These days, most forward-thinking finance executives would concede that risk can no longer be assessed department by department or under the arbitrary coverage categories offered by insurers. Risks cut across business units and entire organizations. One event can often trigger simultaneous crises, and while much of the insurance industry may insist on discussing trends in terms of single-year contracts and specific areas of exposure, corporate executives in charge of risk management are starting to construct integrated risk profiles for their companies that involve far longer time horizons and buckets of risk. Conceptually, enterprise risk management (ERM) has finally arrived, even though it may be called by many other names.

Although the term has been kicked around for years in finance circles, the ERM approach retained a certain academic quality until the 21st century arrived, bringing with it the specter of more cataclysmic and systemic risks than have been faced in decades–and sky-high insurance premiums and substantial pressure on companies to retain risk. The hard market and tough times forced companies to see the bigger picture. “The science of risk management is making giant leaps forward,” says John F. Ryan, senior vice president at ESIS Marketing and ACE USA’s regional operations. “Risk management is not a product. It’s not an organization. It’s a process, and companies are stepping up with new ideas.”

Nonetheless, while everyone’s thinking may have caught up with the concept, if only out of necessity, the tools provided to harried CFOs and treasurers have not. “When you look at risk holistically, you must measure it,” says Susan Skerritt, a partner at Treasury Strategies Inc. in New York. “But the system to measure it doesn’t exist.”

Some companies, like Microsoft Corp., are not waiting for someone else’s tools. When Microsoft wanted a risk management information system that could cope with the complexities of its insurance coverage and claims, Treasurer Brent Callinicos decided on a custom-built solution. The platform built by an India-based software company lets Microsoft look at its losses and insurance coverage across the organization and from its own perspective rather than that of its carriers.

Since the new system records loss events whether or not they’re covered by insurance, it builds a database of such events for the company, which allows Microsoft to begin creating models based on its own experience. Admittedly, the accumulation of the loss event data by the system wasn’t planned, but it has become a key benefit, Callinicos notes, since there is generally a dearth of data available on business risks, compared with data on financial risks. This is in part because many lawsuits are settled privately. Now, “there are areas on the business risk side where there’s enough data to extrapolate from,” Callinicos says.

Unfortunately, most companies’ resources will not afford them that luxury any time soon, and Microsoft claims it has no immediate plans to bring to market its new system in its entirety. So what options are left for companies? AT&T Wireless, although $14.5 billion in revenues itself, followed an approach that many smaller companies might consider.

One Company’s Approach

Bill Buchan, AT&T’s executive director for risk strategy and administration, also chose to bring in outside help. The first step was hiring Deloitte & Touche to develop a methodical system for assessing company-wide risk. Risks were strategically broken down into four categories: strategic, operational, financial and hazard. Then, using a business risk assessment survey developed by the consulting firm, risks were further refined into 12 sub-categories. Next, Buchan harnessed an enterprise risk assessor software developed by Methodware. The software creates computer-generated risk models, aggregated by business line, geographical areas or other parameters. “It distills results into meaningful documents,” he says.

Buchan acknowledges that the goal of pan-organizational risk assessment is by no means a snap. “If you haven’t created the process, it’s hard to extract information from different business areas,” says Andrew Kuritzkes, managing director at Mercer Oliver Wyman in New York. “You need to create the organizational role and mandate in order to make progress.” That means crafting an overall vision for the company to link various initiatives together.

That job falls to risk managers and treasury execs, in most cases. Already accustomed to the spotlight since 9/11 wreaked havoc on property and casualty premiums and Enron Corp. put directors and officers on the griddle, risk managers have been forced to explore the idea of retaining more risk and, as a result, have become much more diligent about the concept of risk mitigation. “Insurance transfer is that last thing we do,” says AT&T Wireless’ Buchan. “If we want it, we keep it. We operationalize the risk out.”

Because of the pressures of the hard market, companies are also becoming more efficient in assessing risks and making their own calculations about how much they want to retain. “They come to us with much more carefully conceived programs,” ACE’s Ryan notes. “They are much more comfortable with retained risk and more willing to be a little creative.”

But the road to identifying key risks is littered with failures, despite the fact that certain industries have some clear choices. “For a retailer, it might be weather in the spring and fall, combined with gross domestic product in the fourth quarter,” says Robert Arvanitis, CEO of Risk Finance Advisors, a risk advisory firm in Westport, Conn. Though risks may not be bundled together holistically, two or three big things can be extracted. The problem is figuring out which two or three things matter most.

Mike Chagares, senior vice president in business risk consulting at Marsh Inc., tells the story of a company that identified 557 risks company-wide. The list was unwieldy. “I came up with 47 by having a consistent business process,” he says. “Then, there needs to be a way of pulling it all together.”

Energy and financial services companies have been using this approach for years since the interconnection between risks in these industries is more obvious and thus more quantifiable, says Robert Benvenuto, a managing director at Gallagher Financial Products in Chicago. “Outside those two sectors, there’s more difficulty,” he says. “It’s all driven by a company’s ability to quantify risk data.”

Industry Hardliners

Working against risk managers like Buchan is foot-dragging by the insurance companies. Typically, insurers help companies with models for gauging risks and requirements for risk transfer. Most carriers, however, steer clear of corporate efforts to measure risks across the organization, reckoning their best financial interest lies in maintaining single-year coverage based on highly specific categories of risks, such as intellectual property.

“Right now, the insurance world isn’t geared to manage large baskets of risk,” says Carl Groth, a senior vice president at insurance broker Willis in New York. Groth says he gets inquiries about enterprise risk programs from companies almost monthly, but “there are only a handful of insurance companies willing to even entertain the context. They stick to what they’re used to.”

So companies are trapped: They don’t get help from insurers in assessing enterprise risks, and they can’t get policies to cover them either. This requires finance execs to think out of the box in terms of creating self-insurance through captives or alternative risk transfer or, better still, eliminating risk. For example, “companies are using captives to get more flexibility,” says Risk Finance Advisors’ Arvanitis. “You can use them as a platform to bundle risk yourself.”

The conclusion of many risk managers: It’s easier to think creatively without the limitations of a policy.