Raising the bar

The decade ahead should see less talk about enterprise risk management and more action, reports Graham Buck

If the so-called Noughties were marked by an acceleration of interest in the benefits to business of enterprise risk management, so the oddly named Teens are likely to witness more companies actually embedding an ERM framework across the organisation. As Tom Teixiera, vice president of enterprise risk solutions at ERM software and services group Strategic Thought, confirms, it's clear that the financial crisis has changed attitudes towards managing risk.

He reports that companies, particularly in the financial sector, are once more adopting a 'back to basics' approach to risk and looking to get the essentials right. This means having a mechanism that covers all of their business units, detects emerging risks and links them to the appropriate control mechanism.

"So ERM management schemes need to establish the context of risk, identify the coding data and look at business relationships," he suggests. "The industry sectors already good at this are those that are highly regulated - particularly energy and utility companies whose business plans and regulatory requirements are quite similar to one another's and which have implemented these detection systems."

Add to these the tech companies, which are generally prudent thanks to their bruising experiences during the dotcom bubble and have become adept at managing what are often complex supply chains, suggests Grant Foster, an associate director of Aon Global Risk. He also cites supermarkets as a sector skilled in supply management, due largely to their vulnerability should a major supplier go bust. But other sectors now need to move up the learning curve and implement ERM across the business, says Teixiera. They include aerospace and defence which, he suggests, is generally good at bottom-up risk assessment and technical risk but less skilled at integrating a top-down approach at both strategic and management level.

So how can companies identify areas in which their programmes are lacking? "When firms come to examine the gaps in the ERM framework they will see common mistakes, such as the absence of a common database, a lack of reporting and executives who do not subject the risk information to a proper review," suggests Ed Moorby, managing consultant at PA Consulting.

"These mistakes are unlikely to have changed very much since the previous review."

He describes reporting as too often the "Achilles heel" of an ERM framework, whereas it needs to be dynamic and free of any set format to deliver the flexibility needed. Teixiera stresses that the tone on ERM needs to be set by top management in order to have an integrated approach. A useful mechanism for this is the use of maturity models, of which many are available online. These measure the level of risk management maturity and the quality of information being generated and reported within the company.

"An assessment is carried out across all of the business units at least once a year, and you set the level of maturity appropriate to the organisation," he says. "Results on the company's maturity of risk management are now reported at board level and pressure from the board to achieve targets helps to embed the process." This may mean some organisations deciding that they do not need to operate at the top level of maturity. It's up to its executives to decide what is appropriate.

While it's likely that embedding ERM within the organisation will prove an uncomfortable experience for them, it's also part of a much-needed cultural change, he adds.


Companies on a learning curve quickly recognise that ERM is a continuous process. As Mike Angelina, chief actuary and risk officer for Bermuda-based specialty insurer and reinsurer Endurance, notes: "You can't ever let up, as there is a need to continually improve as the bar is raised higher and higher." Angelina agrees that the lead on ERM must come from the very top. "The best thing for an organisation is to have a risk-aware, risk-sensitive and risk-mitigating culture in place. That culture starts with the chief executive and it's up to the board to push forward with ERM initiatives."

He believes that in North America, a changing approach to ERM predates the financial crisis. Four years ago hurricanes Katrina, Rita and Wilma exposed the shortcomings in many programmes, and served to push the insurance industry further down the ERM path.

The impetus for ERM has also come from US regulation and the introduction of Sarbanes-Oxley in 2004, adds Karl Campbell, vice president Europe and the Middle East at Cura Software. "However, it has also been driven by America's business schools, which have promoted the message that companies need to recognise their risk vulnerabilities and threats, using them to decide which opportunities they wish to pursue."

Among these weaknesses was the over-reliance on capital models which, while a useful tool, are backward-looking. Angelina says that as an insurer, Endurance also found that models based on Value At Risk (VAR) were too focused on one area, with the industry focused on once-in-100-years and even once-in-250-years events. He suggests that companies might more usefully look at scenario planning - basically a method for learning about the future by understanding the nature and impact of the most uncertain and important driving forces affecting the world - although "you really need to review which events are driving the tail of your distribution, to help you with your hedging strategy."

Angelina is encouraged by companies' increasing focus on managing emerging risk, which dovetails neatly with a more uncertain economic outlook. "You can see what might drive your ERM and what the company is - and should be - doing about extreme events that are not being captured or are being missed entirely."

He also feels that the company benefits from bringing more individuals in to contribute to its ERM programme. Endurance's own team is multi-discipline and represents a cross-section of the organisation. "Bringing in the next level down of executives helps by introducing new ideas and if directors are brought in from a range of different disciplines then assumptions can be challenged, and revised if necessary."

The company is better able to "own" risk through this approach, he adds. This tends to be more easily accomplished by smaller companies, which tend to have fewer layers and greater flexibility. While consensus may not always be possible on risk decisions, people have a better understanding of the issues involved and dialogue can include debate on aspects such as risk versus reward trade-offs.


What are the hallmarks of a mature and effective ERM framework? A recently-published international survey by Aon identifies the following nine major features:
• a board level commitment, with risk handled as part of corporate strategy;
• a dedicated risk executive in place to drive the process;
• engagement and accountability in the ERM process at all levels of the organisation;
• engagement in the process by the company's stakeholders;
• corporate communications are fully transparent;
• financial information and strategic information are integrated into decision making;
• the process identifies new and emerging risks, while also making time to look at what lies ahead;
• a move away from risk avoidance and mitigation to instead extract value from risk.

What the financial crisis exposed was that institutions had become too wrapped up in models, adds Grant Foster. So companies need to recognise the root of risk and the human aspect, rather than being overly reliant on ratings or numbers. Risk must be embedded into critical decisions. Too many companies get caught up in "doing the deal"
