increase the quality of care provided.

Data can also predict, and even affect, medical costs. Across the globe, medical costs are rising. In the U.S. alone, healthcare costs are around $3 trillion – accounting for 18% of national GDP. These costs are only set to rise as the effects of aging populations and changing lifestyles make themselves felt.

Luca Franzi De Luca, vice president, Aon Italy, says: “The state of healthcare is a truly global concern. More than ever, care providers need new ways to manage the costs – and risks – that coming years will bring.” Data will be key in addressing these issues.

See also: The Current State of Risk Management  

The Data Revolution and a Better Understanding of Risk

The more parts of a system that you can observe – such as cost, quality, exposures to loss and population health – the more you can predict. And the more you can predict, the better you can understand, and price, risk. As such, ERM is becoming more of a possibility than ever before.

  • Risk control and traditional operational risks: From malpractice claims to workers’ compensation costs to property exposures, the healthcare industry now has decades of historical data that enables it to better manage and price risk. However, emerging risk poses a more severe problem: relatively new threats such as cyber attacks do not have the historical data behind them to give organizations a proper understanding of their exposure. And as healthcare – both data and actual care itself – becomes increasingly digitized, whether through back-end services like databases or digital infrastructure, or through frontline services like robotics and smart health devices, cyber will become more and more important. This is already happening. In 2016, healthcare was one of the most attacked industries because of the value of patient records. And as with malpractice or workers’ compensation, as more data is gathered for cyber risk, we are better-equipped to build risk models to address this emerging enterprise risk.
  • Population outcomes: One way for healthcare organizations to control their risk burden is to minimize the amount of illness in the world beyond their walls, and data is helping them to achieve this. For instance, big data, machine learning algorithms and better integration between public services is allowing more and more sophisticated forms of epidemiology and can help measure and control incidence rates in populations at large. This means a reduced risk profile for front-line care providers. “There’s a connection between keeping people healthy and enterprise risk. For example, malpractice claims will decrease if more and more individuals are healthy and not hospitalized,” De Luca explains. “Furthermore, analytics is enabling us to focus on 20% of the population that is driving 80% of the cost of care.”
  • Quality of care: Medical malpractice is estimated to cost around $55 billion in the U.S. alone. Improving the overall quality of care that individuals receive could reduce related costs. Data has enabled organizations to better understand their processes and eliminate the inefficiencies and errors that can lead to litigation.
  • Costs: Better data modeling processes can also give deeper insights into an organization’s total costs. For a hospital, keeping track of operating costs may be relatively straightforward. But other costs, such as those generated by supply chain risk, fluctuations in pharmaceutical or technology prices or business interruption from a cyber attack or pandemic, may be more difficult to grasp. Advanced data tools can give healthcare providers a better understanding of their total financial burden.

Data tells us about the world. The better we are at collating and analyzing data, the better we are at predicting how the world will behave. The use of data in the healthcare sector is providing greater visibility into all potential channels of risk – and also, new opportunities. Instead of looking at potential risks on an item-by-item basis, risk managers, senior management and the C-suite can start thinking about risk in macro terms. What is our organization’s total risk-bearing capacity? How does our current risk profile fit within that? And what strategies can we pursue to mitigate or finance those risks?

Data technologies and methodologies are evolving all the time. Using these developments to gather and analyze more and more data around emerging risks is essential. This isn’t just important in the medical industry, but something that all industries can and must do. Only then will their strategies be able to deal with emerging, enterprise risk. “Organizations will be able to focus holistically on enterprise risk management, rather than focusing on specific liabilities as in the past,” De Luca says.

The Current State of Risk Management

The Ponemon Institute recently shared the results of its survey on risk management: The Imperative to Raise Enterprise Risk Intelligence: Inside the Promise & Pitfalls of Enterprise Risk Management. The results are disturbing, but unfortunately what I had anticipated.

The 641 respondents who answered the survey were involved in risk management within their organization, so the results are skewed toward having some level of formalized risk management. In other words, the respondents are better than the general population. Most of the respondents are IT folk, and some of the questions reflect the author’s IT orientation, as opposed to a general business one.

See also: 4 Steps to Integrate Risk Management  

The report, as so many, has to define risk management in its own way. But, frankly, the definition isn’t bad. The report splits the issue into risk management and risk intelligence.

In the context of this research we define enterprise risk management as the application of rigorous and systematic analysis techniques to the evaluation of risks that impact the whole organization including information assets and IT infrastructure. Cyber risk management is considered a component of enterprise risk management.

We define enterprise risk intelligence as the insight necessary to drive actionable business decisions related to governance, risk and compliance. It is the organization’s ability to think holistically about risk and uncertainty, speak a common risk language and effectively use real-time information and forward-looking risk concepts and tools to maximize business performance.

Ponemon tells us that only 24% of respondents said they have a risk management strategy that is clearly defined and pertains to the entire enterprise. Ponemon doesn’t define what it means by a risk management strategy, so I can’t comment further.

But this is key:

“…only 43 percent of respondents say enterprise risk intelligence integrates well with the way our business leaders make decisions.”

I have to wonder whether the business leaders would agree with that assessment by the risk practitioners!

This adds fuel to that fire:

“A lack of collaboration among organizational functions is a barrier to an effective enterprise risk management program. 53% of respondents say their finance, operations, compliance, legal and IT functions do not collaborate on enterprise risk management activities. Only 8% of respondents say these functions fully collaborate in enterprise risk management activities.”

A lack of resources and an inadequate budget are identified as barriers.

But here is the key question. If the leaders of the organization are not persuaded that risk management is adding value by enabling success, and believe that there are better ways to invest scarce resources, why should we be surprised that the risk management activity is under-funded?

This is demonstrable when “30% of respondents say no one person has overall responsibility to ensure the risk management program is well executed.”

See also: A Revolution in Risk Management  

The appendix contains some valuable pieces of information. Here are two:

  • Only 32% say their organization has a very significant commitment to enterprise risk management.
  • On a scale of 1 (low) to 10 (high), just 14% of the respondents rated the effectiveness of their risk management activity as a 9 or 10.

So what do we make of this?

Let’s start with some unpleasant facts!

  1. Our business leaders are not idiots. If they have not invested in risk management, there’s a reason! They are not convinced it will help them succeed. They see it as a compliance activity that costs time and money, checks the box for the board and regulators, but doesn’t help them be successful.
  2. If they saw risk management as helping them make better decisions, you can bet they would invest in it!
  3. They can be persuaded, not by words but by action.
  4. Risk practitioners too often are focused on managing risks instead of achieving business objectives. There’s a huge difference.
  5. Risk practitioners don’t connect with business executives because they talk technobabble instead of the language of the business. A discussion of risk appetite or a risk appetite framework is not something that any executive focused on results will want to attend.
  6. The traditional approach to risk management, a list of top risks, is not going to work. It hasn’t worked for decades so why should it now?
  7. Satisfying the board but not top management is not a recipe for long-term success.
  8. The risk practitioner has to think out of the box. Understand what the company’s leaders need to be successful and make intelligent and informed decisions, then deliver it.

I welcome your comments.

Is There Risk in Embracing Insurtech?

As insurers rush headlong into the digital scramble, they should keep in mind the proverbial iceberg. Not all the risks involved are strictly tied to the innovation itself. Certain ones are below the water level.

Insurers actively participating in the digital revolution have done so in a variety of ways: 1) innovation labs, 2) insurtech accelerators with external partners, 3) investments in insurtech companies, 4) purchases of insurtech companies. These are reasonable approaches for staying current and competitive. However, there are some caveats that should be heeded.

Focus Risk

Insurance is not a simple business. Machines cannot be set to produce thousands of identical items, a sale is not final and competition is never at a low ebb. It is a complex business that relies on actuarial forecasting, capital models, complicated and multi-layered contracts, in many cases, and astute claims handling. Thus, companies must remain focused on the functions and metrics fundamental to the business, if they are to achieve good results.

Over the years, the insurance industry has adapted to paradigm shifts of all types, for example: 1) automation of internal operations, 2) agent/broker electronic interface, 3) paperless environments, 4) increased transparency with regulators and 5) product development responsive to new risks such as cyber or supply chain disruption. Now, creating new ways to interact with stakeholders digitally and developing products that are fit for purpose in a digital world should be within the capability bounds of these same insurers.

The caution is that insurers should not get so focused on their digital initiatives they lose proper sight of the basics of the business: underwriting, claims, actuarial, finance, customer service. Equally, insurers cannot lose sight of other disruptive forces in the environment such as climate change, terrorism and cyber threats.

See also: Insurtech: Unstoppable Momentum  

A piece appearing on AIR Worldwide’s website written by Bill Churney asks “Have You Lost Focus On Managing Catastrophe Risk?” He alludes to the fact that catastrophes have been light these past 10 years, which may cause inattention, and that many new insurance staffers were not working when Katrina, Andrew or Hugo hit, and thus have no personal experience to tap for handling sizable events. A lack of focus on managing catastrophe risk could be critically detrimental for companies. And although there is nothing concrete to suggest that insurers have lost such focus, the question underscores the possibility of attention deficits. The need for continuous and careful attention to the rudimentary aspects of the business cannot be dismissed, even if they may not seem as exciting or timely as digital inventions.

Within memory, there have been companies that allowed themselves to lose necessary focus. Some got so focused on mergers and acquisitions that core functions were not managed properly while the emphasis was on cross sales and economies of scale. Some got so intent on improving customer relations that business imperatives were ignored in favor of appeasing the customer, and some got so diversified that senior management did not have the bandwidth to manage the whole enterprise.

How can the 2016 results at AIG be explained? Could the more recent focus on divestitures, staff changes and cuts, a drive to return dividends to shareholders and the CEO’s reported concentration on technology have caused it to lose its once unparalleled focus on profitable underwriting, rigorous claims handling and product innovation?

Investment Risk

With investments pouring into insurtech, it raises the question: What is left for anything else? Despite fintech investments starting to slow, KPMG reports, “There was a dramatic increase in interest in insurtech in Q3’16, and the trend is expected to continue. The U.S. was the top country in Q3’16 with 10 insurtech deals, valued at $104.7 million in total.”

These numbers do not capture the many millions of dollars that insurers are investing in insurtech activities internally, of course. As mentioned above, they are spending money to create dedicated innovation labs and accelerator programs and to launch other types of speculative insurtech projects. Many older projects have become operational, including new business unit or company startups, the introduction of bots on company websites, telematics in vehicles, digitized claims handling…and the list goes on.

How does an insurer know when an investment in insurtech is enough or too much, thereby negating other necessary investments required by functions such as underwriting, claims or actuarial?

The caution is not about doing an ROI (return on investment) analysis for a specific project. It is about doing an ROI analysis for the portfolio of projects that are vying for funding vis-a-vis the need to keep the company solvent while maintaining progress with the digital strategy. The larger the insurer, the more used it is to managing multiple priorities and projects. For mid-size to small insurers, this skill may be less developed, and they may face even greater risk of getting out of balance.

Growth Risk

Insurance is one of the few industries for which growth can be just as risky as no growth. Industry pundits have long claimed that new business performs about three points worse than policies already on the books. The difference between a company at a combined ratio of 99 compared with 102 can be quite significant. The causes for this phenomenon have to do with such factors as: 1) the potential for adverse selection, 2) the reason customers choose to change carriers and 3) the costs associated with putting new business on the books. These are not the only ones. It is harder for actuaries to predict the loss patterns for groups of customers for whom there is no history in the company’s database.

See also: Infrastructure: Risks and Opportunities  

If the reason for investing in insurtech is to increase new business written, insurers should be cautious about how much and what kind of new business they will write because of their insurtech enhancements. To the extent that insurtech enables insurers to hold on to existing business, the outcome is less risky.

For example, it remains to be seen whether drivers who want to buy insurance by the mile are a better or worse risk pool than other drivers, or whether those involved in the sharing economy, such as renting rooms in their homes, are more or less prone to loss than homeowners who do not rent rooms. Are small businesses that are willing to buy their coverage online likely to file a higher number of claims or a lower number compared with small businesses that use an agent? Do insurance buyers who are attracted to peer-to-peer providers have loss experiences at a different rate than those who are not attracted to such a model?

The march toward more digitization in the insurance industry will and must go forward. At the same time, insurers should be wise enough to realize and address underlying risks inherent in this type of aggressive campaign to modernize.