Back in the ’70s, Chris Mandel quite literally stumbled into insurance: a racquetball injury at Virginia Polytechnic Institute left him with a detached retina. After two months lying flat in a hospital bed, he had to forgo his post-graduate job in retail management and look for work in D.C., where he began an unexpected career managing claims at Liberty Mutual.
Mandel excelled in his job but realized a career in claims management wasn’t what he wanted. So, in the early ’80s, he moved to the brokerage Marsh for five years, where he set up a risk management program for an AT&T spinoff that evolved into what is now Verizon. He then left Marsh to become Verizon’s first risk manager, building its program from scratch.
By the ’90s, he had landed in several top corporate risk management positions at the American Red Cross, PepsiCo/KFC and Tricon Global Restaurants (now Yum! Brands). Mandel also began his six-year volunteer stint as president of RIMS (1998-2004), after serving in many other key RIMS leadership roles. He earned an MBA in finance from George Mason University along the way.
By 2001, Mandel was on several advisory boards (including Zurich, AIG, FM Global and Liberty Mutual), before making a career and geographic move to the USAA Group in San Antonio. There, he built an enterprise risk management (ERM) program because he saw a “broken traditional approach” to risk management. After nearly 10 years of developing an ERM program lauded in the industry (including by AM Best, Moody’s and S&P), Mandel was promoted at USAA to head of enterprise risk management, as well as president and vice chair of Enterprise Indemnity, a USAA commercial insurance subsidiary. While at USAA, he was recognized as Business Insurance’s Risk Manager of the Year (2004).
His dream was to be a corporate chief risk officer, but he saw that title more often going to “quants” (such as actuaries) rather than to risk professionals. So, as a well-known and sought-after industry spokesperson and visionary, Mandel moved on from USAA in 2010 to found a Nashville-based risk management consulting group, then called rPM3 Solutions, which holds a patent on a game-changing enterprise risk measurement methodology. Then, in 2013, he moved to Sedgwick as a senior vice president, where he is responsible for conducting scholarly research, driving innovation, managing industry relations and forging new business partnerships.
In early 2016, he was appointed director of the newly formed Sedgwick Institute, an extension of the firm’s commitment to delivering innovative business solutions to Sedgwick’s clients and business partners, as well as to the whole insurance industry. Also in 2016, Mandel was awarded RIMS’ distinguished Goodell Award.
When asked what he sees as critical strengths for someone entering risk management, Mandel said: “I try to hire managers who can think strategically and who can convince C-suiters and boards of the value of being resilient in addressing a company’s risk profile. Progressive leaders understand the strategy to leverage risk for value.”
A holistic approach, as he describes it, “seeks a vantage point that can assess both the upside and downside of all foreseeable risks.” He believes true innovation evolves from a company’s risk-taking. “It’s not so much identifying what or when adversity is going to happen, it’s how a company responds to risk in order to minimize disruption,” he said.
In assessing his personal strengths and accomplishments, Mandel feels that a person needs to be “emotionally intelligent” — able to adapt to different people in organizations. He doesn’t consider himself a people person but says he learned to be one the hard way. He advises: “Team spirit is putting other people first and helping them succeed. … Admit your failures and build trustworthiness from your mistakes.”
Besides writing, teaching, speaking and (still) playing racquetball, he serves an active role as an advisory board member of Insurance Thought Leadership. He and his wife also serve in church ministries, where he often plays guitar alongside his grown children, who are ordained ministers. Mandel said, “I’m blessed by a Creator who’s had my back.”
During the “risk leader” portion of my career, as head of enterprise risk management at USAA (2001-10) and in my subsequent work as an ERM consultant, I was challenged by several questions that affect risk management results and, by extension, ultimate success. All fell under the heading of “risk management maturity,” and focusing on it can provide huge benefits to you and to your organization.
To start, we need to get two things straight. First, how are you defining “risk,” and have you driven a consensus among key stakeholders about that definition? Second, which risks are you going to manage, and where on the loss curve do they fall?
These questions may sound simple, but the reality is that many risk leaders have responsibilities for only a portion of the risks that organizations face — often, only the insurable risks. If that’s the case, you have your answer to both questions nailed.
If, on the other hand, you are a risk leader with broader accountability for more or all risks (via enterprise risk management, or ERM) that could affect an organization (both negatively and positively), then the first question — “how does your firm define risk?” — requires clear definition. The most commonly accepted definition of risk is “uncertainty.” I like this simple definition, and it captures the most central element of concern. However, the real challenge remains the question about the level of uncertainty (aka frequency/likelihood). To many, even more important is the level of impact or severity. My favorite chart to help illustrate this concept is one where the “tail” of the loss distribution represents where the proverbial “black swans” live.
A typical loss curve has as its peak the expected level of loss, and the black swan sits out on the tail of this curve, where the x-axis is the impact or severity of loss and the y-axis is the frequency or likelihood of loss. While many hazard-focused leaders put their attention on risks at the expected level or to its left along the x-axis, where the certainty of loss rises, the challenge is deciding how far out on the region of the curve to the right one should be managing. While the possibility of loss becomes increasingly remote as you move out toward the tail of the curve, the impact of events becomes more destructive. Key questions that must be answered include:
Do we care more about likelihood or impact, or are they equal?
What level of investigation do we apply to risks that are remotely likely?
How do we apply limited resources to risks that are remotely likely?
Do we have a consensus among key stakeholders as to what risks we should focus on and how?
Do we have, or need, a process to manage emerging risks?
Do we have a consensus on and clear understanding of how we define risk in our organization?
These issues are the starting point for the risk management maturity question, which, if handled well, facilitates organizational success. From these answers, you can chart your course for your firm. The answers will define the process elements of maturity. But we need to define what risk maturity is in order to track progress toward it and to ensure that stakeholders are aligned around the chosen components.
The various components among the numerous risk maturity models tend to overlap considerably. Here’s one generic set of attributes of maturity:
Risk is managed to specifically defined appetite and tolerances
There is management support for the defined risk culture and direct ties to the corporate culture
A disciplined risk process is aligned with other functional areas
There is a process for uncovering the unknown or poorly understood risks
Risk is effectively analyzed and measured both quantitatively and qualitatively
There is collaboration on a resilient and sustainable enterprise
The first, and I think most thoroughly developed, model comes from the Risk and Insurance Management Society (RIMS). It was developed some 10 years ago but remains, in my opinion, a simple yet comprehensive view of the seven most important factors that inform risk maturity and that, when well implemented, should drive an effective approach to managing any risk within your purview.
The components of the RIMS model include a focus on:
The degree to which an enterprise-wide approach is supported by executive management and is aligned with other relevant functions
The degree to which repeatable and scalable process is integrated in the business and culture
The degree of accountability for managing risk to a detailed appetite and tolerance strategy
The degree of discipline applied to using the elements of good root-cause analysis
The degree to which a robust emerging risk process is used to uncover uncertainties to achieving goals
The degree to which the vision and strategy are executed considering risk and risk management
The degree to which resiliency and sustainability are integrated between operational planning and risk process
As with all risk management strategies (no two of which that I’ve seen are exactly the same), there is no one way to accomplish maturity. Every risk leader needs to do for her organization what the organization needs and will support.
Another maturity model that is worthy of note is the Aon model. Like RIMS’ model, it defines multiple levels of maturity and a methodology for charting progress toward an ideal state. Characteristics of the Aon model include:
Ensuring the board understands and is committed to the risk strategy
Establishing effective risk communications
Emphasizing the ties among culture, engagement and accountability
Having stakeholder participation in risk management activities
Using risk information for decision making
This is not to say that the RIMS model ignores these issues. There is simply a different emphasis.
Also noteworthy is Protiviti’s perspective on the board of directors’ accountability for risk oversight. A few highlights include:
An emphasis on the risks that matter most
Alignment between policies and processes
Effective education and use of people and their place in the organization
Assumptions that are supportable and understood
The board’s knowledge of the right questions to ask
Focus on understanding the relationship to capability maturity frameworks
Certainly, the good governance of organizations is critical, and the board’s role is paramount. If the board is engaged and accountable for ensuring that its risk oversight is effective, the strategy is likely to be executed successfully and, by inference, risk will have been effectively managed, as well.
To complete the foundation for the business case for using a risk maturity model to track progress, consider these key points:
There is no one right approach; each organization must chart its own course aligned with its culture and priorities
Risk must be treated as an integral aspect of strategy
There must be a focus on additive value, as with all corporate processes
Risk maturity has produced a documented valuation premium for the firms studied
With the effective use of risk maturity models, you should be able to better chart your risk evolution journey; a maturity strategy tied to corporate strategy and priorities is the ultimate nexus for success. Risk and risk management should drive performance results and clarify what remains to be done to achieve longer-term aspirations. This approach to managing your risk strategy should allow you to:
Translate the components of risk maturity into a successful ERM journey
Refer to ERM results and impacts achieved by others to buttress your efforts
Understand key tactics to exploit and pitfalls to avoid as you perfect your risk management strategy.
Using a risk maturity model will, if nothing else, provide the guard-rails and discipline that may otherwise be missing from your current attempts to make a difference in the success of your enterprise.
When the question of whether ERM is a success or failure comes up, it raises a further question: Why aren’t companies doing a better job of measuring the value it generates?
The reasons that the value of ERM is not quantified by companies include:
It is extremely hard to know when a loss did not happen because of ERM.
It is just as hard to quantify the cost of loss that did not happen.
It is difficult to quantify the “soft” benefits of enhanced reputation because ERM is practiced or because of improved strategic alignment in the organization; ERM requires an understanding of the company’s strategic goals and objectives to identify the risks that might derail their achievement.
It is often hard to justify the time and expense of measuring something that is not easy to measure.
Having acknowledged some of these obstacles, the only way that companies will know if their ERM efforts are successful is to create some measurement scheme that makes sense for their particular situation. Without measurement, how would a company know not only whether it wants to continue an ERM implementation but also how much to invest in it?
Let us look at a few possible approaches to measuring the value of ERM:
Before-and-After Metrics Approach
Once an ERM process has gained some level of maturity in an organization, this approach would take the form of looking at fairly common and reliable metrics on a before-ERM and after-ERM basis. (There are ERM maturity models, developed by experts, that can be used to evaluate how far along the path to full or optimal implementation a company has progressed.) In fact, each of the approaches described would only be reasonable if the ERM process had been in place and well-executed for some period.
Naturally, there will be multiple variables, not just the practice of ERM, that play into these metrics, but that is true for most metrics, and explanations can and should accompany the numbers to account for such variables.
Such metrics would include: 1) number of insurance claims, 2) number of worker injuries, 3) number of lawsuits related to risk/loss events, 4) number of days or hours of production lost because of a risk/loss event, 5) cost of insurance and 6) total cost of risk (TCOR). Thus, when reviewed before and after ERM, the metrics can be charted to show absolute changes in value as well as trend lines. It might even be possible to notice, on a relative basis, that fewer risk-related surprises are brought to management’s attention because ERM effectively identified risks while there was still time to deal with them.
Each company will be able to come up with its own unique metrics based on what it is currently capturing, what it could capture and what is important to its business operations.
The value of ERM would be evident or could be computed from the before-and-after metrics.
“What If” Approach
In the “what if” approach, one or more of the most significant risks in the risk register, which did not materialize when expected because of mitigation by the company, would be selected. Perhaps this was a regulatory change that would have harmed a product line, but the company lobbied or redesigned the product because the risk was appropriately identified, prioritized and mitigated.
The amount of the loss that the risk would likely have produced would be computed. Even if it were an insured loss, the estimate would take into account such things as the potential increase in insurance rates, management time and all other attendant expenses not covered.
Since the risk did not produce a loss, the amount of the “what if” loss is the value of ERM.
Alternatively, a significant loss event that affected key competitors but did not affect the company using ERM could be used to assess value. Perhaps it was a natural catastrophe that the company was better protected for or a demographic shift that the company anticipated and reacted to because of ERM.
To get at ERM’s value, the company would have to approximate what the risk, if ignored, would have cost.
Lacking Any Other Explanation Approach
In “The Valuation Implications of Enterprise Risk Management Maturity,” a wholly independent and peer-reviewed research project conducted by Mark Farrell of Queen’s University Management School and Dr. Ronan Gallagher of the University of Edinburgh Business School and published in The Journal of Risk and Insurance, using data from the RIMS Risk Maturity Model, the case is made that, failing any other explanation, the companies with greater maturity have higher valuations because of it. Specifically, the study found that there was “clear and significant statistical correlation between mature enterprise risk management practices and a firm’s value.” Organizations exhibiting mature risk management practices (as assessed with the RIMS Risk Maturity Model) realize a valuation premium of 25%.
Discretionary Approach
Yet another approach that does not rely on metrics, per se, is a discretionary approach. In other words, the board, CEO or C-suite could attribute a value to ERM that is based on the recognition that the ERM process has, for example: 1) created a risk-aware culture, 2) helped to identify and ameliorate risk, 3) made recovery from risks that have materialized much faster and more efficient and 4) enhanced the brand among stakeholders.
The discretionary approach does require that management is involved in the ERM process, has an open mind about its contribution and will articulate its conclusions about ERM’s value so that the entire organization is aware of this assessment. Without management’s giving voice to its success, the question of whether it is a success or failure will haunt ERM.
There are undoubtedly other approaches that could be used. The key point is that companies that have invested in introducing ERM should do so in a vigorous way and should measure and communicate its value. This will ensure that the entire organization maintains a commitment to this important process.
From the You Can’t Make This Stuff Up Department: Steve Legg took an important step on his path to becoming the director of risk management of Starbucks to avoid having what looked like a bad pun on his business card. He had earned his Associate in Risk Management designation, but that meant his name appeared as Legg-ARM. So, he says, he went on to earn his Chartered Property & Casualty Underwriter (CPCU) designation, because it is listed before ARM. His card now (safely) reads “Steve Legg, CPCU, ARM.”
But I’m jumping into the middle of the story, in this second in our series of Thought Leaders in Action. (The first profiled Loren Nickel, director of risk management at Google.)
To begin at the beginning, I’ll provide a summary of Legg’s background, then follow with the story of how he earned his prestigious position, some detail on Starbucks and how it manages risk and some insights from Legg for other risk managers.
Legg, who is 46 years old, has been at the Starbucks headquarters in Seattle since June 1997. His responsibilities include global corporate property and casualty insurance and risk financing for the company. Legg reports to the treasurer of Starbucks and heads a risk management team of 13 professionals, with two-thirds involved in claims management and the balance working in risk financing and risk transfer, its risk management information system (RMIS), internal reporting and captive management. Starbucks has 22,519 stores in 66 countries, with a targeted growth rate of 1,650 net new stores during this fiscal year. Starbucks, whose name was inspired by Herman Melville’s novel Moby-Dick, has one of the most recognized logos in the world. Its mission statement, developed by chairman and CEO Howard Schultz, is “to inspire and nurture the human spirit one person, one cup and one neighborhood at a time.”
Before joining Starbucks, Legg worked as an independent insurance broker, as well as in a claims capacity for Crawford & Co. Legg served on the board of the Washington state chapter of the Risk & Insurance Management Society (RIMS) for seven years, serving as president of the chapter during the 2005-2006 year. He has been an active participant within National RIMS and has served as a speaker to other insurance industry groups, such as the CPCU Society, the Professional Liability Underwriting Society (PLUS) and the Marine Insurance Association of Seattle. He has a degree in political economy of industrial societies from the University of California at Berkeley.
Legg grew up in Kirkland, WA, on the east side of Lake Washington. Nicknamed “the little city that could,” Kirkland is the former headquarters for the Seattle Seahawks and Costco. Kirkland Signature is still Costco’s store brand.
“I grew up interested in a lot of different things, but I wouldn’t say with any degree of certainty that I knew what I wanted to do for a living,” Legg said. “I was intrigued with going somewhere else to study, so I attended UC Berkeley. I was interested in crisis management, and I just happened to be at Cal when the 6.9 Loma Prieta earthquake and devastating Oakland Hills firestorm hit. From those experiences, I thought I might pursue law school.
“As things turned out, my first job was back in Washington state working as a claims adjuster for the branch manager of Crawford & Co., hired by our mutual friend and industry colleague Katrina Zitnik, who was later director of workers’ comp for Costco, 2001-2013. We handled the huge Boeing workers’ comp self-insured account. There were around 100 employees in that office alone. My specialty was working with chemical-related claims, which was really fascinating, before I moved over to liability claims. By my second year there, I started to really understand what risk management was all about.”
From that experience, Legg went on to achieve his ARM designation. “It may sound corny, but I didn’t like the way it looked on my business card as Legg-ARM, so I went on to pursue my CPCU,” Legg said.
“With that formal insurance education, I went to work for a regional insurance brokerage in Kirkland where I learned a lot about insurance and other facets of risk management.” Legg said: “I came to this realization that I didn’t want to handle claims or broker insurance. I wanted to be on the buyer’s side of all this – tending to insurance and a whole lot of other things.”
In 1997, Legg was hired by his predecessor at Starbucks, which had gone public in 1992. At the time he joined Starbucks, the company had about 1,000 stores in the U.S. and Canada and just a few new locations in Japan. Legg describes his role at that time as more of a buyer of insurance, but his responsibilities quickly deepened and expanded with the global spread of Starbucks. In 2006, when his boss and mentor retired, he assumed the director of risk management position and became active in the management of Starbucks’ Vermont captive.
The evolving company
Legg explained that the organizational structure is based on three key global regions: (1) the Americas; (2) EMEA, which is Europe, the Middle East and Africa; and (3) CAP, which is China and Asia Pacific. “Our biggest push is in the CAP region, especially China, which presents a lot of opportunity,” he said. Although that region has a tea-drinking tradition, Legg pointed out that Starbucks owns the tea company Tazo and more recently bought Teavana and its 300-plus stores, providing a high-end specialty tea product that has become popular at Starbucks locations. He said Starbucks’ specialty coffee and espresso beverages have also become very popular in tea-drinking cultures.
Starbucks has also expanded its offerings in premium pastries (it bought La Boulange), food and merchandise offerings, and it recently began providing beer and wine in selected areas of the country. “Evenings at Starbucks had been under-utilized,” Legg said, “so with the rollout of beer and wine we’re able to serve additional patrons.”
How Starbucks manages risk
Serving 66 countries with various laws and customs, Starbucks has a global quality assurance organization that works with business units immersed in foreign locations. “Risk management and legal principles are practiced with our people that understand and are sensitive to local government, culture, customs and laws,” Legg said. “Starbucks wants to provide appropriate food and beverages, and we have a global safety security organization, as well, that makes sure that we are tending to the different types of risks these different and diverse cultures hold. Safety and security are fundamental components in the initial and on-going training of our partners.”
When asked about the challenge of identifying, evaluating and treating risk in far-flung global operations, Legg noted that there is a common thread regardless of demographics that relates to keeping stores well-managed, clean, secure and hazard-free. He added that a global design team works with individual markets to mitigate any unusual risk factors, which could involve something as simple as adjusting counter and stool height. Store components are designed to provide for each locale’s needs while Starbucks maintains the quality and consistency that its customers expect.
As for dealing with its insurance and reinsurance markets, Legg noted that Starbucks collects a significant amount of data on all of its locations to enable its internal team and underwriters to have the geographic information they need for modeling. North American operations are mostly self-insured via large retentions and deductibles; Legg points out that first-dollar and low-deductible insurance policies are far more common, accessible and prevalent in other parts of the world. Compulsory insurance requirements differ across jurisdictions — in many parts of the world, for instance, workers’ compensation as we know it is not available, and injuries or illnesses among employees (which Starbucks calls “partners”) are addressed in different ways.
“Regardless of the transfer or retention of risk, Starbucks feels that no one could ever care as much about our partners and our brand as we do,” Legg said. He added, “We inspire and nurture our partners and customers… through providing good products, friendly service and by contributing to our communities. It’s an important part of our culture and what makes this brand so strong.”
All eligible full- and part-time Starbucks employees receive comprehensive health coverage and equity in their company, referred to as “bean stock.” In turn, employees typically volunteer more than one million hours each year in helping their local communities. Starbucks has also set up agronomy offices in different countries around the world to help origin farmers to better manage their crops and businesses. “It’s really important all up and down the chain from the front-line stores to the source of the company’s most precious commodity to have a seamless connection,” Legg said.
I asked Legg what coaching suggestions he has for people entering the field of risk management.
He said, “I think to be successful in risk management that it helps to have a good understanding of a number of different disciplines like accounting, finance, law, etc. Most importantly, you need to have the ability to think critically through things to make good decisions and to then have the ability to communicate well and to influence others. Knowledge without good communication skills won’t equip you for this career.
“I find myself guiding and teaching other people in the organization every day, helping them develop their own risk assessment philosophy in what they do day in and day out. We in risk management can’t be there all the time, so our job is to train others throughout the organization to make good, sound risk management decisions.
“Be open-minded and flexible. Risk management staff needs to identify and admit their mistakes, correct things and be able to change course as needed.”
Legg added with a laugh, “You think you know in detail how things are, then you find out you really don’t know how things are.”
A large retailer gets hacked, and customer data is taken, which costs millions in expense and lost revenues. A product recall is perceived to be badly handled, which tarnishes a manufacturer’s reputation and seriously erodes revenue, as well as margins. An acquisition fails to produce the expected profit lift and hurts a technology company’s share price. These organizations have implemented ERM, and, clearly, ERM has failed. Or has it?
Let’s look at three criticisms of ERM:
ERM Cannot Identify and Protect Against All Significant Uncertainties
This criticism is fair in the most literal sense only. Even a very robust and well-administered ERM process cannot find every major risk that an organization is subject to, nor can it protect against all risks, whether identified or not. However, without ERM, the ability to identify a majority of significant uncertainties facing an organization is greatly diminished. Not only that, without an ERM approach to risk, the mitigation of known risks is more likely to be addressed silo by silo even when an enterprise-wide solution is necessary.
In addition, with ERM, organizations are generally better prepared to rebound from unexpected, unidentified risks that do hit them. For example, ERM organizations typically have very robust business continuity and business recovery plans, have done tabletop exercises or drills that simulate a crisis and have maintained a lessons-learned and special expertise file that can be called upon, as needed.
According to a post by Carrier Management, citing RIMS, “A whopping 77% of risk management professionals credit enterprise risk management with helping them spot cyber risks at their companies.”
These survey results do not suggest that chief risk officers or risk managers, who are responsible for the ERM process, are cyber experts or that all cyber risks can be specifically ascertained. Rather, the survey suggests that ERM better positions a company to discover cyber risks, just as it does with other categories of risk.
If ERM can reduce business uncertainties and surprises by identifying risks and managing them better than other forms of risk management, despite not being able to do so 100% of the time, it has not failed. In fact, it has most probably added great value. Consider a CEO who can avoid even one unnecessary sinking feeling when realizing that a risk that should have been spotted and dealt with has hit the company. How much is it worth to that CEO to prevent that feeling?
ERM Focuses on the Negative Rather Than the Positive
This criticism is not fair in any sense. It requires an upside-down view of ERM. Think about it. In almost any definition of ERM, there is some sort of statement as to the purpose or mission of ERM. The purpose is to better ensure that the organization achieves its strategy and objectives. What could be more positive?
By dealing with risks that challenge the ability of the organization to meet its targets, ERM is fulfilling an affirmative and important task. That most risks pose a threat is not disputed. But by removing, avoiding, transferring or lessening threats, organizations have a better chance of succeeding.
This is not the only positive result that can emanate from ERM’s handling of risk. Often, a thorough examination of a risk will result in opportunities being uncovered. The opportunity could take the form of innovating a product or entering a new market or creating a more efficient workflow.
Consider a manufacturer that builds a more ergonomic chair because it has identified a heightened risk of lawsuits arising from new medical diagnoses of injuries caused by a certain seat design. Or, consider an amusement park that is plagued by its patrons throwing ticket stubs and paper maps on the ground, thereby creating a hazard when wet or covering dangerous holes or obstacles. Imagine that the company decides to reduce the risk by increasing debris pick-up and offering rewards to patrons for turning in paper at central depositories, then turns the paper into “clean” confetti sold to a party goods manufacturer.
These are hypothetical examples, but real-life examples do exist, and some are quite similar to these. Many risk managers, unfortunately, are hesitant to share their success stories in turning risk into reward. For that matter, many are reluctant to share successes of any kind. One could speculate why this is so. It may be as simple as not wanting to tempt the gods of chance.
ERM Is Too Expensive
Those who criticize ERM for being too expensive to implement may lack information or perspective. Consider the following questions:
Has ERM been in place long enough to produce results?
Has the organization started to measure the value of ERM (there are ways to measure it)?
Can an organization place a dollar value on avoiding a strategic risk or a loss that does not happen; does it need to?
Has the number of surprises diminished?
Are there successes along with failures?
How much is it worth to enhance the company’s reputation because it is seen as a responsible, less volatile company because of ERM?
How efficiently has the ERM process been implemented?
Is too much time being spent on selling the concept rather than implementing the concept?
Has the process and reporting of ERM results been kept clear and simple?
To answer the criticism of a too expensive process, the following are things that a company can do to make sure the process is cost-effective:
Embed the process, as far as feasible, into existing business processes, e.g. review strategic risk during strategic planning, hold ERM committee meetings as part of or right after other routine management meetings, monitor ERM progress during normal performance management reviews, etc.
Assign liaisons to ERM in the various business units and functional departments who have other roles that complement risk management.
Do not try to boil the ocean; keep the ERM process focused on the most significant risks the company faces.
Measure the value that ERM brings, such as reduction in suits or lower total cost of risk or whatever measures are decided upon by management.
In the author’s experience with ERM in various organizations, the function tends to be kept very lean (without diminishing its efficacy). If the above suggestions are adopted, along with other economical measures, the costs of the process can be kept in balance with, or well below, the value it delivers.
It is possible for an ERM process to be poorly executed, and thus deserve criticism. It is also possible for an ERM process to be well-executed and deserve nothing more than continuous improvement.
The caution is that no one should expect perfection or suppose that one unanticipated risk that creates a loss denotes a total failure of this enterprise-wide process. Organizations are sometimes faced with situations that are beyond a reasonable expectation of being known or managed.
It would be fair to lodge criticism of ERM under certain circumstances; for example, if an organization’s ERM process did not reveal a risk that all its competitors recognized as a risk and addressed. But even in that case, perhaps there were reasons to think the risk would not penetrate protections the organization already had in place. Suffice it to say, every process and situation must be evaluated on its own merits and within the proper context.