Tag Archives: risk manager

How Risk Management Differs From Insurance

The new cool lingo and title for producers is “risk manager.” When I interview these “risk managers,” most cannot tell me what risk management actually is — but the title helps increase sales.

Somewhere along the line I’ve realized that many people in the industry do not really understand what insurance does! “It protects in case of an accident” is the most common answer. But what does it “protect” in case of an accident?

Insurance is a subset of risk management. Risk management can be done quite well without any insurance, but insurance can’t really be done well, correctly, without some level of risk management. Insurance is usually sold without any risk management efforts due to many factors, including lack of knowledge among consumers, the difficulty of explaining insurance coverages, laziness on the part of insurance distributors and consumers, incompetency and the fact that selling a complex product like insurance is difficult unless the seller makes it seem excessively simple — hence cartoon animals and bumbling morons selling insurance, and selling it successfully!

Since time began, risk management has always existed, whether definitively or intuitively, in human endeavors. Modern insurance was created when risk managers for banks decided that a financial risk management tool was required to protect the loans they made to ship owners/builders. The banks needed a way to shift the risk of loans not being repaid in the event the ship sank or was pirated. The banks decided they could not cause enough cannons to be added (cannons were the original risk management tool against pirates), nor could the ships of the day be adequately engineered to overcome Mother Nature. So, some people in London created insurance.

Today, most property insurance serves the same function. People buy homeowners insurance policies to satisfy their mortgage company’s requirement. This is why so many people naively quit buying homeowners insurance when they’ve paid off their mortgage, because some insurance agent failed to explain the importance of liability insurance.

Risk management is designed to minimize risk, particularly probable risks. If you look at a normal curve of risk frequency, the large area in between the two ends is where straight, non-insurance risk management solutions shine. For example, in certain environments, the probability of someone slipping and falling is high. Insurance is not the best solution. Fixing the flooring is the best solution.

Insurance is the best solution for known risks that are highly unlikely to occur. Insurance is not designed to be a maintenance policy. Maintenance is known and expected. Insurance is designed for the unexpected and unlikely. Insurance companies would quickly go out of business if insurance covered the expected and likely because their claims would exceed their revenues or the price would be so high no one would buy the policies.

This reality of insurance leads to huge frustration among consumers because they don’t get to “use” their insurance. Who wants to buy something expensive to protect their property from an event that is highly unlikely and unexpected to occur? (Life insurance and health insurance are true exceptions to the unlikely and unexpected rule because death is highly likely. Life insurance is a death timing insurance for your death occurring at an unlikely, and therefore unexpected, time. Health insurance has morphed into an almost unrecognizable distant cousin of true insurance.)

Most agents do not adequately explain that buyers “use” their insurance daily. Insurance enables them to use their house immediately rather than waiting until they can purchase the house in cash. People get to drive, they get to bid on construction jobs, they get to protect their families. It’s hard to explain these benefits in jingles.

If a person is only selling P&C insurance, then, using a normal curve as an example, they are only addressing around 5% of a company’s risk. The other 95% encompasses more straight risk management solutions outside of insurance. If you call yourself a risk manager when you are really only selling insurance, are you representing yourself truthfully only 5% of the time?

This article was originally published at burand-associates.com.

Space, Aviation Risks and Higher Education

What do you do when a group of precocious students decide to build a satellite and launch it into space? Or, when they decide to build an unmanned aviation vehicle (UAV)—more commonly known as a drone—and fly it over a busy urban market? Or, when they design and launch a few rockets October Sky-style from a training field on campus before heading to a NASA competition for a chance at $50,000 in prize money?

As a risk manager, considering the answer to these questions may cause a heart palpitation or two as you think about the potential effects of these educational opportunities on the educational institution. Not only does the institution face increased liability and property damage risks, but there is also the potential for increased risk to reputation and even regulatory compliance considerations.

Insurance was likely the last thing the students at St. Thomas More Catholic School in Arlington, VA, were thinking about when they began construction on a shoebox-sized satellite called Cubesat. According to a Washington Post article, the purpose of Cubesat, which was released from the International Space Station on Feb. 15, 2016, is to beam photos from 200 miles above the Earth back to computers in their school library. You can view pictures from the satellite here.

Insurance was also, probably, the last thing students from the University of Wisconsin-Whitewater were thinking about in October 2015 when they launched their drone to capture aerial images of the new Whitewater City Market. According to the University of Wisconsin News, the purpose of the project was to respond to the market organizer’s request to geographically depict the organic growth of the Whitewater City Market. A video of the aerial images has been posted to YouTube and can be viewed here.

To the 54 college teams selected by NASA for the 2015-2016 NASA Launch Challenge, insurance was likely pretty low on the list of considerations as the teams worked to design, construct, test, launch and successfully recover a high-powered reusable rocket and its payloads. The purpose of the challenge is to encourage participation in STEM fields and to examine innovative solutions to potential issues that may arise during space travel. There is also $50,000 in prize money for the top three teams that complete the challenge. For 2015-16, the competing rockets will be launched on April 16, 2016.

So, what are the risks associated with these types of activities, and how can insurance assist the college in transferring some of these risks?

According to a white paper recently published by Allianz, a large commercial insurer, these types of aviation/space risks can be bifurcated into two areas: (1) ground or pre-launch risks and (2) in-orbit or post launch risks.

Ground risks include:

  • Hazard or catastrophic risk to facilities because of fire. This type of risk can be significantly increased if someone is using flammable chemicals, such as nitrogen or any of the components present in rocket fuel. Keeping these materials on campus can create additional risk for the institution, which may not be contemplated in current insurance programs.
  • Transportation risk increases the risk of property and liability losses. Moving rocket components, including flammable materials, increases the potential for losses to (1) the components themselves and (2) a third party that may be injured as a result of an incident on the road.
  • Liability loss because of launch failure may result in damage to property near the launch site or even injury to a third party, faculty member or student. Failure to take adequate safety precautions during design/construction—working with chemicals, power tools and other materials—may result in increased potential for injury to students and faculty participating in the project.

Post-launch risks:

  • Loss of the object because of malfunction, damage or equipment failure, items that represent a significant investment of time, resources, and materials. Such a loss may result in the inability to participate in a competition, a loss of grant money or additional time spent rebuilding or reworking the project.
  • Liability loss due to in-air collision, falling objects or interference with another aerial object (such as a satellite signal or an airplane’s operating equipment)—these types of incidents may result in significant bodily injury or damage to third-party property.

Typical insurance policies maintained by most institutions may not provide adequate coverage for space/aviation risks:

Property policy—Provides coverage for loss or damage to property, equipment and materials of the university. Coverage is generally broad but may exclude: (1) hazardous materials, (2) property in transit or off premise, (3) property not owned by the university and (4) pollution because of the release of a hazardous substance or chemical.

General liability policy—Provides coverage for the injury or property damage of a third party because of the negligence of the institution or those operating on behalf of the institution. Coverage responds to a wide range of standard risks, but there may be exclusions for: (1) aviation risks, (2) loss caused by the acts of a third party, such as a student or contractor, (3) third-party liability related to a discharge of pollutants/chemicals, (4) loss of institutional reputation or cost of a crisis management team, (5) coverage for regulatory fines and penalties for failure to obtain proper permits, etc. and (6) the liability to a third party because of the failure of a vessel to perform as expected or because of a design flaw.

Automobile liability policy—Provides coverage for liability and property damage associated with the operation of a motor vehicle. Coverage responds to a wide range of standard risks, but there may be exclusions for: (1) pollution because of the discharge of a chemical substance transported on or in the vehicle, (2) liability for use of third-party transportation, such as a rental vehicle or bus charter or the use of a personal vehicle by a faculty member or student and (3) property damage to institutional property being transported on or in the vehicle.

There are additional types of coverage that may be needed, including:

Pollution coverage—Including premises pollution (to provide coverage for the institution’s own facilities) and pollution liability coverage (to provide coverage for third-party exposure to pollutants).

Aviation/space coverage—Specialized policies can provide coverage for losses to an aerial vessel or its equipment and, also, for the most common types of liability loss (collision, crash or interference). Note: Special endorsements may be required for drones.

Inland marine rider/policy—Provides coverage for scheduled equipment and property that may not otherwise be covered by the institution’s standard property coverage. This can include coverage for property that is being transported in a vehicle.

Crisis management coverage—Provides coverage for loss or damage to the institution’s reputation; this may include coverage for the costs to engage a crisis mitigation team and public relations experts or the cost to take other steps to preserve and restore the reputation of the institution.

Professional liability—Provides coverage to professionals because of the failure of the design/construction or for the failure of the device to perform as intended. This coverage may include coverage for damages not related to injury or to property damage—including the financial loss and the costs for rework and redesign.

Not all insurance policies are created equal—individual coverage and policies may respond differently. Please consult with an expert if you have questions about coverage for these types of institutional activities.

P2P Start-Ups From Around the World

Before the advent of underwriting in London’s coffee houses in the 1600s, civilizations used various mechanisms to provide financial protection within their communities. For example, in the Middle Ages, tradesmen learned their skills through apprenticeships in the guild system. These guilds collected fees, and the wealthier guilds used these fees as a kind of insurance safety net.

If a member of the guild was robbed, if his house burned down or if he died, the guild used money from the safety net to rebuild the house, support the family or settle any financial obligations.

The world of insurance has changed a lot since those times, but the fundamental definition of insurance as “the mutuality in the sharing of losses” hasn’t.

Which brings us to the emergence of the new generation of peer-to-peer (P2P) insurance firms. These InsurTech start-ups want to address the conflict between the insured and insurer, because the insurer is betting that the insured won’t make a claim, while the insured is betting he will. The P2P InsurTechs also want to address human behavior and moral hazard.

P2P insurance protagonists around the world

Friendsurance – Germany

The pioneer of P2P insurance in 2010, Friendsurance pools its users into small groups and gives its customers a cash-back bonus at the end of each year if they remain claim-less. Friendsurance operates as an independent broker in Germany. See here for an interview with CEO and founder Tim Kunde.

Lemonade – U.S.

Lemonade claims to be the “world’s first P2P insurance carrier,” but little is known about it other than that it is coming soon. The company hit the press when it was reported it had raised a massive $13 million in seed funding (a strong indication where the puck is heading).

Inspeer – France

Here, customers form friend-and-family groups to share the deductible (aka excess) element of a claim. This enables high deductibles, thereby reducing premiums from the insurance carrier. The group shares the benefit of lower premiums and provides each other with financial cover for the higher deductible if there is a claim.

PeerCover – New Zealand

This is a friend-and-family savings scheme to provide financial cover for deductibles in the event of a claim. Like Inspeer, the higher deductibles result in lower premiums for everyone in the group. However, unlike Inspeer, in the event of a claim, members get as much as three times their initial contribution back to cover their excess.

Guevara – UK, TongJuBao – China

For Guevara and TongJuBao, I spoke with the founders to find out more about how P2P insurance works and why it is different from traditional insurance. The two companies have two very contrasting stories.

I’ll start in China—or Shanghai and Hong Kong, to be precise. Recently, I skyped with Tang Loaec, founder of the Community Risk Sharing platform, TongJuBao (aka P2Pprotect).

Tang is on his third financial business launch after a career in banking and risk management. In his spare time, he writes fiction books!

Like most involved with InsurTech start-ups, Tang wants to disrupt insurance.

Tang explained, “We all want protection, but nobody loves insurance. And our insurance providers have not done a good job. In China, customer satisfaction is low at around 19%. Something needs to be done.

“People think the process is unfair. Consumers pay premiums regularly and on time, but, when it comes to the claim, insurers often delay and deny the amount to be paid out. This just leads to a breakdown of trust.”

Often, an InsurTech startup builds a business model that relies on a traditional underlying insurance business model. Tang aims to build a P2P insurance model that is more than a social group sharing each other’s exposure to deductibles. TongJuBao, like Guevara and the recently announced Lemonade, plans to go further and completely redefine the end-to-end insurance model.

This is not just a distribution play built on some social novelty factor. This is the start of a new wave of insurance business!

With TongJuBao, there is no underlying insurance carrier. Its model separates the underwriting process from the claims process, thereby removing any conflict of interest. First, TongJuBao creates social communities or groups that customers join. The company then creates a deposit account for every member.

All members pay two sums of money into their deposit accounts. One is the fee for administration. The other is, effectively, a guarantee deposit to cover the risk being insured. All members pay the same amount into the deposit account to buy units of protection — in other words, if one unit provides £10,000 of cover, and I want £50,000 of cover, I buy five units.

Tang explained that his first-year focus is on launching a range of social risk products into the Chinese market:

– Marriage cover is typically not insurable because divorce is a human-based, not event-based, decision. TongJuBao’s product will launch with a flat-rate premium and a short-term, no-claims period (to guard against early payout on someone buying, marrying, divorcing and claiming in a very short period). Effectively, this is selling an insurance product as an alternative to a pre-nup.

There is a similar product in the U.S. market from Safeguard Guaranty, which claims to offer the “world’s first divorce probability calculator.”

– In China, child abduction is a massive social problem (see this report from the Guardian). Nobody knows the true scale of the issue, but it has been a problem since the 1980s and is possibly an unintended consequence of the “one child” policy.

TongJuBao’s policy will provide immediate support to the family through an agency that will offer emotional support as well as initiate search-and-rescue activity in the critical early hours after abduction.

How does TongJuBao work?

Tang explained, “The members of each community pay premiums into a large pot, and then members draw on the pot when they claim. Essentially, everyone in the community signs a contract with everyone else. The members all share the risk and reward.”

This is a mutualization model, but there is a capital limitation with this model, so all payouts are restricted to a capped amount. In many ways, you could look at the TongJuBao model as a marketplace more than as an insurance carrier. However, unlike the Uvamo model, members are not speculative investors looking to get a return on an investment.

As for regulation, TongJuBao operates under a civil law contract and not as a regulated insurance business. This is the model that has been working for P2P lending over the past eight years, and Tang expects it to work just as well for P2P insurance.

Can this business model scale?

Tang believes he can get the same rates of growth in protection as the ones China has seen in lending. He told me, “The model will scale. Just look at P2P lending in China, which has scaled to over 2,000 platforms and [where] total volume of lending is four times more than [the] rest of the world put together! And how did this happen? Because, in China, banks were not meeting customer needs. It’s the same story for insurance; they are not serving customer needs.”

In many ways, TongJuBao’s business model takes us back to the roots of insurance. Way back in 1696, Hand in Hand Fire & Life Insurance, the predecessor to Aviva, the UK’s largest insurer, was created to provide everyone in the community with protection in the event of a fire. Members paid a subscription, and Hand in Hand owned its own fire brigade. Everyone in the community enjoyed the collective support of all the other members in the event of a fire.

Moral hazard

A common theme when talking to InsurTech firms is “the moral hazard.” The long form definition of moral hazard can be found here, on Wikipedia. In the modern context, the term is used to define the actions and choices of the protected party when it doesn’t carry the financial consequences of those actions. If an insured party knows it is protected financially should it crash a car or drop an iPhone in the street, does it act with the same level of precaution as it would without any financial cover? And why should it? That’s what the insured party has bought insurance cover for, isn’t it?

(Source: http://www.lifetonic.co.uk/articles/moral-hazard)

Leaving personal responsibility and the moral dimension of this debate to one side, the fact is that a riskier attitude ultimately leads to higher premiums for everyone.

This is why P2P insurance offers the potential for lower-cost insurance. By having you join groups or communities you have an affinity with—whether family, friends or people with common interests—the business model relies on a socially responsible attitude to risk-taking, as well as a financial one.

If the insured knows the deductible is going to be funded by family members, is she less likely to make an exaggerated claim, especially when she is also taking the deductible from her own pocket?

Hanging out with Guevara 

One sign of success appears when your name is regularly dropped as a pioneer in your field, which was the case when Guevara and Friendsurance were prominently named when the story about Lemonade hit the press.

So, it was my absolute pleasure to spend time with three of the four founders of Guevara at their London headquarters—Paul Anderson, Rich Philip and Mike Greer. (The fourth founder is Kim Miller.)

Anyone who spends time in the investor community, especially during early-stage investing, will tell you it’s all about the team. And there’s no better example than the team at Guevara, with a wide range of backgrounds, skill sets and experiences.

Everything about Guevara is incredibly professional, from the cool branding and young Turks’ positioning to the grey-haired underwriting and pricing experience in the back office.

Formed in 2013, Guevara started offering motor insurance in late 2014. As the founders explained the origins of this digital insurance business, they relayed their personal experiences in buying insurance, from paying high premiums to having no idea with whom they were insured.

The best story came from Anderson, who is from Australia. When he first came to the UK, he bought car insurance based on having an Australian driver’s license. It cost him £1,000.

Close to renewal time, his insurance provider reminded him that his Australian driver’s license was only valid for a year and that he needed to switch to a UK one. However, there was an unintended consequence of swapping. He was recategorized as a new/inexperienced driver of less than a year! His premium shot up to £4,000. Same driver, same car, same location.

Sadly, this is an all-too-real illustration of how motor insurance works today and why there is real market opportunity for a new approach.

‘Old insurance is rubbish’

Guevara offers a standard motor insurance policy that is underwritten using traditional rating factors (ABI rating, driver history, location). The premiums are competitive, although drivers are unlikely to find Guevara on the aggregator sites.

This is because Guevara is different. Here’s why.

New customers are offered a choice of groups to join. Their base price (which is what Guevara calls the premium) is split in two, with one portion going into the individual group (called the protection pool) and the rest going into a single pot that supports all of the groups (called the insurance fees).

The amount of the split is anything up to 50% and depends on the number of members in the group. For groups of fewer than 10, the pool contribution is 20%, with 80% going into insurance fees. But when groups get to be larger than 100 members, the base price is split 50-50 between the two pots.

Claims are first paid from the money collected in the protection pool associated with each group until it runs out (or doesn’t, in which case there is a surplus). In the event that the protection pool runs out, claims are covered out of the collective pot (insurance fees). And in the event that the collective pot runs out—i.e. the combined ratio exceeds 100%—Guevara is reinsured by a traditional carrier.

The key here is that any surplus is redistributed back to the members. At renewal time, all money in the protection pool stays where it is, and the renewal premium is discounted accordingly.

The model works so that members can achieve 100% discount on their protection pot contribution and only pay the insurance fees element if everyone in their group does not make a claim. For larger groups, this is 50% of the originally quoted motor premium.

To affinity and beyond!

What makes Guevara work is affinity. Having an association with the group is really important, because this model relies on keeping claims expenses down. Even if there has been an accident and a claim needs to be made, the member has direct incentives to minimize the claims expense.

For example, following an incident, how frequently does the insured go and arrange a hire car instead of letting the insurer do it at a much lower expense? If the Guevara customer knows that a claim will directly affect friends or family or will hurt its affinity group, the customer is more likely to only claim what is necessary.

What you see is what you get

Guevara also wants to tackle customers’ continued complaint that there is no transparency with motor premiums: How are they calculated? Why do they vary so much from one insurer to another? Why do they go up from one year to the next?

Guevara not only lets customers make their own choices about the group they join but always lets them see who is in the group, how much money is in the protection pot, who is making a claim and, most importantly, how much is left in the pot at renewal time.

Philip, one of Guevara’s founders, said the company’s aim is to “encourage customers to engage and understand our insurance product. … Insurance is such a large proportion of household discretionary spending. By giving our customers accountability within their groups and making that transparent for everyone, we can reduce the cost of motor insurance for everyone.”

What next for Guevara?

For now, the team is totally focused on the UK motor market, but I can sense they won’t stop there. And this is more than a distribution play. Guevara is building a full-stack insurance model, and building an insurance business is no small feat. It takes time and a lot of capital to do that. Plus, there is the whole subject of regulation, which has to be embraced and fully adopted into the business model.

Guevara’s product is ultra-sticky because the upsides come at renewal time, just when buying decisions are being made. For Guevara to succeed, it has to show, over time, that it can deliver a better trust engagement, a change in driving behavior and, ultimately, lower, fairer premiums for group members (which is the goal for all the P2P InsurTechs I’ve listed).

Insurance evolution

Jeff Bezos is credited with saying, “What is dangerous is not to evolve.” The traditional insurance model is not in good health, and this is creating the dynamic for change. The emergence of P2P insurance is evolution in action, even if it is taking us back to the roots of the industry!

5 Questions to Ask About Cyber

Cyber security placed first in a list of emerging casualty risks among insurance buyers, according to a survey of 135 insurance professionals conducted by London-based specialty lines broker RKH Specialty. 70% of respondents put cyber risk in the top spot. According to a Best’s News Service article about the survey, healthcare and retailers have been the major buyers. Logic will tell you that the reason for the growing demand for specialized cyber coverage is the simple fact that losses stemming from cyber-related attacks and business interruption can be catastrophic.

Of course, not all policies are created equal, so here are some things to consider when purchasing cyber security coverage to help ensure that policyholders are adequately protected from the losses after a cyber attack.

#1 If your business has a cyber attack, will your operations cease or be interrupted? If so, you need to make sure the cyber coverage you procure has “business interruption coverage.”

#2 Does your cloud contract stipulate that your third-party cloud vendor must meet all the federal regulatory requirements in encrypting personally identifiable information (PII) and healthcare records? If not, you need to verify how the third-party vendor is protecting your employees’ and patients’ information from cyber attacks and whether its cyber coverage will protect you.

#3 Do all mobile devices – such as smartphones and tablets – have proper encryption software to protect personally identifiable information and healthcare records? HIPAA security regulations require healthcare providers to use encryption as a means of protection for their patients’ electronic PHI. If they don’t do so, healthcare providers can be heavily penalized by federal regulators. Most cyber policies have a stipulation that, to be covered, all insureds must adhere to the most recent encryption requirements for electronic protected health information (ePHI).

#4 Does your legal counsel have experience responding to cyber attacks? Businesses often have their own attorneys and use them frequently for everyday operations. However, the likelihood is that the in-house counsel does not specialize in the legalities of cyber attacks. Having an attorney who specializes in data breaches can make the process run more smoothly and ensure that important details are not missed or mishandled – such as notifying regulatory agencies, properly setting up notification of employees and patients as well as advising PR staff on all media inquiries and other external communications.

#5 Does your business have an expert consultant it can call on to make recommendations on cyber coverage or risk management strategies to reduce the risk of attacks – or to help manage the crisis after an attack? Enlisting the help of a cyber-liability expert and mapping out a plan can help mitigate the potentially catastrophic losses related to a data breach event.

How to Remove Fear in Risk Management

Someone is looking over your shoulder, and you know who it is. If you’re the CEO, it’s your board and shareholders. On the factory floor or in the cubicles, it’s the foreman or the supervisor. But just as often these days, the sources of anxiety and caution confronting risk managers may not be corporate employees at all. Rapidly shifting technology that is often difficult to understand and measure, unfamiliar demographics, expanding globalization, and ever more stringent regulatory compliance requirements are now part of an anxiety-producing stew that organizations’ risk managers must understand and deal with. All these forces threaten a corporation’s revenue, margins, profitability, and overall competitiveness more quickly and unpredictably than ever.

Consequently, if you are an internal auditor – the person responsible for assessing and helping improve the risk management process – your chair these days may feel more like a hot seat. Which of the decisions daily barraging a modern corporation should be the higher priorities? And how, in a business world of frequent disruption, will you, your superiors, and those who report to you weigh and mitigate the waves of serious risks facing the company nonstop? What are the most important metrics to use for any given risk issue? Can the company rely solely on its in-house staff to analyze and resolve unforeseen and often unforeseeable problems?

Just as important, how will the enterprise as a whole handle these issues and make necessary decisions? How does company culture get in the way of using risk management effectively, to reach the decisions that will help the company grow and become more competitive, and how can sustainable risk management (SRM) assist?

Company managers often are not encouraged to exercise independent judgment, even when they are the acknowledged experts. Without transparency and effective multilevel communications in their company, managers are likely to be wary of crossing unseen boundaries, suspect that hidden agendas are controlling important decisions, or feel isolated and unsure of the enterprise objectives that should help guide their decisions. Moreover, anxiety about making important decisions is common in organizations that don’t give their decision-makers the tools and data required to make intelligent risk analyses. Without confidence that they understand the risks associated with a decision, and in a culture where the consequences of a bad outcome are punitive, managers understandably are likely to be cautious.

Behind employees’ hesitation to make and express independent judgments or to make decisions can be a corporate culture of mistrust, caution, and covering one’s backside. In other words, a culture of fear – fear of losing face, losing a contract, losing revenue, losing political advantage, losing a job.

A culture of isolation and timidity defeats collaboration, creativity, transparency, and the ability of a corporation to objectively analyze the broad range of risks it faces each day. It can render the internal audit function far less effective and useful than it should be and can be. In this environment, the internal audit function may mistakenly be seen solely as a means of uncovering errors, assigning blame, and enforcing penalties. Managers may be understandably reluctant to provide anything other than the most general and diluted information about their operations and decisions.

One need not wade through the scientific research about the impact fear has on decision-making to understand how destructive it can be. The brain has separate centers for processing fearful and rewarding experiences. As Dr. Gregory Berns, director of the Center for Neuropolicy at Emory University, has explained, “The most concrete thing neuroscience tells us is that when the fear system of the brain is active, exploratory activity and risk-taking are turned off.” Good decisions in this state are unlikely. “Fear prompts retreat. It is the antipode to progress,” said Berns. “Just when we need new ideas most, everyone is seized up in fear, trying to prevent losing what we have left.”

In this way, fear can nullify or dilute a company’s risk management processes. An effective SRM program, however, encourages and supports an environment that minimizes fear, reduces uncertainty, and increases transparency and confidence in decision-making throughout the enterprise.

Barriers to Solutions

It may seem that established tenets of good corporate governance already include rooting out the fear, indifference, lack of collaboration, and siloed decision-making that stand in the way of optimizing risk management. After all, most companies talk an excellent game when it comes to collaboration and open and honest risk analysis. Too few, however, have developed the internal mettle to tolerate it.

Starting with assessing corporate culture and change management practices, internal auditors can play an important role in transforming the boilerplate talk into sustainable programs. They can provide unbiased, to-the-point assessments, independent of internal politics. The problems they find and the solutions they recommend can be critical for a company seeking to develop the capacity for SRM. But whether from too much caution and resignation or just fear of change, many internal auditors say the structure of their jobs discourages them from alerting their companies to critical gaps in risk assessment and mitigation.

A recent global study by The Institute of Internal Auditors (IIA) Research Foundation spotlights some of the problem areas. Not even two-thirds of the surveyed chief audit executives (CAEs) said they consult with division or business heads when they develop audit plans. Only slightly more than half said they consult with audit committees. There may be many reasons for this audit-in-isolation phenomenon, but it commonly occurs in companies that do not value the risk management process and therefore do not prioritize it. The phenomenon occurs in companies where key players are not encouraged to speak up.

Just one-third of audit plans are updated three or more times a year, the study found. This means that CAEs may be overlooking important changes in the business environment. No wonder only 57 percent said that their internal audit departments were “fully aligned or almost fully aligned” with the enterprise strategic plan. This kind of exclusion signals that leadership does not embrace the people responsible for monitoring management of the company’s risk and that the audit function is not seen as a critical part of the management process.

Our experience with clients reflects these findings and shows that risk management professionals themselves may be at least partially responsible for the isolation and erosion of their programs. They could assume, for instance, that the value and relevance of SRM are obvious and not consistently sell a program that’s underway, neglecting to point out its continuing value, highlight its successes, and develop metrics that are easily understandable.

The program itself may not be as inclusive as it should be. Sometimes risk management processes are not designed to seek out and incorporate the views of front-line employees. Any effective SRM process, however, must reach into the depths of company operations. At the same time, employees at all levels often are not trained well in how to assess and evaluate risk. Employees may be able to calculate some risk in dollar terms without appreciating that they also should be looking at, for example, threats to customer satisfaction, employee safety, and regulatory and contract compliance.

Too often, as well, an unappreciated or ineffective risk management program does not account for the unique characteristics and business objectives of the corporation. Organizations sometimes employ a cookie-cutter approach to developing a risk management framework that’s not calibrated to address essential and distinctive company attributes.

Sometimes risk reporting to the board and top executive levels may be so extensive and detailed that no one reads the reports. Or risk reporting may be so superficial that its assessments and proposed solutions carry little weight. When risk management is not seen as a source of continuous improvement for the organization, risk management funding may be erratic or inadequate, its staffing just an afterthought, and its placement in the corporate hierarchy too isolated to be effective.

Working Toward a More Viable Program

An SRM program protects and advances the organization’s primary business objectives. To do their job effectively, risk management leaders must be included as members of the executive management team. Their inclusion helps to ensure that consideration of risks is incorporated into every significant strategic decision.

It is also possible that a company and its leadership simply are not prepared for the important cultural shift required to champion SRM. All too typically, executives are experts at shifting blame, pointing fingers, and covering their reputations when something goes wrong or hard decisions must be made.

SRM requires a no-blame environment, a collaborative process in which personnel work together to assess and solve problems without fear that their careers will suffer or they will lose the confidence of their peers. A frank and constructive assessment of an operational failure, for instance, is possible only when, instead of trying to find fault, the evaluation concentrates on solutions to keep the failure from happening again. This collaborative approach is not common enough in modern corporations.

Why SRM Is Worth It

The benefits of developing an open, fearless, and transparent SRM program ripple through every level of the enterprise. The program helps ensure that the company can perform with confidence and agility in the face of unpredictable events and shifting economic conditions. It supports the development of accurate, timely, and relevant metrics that reduce uncertainty in decision-making. It provides an effective process for dealing with emerging technologies, surprising moves by competitors, market uncertainties, natural disasters, and even internal scandals. When the program is working, the board, C-suite executives, and managers at all levels understand the kinds of risks the company must deal with and then use that awareness when making their decisions.

An active and embedded SRM program, visibly supported by leaders, regularly refreshes the managers’ awareness and stimulates their insights concerning the shifting market and business conditions that pose the greatest risks to the company’s operations. Employees work collaboratively with their supervisors and are asked to help solve missteps rather than being blamed or punished for them.

SRM offers continuing opportunities to save costs and improve productivity. It can reduce operational and material losses and waste and spotlight process improvements. SRM more closely aligns people, assets, processes, and technology with the organization’s business strategies. It also reassures the board and other stakeholders that compliance issues are being addressed and that company assets and reputation are being protected. The results – which we see time and again – include increased growth, improved profitability, and higher staff morale.