Tag Archives: marc dominus

How to Remove Fear in Risk Management

Someone is looking over your shoulder, and you know who it is. If you’re the CEO, it’s your board and shareholders. On the factory floor or in the cubicles, it’s the foreman or the supervisor. But just as often these days, the sources of anxiety and caution confronting risk managers may not be corporate employees at all. Rapidly shifting technology that is often difficult to understand and measure, unfamiliar demographics, expanding globalization, and ever more stringent regulatory compliance requirements are now part of an anxiety- producing stew that organizations’ risk managers must understand and deal with. All these forces threaten a corporation’s revenue, margins, profitability, and overall competitiveness more quickly and unpredictably than ever.

Consequently, if you are an internal auditor – the person responsible for assessing and helping improve the risk management process – your chair these days may feel more like a hot seat. Which of the decisions daily barraging a modern corporation should be the higher priorities? And how, in a business world of frequent disruption, will you, your superiors, and those who report to you weigh and mitigate the waves of serious risks facing the company nonstop? What are the most important metrics to use for any given risk issue? Can the company rely solely on its in-house staff to analyze and resolve unforeseen and often unforeseeable problems?

Just as important, how will the enterprise as a whole handle these issues and make necessary decisions? How does company culture get in the way of using risk management effectively, to reach the decisions that will help the company grow and become more competitive, and how can sustainable risk management (SRM) assist?

Company managers often are not encouraged to exercise independent judgment, even when they are the acknowledged experts. Without transparency and effective multilevel communications in their company, managers are likely to be wary of crossing unseen boundaries, suspect that hidden agendas are controlling important decisions, or feel isolated and unsure of the enterprise objectives that should help guide their decisions. Moreover, anxiety about making important decisions is common in organizations that don’t give their decision-makers the tools and data required to make intelligent risk analyses. Without confidence that they understand the risks associated with a decision, and in a culture where the consequences of a bad outcome are punitive, managers understandably are likely to be cautious.

Behind employees’ hesitation to make and express independent judgments or to make decisions can be a corporate culture of mistrust, caution, and covering one’s backside. In other words, a culture of fear – fear of losing face, losing a contract, losing revenue, losing political advantage, losing a job.

A culture of isolation and timidity defeats collaboration, creativity, transparency, and the ability of a corporation to objectively analyze the broad range of risks it faces each day. It can render the internal audit function far less effective and useful than it should be and can be. In this environment, the internal audit function may mistakenly be seen solely as a means of uncovering errors, assigning blame, and enforcing penalties. Managers may be understandably reluctant to provide anything other than the most general and diluted information about their operations and decisions.

One need not wade through the scientific research about the impact fear has on decision- making to understand how destructive it can be. The brain has separate centers for processing fearful and rewarding experiences. As Dr. Gregory Berns, director of the Center for Neuropolicy at Emory University, has explained, “The most concrete thing neuroscience tells us is that when the fear system of the brain is active, exploratory activity and risk-taking are turned off.” Good decisions in this state are unlikely. “Fear prompts retreat. It is the antipode to progress,” said Berns. “Just when we need new ideas most, everyone is seized up in fear, trying to prevent losing what we have left.”

In this way, fear can nullify or dilute a company’s risk management processes. An effective SRM program, however, encourages and supports an environment that minimizes fear, reduces uncertainty, and increases transparency and confidence in decision-making throughout the enterprise.

Barriers to Solutions

It may seem that established tenets of good corporate governance already include rooting out the fear, indifference, lack of collaboration, and siloed decision-making that stand in the way of optimizing risk management. After all, most companies talk an excellent game when it comes to collaboration and open and honest risk analysis. Too few, however, have developed the internal mettle to tolerate it.

Starting with assessing corporate culture and change management practices, internal auditors can play an important role in transforming the boilerplate talk into sustainable programs. They can provide unbiased, to-the-point assessments, independent of internal politics. The problems they find and the solutions they recommend can be critical for a company seeking to develop the capacity for SRM. But whether from too much caution and resignation or just fear of change, many internal auditors say the structure of their jobs discourages them from alerting their companies to critical gaps in risk assessment and mitigation.

A recent global study by The Institute of Internal Auditors (IIA) Research Foundation spotlights some of the problem areas. Not even two-thirds of the surveyed chief audit executives (CAEs) said they consult with division or business heads when they develop audit plans. Only slightly more than half said they consult with audit committees. There may be many reasons for this audit-in-isolation phenomenon, but it commonly occurs in companies that do not value the risk management process and therefore do not prioritize it. The phenomenon occurs in companies where key players are not encouraged to speak up.

Just one-third of audit plans are updated three or more times a year, the study found. This means that CAEs may be overlooking important changes in the business environment. No wonder only 57 percent said that their internal audit departments were “fully aligned or almost fully aligned” with the enterprise strategic plan. This kind of exclusion signals that leadership does not embrace the people responsible for monitoring management of the company’s risk and that the audit function is not seen as a critical part of the management process.

Our experience with clients reflects these findings and shows that risk management professionals themselves may be at least partially responsible for the isolation and erosion of their programs. They could assume, for instance, that the value and relevance of SRM are obvious and not consistently sell a program that’s underway, neglecting to point out its continuing value, highlight its successes, and develop metrics that are easily understandable.

The program itself may not be as inclusive as it should be. Sometimes risk management processes are not designed to seek out and incorporate the views of front-line employees. Any effective SRM process, however, must reach into the depths of company operations. At the same time, employees at all levels often are not trained well in how to assess and evaluate risk. Employees may be able to calculate some risk in dollar terms without appreciating that they also should be looking at, for example, threats to customer satisfaction, employee safety, and regulatory and contract compliance.

Too often, as well, an unappreciated or ineffective risk management program does not account for the unique characteristics and business objectives of the corporation. Organizations sometimes employ a cookie-cutter approach to developing a risk management framework that’s not calibrated to address essential and distinctive company attributes.

Sometimes risk reporting to the board and top executive levels may be so extensive and detailed that no one reads the reports. Or risk reporting may be so superficial that its assessments and proposed solutions carry little weight. When risk management is not seen as a source of continuous improvement for the organization, risk management funding may be erratic or inadequate, its staffing just an afterthought, and its placement in the corporate hierarchy too isolated to be effective.

Working Toward a More Viable Program

An SRM program protects and advances the organization’s primary business objectives. To do their job effectively, risk management leaders must be included as members of the executive management team. Their inclusion helps to ensure that consideration of risks is incorporated into every significant strategic decision.

It is also possible that a company and its leadership simply are not prepared for the important cultural shift required to champion SRM. All too typically, executives are experts at shifting blame, pointing fingers, and covering their reputations when something goes wrong or hard decisions must be made.

SRM requires a no-blame environment, a collaborative process in which personnel work together to assess and solve problems without fear that their careers will suffer or they will lose the confidence of their peers. A frank and constructive assessment of an operational failure, for instance, is possible only when, instead of trying to find fault, the evaluation concentrates on solutions to keep the failure from happening again. This collaborative approach is not common enough in modern corporations.

Why SRM Is Worth It

The benefits of developing an open, fearless, and transparent SRM program ripple through every level of the enterprise. The program helps ensure that the company can perform with confidence and agility in the face of unpredictable events and shifting economic conditions. It supports the development of accurate, timely, and relevant metrics that reduce uncertainty in decision-making. It provides an effective process for dealing with emerging technologies, surprising moves by competitors, market uncertainties, natural disasters, and even internal scandals. When the program is working, the board, C-suite executives, and managers at all levels understand the kinds of risks the company must deal with and then use that awareness when making their decisions.

An active and embedded SRM program, visibly supported by leaders, regularly refreshes the managers’ awareness and stimulates their insights concerning the shifting market and business conditions that pose the greatest risks to the company’s operations. Employees work collaboratively with their supervisors and are asked to help solve missteps rather than being blamed or punished for them.

SRM offers continuing opportunities to save costs and improve productivity. It can reduce operational and material losses and waste and spotlight process improvements. SRM more closely aligns people, assets, processes, and technology with the organization’s business strategies. It also reassures the board and other stakeholders that compliance issues are being addressed and that company assets and reputation are being protected. The results – which we see time and again – include increased growth, improved profitability, and higher staff morale.

ITL Introduces a Channel for ERM

With the traction that InsuranceThoughtLeadership.com (ITL) is now seeing in the marketplace, a consensus developed among the principals that it was time for the addition of a new channel of expertise to further flesh out the rapidly evolving practice of risk management and help influence its course and impact on the success of organizations.

This description of risk management’s potential is resonating more and more with both practitioners and senior leaders, including board members. Yet risk management is morphing under several different rubrics, including enterprise risk management (ERM), strategic risk management (SRM), governance, risk and compliance (GRC) and older terms like holistic or integrated risk management that do not seem to have gained much traction. Confusion is increasing among practitioners and leaders as the semantics shift. For various reasons, some good and some not so good, the emphasis on risk management is shifting, as well.

One could easily argue that names and acronyms shouldn’t matter, but they do, if only to gain recognition and acceptance for the discipline among a remaining, and not insignificant, group of observers. There are meaningful differences between ERM, SRM and GRC that relate to the focal point of each practice. In addition, there are practitioners who use these terms/acronyms in different ways.

I might, as I often do, like to say that it’s all just “risk management” or at least should have been had we not pursued these tangential efforts that have not served a portion of the user community well. You might note the irony in this statement because my reputed expertise is in ERM, for which I have had direct connections as a practitioner and consultant, as an author and as simply an advocate for a more robust approach to managing risk for over 13 years. Nevertheless, for the more astute, these nuances in risk management have often been beneficial. They have allowed advanced practitioners to evolve their profession further by narrowing their focus to the more material and significant aspects of the discipline, as they relate to their specific environment, culture and situation.

Confused yet?

Well, don’t be. But realize that a key pillar of great risk management is doing it in a way that is most germane to your organization and its needs and priorities. Customization is the order of the day for managing risk well. That means that, while some organizations may want to deploy a comprehensive approach, others will want to pick and choose those components that are meaningful and will have the most impact. Customization also means that certain risk stakeholders will have greater stakes in the outcomes than others. Each organization’s risk stakeholder group will be unique in its make-up, and this drives other aspects of customization that enable alignment among all players.

But the key question now for this launch of a new topic channel for ITL is how it fits into the ITL “conversation” strategy, which is focused on driving change in the broader insurance industry space. We have decided to take the “risk management” channel that has existed since the beginning and rename it as ERM.

Risk management, since the inception of its use as a term of art, has overwhelmingly meant the management of hazardous or insurable risks; strictly construed — a subset of operational risk. Traditional risk management is no doubt an important discipline in its own right, but companies need to broaden their thinking and include risks that are not insurable (e.g. financial and strategic). I love to say, “Enterprise risk management is what risk management should have always been.” So while we will always need what I consider “traditional” risk management to address insurable risks, an enterprise-wide approach to managing risks must ultimately be employed, regardless of the label or name given to the activity. This will improve the chances of survival in an increasingly challenging world and ultimately success – even if it comes at the expense of those who ignore this truth.

Regardless of the choices people make, what really matters is managing risk with excellence and ensuring that, no matter who is involved, all significant risks are addressed. Why? Because effective risk management is directly tied to organizational success. I like to say, “A risk is not a risk unless it either threatens or facilitates an objective.” If this foundational principle is true (and why would I lie?), then the effective management of all significant risks must become a mandate for leadership and a top priority for the board.

We can say this has always been a truism for organizations, but evidence suggests otherwise. The landscape is littered with extinct companies that failed in this regard. And while it is true that effective risk management is simply a part of good management, so are many other components that fail regularly.

So the question then becomes, how will businesses achieve this fundamental (though lofty for some) goal to increase the chances of both short- and long-term success? Answering that question is what this ITL channel will make its mission. We will do so by providing you content from some of the best ERM thought leaders and successful practitioners who have achieved or are well on their way to achieving this goal. To that end, I am happy to introduce today, the first group of contributors who will work with me to bring you the best new ideas in ERM, including tools, advice for avoiding pitfalls, techniques, strategies, tactics and success stories. This group will include:

  • Russell McGuire, director of ERM/GRC practice, Riskonnect (U.S.)
  • Grace Crickett, senior vice president and chief risk officer, AAA of Northern California, Nevada and Utah (U.S.)
  • Marc Dominus, ERM practice leader, Crowe Horwath (U.S.)
  • Dave Ingram, executive vice president, Willis Re (formerly S&P’s ERM leader) (U.S.)
  • Donna Galer,  chief administrative officer, Zurich (retired) (U.S.)
  • Rick Machold, chief audit executive, Total Systems Services (U.S.)
  • Mark Stephens, managing director, Milliman Risk Advisory Services  (U.S.)
  • Peador Duffy, chairman, Risk Management International (UK)
  • Horst Simon, director, risk management, Horwath MAK, (Dubai)
  • Gary Bierc, CEO and founder of rPM3 Solutions (U.S.)
  • Norman Marks, vice president and chief audit executive, SAP,(retired) (U.S.)

While you may not know all of these names, I assure you they are big thinkers, have accomplished much and will stimulate new thinking for this discipline and help you, our readers, reach new heights of ERM success.

So, stay tuned and come back frequently. What you’ll see here will always be fresh and insightful.

 

Contributor Biographies

Marc Dominus

Marc is the enterprise risk management (ERM) solution leader for Crowe. His responsibilities include coordinating the design and delivery of Crowe’s ERM services and directing innovation initiatives in this area. His experience includes more than 20 years of providing risk management consulting services. Marc’s areas of expertise include ERM framework specification and  implementation, enterprise risk assessment (ERA), professional training, executive strategic workshop facilitation, risk culture enablement and change management. He has performed consulting engagements and delivered training programs for significant and complex private and government organizations for major corporate and public entities across the world. He frequently writes, presents and delivers professional training on topics related to ERM.

Donna Galer

Donna is a consultant, author and lecturer. Her top-selling book, Enterprise Risk Management – Straight to the Point, with co-author Al Decker, was published in 2013.

She served as the chairwoman of the Spencer Educational Foundation from 2006-2010, following retirement from Zurich Insurance. This foundation awards scholarships to students studying risk management and insurance. She held a number of positions in her 17 years at Zurich from 1989 to 2006. Her last position at the company was chief administrative officer for Zurich’s world-wide general insurance business ($36 billion gross written premium, or GWP), with responsibility for strategic planning among other areas.

She began her insurance career at Crum & Forster Insurance after a brief time at JPMorgan Chase (Chase Manhattan).

She has served on numerous industry and academic boards, published many articles on ERM and strategy and was named among the Top 100 Insurance Women by Business Insurance in 2000.

Horst Simon

Horst is the director of risk management at Horwath MAK (a member firm of Crowe Horwath International) in the Dubai International Financial Centre. He has held positions with Mashreq Bank, Emirates NBD, Barclays Bank and Standard Bank Group of South-Africa. He has lived in four countries and worked in more than 20.

He worked as an associate with a number of renowned global firms in banking, professional services, training and business process outsourcing and has been in the banking and consulting industries for more than 34 years.  Supported by the UK-based consultancy Genius Methods, he developed and launched the risk culture maturity monitor, an online tool that accurately measures the level of maturity of an organization’s risk culture.

His special interest is in the field of people risk, and he is a regular speaker at international conferences, a trainer in operational risk and enterprise risk culture in the Middle East, Asia and Africa and a blogger on www.Zawya.com.

He supported the capacity building program of the Macroeconomic and Financial Management Institute of Eastern and Southern Africa (MEFMI); he is the co-regional director of the Global Association of Risk Professionals (GARP), Dubai, UAE chapter, and a member of the Professional Risk Managers‘ International Association (PRMIA).

Grace Crickett

Grace’s career has been diverse, involving a variety of industries, ranging from equipment rental to healthcare and from not-for-profit to a Fortune 500, covering the U.S., Canada, Mexico and Singapore. The scope of her work has included self-administration of claims, safety and loss prevention, internal audit, benefits administration, continuity planning, emergency management, captive management and IT and physical security. As senior vice president of risk services and chief risk and compliance officer with AAA NCNU, she is charged with implementing ERM with her compliance, risk management and internal audit team.

Grace was chosen in 2011 as one of Business Insurance’s Women to Watch. Grace was also selected by Business Insurance magazine for its 2011 Risk Management Honor Roll. Also in 2011, Treasury and Risk magazine named Grace as one of the “100 Most Influential People in Finance.” She received the Information Security Executive (ISE) of the Decade Award in 2012 and West and North America Awards in 2011.  She is actively engaged with various professional organizations, including RIMS, as a member of the ERM committee and president of the Golden Gate Chapter.

Peador Duffy

As founder and chairman of Risk Management International (RMI), a successful and growing risk management practice for the past 20 years, Peador has been at the leading edge of risk professionalism and assisting companies to manage strategic risks to their business model. A former officer with the Irish Defence Forces, he has taken first-hand military experience to the boardroom in helping businesses develop superior risk analysis and in conducting crisis scenarios with senior management teams in major corporations and businesses of critical national interest. He provides thought leadership and a pragmatic approach as a strategic overlay to risk traditionalists and has seen risk management grow from board room buy-in, as a compliance imperative, to board room traction as a competitive countermeasure after the global financial crisis.

Dave Ingram

Dave is a member of Willis Re’s analytics team based in New York, offering insurers a practical way to use ERM to identify specific actions and strategies that will enhance the risk-adjusted value of the firm. He assists clients with developing their first ORSA, presenting their ERM programs to rating agencies, developing and enhancing ERM programs and developing and using economic capital models.

In 2012, Dave was named one of the 100 most influential people in finance by Treasury and Risk Magazine.

With more than 30 years of actuarial and general management experience in the insurance industry, Dave has served as corporate actuary, business unit head and planning officer for a major U.S. insurance company. He was previously the senior director, ERM, in the insurance ratings group of Standard & Poor’s (S&P). In that position, he spearheaded the initiative to incorporate ERM as one of the primary insurance ratings criteria and the development of the framework for reviewing economic capital models. He also was a consulting actuary providing advice on risk management and risk analysis to banks, investors and insurers with Milliman.

In addition to writing some 100 published articles relating to ERM, Dave has spoken on ERM at more than 100 events in North America, Asia, Europe, Middle East, Africa, Australia and South America. He was the first chair of the 2,500-member Joint SOA/CAS/CIA Risk Management Section. Dave is now the chair of the International Actuarial Association’s enterprise and financial risks committee and chair of the Actuarial Standards Board ERM committee.

Dave is a graduate of Lehigh University and has an enterprise risk analyst charter from the SOA, financial risk manager certification from GARP and professional risk manager certification from the PRMIA.

Rick Machold

Rick has more than 28 years experience across multiple industries and disciplines, including business risk management, process design and improvement, change facilitation, forensic accounting and strategic planning. He was most recently head of enterprise risk at Invesco and had global responsibility for the company’s enterprise risk management efforts. As administrative coordinator and member of Invesco’s corporate risk management committee, he oversaw the continuing development of the company’s ERM framework, tools and practices.

His background is primarily in management consulting and public accounting, having served as a partner in PricewaterhouseCoopers global risk management solutions practice in both St. Louis and Atlanta. His clients have included the Centers for Disease Control and Prevention (CDC), the New York Yankees Partnership, Wyeth-Ayerst, Ryder System,  Dell and many others. For several years before joining Invesco in January 2007, Rick was an independent consultant in enterprise risk management to First Data, based in Denver. He subsequently served as senior vice president and chief risk officer for Certegy, a transaction processing provider based in Atlanta.

Rick serves on the board of City of Refuge in downtown Atlanta and is an active member of the Institute of Internal Auditors and the Risk Management Research Council. He is a frequent speaker on enterprise risk management and has written several articles on enterprise risk management and internal control. Rick is a regular guest lecturer on ERM for the University of Georgia’s EMBA program and most recently for Kennesaw State University.

Mark Stephens

Mark manages the Milliman Risk Advisory Services practice group. The practice delivers a portfolio of risk consulting services, such as enterprise risk design, test and build projects, operational risk assessments, ERM education and training and ERM technology evaluation. The ERM practice uses diagnostic consulting strategies to understand an organization’s enterprise risk goals and challenges and then customizes solutions to deliver required business results.

In addition, Mark is the executive director of the Milliman Risk Institute, which supports enterprise risk management research and development. The Milliman Risk Institute advisory board meets on a semi-annual basis and conducts corporate surveys and publishes the results along with expert commentary.

Mark began his career as a risk management consultant for Federated Mutual and later became managing director for Aon Risk Services. While at Aon, Mark designed and managed Aon Value Exchange, which provided pricing and margin guidance for broker products and services.

In addition, Mark managed the Aon Global eSolutions Group, which developed risk analytics software for multinational clients to assist with enterprise risk, claims management, exposure management and policy management. Mark served on the management teams for Aon’s enterprise risk practice council, the financial institutions practice group and the ARS-US national service board. Mark also led national and international change-management teams for risk software integration and for margin improvement. Finally, Mark was CEO of Aon RiskLabs and led the M&A team for Aon’s acquisition of Risk Laboratories and Valley Oak Systems.

In 2007, Mark founded Strategic Risk Partners, where he designed industry-leading best practices for enterprise risk management and operational risk management. In addition, he developed unique online software platforms for collaboration around governance, risk and compliance, ERM and operational risk

Russell McGuire

At Riskonnect, Russell is director of ERM Services and in charge of development and implementation of solutions for ERM, including design of GRC software. He consults with clients on the establishment of an effective, sustainable ERM framework supported by the necessary technology to ensure success.

Gary Bierc

Gary founded and is CEO of rPM3 Solutions, a software and services firm specializing in the practical application of “cost of risk” in an ERM context. rPM3’s ARQ Technology software creates powerful outputs and analysis around the cost of risk, which exposes important links between risk and performance. This unique software delivers a patented method to make the process of identification and quantification easy and repeatable for any business or enterprise.

Norman Marks

Norman has spent more than a decade as a chief audit executive for major companies, with as much as $28 billion in revenue. He has implemented isk management, ethics programs and disclosure processes at multiple organizations and is a recognized thought leader in the professions of internal auditing and risk management.

A frequent speaker and writer on governance, risk and controls, he is the author of the popular book from the Institute of Internal Auditors’ on Sarbanes-Oxley Section 404 and of the IIA’s GAIT family of guidance products.

Norman has built or repaired internal audit functions to standards that are recognized as world class by management, audit committee members, service providers, CPA firms, peer CAEs and other internal audit leaders.