One of the most difficult tasks for insurers in establishing an effective enterprise risk management (ERM) program is embedding ERM principles and practices throughout the organization. As challenging as it may be for chief risk officers and risk committees to master the key concepts and strategies of ERM, it can be even more difficult to explain them to “novice” business people in the rest of the organization.
It is critical to the success of an ERM program, however, that companies instill ERM practices at every level in the company. ERM should be a day-to-day, simmering concern within business departments, rather than just a once-a-quarter fire drill by a small core risk-management team.
Accordingly, a major phase in most ERM programs is a “roll-out” phase of training and education for functional departmental managers, business heads and staff that may be involved in identifying risks, or implementing controls. Within this training, a foundational agenda item is often a session explaining what ERM is, and how it differs from what staff may be used to as traditional or historical compliance, internal audit, or risk management efforts.
As part of this training, giving specific concrete examples of potential risks, claims or losses can be extremely effective in helping individuals envision risks in their own area, and better appreciate how the issue could be of concern beyond their own functional area. Using case studies, and perhaps providing detailed data or statistics about the frequency or magnitude of risk, enables respondents to really “picture” the significance of loss. This helps participants extrapolate their own experiences and thoughts more fully into the future when assessing risk from an ERM perspective.
Embedding ERM into the organization, and tips for training, were recent topics of discussion at this year's annual Risk and Insurance Management Society (RIMS) conference in Philadelphia. One interesting idea for bringing ERM concepts into focus for business staff, and “making it real,” was introduced by a director of corporate risk for a Midwest regional carrier. He suggested at least one simple training tool that could be considered as a “baby step” on the path of understanding ERM concepts, and gave trainees a copy of The Wall Street Journal to review from a risk assessment perspective.
In this exercise, employees were told that they should identify some major risks that could impact their company from stories in the daily news. Through a brainstorming session, the group was able to come up with a list of major risks and identify emerging trends that had practical impact on the company. Increased mortgage interest rates, stagnant unemployment rates, tornadoes in the Midwest and financial institution mergers were just a few of the potential indicators of loss—as well as opportunity—that could have knock-on effects to their company.
Some issues affected human resources. Some impacted interest rates and investment activity. Others were indicators of potential asset or property risk. But most importantly, they were concrete examples of real-world events that helped employees better envision potential loss or threats to their own business, which may cut across functional departments and have even greater impact on the entity as a whole. This helped emphasize the need for, and benefit of, company-wide risk management.
Other variations of a “real world” exercise can be built into ERM training in a number of ways. For example, take a closer look at cell phones, and the risks a company faces when issuing employees mobile phones. In the “old world” before ERM, companies may have done a cost/benefit analysis of issuing cell phones by looking at the total cost of the actual phone and any monthly charges, and weighing that against the benefit of having employees available to talk to colleagues and clients while travelling or otherwise away from the office, and at odd hours of the day.
A New World
In the “new world,” where risks need to be considered and weighed with a broader perspective, the company may approach such a decision from a new angle, weighing not only the pure cost of the hardware and airtime, but also potential loss to other areas:
- What about employees talking or texting on the mobile phone while driving or walking, increasing their risk of first- or third-party accidents? Might this warrant additional auto liability insurance for the company? Or should the company at least make sure that accidents caused while talking or texting are not excluded from corporate insurance policies? This may impact the corporate HR, corporate risk or other insurance-buying departments.
- What happens if the phone is stolen or lost? Might there be breaches of confidential corporate information, trade secrets, or legally-protected customer data, especially for smart phones used to send and receive routine company emails with attachments and data exhibits? Are there IT security, data protection and privacy policies and procedures which need to be put in place to ensure that such risks are appropriately mitigated?
- Might there be tax deductions potentially available (or not) to companies for phones as corporate physical assets offsetting some of the dollar costs? This could be a major consideration for the finance or accounting areas.
- Taken to an extreme, the analysis could even go as far as to consider the risk of potential future personal injury from radiation due to cell phone use, as the World Health Organization’s International Agency for Research on Cancer Epidemiology continues to research mobile phones as a possible cause of cancer. Could this risk eventually increase group medical insurance costs for companies where corporate phones are routinely issued?

Make time for that first baby step. Look at the stories of today and list out the answers to the question, “What is the best and worst that could happen from this occurrence or event?” This can bring home the message that important corporate decisions can be impacted in multiple ways by risks flowing through several departments and multiple areas in the company.
Once this foundational principle is mastered, it is easier to move to the next step of talking about risk assessment or quantification, and control or mitigation techniques. Down the road, more complex ERM concepts such as using gathered data for strategic decision making, operational improvements and financial planning can be considered on more solid footing.