Pulse Check: How Do You Approach Risk?

The first step to managing risk is understanding it.
That simple sentence gets to the heart of the opportunities and challenges of risk management. The concept of risk is pretty simple.

The ISO 31000 definition of risk couldn’t be much more straightforward: “the effect of uncertainty on objectives.” But anyone who’s been tasked with managing an organization’s risk knows that identifying and managing business risks is complex.

How organizations tackle risk varies from company to company based on their particular risk appetite. One business may be ready to push the envelope and look for competitive advantages through bigger gambles, while a more conservative firm may rely on established trends and avoid risk to the extent possible.

For risk managers tasked with interpreting an organization’s risk appetite and recommending a course of action, risk is something of a moving target. The risks themselves are constantly changing, and even within a single organization, the approach to risk may vary by department or individual.


And risk managers’ jobs are only getting more difficult. In fact, more than 70 percent of executives say that risks have gotten more numerous and more complex over the last five years, according to a recent report from the Enterprise Risk Management (ERM) Initiative at North Carolina State University and the American Institute of Certified Public Accountants. The report, “The State of Risk Oversight: An Overview of Enterprise Risk Management Practices,” surveyed CFOs and other executives at organizations of varying sizes across a broad range of industries. While these executives said that risks were getting more complicated, only a quarter said that they have a “mature” or “robust” risk management process to address these escalating risks.

Understanding risk at the enterprise level

Those organizations that lack effective risk management processes have limited ability to assess emerging strategic, financial or operational risks and opportunities. Only a quarter of those surveyed considered their organization’s risk management process to be an important strategic tool.

The holistic approach of ERM, which seeks to actively manage all of an organization’s risks instead of taking the traditional silo approach, has several benefits. It helps leaders establish an enterprise-wide appetite for risk and prioritize individual risks based on what’s likely to have the most significant impact on the organization.

Perhaps most importantly, it identifies the interplay of specific risks–circumstances that could originate in one area but have major implications for another. If flooding is likely to delay a delivery to a manufacturer, a robust ERM program would analyze that risk’s effect on not just shipping and receiving but also sales, facilities, customer service and any other area that could be affected.

As organizations take an enterprise-wide view of their risks, the skills risk managers need to be successful will shift as well. In one 2017 PwC survey, 63 percent of corporate officers said that giving frontline employees more risk management responsibilities enables their companies to better foresee and respond to risk, and about half will further this shift in the next three years. It’s clear that organizations are increasingly relying on risk managers who can effectively communicate risk elements and strategy to both executives and employees.

Understanding emerging risks

Understanding your organization’s risk appetite and addressing current risks is only part of risk management. New risks crop up all the time, and risk managers need to stay vigilant. Cyber risk, with its ever-increasing sources and severity, gets a lot of media coverage and is a top priority for most organizations, but even traditional types of risk are constantly shifting and evolving. Risks stemming from government action and regulations have been particularly difficult to predict of late, and organization-specific issues like employee malfeasance, reputational harm and operational risks continue to pose serious threats.

More and more risk managers are turning to data analytics to quantify these risks, but many organizations still struggle to effectively use the data at their disposal. In fact, another PwC survey asked U.S. executives, “Which areas of risk represent the largest capability gaps for your company today?” The leading response: fragmented risk data and analysis. Risk managers have so much data at their fingertips, much of it unstructured, that they can’t effectively use it to make risk-based decisions. Complexity scientist Francesco Corea points out that more information should lead to more accurate results, but it can also make things more complicated.


Understanding what your risk managers need

As organizations work to establish an ERM program and grapple with overwhelming amounts of data, let’s take a closer look at three factors that will make risk managers and their departments more effective.

  • Risk managers need education. A solid foundation in risk management principles and practices, as well as an understanding of the methods used to deploy ERM across an organization, is essential. The Institutes’ Associate in Risk Management (ARM™) program provides that comprehensive overview, but ongoing education to keep up with evolving risks is just as important.
  • Risk managers need access. Risk managers need to be able to secure buy-in from many individuals: executive decision makers, data scientists, frontline employees and more. Risk managers therefore need access to these collaborators, as well as training on the soft skills needed to be effective in their role.
  • Risk managers need allies. An organization shouldn’t rely on just one or two risk experts to deal with risk. If risk is to truly become a key strategic tool, individuals at every level of the company need to develop basic risk knowledge and a risk mindset.

This piece is based on one of several Institutisms, mottos to inspire risk management and insurance professionals to success through lifelong learning and continuous education. Knowledge is the path to managing your clients’ risks. And in the world of risk management and insurance, The Institutes are the ultimate knowledge resource for professionals–at every level and in any discipline. From designations and continuing education to networking and research that informs public policy, our name is all you need to know. Learn more about the ARM designation.

4 Disasters That Never Should Have Occurred

It’s not easy trying to predict the unpredictable. Yet that’s what risk managers are responsible for doing every day. Sometimes, the plans to identify or protect against a particular disaster come up short. Read on for four of the biggest risk management disasters in history – and how the risk management industry has learned from them.

It’s become an iconic image in pop culture – Leonardo DiCaprio leans in close behind Kate Winslet as she raises her arms and exclaims “I’m flying!”

But what can Kate and Leo teach us about risk management?

Quite a lot, in fact. Thanks to several movies and countless other retellings, the tragedy of the Titanic is something everyone knows. But with a better understanding of some basic risk management principles, the Titanic never would have sunk at all.

Michael Angelina, executive director of the Academy of Risk Management and Insurance at Saint Joseph’s University, uses the Titanic and other notable risk management disasters to give his students a better idea of what exactly risk management is – and why they should care about it.

It turns out some of the most notable risk management disasters had specific causes that create pretty clear lessons for risk managers in a range of industries to learn. Let’s take a closer look at four of the biggest risk management disasters in history and what ARMs and risk managers took from them, starting with the event everyone’s favorite ’90s epic/romance/disaster movie is based on.

The sinking of the Titanic

The shortage of lifeboats on board the Titanic on April 15, 1912, has become a well-known fact representing the arrogance and naiveté of designers, crew members and passengers who were positive the massive vessel was unsinkable. To be sure, pretty much everyone was overconfident, from not giving lookouts binoculars to ignoring warnings from other ships about icebergs in the area.

And while the lack of lifeboats is held up as the primary example of that hubris, the 20 lifeboats actually complied with safety regulations at the time. In fact, only 16 rescue ships were required. Lifeboat capacity was determined by the weight of the ship, not the number of passengers on board. This rule was developed for much smaller ships and hadn’t been updated to adjust for the enormous ships that were built in the early years of the 20th century. What’s more, there hadn’t been a significant loss of life at sea for 40 years, and large ships usually stayed afloat long enough for individual lifeboats to make multiple trips to and from a rescue vessel. For all of those reasons, everyone tragically assumed there was an adequate number of lifeboats for passengers.

The risk management lesson learned: Complying with regulations and established best practices is no guarantee that a specific risk has been effectively mitigated. Risk managers need to consider these safeguards the same way they would any other risk prevention effort and take additional action when they don’t sufficiently guard against risk.


Deepwater Horizon explosion

When the Deepwater Horizon oil rig exploded on April 20, 2010, several executives from BP and Transocean were actually on the structure to celebrate seven years without a lost-time safety incident on the project. Company leaders were so focused on preventing – and measuring – lesser risks like slips, trips and falls that they failed to identify the more complicated process management risks that ultimately led to the explosion.

Risk management lesson learned: All risk analysis is essentially weighing how likely an event is to occur against what impact that event would have, then identifying effective ways to address those risks. Thanks to complacency, cutting corners, arrogance or some combination of those factors and others, BP and Transocean targeted risks with high probabilities and low impact. In the process, they neglected risks in the opposite quadrant of that matrix that were unlikely to occur but could have catastrophic results.

Sept. 11 attacks

Since the tragic events of Sept. 11, 2001, individuals, businesses and the U.S. government have put vast effort and resources into preparing for and defending our nation against further attacks. Professors of risk management at the University of Pennsylvania call 9/11 a “black swan” event – one that is very rare and difficult to prepare for.

Risk managers are extremely good at preventing what’s happened before from happening again. But unlikely events are extremely difficult to predict. Before Sept. 11, 2001, terrorism was listed as an unnamed peril in a majority of commercial insurance deals, according to Penn researchers. After the attacks, insurers paid $23 billion, and many states passed laws permitting insurers to exclude terrorism from corporate policies. Today, the semi-public Terrorism Risk Insurance Act covers as much as $100 billion in insured losses from terrorist attack.

Risk management lesson learned: These black swan events are difficult to predict and even more difficult to prepare for. A portion of the risk management field will always be reacting to the specifics of previous significant events and incorporating them into their models forecasting future risk.

Financial Crisis of 2007-2008

Plenty of people were quick to blame risk managers for failing to protect the world’s largest financial institutions against the biggest economic disaster since the Great Depression. The Harvard Business Review identified six ways companies fail to manage risk, while the Risk and Insurance Management Society (RIMS) argues the financial crisis was not caused by the failure of risk management, but rather organizations’ failure to embrace appropriate enterprise risk management behaviors. Companies provided short-term incentives and did not communicate enterprise risk management principles to all levels of the organization.

Risk management lesson learned: Risk management cannot exist in a vacuum. Creating a robust enterprise risk management program also requires communicating it to all levels of the organization and creating a culture and incentive system that matches the level of risk.


Interested in learning more about risk management? Check out the Associate in Risk Management designation from The Institutes.